Tuesday 13 February 2018

GIT Intro

Overview: Git is very popular and it is similar to existing version control systems.  The key is to be able to work on multiple branches that you can go to at any point.

Let's get started..

Start a new Git repository (repo) - all folders created under the main git folder are part of the repository. Any changes are kept track of and all change history is recorded.  The new repo has a default main branch created automatically.  To create a new repo use the syntax:

>git init

There are files you don't want to keep track of in the repo, so use a .gitignore file to stop specific files or folders from being tracked in the repo.

Once you are writing code, you get a Git local staging area.  -A means All files and folders

>git add -A

Now you make changes in your staging environment via your IDE, and need to add it back to the default "Main" branch.

Create a repo, add code, change code and commit to the branch.

This is a fantastic simple illustration to quickly understand Git.

GitHub is hosted Git (centrally hosted instances, bought by Microsoft circa 2018 but still open source, https://github.com); the developer clones the GitHub repository and works using distributed source control.  You can host it yourself, but it has great integration with Azure DevOps.  You can also replace the central GitHub with Azure DevOps (Git).
  • Git ignore files, tells source control not to include certain file types
  • Tags for a specific point in time.  Like labels in TFS/Azure DevOps
  • Pull request (PR) - a dev has made a change and wants to push the code into the main branch; someone else generally approves and the code is pulled into the main (Working Directory) branch (depends on branching strategy)
  • The developer normally branches off the Main branch using a cloned copy on the local dev env.  The developer makes changes, then raises a PR; if the PR is approved it gets merged into Main (automatically or manually per config).  The Main branch then has the latest code and the developer can delete their cloned branch.
  • GitHub Enterprise allows integration with Microsoft Teams (sounds amazing)
  • GitHub Codespaces - Instead of local dev, it allows dev using a browser.  Competes with Microsoft's Dev Box (spins up dev env that is browser accessible).  Microsoft Dev Box iGB VM's to choose from, the 16GB, has 4 vCPU's.  Only bills when DevBox is running but the storage used is continuous.  If left on/max monthly cost, it would cost about £370, if well managed i.e. turned off on weekend and overnight but used for roughly 8 hrs a day cost would be around £85 for a month.  All dev licences are included.  Pls check with Ms this is my understanding.
DevOps has morphed into DevSecOps (Development, Security, Operations) - the same team is responsible for all the roles.  Continuously ensure security is built in, called shifting left, so it is not tacked on at the end of the project.  Includes monitoring and auditing.  Git, like other source control systems, assists in DevSecOps.

Friday 9 February 2018

CORS for SharePoint Requests

Problem:  I wish to create a standard header for my client to layover multiple applications to tie together branding and global organisation branding.  Similar to what O365 does as shown below:
Provide a common header that logs the user in and dynamically generates the header within SharePoint.  Use an HTTP JavaScript request from multiple child applications to deliver the shared common user header.  As I have numerous applications on sub-domains (e.g. https://hr.contoso.com, https://cash.finance.contoso.com and even https://clients.oldurl.net), I need to ensure I allow CORS requests that also allow for user authentication.

"The CORS mechanism supports secure cross-domain requests and data transfers between browsers and web servers."  Mozilla

Initial Hypothesis:

Option 1 - IIS and SharePoint struggle to handle this requirement using configuration.  For instance, by default, only same origin subdomain requests are allowed.  Adding the header Access-Control-Allow-Origin: * allows for any domain but I can't specify to use credentials so I need an anonymous site, and then I lose my ability to identify my user and generate a dynamic menu.
Result: Fail.  I receive the following error in the browser: "A wildcard '*' cannot be used in the 'Access-Control-Allow-Origin' header when the credentials flag is true"

Option 2 - Specify multiple sub-domains, i.e. Access-Control-Allow-Origin: https://hr.contoso.com,other.contoso.com
To do authentication, I now need the following 3 HTTP response headers:
Access-Control-Allow-Origin: https://hr.contoso.com, https://other.contoso.com
Access-Control-Allow-Credentials: true
Vary: Origin
Result: Fail.  I receive the following error in the browser: "The 'Access-Control-Allow-Origin' header contains multiple values '', but only one is allowed".

Option 3 - Specify a single sub-domain, i.e. Access-Control-Allow-Origin: https://hr.contoso.com
Access-Control-Allow-Origin: https://hr.contoso.com
Access-Control-Allow-Credentials: true
Vary: Origin
Result: Fail.  Works for the hr sub-domain but my other sub-domains fail. I have multiple sub-domains that need access.

Key take away: There can only be 1 Access-Control-Allow-Origin response header, and the returned Access-Control-Allow-Origin header can only have one URL.

Option 4 - Dynamically inject the Access-Control-Allow-Origin header.  In SharePoint this means an ISAPI filter, or using the Global.asax to dynamically set the HTTP Access-Control-Allow-Origin header from a white-list of URLs.  Beware of caching pages downstream.  Alternatively, URL Rewrite can be used on the IIS WFEs.
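
One way to implement Option 4 in Global.asax.cs, as an added example that is not code from the original post.  It assumes an ASP.NET application on IIS; the class name, the allow-list contents (taken from the example sub-domains above) and the preflight method/header values are assumptions to adjust.

```csharp
using System;
using System.Collections.Generic;
using System.Web;

// Hypothetical Global.asax code-behind: echoes the caller's Origin back
// only when it is an exact match for an entry in the allow-list.
public class Global : HttpApplication
{
    // Full origins (scheme + host, no trailing slash).  Exact matching only:
    // no wildcards, prefix or suffix tests, so look-alike hosts are rejected.
    private static readonly HashSet<string> AllowedOrigins =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        {
            "https://hr.contoso.com",
            "https://cash.finance.contoso.com",
            "https://clients.oldurl.net"
        };

    protected void Application_BeginRequest(object sender, EventArgs e)
    {
        // The response now differs per Origin, so tell downstream caches;
        // otherwise one origin's cached header is served to another origin.
        Response.AppendHeader("Vary", "Origin");

        string origin = Request.Headers["Origin"];
        if (string.IsNullOrEmpty(origin) || !AllowedOrigins.Contains(origin))
        {
            return; // No CORS headers: the browser blocks the cross-origin read.
        }

        // Exactly one header with exactly one value, as the browser requires.
        Response.AppendHeader("Access-Control-Allow-Origin", origin);
        Response.AppendHeader("Access-Control-Allow-Credentials", "true");

        // Answer preflight requests here, before authentication runs.
        if (Request.HttpMethod == "OPTIONS")
        {
            Response.AppendHeader("Access-Control-Allow-Methods", "GET, OPTIONS");
            Response.AppendHeader("Access-Control-Allow-Headers", "Accept, Content-Type");
            Response.StatusCode = 204;
            CompleteRequest();
        }
    }
}
```

The Origin value is only echoed after the allow-list lookup succeeds; reflecting it unconditionally together with Access-Control-Allow-Credentials: true would let any site read the authenticated response.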

Thanks to Abhishek Sharma for highlighting my lack of knowledge about CORS requests.

Wednesday 31 January 2018

Looking for a cheap quick UI testing and monitoring Tool - endtest and Ghost Inspector Review

Problem:  My client is looking for a simple tool that monitors whether a website is up and running and can run a small set of UI tests and asserts to verify it is working as expected.

Initial Hypothesis:  There are a lot of monitoring sites like uptime that meet this requirement, but I reviewed Ghost Inspector and endtest.  I am not looking to do full CI as I would look at Selenium WebDriver for an enterprise solution for UI testing.

Resolution:  Trial endtest and Ghost inspector on my O365 subscription to validate it monitors and alerts, can perform advanced logins and it can validate custom pages after JavaScript injection.  Price and feature wise both tools are pretty similar.

Ghost Inspector Initial Thoughts
Easy to use and there is a recording function for Chrome.  This review has put me off Ghost Inspector to some degree but definitely an excellent product to evaluate.
Bad review for Ghost Inspector but it does assume enterprise level UI testing more suited to tooling like Selenium.

endtest Initial Thoughts
Easy to use, set up testing in a matter of minutes, recorded actions and assertions.  The trial is limited as I could not check the scheduling mechanism, but endtest looks like the ideal tool for my requirement.  Would need to go for the pro licence at $79 per month.  A simpler smaller option would be more attractive but let's see what the client thinks.

Other Tools for UI Testing:
Selenium IDE is an excellent tool for UI testing and UI automation testing.  Here is a post on Selenium I did a few years back.

qTest Explorer
This is a Manual recording and documentation tool that records browser and desktop interaction.  It's straightforward to use and great for Manual UI testing.  It is not for automation or re-running test but great if the project requires manual testing and proof.

Tuesday 23 January 2018

Basic Branching Strategy for TFS and GIT

  • The main difference between standard TFS branching strategy is that you branch more often for shorter time periods and check in small code change units into the "Development" branch.
  • Delete the black line once the feature is complete and checked back into the Development branch.  Can easily start a new functional local GIT branch to amend the next feature.
Note: It is also easy to grab a local GIT branch from the Main branch (in line with your production code base), make changes, and then when checked back in the hot-fix goes into both the Main and Development code branches.

Choosing the branching strategy is normally: Release, patch or feature driven.

Visual Studio 2019, Commit code to GIT repository

Friday 19 January 2018

Interviewing Developers, Leads and Consultants for Projects

Overview:  I look for 3 key areas: are you 1) hardworking, 2) smart & 3) do I like you.  The technical part of the interview helps me see if you are hardworking.

Budget is always a big issue, you don't want to waste your time or the employee's.  Upfront, both parties need to know they are in the right space.  Also, pay, you need good quality and you don't want people shifting as most companies don't raise properly after recruiting.
Timeline, it takes time to find the right person.  And it takes time: they have notice periods and you need to onboard/train the person, so start early; for a contractor you'll need 1-2 months and for permanent it generally will take 5-6 months.
Clear Job And Expectations is key, it will help scan/find suitable candidates.  Be sure to cover KSA (Knowledge, Skills, and abilities).
Listen don't sell, I see interviewers including me selling if I like the candidate, rather listen than talk a lot.

Depending on the project will dictate the skills and experience I look for.  This post lists the skills I generally look for when hiring dev and leads for SharePoint based projects.  Firstly, I compile a list of skills for the project and ensure each developer role covers multiple areas/expertise types.  My general list is shown below.

Skill needed:
  • Azure or AWS
  • SharePoint/O365/MS Teams
  • PHA
  • TFS / GIT
  • .NET/C# 
  • WCF / Web API/ Open API / Swagger
  • SQL Server/T-SQL
  • Evening/Enterprise Service Bus
  • Entity Framework/Code First
  • JQuery, JavaScript
  • ALM, DevOps, CI/CD
  • Angular JS, KnockOut React VueJS, Other JScript Libraries
  • O365
  • Networking
  • Federation/OAuth/Security
  • Agile/Scrum
I keep a scorecard and Notes that I fill in for each candidate.  If they score too low in the technical section, I don't start the Personal section, and until I think they are a good candidate then I start the problem solving which I find to be the best indicator of if a guy is going to work out.  Looking back at a lot of developers and leads hired, the 2 critical sections are problem-solving and admits limitations (the guys that don't know when to say "I don't know" are generally a problem if hired). 

Candidate Template:  John Doe

Branding, knows SP limits excellent,
8 missed JS injection
SAML, ADFS, passive claims and SSL
Types, S2S vs ACS, Certs, MVC app pkg
Namespaces, versions ng,
Trimming, CEWS, components, DisplayTemplates, KQL
SSRS, Power BI, SSAS, rdl, understand no depth in knowledge


Super adjusted


Admits limitations


Problem Solving:       

SharePoint Problem Solving


Smart, nice guy, super knowledgeable.  Admitted he does not know BI at all and then actually gave a solid explanation of BI on SP. 
Technical: 9
Personal: 9

Problem Solving: 8

Example qus when trying to identify a candidates strengths:
QU: Difference/compare Web Services vs WCF vs Web API
Web Services is the oldest, .asmx extension are ASP.NET Microsoft's web services.  HTTP protocol only and uses SOAP (XML).  Microsoft proprietary.
WCF was the next release and ends with the extension .svc.  Supports the following protocols: HTTP, HTTPS, TCP, Named Pipes, MSMQ.  WCF uses SOAP (XML).  Complex to configure but offers flexibility.  Add REST support using webHttpBindings and then it can use XML, JSON and ATOM data formats.  IIS needs a config change to support PUT and .. verbs.
WebAPI is part of the MVC template, though it wasn't originally.  Simple to set up and supports REST.  Lightweight and easy to consume.  HTTP protocol only.  Supports XML and JSON data formats.

CSS Basic Qus (as I am rubbish, thanks to Jeff H):
QU: How can we add/implemented CSS to our pages (3 approaches)
ANS: Inline css, in the head section of the page or call/reference an external CSS file
QU: Explain Z-Index
ANS: Stack order
QU: Browser engines used
ANS:  IE uses Trident or now called HTMLEdge, Chrome & Opera use Blink; Safari uses webKit; Firefox/Mozilla uses Gecko.
QU: Explain block object positioning between: Absolute, relative and fixed. 
QU: Diff between a class selector and an id selector
QU: Explain Display: None vs Display: Hidden

Template used for a Delivery Lead:



Kam Score

Programming C#

Front end/JS/HTML

Kam Score

Admits limitations

Problem Solving:

Kam Score

Problem Solving



Thursday 18 January 2018

TLS Issue - The underlying connection was closed

Problem:  I have a console using CSOM that stopped working when the TLS settings were updated firm-wide.  The communication is between the console and a SharePoint farm, using CSOM, and now it no longer works.  The event log generates the following error message on the client machine: A fatal error occurred while creating an SSL client credential. The internal error state is 10013.

Initial Hypothesis: The outbound HTTPS traffic is the issue, as the error is telling me that the failure was in creating the SSL client credential.  The console runs on a web server, and the TLS restriction change has caused the issue.  The issue is that the running console can't create an SSL client credential.  The TLS change was made to the console VM and not the SharePoint farm.  Here is the PS script to validate TLS versions written by Vadims Podans.

The post below helped me query the windows web servers to check the TLS settings using PowerShell.  I believe the outbound is controlled by the inbound TLS settings.

Resolution:  Change the console to use a known TLS version, e.g. TLS 1.2, as shown below:
ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;

Alternatively, revert the TLS setting in the registry. Apparently, this means your server is more susceptible to attack.

Alternatively, specify all the protocols you support from the calling client-side application:
ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12 | SecurityProtocolType.Tls11 | SecurityProtocolType.Tls | SecurityProtocolType.Ssl3;

Read this section if you are still having issues.
Factors that Influence Settings:
My CSOM console sits on a VM that hosts IIS, so there are three components to ensure connectivity excluding networking:
1.> SharePoint Server needs to support the TLS version
2.> VM hosting my console's outbound SSL is also set by IIS local TLS settings, so if I want to speak on TLS to the SharePoint server, I also need to have SSL enabled (or registry hacked) on TLS1.2 on the IIS VM hosting my console.
3.> My Console needs to support TLS 1.2 or all versions so it can negotiate for itself.  Regedit to check TLS setting is shown below:
More Info:

Also look at this post to enforce TLS1.2


   SchUseStrongCrypto = (DWORD): 00000001
       SchUseStrongCrypto = (DWORD): 00000001

Sunday 17 December 2017

Office 365 Technical Governance Thoughts

Hierarchy of Governance of IT
  • Business Governance
  • IT Governance
  • SharePoint Governance
The items to look at for a security breach apply at all 3 governance levels, and planning to deal with a security breach must cover:

  • Legal Compliance
  • Litigation & Insurance
  • Security
  • Business continuity and Disaster recovery
  • PR
There are a lot of technical pieces involved in Governance of SharePoint, such as authentication, security, O365 labels, Microsoft Information Protection (O365 labels) and Azure Information Protection (AIP/AIP Labels), CAS, IRM, ...  There are third party products like SkySync, Symantec, ... and a lot of SharePoint Governance is part of other products that also cover SharePoint.