Thursday, March 28, 2013

SharePoint 2013 - App Permissions, Authentication, Authorization

An app in SharePoint receives the permissions it needs at installation time, from the user who installs it. The permissions an app requires are declared in its AppManifest.xml file during development. The installing user either grants everything the app asks for, limited to the permissions he himself holds, or grants nothing; there is no partial grant, so an app ends up with all of those permissions or none.

Generally an app carries the following information:

  • Display name
  • Client ID of the app
  • App domain

Windows Azure Access Control Service (ACS) stores the basic information about an app, such as its display name and app URL. When a SharePoint user installs the app, SharePoint 2013 fetches this information from ACS and stores it in the App Management service. The content database and the User Profile service then take the app information from the App Management shared service.

In SharePoint 2013 an app has its own identity, called the app principal. Like users and groups in SharePoint, the app principal has permissions and rights. The app principal asks SharePoint to host the app web, over which it has full permissions.

Permission scopes:
SharePoint offers several permission scopes: site, web site, list, library and tenancy. Site means site-collection level, web site means web level, and list/library means list- or library-level scope. A permission applies to every child of its scope: if the scope is the site, the permission is inherited down the whole site and applies to all children in that site.

Permission rights:
SharePoint 2013 apps support four permission levels: Read, Write, Manage and Full Control. These correspond to the regular SharePoint Reader, Contributor, Designer and Full Control levels. To avoid confusion with user permission levels, the right names were made unique, except for Full Control, because the Full Control permission level cannot be customized. Read, Write, Manage and Full Control are the only rights for SharePoint content. Search has one additional right, "Query". Project Server has "Submit" and "Elevate" rights. Taxonomy has only Read and Write.

Permissions that SharePoint 2013 does not recognize are rejected: if the AppManifest.xml of an app names a permission that SharePoint 2013 does not know, installing the app returns an error. An installer who lacks sufficient permissions to grant what the app asks for also gets an error message.

Permissions are requested through the AppManifest.xml file. The example below requests Read access on the web and Write access on a list.

<?xml version="1.0" encoding="utf-8" ?>
<!-- ProductID below is a placeholder; every app has its own GUID -->
<App xmlns="http://schemas.microsoft.com/sharepoint/2012/app/manifest"
     Name="SampleAppDevelopment"
     ProductID="{00000000-0000-0000-0000-000000000000}"
     Version="1.0.0.0"
     SharePointMinVersion="15.0.0.0">
    <Properties>
        <Title>Sample App Development</Title>
        <StartPage>~remoteAppUrl/Default.aspx?{StandardTokens}</StartPage>
    </Properties>

    <AppPrincipal>
        <RemoteWebApplication ClientId="7acdfebb-4265-5214-b8d6-657645312987" />
    </AppPrincipal>

    <AppPermissionRequests>
        <AppPermissionRequest Scope="http://sharepoint/content/sitecollection/web" Right="Read" />
        <AppPermissionRequest Scope="http://sharepoint/content/sitecollection/web/list" Right="Write" />
    </AppPermissionRequests>
</App>

As discussed above, SharePoint sites and lists have these four rights. For BCS, Project Server, Search and Taxonomy the available rights differ.
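Because a misspelt or unknown right in the manifest only surfaces as an installation error, a packaging-time check is worth having. This is an added example, not code from the post or from SharePoint: it parses the AppPermissionRequest elements of an AppManifest.xml and checks each Scope and Right against the content scopes and the four rights described above. The manifest namespace is the one SharePoint 2013 uses; the sample manifest (with a deliberate misspelling, Wrire) is constructed for the demo.

```python
import xml.etree.ElementTree as ET

# Content scopes from broadest to narrowest (the post notes that a grant at
# one scope is inherited by everything beneath it).
CONTENT_SCOPES = (
    "http://sharepoint/content/tenant",
    "http://sharepoint/content/sitecollection",
    "http://sharepoint/content/sitecollection/web",
    "http://sharepoint/content/sitecollection/web/list",
)
# The four content rights the post lists, in manifest spelling.
CONTENT_RIGHTS = ("Read", "Write", "Manage", "FullControl")


def _local_name(tag):
    """Strip a namespace prefix such as '{uri}AppPermissionRequest'."""
    return tag.rsplit("}", 1)[-1]


def parse_permission_requests(manifest_xml):
    """Return [(scope, right), ...] for each AppPermissionRequest in the manifest."""
    root = ET.fromstring(manifest_xml)
    if _local_name(root.tag) != "App":
        raise ValueError("root element must be <App>, got <%s>" % _local_name(root.tag))
    return [
        (el.get("Scope", ""), el.get("Right", ""))
        for el in root.iter()
        if _local_name(el.tag) == "AppPermissionRequest"
    ]


def validate_requests(requests):
    """Return a list of problems; an empty list means every request is acceptable."""
    problems = []
    seen = set()
    for scope, right in requests:
        if scope not in CONTENT_SCOPES:
            problems.append("unknown scope %r" % scope)
            continue
        if right not in CONTENT_RIGHTS:
            problems.append("unknown right %r for scope %r" % (right, scope))
        elif (scope, right) in seen:
            problems.append("duplicate request %s on %s" % (right, scope))
        seen.add((scope, right))
    return problems


def validate_manifest(manifest_xml):
    """Parse and validate in one step, as a packaging-time check."""
    return validate_requests(parse_permission_requests(manifest_xml))


# Constructed sample manifest with a misspelt right (Wrire), so the check has
# something to catch. ProductID is a placeholder GUID.
SAMPLE_MANIFEST = """\
<App xmlns="http://schemas.microsoft.com/sharepoint/2012/app/manifest"
     Name="SampleAppDevelopment"
     ProductID="{00000000-0000-0000-0000-000000000000}"
     Version="1.0.0.0" SharePointMinVersion="15.0.0.0">
  <Properties><Title>Sample App Development</Title></Properties>
  <AppPrincipal>
    <RemoteWebApplication ClientId="7acdfebb-4265-5214-b8d6-657645312987" />
  </AppPrincipal>
  <AppPermissionRequests>
    <AppPermissionRequest Scope="http://sharepoint/content/sitecollection/web" Right="Read" />
    <AppPermissionRequest Scope="http://sharepoint/content/sitecollection/web/list" Right="Wrire" />
  </AppPermissionRequests>
</App>
"""

if __name__ == "__main__":
    for problem in validate_manifest(SAMPLE_MANIFEST):
        print("manifest problem:", problem)
```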

App permissions - when and how:
App permissions are granted when an app is installed by a web site administrator or when a user grants them explicitly, and they are removed when the app is removed.

App permissions are stored in the content database under the app ID. Each content database registers the details of its apps; when an app is granted permissions or deleted, the corresponding permissions in the content database are granted or deleted as well.

App authentication and authorization:
App authentication can take several paths. If the call is not an OAuth call, it is allowed on the basis of the SharePoint principal associated with the app web. If it is an OAuth call, SharePoint uses Windows Azure Access Control Service (ACS).

App authorization uses one of three policies, depending on the authenticated identity: user-only, user+app and app-only.
The user-only policy is what SharePoint 2010 used; authorization considers only the user account.
The user+app policy considers both the user identity and the app identity.
The app-only policy considers only the app identity. For example, if four people (A, B, C, D) work in a site and only A wants to use the app, app-only permissions apply for user A as elevated permissions; the remaining people cannot use the app.
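The three policies above, together with the scope inheritance rule from the permission scopes section, can be modelled in a few lines. This is an added example, not code from the post or from SharePoint: under user+app both identities must hold the right, so the weaker one wins, while app-only uses the app's own grant, which is why the post calls it elevated. Scope URIs and right names follow the manifest spelling; representing user permissions on the same scope URIs is a simplification, and the grants are constructed sample data.

```python
# Right ordering from the post: Read < Write < Manage < FullControl, each
# level including the ones below it. "None" stands for no grant at all.
RIGHT_LEVEL = {"None": 0, "Read": 1, "Write": 2, "Manage": 3, "FullControl": 4}
LEVEL_RIGHT = {level: right for right, level in RIGHT_LEVEL.items()}


def right_at(grants, target_scope):
    """Highest right that a set of grants gives at target_scope.

    grants maps a scope URI to a right. A grant covers target_scope when the
    scopes are equal or the granted scope is an ancestor of the target
    (the inheritance rule the post describes for site-level permissions).
    """
    best = 0
    for scope, right in grants.items():
        if target_scope == scope or target_scope.startswith(scope + "/"):
            best = max(best, RIGHT_LEVEL[right])
    return LEVEL_RIGHT[best]


def effective_right(policy, user_grants, app_grants, target_scope):
    """Resolve the right that actually applies under one of the three policies."""
    user = RIGHT_LEVEL[right_at(user_grants, target_scope)]
    app = RIGHT_LEVEL[right_at(app_grants, target_scope)]
    if policy == "user-only":        # SharePoint 2010 style: app identity ignored
        level = user
    elif policy == "user+app":       # both must hold the right, so the weaker wins
        level = min(user, app)
    elif policy == "app-only":       # the app acts on its own, elevated above the user
        level = app
    else:
        raise ValueError("unknown policy %r" % policy)
    return LEVEL_RIGHT[level]


def is_allowed(policy, user_grants, app_grants, target_scope, needed):
    """True when the effective right reaches the right an operation needs."""
    effective = effective_right(policy, user_grants, app_grants, target_scope)
    return RIGHT_LEVEL[effective] >= RIGHT_LEVEL[needed]


# Constructed sample data. The app's grants mirror a manifest that requests
# Read on the web and Write on a list (as in the manifest example above).
LIST = "http://sharepoint/content/sitecollection/web/list"
APP_GRANTS = {
    "http://sharepoint/content/sitecollection/web": "Read",
    LIST: "Write",
}
USER_A = {"http://sharepoint/content/sitecollection": "FullControl"}  # site owner
USER_B = {"http://sharepoint/content/sitecollection/web": "Read"}     # visitor

if __name__ == "__main__":
    for policy in ("user-only", "user+app", "app-only"):
        for name, user in (("A", USER_A), ("B", USER_B)):
            print(policy, "user", name, "->", effective_right(policy, user, APP_GRANTS, LIST))
```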

Tuesday, March 26, 2013

SharePoint 2013 - Security model, Authentication and Authorization

SharePoint 2013 has both claims-based and classic-mode authentication. Claims authentication is the default; classic mode is deprecated and can be managed only through Windows PowerShell.
The MigrateUsers method from SharePoint 2010 has been removed; accounts are migrated with Windows PowerShell commands.
SharePoint 2013 also provides more logging for troubleshooting.

For apps, SharePoint 2013 introduces a new identity associated with a security principal, called the "app principal". Like regular SharePoint users and groups, the app principal has its own rights and permissions.

The server-to-server Security Token Service (STS) issues access tokens for server-to-server communication. It allows temporary access to other services, such as apps for SharePoint.

Authentication and authorization:
SharePoint 2013 supports access control for users at site, list, list item and folder level. Security management is role based at every level, giving consistent security management across SharePoint. Like SharePoint 2010, SharePoint 2013 supports a role-based user interface and object model for assigning permissions, so list-level, item-level and folder-level security follow the same model as web-site-level security and are easy to maintain.

Authorization means that, once SharePoint has identified and authenticated the current user, it decides which actions that user may perform on a specific object such as a list, library, site, web or folder. SharePoint 2013 does not implement authentication or identity management itself; it relies on external systems, whether Windows or non-Windows authentication.

SharePoint 2013 supports the following authentication methods:

Windows authentication: all IIS and Windows authentication options are supported, including Basic, Digest, certificate, NTLM and Kerberos authentication. With Windows authentication, IIS performs the authentication on behalf of SharePoint 2013.

Forms authentication: a non-Windows authentication system based on ASP.NET forms authentication. This mode works with a variety of identity management systems, including externally defined groups or roles such as LDAP and lightweight database identity management systems. With forms authentication, ASP.NET performs the authentication for SharePoint. In SharePoint 2013, ASP.NET forms authentication is supported only with claims authentication, and the forms provider must be registered within the web application configured for forms.

Claims-based identity and authentication:
Claims-based identity is an identity model in SharePoint that includes features such as authentication across users of Windows-based and non-Windows-based systems, and support for multiple authentication types.

When a user signs into SharePoint 2013, the user token is validated and used to sign the user in. The user token is a security token provided by a claims provider. The following sign-in modes are supported:

  • Windows Claims mode sign-in
  • SAML passive sign-in mode
  • ASP.NET membership and role sign-in
  • Windows classic mode sign-in
When you build claims-based applications, the user presents an identity to the application as a set of claims. One claim could be the user name, another might be the e-mail address.

Under this model, single sign-on is much easier to achieve, and the application is no longer responsible for the following:
  • Authenticating users
  • Storing user accounts and passwords
  • Integrating with other platforms or systems

Forms-based authentication:
Forms-based authentication provides custom identity management in SharePoint 2013 through a membership provider, which is used to identify and authenticate users, and a role manager. In SharePoint 2013 the membership provider must implement the System.Web.Security.Membership.ValidateUser method and is responsible for validating the credentials with it. The actual token, however, is created by the Security Token Service (STS): the STS builds the user token from the user name validated by the membership provider and from the set of group memberships for that user name supplied by the membership provider. With ASP.NET membership, sign-in happens by redirecting the client to the web page that hosts the ASP.NET log-in form. After the identity is created, SharePoint 2013 converts it into a Microsoft.IdentityModel.Claims.ClaimsIdentity object, the claims-based representation of the user.

Monday, March 25, 2013

SharePoint 2013 - Callouts, creating custom callouts

The callout pop-up is another UI change in SharePoint 2013. The Metro UI was introduced in SharePoint 2013, and callouts are one of its new concepts: a very lightweight UI element that shows item or user information and offers actions.

The images below show some of the callouts in SharePoint 2013.
For a document library:

Task list:

The callout structure consists of:

Title: the title area of the callout.

Content: the content area.

Close: the close button. A callout can be closed with the close button, by clicking outside the callout, or by pressing Escape.

Beak: how the callout points at its launch point. There are two options, top-to-bottom and left-to-right, which determine the direction in which the callout appears when the link is clicked or hovered.

SharePoint 2013 callouts:
SharePoint 2013 ships special JavaScript files for callouts. Callout.js is the main JavaScript file for callouts, and all of these files are located under the 15/layouts folder. The image below shows the values in debugging mode.

How to create a callout:
Create an HTML element as the launch point for the callout. This is the source (click or hover target) that opens the callout pop-up.

<div id="calloutLaunchPoint">callout Launch Point</div>

Configure the options for the callout: choose the HTML element it attaches to and set its options. The configuration is specified through the CalloutOptions class.

<script type="text/javascript">
var calloutOptions = new CalloutOptions();
calloutOptions.ID = 'calloutID';
// the element the callout attaches to
calloutOptions.launchPoint = document.getElementById('calloutLaunchPoint');
calloutOptions.beakOrientation = 'leftRight';
calloutOptions.content = 'content';
calloutOptions.title = 'title';
var callout = CalloutManager.createNew(calloutOptions);
</script>

Here is simple code to create a custom callout; copy it and paste it into the page.

<script type="text/javascript">
// wait for callout.js before touching the callout API
ExecuteOrDelayUntilScriptLoaded(CallOut, "callout.js");
function CallOut() {
    var targetElement = document.getElementById('calloutLaunchPoint');
    var calloutOptions = new CalloutOptions();
    calloutOptions.ID = 'notificationcallout';
    calloutOptions.launchPoint = targetElement;
    calloutOptions.beakOrientation = 'topBottom';
    calloutOptions.content = 'content';
    calloutOptions.title = 'title';
    var callout = CalloutManager.createNew(calloutOptions);
}
</script>
<div id="calloutLaunchPoint">callout Launch Point</div>

The code must be placed in the page through the Embed Code option.

Here is the image that shows the callout.

Callout actions:

Action options are configured through the CalloutActionOptions object.
Actions have the following options:

Text: required.

OnClickCallback: a function that handles the action's click event. It is required if you do not want any menu options. It takes two parameters, the standard HTML DOM event and the action object.

Here is the code that launches an action item in a callout.

<script type="text/javascript">
ExecuteOrDelayUntilScriptLoaded(CreateCallOutPopup, "callout.js");
function CreateCallOutPopup() {
    var targetElement = document.getElementById('LaunchCallout');
    var calloutOptions = new CalloutOptions();
    calloutOptions.ID = 'notificationcallout';
    calloutOptions.launchPoint = targetElement;
    calloutOptions.beakOrientation = 'leftRight';
    calloutOptions.content = 'content';
    calloutOptions.title = 'title';
    var displayedPopup = CalloutManager.createNew(calloutOptions);
    var customAction = new CalloutActionOptions();
    customAction.text = 'Action 1';
    customAction.onClickCallback = function (event, action) {
        alert("This is a JavaScript alert on Custom Action");
    };
    var _newCustomAction = new CalloutAction(customAction);
    // the action only appears once it is attached to the callout
    displayedPopup.addAction(_newCustomAction);
}
</script>
<div id="LaunchCallout">Launch Callout</div>

[The code must be added through Embed Code, as explained above.]

It will show the callout as in the image below.

I'll show drop-down options in callouts in my next post.

Sunday, March 24, 2013

SharePoint 2013 - Workflows

Workflow is one of the major changes from SharePoint 2010 to SharePoint 2013. In SharePoint 2010, workflows were developed for and ran on Windows Workflow Foundation 3.5. In SharePoint 2013 Microsoft chose a new path: workflows run on Windows Workflow Foundation 4.5, and they are no longer hosted by SharePoint. All new SharePoint 2013 workflows are hosted by a new product, Windows Azure Workflow, which is separate from SharePoint 2013. The images below show the workflow changes from SharePoint 2010 to SharePoint 2013.

SharePoint still supports .NET Framework 3.5 workflows, but only to execute SharePoint 2010 workflows. Windows Azure Workflow can also call .NET 3.5 workflows through the Interop activity.

When a new workflow is created and published to SharePoint 2013, SharePoint keeps the definition and publishes it to the Windows Azure Workflow server. When the workflow is started in SharePoint, SharePoint asks the Windows Azure Workflow server to start it and passes the context to the workflow. Windows Azure Workflow uses the client object model to read information and run the workflow.

As in SharePoint 2010, there are built-in options for retrying workflows, and SP2013 and Windows Azure Workflow keep this feature: if there is a problem with a workflow it keeps trying the alternative, and work is queued for later processing. The client object model has many APIs for viewing and interacting with workflows, and Windows Azure Workflow also exposes REST APIs for checking what is happening.

Creating workflows

The big change from the 2010 to the 2013 workflow framework is that there is no custom code: all workflows are declarative and are created in SharePoint Designer or Visual Studio 2012. Custom logic goes into a WCF service hosted outside SharePoint and accessed through HTTP actions. The advantage is that such a service can be called from either Designer or Visual Studio.

Big improvements in SharePoint Designer 2013 are loops and Office-style controls such as copy and paste.

Stages in workflows

Stages are the new concept that replaces SharePoint state machine workflows. A workflow can have one or more stages; each stage has a gate and an end, which determine where the workflow starts and, depending on conditions, where it goes next or whether it ends.

What's new in SharePoint Designer workflows

As mentioned earlier, there are loops and Office controls, and there is also a visual designer through Visio, so workflow properties can be edited visually.

Workflows through Visual Studio

The new change in Visual Studio is that workflows are created declaratively; custom code goes into a WCF service hosted outside SharePoint, which is called through HTTP activities. There is a new data type called DynamicValue for holding the data returned by the WCF service.

What is the DynamicValue data type?

When a WCF service is called over HTTP, it returns an object of type DynamicValue, a new data type in Windows Azure Workflow. Other activities can pull data out of a DynamicValue using XPath-style notation.

Workflows with apps

Yes, a workflow can be created as an app in SharePoint, using the workflow as the app's logic; the code must therefore be client-side. Suppose, for example, that e-mail has to be sent to users: a workflow is created in the app, and when the app is deployed to a site it calls the workflow hosted on Windows Azure servers, which in turn calls a WCF service containing the custom code.

Friday, March 22, 2013

SharePoint Managed Paths

In SharePoint, web applications have managed paths. When a new site collection is created in a web application, the root site collection is created at the web application URL by default; the remaining site collections are created under the '/sites' managed path. A site collection named 'test' therefore lands under '/sites'. You can create your own managed paths in SharePoint instead of using the existing ones.

In SharePoint 2010: Central Administration -> Application Management -> Manage Web Applications; select the web application and, on the ribbon at the top, click Managed Paths. There you can create your own managed paths.

By default there are two managed paths: (root), an explicit inclusion, and sites, a wildcard inclusion.

Explicit inclusion and wildcard inclusion:

With an explicit inclusion you cannot create more than one site collection under the managed path. For example, if you create an explicit managed path 'MyExplicitPath', you can create only one site collection, "http://Servername:9090/MyExplicitPath"; there is no option to create another one. You can see this in the image below.

As the image above shows, there is only one site collection at the 'MyExplicitPath' managed path.

With a wildcard inclusion you can create multiple site collections under the managed path. For example, if you create a managed path 'MyWildCardPath', you can add multiple site collections under it:
  • http://servername:9090/MyWildCardPath/SiteCollection1
  • http://servername:9090/MyWildCardPath/SiteCollection2
  • http://servername:9090/MyWildCardPath/SiteCollection3
  • ...

As shown in the image above, wildcard inclusion adds a text box after the managed path, so multiple site collections can be created.

Choose explicit inclusion to create a single, unique site collection at a managed path, and wildcard inclusion to create multiple site collections under a managed path.
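The two inclusion rules above determine which site collection (and so which permission boundary) owns a request URL. This is an added example, not code from the post or from SharePoint: it resolves a URL to its managed path and site collection, giving the deepest match precedence so that '/sites/x' is not mistaken for the root site collection, and applies the one-per-explicit-path rule when a new site collection is proposed. The managed paths and URLs are constructed sample data.

```python
from urllib.parse import urlsplit

# Constructed web-application configuration: managed path -> inclusion type.
# (root) and sites exist by default; the other two are the ones from the post.
MANAGED_PATHS = {
    "": "explicit",
    "sites": "wildcard",
    "MyExplicitPath": "explicit",
    "MyWildCardPath": "wildcard",
}


def _segments(path):
    """Split a URL path into lower-cased segments (SharePoint URLs are case-insensitive)."""
    return [s.lower() for s in path.strip("/").split("/") if s]


def resolve_site_collection(url, managed_paths=MANAGED_PATHS):
    """Return (managed_path, site_collection_url) for the site collection that owns url.

    An explicit inclusion is itself the site collection; a wildcard inclusion
    takes exactly one more segment as the site collection name. The deepest
    match wins, and the (root) explicit path catches everything else.
    """
    raw = [s for s in urlsplit(url).path.split("/") if s]
    low = [s.lower() for s in raw]
    best_path, best_depth = None, -1
    for path, kind in managed_paths.items():
        mp = _segments(path)
        if low[:len(mp)] != mp:
            continue
        depth = len(mp) if kind == "explicit" else len(mp) + 1
        if depth > len(low):
            continue  # wildcard path requested without a site collection name
        if depth > best_depth:
            best_path, best_depth = path, depth
    if best_path is None:
        return None
    return best_path, "/" + "/".join(raw[:best_depth])


def can_create_site_collection(new_url, existing_urls, managed_paths=MANAGED_PATHS):
    """Apply the post's rule: one site collection per explicit path, any number
    (with distinct names) under a wildcard path, and new_url must be a site
    collection root rather than something inside an existing one."""
    resolved = resolve_site_collection(new_url, managed_paths)
    if resolved is None:
        return False
    path, sc_url = resolved
    requested = "/" + "/".join(s for s in urlsplit(new_url).path.split("/") if s)
    if requested.lower() != sc_url.lower():
        return False
    taken = [resolve_site_collection(u, managed_paths) for u in existing_urls]
    if managed_paths[path] == "explicit":
        return all(t is None or t[0] != path for t in taken)
    return all(t is None or t[1].lower() != sc_url.lower() for t in taken)


if __name__ == "__main__":
    for u in ("http://servername:9090/MyWildCardPath/SiteCollection2/Lists/Tasks",
              "http://Servername:9090/MyExplicitPath/Shared%20Documents",
              "http://servername:9090/sites"):
        print(u, "->", resolve_site_collection(u))
```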

Wednesday, March 20, 2013

SharePoint 2013 - App Model

The app model is the major and most interesting change from SharePoint 2010 to SharePoint 2013; it brings a new set of opportunities for development. Before going into the app model, a few things to check:

What development models do we have in SharePoint?

  • We have the solution package model, the client object model and the ECMAScript object model. The solution package models, farm solutions and sandboxed solutions (extended in SharePoint 2010), are not deprecated and are not going away; there is no change to either of them.
  • The app model does not support SharePoint server-side code; there is not even the limited access that sandboxed solutions have. All code must run on the client side (JavaScript) or outside SharePoint (for example in Azure or another hosting platform) and connect back to SharePoint remotely.
  • Only SharePoint 2013 supports the app model; there is no support for earlier versions of SharePoint yet.
Why the app model?

In SharePoint 2010, with farm solutions, custom code was deployed onto the server. Deploying everything to the server means that an IT consultant with console access had to upload the solution package to the server, so farm-level access was required to deploy the solution. This only works on-premises and is not suitable for hosted deployment. For both farm and sandboxed solutions the developer needs a full understanding of the server and command of the server API. Farm solutions are not suitable for a cloud environment; sandboxed solutions can be used in the cloud, but their many limitations put users off: for example, sandboxed solutions cannot call external web services and can access only a limited set of SharePoint APIs.

The app model is designed mainly for cloud hosting. It uses no server-side code, only client script such as JavaScript or jQuery, and works on top of the SharePoint framework, keeping the environment light. Apps can be migrated easily and added easily from the app store.

App isolation

Apps are isolated: one app cannot talk to another. When an app is installed, SharePoint creates a sub site inside the existing site, and the app runs under a separate domain; an app ID is generated by SharePoint.

There is no way to call the app other than through its URL. If you try to call the app from the parent site (the site in which the app was created or installed), it is reachable only through that URL. The reason is isolation: apps run under a separate domain, because if they ran under the same domain an app's JavaScript could access the site's data, which would be a security issue. So Microsoft chose a separate domain, unique to each app, to prevent cross-site attacks.

An app can be presented to users in three ways:

  • Immersive app: the app takes an entire page; clicking the app redirects to that page. Every app has this, because every app has a start page.
  • App part: the app occupies part of a page, similar to a web part; for example, a map widget that shows a location.
  • Custom action app: the app appears as a ribbon control or a menu item, for example a print option.
Scope of an app

There are two choices for the app scope:

  • Web scoped: web-scoped apps live only within the app web.
  • Tenant scoped: the app can be published to the entire company or to the public.
Availability of apps

Just like mobile apps, there is a marketplace for SharePoint apps where apps can be acquired or bought. A company can have a private marketplace for its employees, and Microsoft has its marketplace in the cloud, through which developers can develop and sell their apps. Third-party marketplaces are likely to launch as well, which will add spice to the app market and boost competition.

Types of apps

There are three app development models for building apps:

  • SharePoint-hosted apps: everything is within SharePoint only. When the app is installed, a new site is created within SharePoint and all the app content (lists, pages, site columns, content types, etc.) is kept in SharePoint. All processing happens in the client browser through client-side scripting.
  • Developer-hosted apps / external apps: all the logic is external to SharePoint. The logic may be in any technology (.NET, Java, PHP, ...) on any infrastructure (IIS, Apache, ...), and SharePoint works as a launching pad for it. It can do anything; the name "developer/external" reflects that the developer or an external party is responsible for the code.
  • Azure- or auto-hosted apps: the app is located in the cloud. When the app is downloaded from the cloud and installed in a site, it automatically creates the site and also provisions a new Azure website. We can build this type of app and host it in the cloud.
What do I need to develop apps?

Before developing and deploying apps, some configuration is needed:

  • The Subscription Settings service and the App Management service must be running.
  • A DNS domain must be created to provide unique URLs for apps.

What can apps do?

  1. Remote event receivers
  2. Deploy new fields based on existing field types
  3. Provision lists and content types within the app website
  4. Custom application pages
  5. Consume custom web services

What can't apps do?

  1. Custom Site Definitions
  2. Delegate Controls
  3. Custom Themes
  4. Custom Action groups and Custom Hidings
  5. Custom User Controls
  6. Timer Jobs
  7. Workflows

Thanks to Salman's blog and Andrew Connell for providing very useful posts on the app model.

Monday, March 18, 2013

SharePoint - Check whether a list exists in a site using the TryGetList() method

In SharePoint, most data operations go through lists and libraries, and we access a list through the SharePoint object model to get its data. If the site does not contain a list with the given name, the indexer returns a null reference exception. To handle that, the object model provides the TryGetList(string listName) method.

Here is code to compare the two approaches.

using Microsoft.SharePoint;

SPList currentList = null;
using (SPSite currentSite = new SPSite("http://servername:5656"))
{
    using (SPWeb currentWeb = currentSite.OpenWeb())
    {
        // throws if no list named "MyList" exists in the web
        currentList = currentWeb.Lists["MyList"];
    }
}

In the code above, if there is no list named "MyList", the line currentList = currentWeb.Lists["MyList"]; returns a null reference exception. To avoid it we could wrap the line in a try/catch block, but routinely placing try/catch blocks around such calls is not good code.

The SharePoint object model has a built-in method, TryGetList(string listName). If a list with the given name exists, it returns the SPList object; if not, it returns null.

using Microsoft.SharePoint;

SPList currentList = null;
using (SPSite currentSite = new SPSite("http://servername:5656"))
{
    using (SPWeb currentWeb = currentSite.OpenWeb())
    {
        // null when the list is missing, no exception to catch
        currentList = currentWeb.Lists.TryGetList("MyList");
    }
}

The caller can then simply check for null.

SharePoint - The trial period for this product has expired

While working on SharePoint 2010, one fine Monday morning I came to the office and started my work. I started browsing my SharePoint dev site and it showed an error message, "The trial period for this product has expired."

I am very sure that I am not working on any trial product. I started googling it and found three reasons for that error:

  • My SharePoint is a trial version and it has expired.
  • A problem with my Central Administration application pool account.
  • A problem with my registry.
There is a 0% chance of the first one. If it were the case, I would have only one choice to fix it (get a licensed version of SharePoint :))

Checking the second option: go to IIS Manager and check the Central Administration site's application pool account. It was running with Network Credentials. The account running the application pool needs to be in the local Administrators group, so I just changed the application pool account to Administrator.

Run -> inetmgr -> Application Pools -> SharePoint Central Administration -> Advanced Settings -> Identity (change the account)

Or add the current application pool identity account to the local Administrators group.

Run "iisreset".

If you still have the same issue, some SharePoint secure resources might not be configured correctly. You need to run the SharePoint Configuration Wizard or run the command
"psconfig.exe -cmd secureresources" (C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\Bin\psconfig.exe -cmd secureresources).

Friday, March 15, 2013

SharePoint 2013 - Minimal Download Strategy

Minimal Download strategy:

Minimal Download Strategy (MDS) is an enhancement introduced in SharePoint 2013. It improves page rendering performance when large parts of the page do not change, giving the user a more fluid navigation experience.

For example, when navigating from the home page to the Shared Documents page, mainly the content area changes; there are only minor changes to other parts such as the top navigation and side navigation (global navigation and quick launch), as shown in the images below.

In the general AJAX case, each control talks to the server on its own. In SharePoint, chrome controls are built around the URL. Minimal Download Strategy introduces a download manager (DM) that sits between client and server and retrieves data as needed, based on the initial request; each control talks to the DM to update itself.

A SharePoint page has two main parts: the chrome and the content area.

The chrome, defined by the master page, includes the overall layout, core styling, page behaviour, the location and size of the content area, and common controls such as navigation that are shared across pages.

The content area, defined by the content page, inherits styles from the master page and interacts with the controls in the chrome.

Unlike previous SharePoint versions, the page is not fully loaded on every request. MDS reduces the amount of data that needs to be downloaded, such as CSS and scripts, so browser parsing and rendering time decreases, performance improves, and transitions are smoother.

Minimal Download Strategy serves pages through start.aspx, with the target page URL encoded after a '#' in the URL. When navigating between two pages, only the differences are downloaded; the download manager is responsible for computing the difference between the source and destination pages.

Enable or disable:

The Minimal Download Strategy feature can be activated or deactivated in Site Features (Site Actions -> Site Features), as shown in the image. It is activated by default.

Thursday, March 14, 2013

SharePoint 2013 Apps - Error occurred in deployment step 'Install App for SharePoint': The requested service, '../AppMng.svc' could not be activated. See the server's diagnostic trace logs for more information.

SharePoint 2013 is very interesting for me. While developing a custom app with Visual Studio 2012 and deploying it, I got an error:

Error occurred in deployment step 'Install App for SharePoint': The requested service, '<SiteURL>/AppMng.svc' could not be activated. See the server's diagnostic trace logs for more information.

Entering the URL in my browser gave me more information:

Memory gates checking failed because the free memory is less than 5% of total memory. As a result, the service will not be available for incoming requests. To resolve this, either reduce the load on the machine or adjust the value of minFreeMemoryPercentageToActivateService on the serviceHostingEnvironment config element.

The message itself says that too many services are running on this machine; close some unused services or change the "minFreeMemoryPercentageToActivateService" value on the "serviceHostingEnvironment" element in web.config. By default it is 5; you can change it.

I just closed some unused applications, and that worked for me.

Monday, March 11, 2013

SharePoint 2013 - "Side Loading of apps is not enabled on this site" error while installing an app

If you get the error "Side Loading of apps is not enabled on this site" while deploying an app to a SharePoint 2013 site from Visual Studio, the main reason is that SharePoint 2013 has a new site template, "Developer Site", and apps can only be deployed this way to a developer site.

So the solution is simply to deploy the app to a developer site (a site or site collection created with the Developer Site template).

SharePoint 2013 - "Sorry, apps are turned off. If you know who runs the server, tell them to enable apps" when trying to add Apps

When adding apps to a SharePoint site, you need to configure apps for the SharePoint server manually.
The following steps are required:

  • Configure the app site collection
  • Configure the app domain
  • Configure an account for apps
  • Finally, if the web application uses a host header, create a new web application.
The following blog articles explain clearly how to configure apps for SharePoint.