Thursday 18 January 2018

TLS Issue - The underlying connection was closed

Problem:  I have a console using CSOM that stopped working when the TLS settings were updated firm-wide.  The communication is between the console and a SharePoint farm, using CSOM, and it no longer works.  The event log on the client machine generates the following error message: A fatal error occurred while creating an SSL client credential. The internal error state is 10013.

Initial Hypothesis: The outbound HTTPS traffic is the issue, as the error says the failure happened while creating the SSL client credential.  The console runs on a web server, and the TLS restriction change has caused the issue: the running console can't create an SSL client credential.  The TLS change was made to the console VM and not the SharePoint farm.  Here is the PS script to validate TLS versions written by Vadims Podans.


The post below helped me query the Windows web servers to check the TLS settings using PowerShell.  I believe the outbound is controlled by the inbound TLS settings.

Resolution:  Change the console to use a known TLS version, e.g. TLS 1.2, as shown below:
ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;

Alternatively, revert the TLS setting in the registry. Apparently, this means your server is more susceptible to attack.

Alternatively, specify all the protocols you support from the calling client-side application:
ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12 | SecurityProtocolType.Tls11 | SecurityProtocolType.Tls | SecurityProtocolType.Ssl3;
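As an added example (not the original post's code), here is the Resolution applied in a minimal CSOM console: the protocol is pinned to TLS 1.2 once, before the first request leaves the process, and a failed handshake is reported instead of surfacing only as a closed connection. It assumes .NET Framework 4.5 or later, references to Microsoft.SharePoint.Client and Microsoft.SharePoint.Client.Runtime, a placeholder site URL, and that the running Windows account has access to the site.

```csharp
// Added example, not from the post: CSOM console that pins TLS 1.2 before the first request.
// Assumes .NET 4.5+ and the Microsoft.SharePoint.Client assemblies; site URL is a placeholder.
using System;
using System.Net;
using Microsoft.SharePoint.Client;

class PinnedTlsCsomConsole
{
    static void Main()
    {
        // ServicePointManager is process-wide and consulted when a connection is opened,
        // so set it before any HTTPS call. Pinning Tls12 avoids re-enabling SSL 3.0 / TLS 1.0,
        // which the firm-wide hardening was presumably removing.
        ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;

        string siteUrl = "https://sharepoint.example.com/sites/demo"; // placeholder, not a real farm

        using (var ctx = new ClientContext(siteUrl))
        {
            // On-prem farm with Windows authentication: use the account running the console.
            ctx.Credentials = CredentialCache.DefaultNetworkCredentials;

            Web web = ctx.Web;
            ctx.Load(web, w => w.Title, w => w.Url);

            try
            {
                ctx.ExecuteQuery();
                Console.WriteLine("Connected with TLS 1.2 to '{0}' ({1})", web.Title, web.Url);
            }
            catch (WebException ex)
            {
                // "The underlying connection was closed" lands here when client and server
                // share no enabled protocol or cipher suite.
                Console.WriteLine("CSOM request failed: {0}", ex.Message);
                if (ex.Status == WebExceptionStatus.SecureChannelFailure)
                {
                    Console.WriteLine("Secure channel failure: compare the TLS versions enabled on the console VM and the SharePoint WFEs.");
                }
            }
            catch (ServerException ex)
            {
                // The handshake succeeded but SharePoint rejected the request (permissions, bad URL).
                Console.WriteLine("SharePoint returned an error: {0}", ex.Message);
            }
        }
    }
}
```

On .NET Framework 4.7 and later the default SecurityProtocol is SystemDefault, which follows the OS SCHANNEL configuration, so this explicit pin matters most on 4.5 and 4.6 consoles; either way it is a single line that fails loudly on a misconfigured host rather than silently widening the allowed protocol set.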

Read this section if you are still having issues.
Factors that Influence Settings:
My CSOM console sits on a VM that hosts IIS, so there are three components to check for connectivity, excluding networking:
1.> The SharePoint server needs to support the TLS version.
2.> The VM hosting my console: its outbound SSL is also set by the local IIS TLS settings, so if I want to talk TLS to the SharePoint server, I also need TLS 1.2 enabled (or the registry edited) on the IIS VM hosting my console.
3.> My console needs to support TLS 1.2, or all versions, so it can negotiate for itself.  The registry keys to check the TLS setting are shown below:
More Info:
https://www.sysadmins.lv/blog-en/test-web-server-ssltls-protocol-support-with-powershell.aspx

Also look at this post to enforce TLS1.2

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319
    SchUseStrongCrypto = (DWORD): 00000001
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319
    SchUseStrongCrypto = (DWORD): 00000001


Sunday 17 December 2017

Office 365 Technical Governance Thoughts


Hierarchy of Governance of IT
  • Business Governance
  • IT Governance
  • SharePoint Governance
The items to look at for a security breach apply at all 3 governance levels, and planning to deal with a security breach must cover:

  • Legal Compliance
  • Litigation & Insurance
  • Security
  • Business continuity and Disaster recovery
  • PR
There are a lot of technical pieces involved in governance of SharePoint, such as authentication, security, O365 labels, Microsoft Information Protection (O365 labels) and Azure Information Protection (AIP/AIP labels), CAS, IRM, .....  There are third-party products like SkySync, Symantec, .... and a lot of SharePoint governance is part of other products that also cover SharePoint.



Tuesday 21 November 2017

Power BI Online integrated into a SharePoint on-prem. extranet architecture

Power BI Embedded Online licensing as of 22 Nov 2017:
Basically, there are 2 parts to licensing Power BI Online.
1.> You licence per the number of pages you render per hour.  You need to have the Power BI Embedded licences on infrastructure to serve up a certain number of requests per hour, so work out your peak number of page requests per hour and licence for the appropriate plan.  The table below shows the Power BI Embedded plan you'll need to subscribe to:

Plan   Virtual CPUs   RAM (GB)   Max Requests per hour
A1     1              3          300
A2     2              5          600
A3     4              10         1200
A4     8              25         2400
A5     16             50         4800
A6     32             100        9600
Note:  I believe the plans can be scaled up or down instantly without display, and pausing a service stops the Power BI Embedded costs.  If you run over the max requests per hour, I believe the Power BI PaaS will still serve up pages/reports, but you will get an extra bill for the additional reports.

2.> You'll also need to purchase at least 1 Power BI Pro licence, which is used for administration, content publishing, and development.
3.> As of the time of writing (Nov 2017) the Microsoft Power BI Gateway does not offer High Availability (HA), but I'm sure it is coming soon.
4.> A single account is used to connect to each source, and RLS security has to be applied at the source (SQL SSAS); user table mapping is required.



Also see:
http://blog.sharepointsite.co.uk/2017/10/power-bi-on-prem-extranet-information.html
https://docs.microsoft.com/en-us/power-bi/developer/embedded-row-level-security


Saturday 18 November 2017

TDD, BDD, DSL...

TDD - Test Driven Development is usually associated with Unit Tests.

  1. Write tests before creating any application code.
  2. Write code
  3. Run code with tests to verify it works
  4. Repeat to add more functionality to your code

BDD - Behaviour-driven Development is an Agile development process that encourages collaboration between team members.   BDD combines TDD with ideas from domain-driven design (DDD) and object-oriented analysis and design to deliver software.   Get your requirements into User Stories, and develop Acceptance Criteria (I like Gherkin).  This ensures "The Three Amigos" (product owner/business, analysts, testers and programmers) are on the same page (note these roles in Agile are often all performed by 1 person).

Domain Specific Language (DSL) - A language used to help communicate a system's behaviour or share information, such as User Stories and Gherkin.  A DSL is very similar to a General Purpose Language such as Use Cases.

Wednesday 1 November 2017

Using a CDN for Custom User Actions

Problem:  I need to inject JavaScript into a couple of hundred thousand site collections and subsites using a Custom User Action (CUA).  I want to use a CDN.  Governance will not let me add to the layouts folder on the WFEs.  Using a CDN for a CUA is causing a blank page.

Initial Hypothesis:  I don't want to deploy the same JS file hundreds of thousands of times into the local site collections, as updating and storage would be unmanageable.  I want CDN-like behaviour, and the closest I can get is to modify the hive directory on each SharePoint on-prem. farm, which allows me to reference the JS.  I have several farms, and IT governance won't let me modify the WFEs.

Tobias Lekman has an excellent comprehensive overview of the CUA issue:
https://blog.lekman.com/2013/01/scriptlink-registration-in-sharepoint.html

Doing the usual testing, bizarrely I can use anonymous https://radimaging.sharepoint.com/_layouts/15/guestaccess.aspx?docid=55529eccf4555d698555cb26108fb555&authkey=555-6M9555zF555g555 for my CUA JS file.
When I allow external access on my personal public O365 E3 tenant, I can use this URL and the CUA works perfectly.  My client does not have an Office 365 external public tenant I can use, so I used an Akamai CDN (any other CDN would do) and faked the validation.  Either the URL is SharePoint-validated, or I need to load it differently if I want to use a CDN.  I used an Akamai CDN and added /_layouts/15/ into the URL using folders, and the CDN started working for my CUA, e.g. https://cdn.domain.com/sharepoint/_layouts/15/cuatest.js

Possible Resolution:
  1. Local Site Collection uploaded files
  2. CDN assuming the JS location has: 
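An added example, not code from the post: registering the ScriptLink custom user action with CSOM so that ScriptSrc is the CDN URL with /_layouts/15/ in its path, the form the post found to pass SharePoint's validation. The action name is hypothetical, the site URL is a placeholder, and the CDN URL is the one from the post; the Microsoft.SharePoint.Client assemblies are assumed to be referenced.

```csharp
// Added example, not from the post: register (idempotently) a ScriptLink CUA whose ScriptSrc
// is an absolute CDN URL that keeps /_layouts/15/ in the path. Names and URLs are placeholders.
using System;
using System.Linq;
using System.Net;
using Microsoft.SharePoint.Client;

class RegisterCdnScriptLink
{
    // Hypothetical action name; used to find and replace an earlier registration on re-run.
    const string ActionName = "CdnCuaTest";

    static void Main()
    {
        ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12; // same lesson as the TLS post

        string siteUrl = "https://sharepoint.example.com/sites/demo";                    // placeholder
        string scriptUrl = "https://cdn.domain.com/sharepoint/_layouts/15/cuatest.js";   // from the post

        using (var ctx = new ClientContext(siteUrl))
        {
            ctx.Credentials = CredentialCache.DefaultNetworkCredentials;

            UserCustomActionCollection actions = ctx.Web.UserCustomActions;
            ctx.Load(actions, col => col.Include(a => a.Name, a => a.Location, a => a.ScriptSrc));
            ctx.ExecuteQuery();

            // Remove any previous copy so repeated runs do not stack duplicate <script> tags.
            foreach (UserCustomAction old in actions.Where(a => a.Name == ActionName).ToList())
            {
                old.DeleteObject();
            }

            UserCustomAction cua = actions.Add();
            cua.Name = ActionName;
            cua.Title = "CDN hosted script";
            cua.Description = "Loads cuatest.js from the CDN on every page of this web";
            cua.Location = "ScriptLink";   // emits a <script src=...> on every page of the web
            cua.ScriptSrc = scriptUrl;     // absolute URL; keep /_layouts/15/ in the path
            cua.Sequence = 1000;
            cua.Update();
            ctx.ExecuteQuery();

            Console.WriteLine("Registered ScriptLink '{0}' -> {1}", ActionName, scriptUrl);
        }
    }
}
```

Whatever can write to that CDN path can run script in every user's session on every site that carries the action, so the CDN origin needs the same change control and access restrictions that governance applies to the WFEs; serve it over HTTPS only, and keep the idempotent delete-then-add so an audit of UserCustomActions shows exactly one registration per web.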

Saturday 30 September 2017

Integrating Skype into a SPA in SharePoint

SPAs are pretty common, and recently on a project I had a request to show contacts within a SPA hosted on SharePoint.  Here is the code that shows Skype presence to the user.

Note: Works on IE, requires the user to be logged into Skype and have the Skype client.

<!DOCTYPE html>
<html dir="ltr" lang="en-US">
<head>
    <meta http-equiv="X-UA-Compatible" content="IE=10" />
    <title> Presence with Skype </title>
    <link rel="stylesheet" type="text/css" href="/_layouts/15/1033/styles/Themable/corev15.css" />
    <script type="text/javascript" src="/_layouts/15/init.js"></script>
    <script type="text/javascript" src="/_layouts/15/1033/strings.js"></script>
    <script type="text/javascript" src="/_layouts/15/core.js"></script>
</head>
<body>
    <script type="text/javascript">
        var g_presenceEnabled = true;
    </script>
    <div>
        <span class="ms-verticalAlignTop ms-noWrap ms-displayInlineBlock">
            <span class="ms-imnSpan">
                <a class="ms-imnlink ms-spimn-presenceLink" aria-hidden="true" onclick="IMNImageOnClick(event);return false;" href="#">
                    <span class="ms-spimn-presenceWrapper ms-imnImg ms-spimn-imgSize-10x10">
                        <img name="imnmark" class="ms-spimn-img ms-spimn-presence-online-10x10x32" id="imn_1,type=smtp" alt="Offline" src="/_layouts/15/images/spimn.png" sip="pb@radimaging.co.uk" showofflinepawn="1" />
                    </span>
                </a>
            </span>
            <span class="ms-noWrap ms-imnSpan">
                Paul beck
            </span>
        </span>
    </div>
</body>

</html>