Sandboxed Solutions – SharePoint 2010

So you have probably heard about this new "Sandboxed" solution "feature" of SharePoint 2010.  Sounds cool, right?  Well, let's just wait till your developers get ahold of it and start to screw with your users in production!

Some reservations I have include:

  • Point system is too high (300 points/day).  Really?  For each unhandled exception I get 1/50th of a point.  That means it would take 15,000 unhandled exceptions!

Let me put that into perspective for you.

  • What if you create an event receiver that has an unhandled exception on PURPOSE?
  • Deploy that event receiver to your site for a specific list (let's say only the most important one on the site)
  • Well, your end users will have the joy of trying to add/update an item 15,000 times while getting a nasty modal error popup before you hit 300 points and it is disabled
  • Oh, did I mention they would need to do that every morning?

Sounds fun right? No….

  • How about the fact that the resource points are only updated every 15 minutes?  Hmmm, guess that means I can do as many bad things as I want in 15 minutes and go over 300 points!
  • Oh, wait, what if the Timer service is NOT running?  No points will be updated…doh!

Not too sure about this whole Sandboxed Solution thang…how about you?
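
A monitoring check for the two gaps described above (points are only tallied periodically, and not at all when the Timer service is stopped). This is an added example, not code from the original post. It assumes the SharePoint 2010 Management Shell on a farm server, and the 80% alert threshold is an arbitrary choice.

```powershell
# Added example: run in the SharePoint 2010 Management Shell on a farm server.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Resource points are tallied by timer jobs, so a stopped Timer service
# (SPTimerV4) means sandbox usage is never counted against the quota.
$timer = Get-Service -Name SPTimerV4
if ($timer.Status -ne 'Running') {
    Write-Warning "SharePoint Timer service is $($timer.Status): resource points are not being updated."
}

$alertFraction = 0.8   # assumption: flag site collections at 80% of their quota

foreach ($site in Get-SPSite -Limit All) {
    try {
        # Only site collections with an activated sandboxed solution matter here.
        $active = @(Get-SPUserSolution -Site $site |
                    Where-Object { $_.Status -eq 'Activated' })
        if ($active.Count -eq 0) { continue }

        $max     = $site.Quota.UserCodeMaximumLevel   # resource point quota for the site collection
        $current = $site.CurrentResourceUsage         # usage as of the last tally

        $state = 'OK'
        if ($max -gt 0 -and $current -ge $max) {
            $state = 'EXCEEDED'
        }
        elseif ($max -gt 0 -and $current -ge ($max * $alertFraction)) {
            $state = 'NEAR LIMIT'
        }

        New-Object PSObject -Property @{
            Site      = $site.Url
            Solutions = ($active | ForEach-Object { $_.Name }) -join ', '
            Points    = [math]::Round($current, 2)
            Quota     = $max
            State     = $state
        }
    }
    finally {
        $site.Dispose()   # SPSite objects must be disposed explicitly
    }
}
```

Because the reported usage lags real usage, a site collection that shows NEAR LIMIT may already be past its quota by the next tally.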



State Service Application – SharePoint 2010

So, you decided not to use the Configuration Wizard to set up your Service Applications like I did, eh?  So you probably got as far as I did…one item you can't create from the menu is the "State Service Application".

So how do you create it manually?  Well, you could try the PowerShell commands in some order like this (don't do this, by the way):


This of course will create everything, but for some reason the state service application doesn't see the database.  I'm not a 10 of 10 on PowerShell just yet and b/c I'm currently too lazy to open up Visual Studio and reverse engineer the Object Model, I decided to figure out how to get it to work in some other way!

Turns out, the solution lies in the Configuration Wizard for the farm on the Central Administration site.  Just delete the State Service Application, then run the wizard.  It will give you the options for anything that doesn't exist, and that would include our lovely state service application.  It will then build the appropriate connections and ta-da!  It all just magically works.   I'm still not totally satisfied that my PowerShell commands didn't work, but hey, beta right?

One other step, you have to turn on the "In Proc" session state in the IIS 7.0 Manager for each web application.



SharePoint 2010 Content DB versus SharePoint 2007 Content DB

Here are the changes between the content database structure of 2007 and 2010.  AGAIN, this is based on beta!

  • New Tables:
    • AllFileFragments
    • AllListsAux
    • AllListsPlus
    • AllListUniqueFields
    • AllLookupRelationships
    • AllWebParts
    • CustomActions
    • Resources
    • SharedAccessRequests
    • SiteDeletion
    • SolutionResourceUsageDaily
    • SolutionResourceUsageDailyOrdinal
    • SolutionResourceUsageLog
    • SolutionResourceUsageWindowed
    • Solutions
    • WebsPlus
  • Deleted Tables:
    • Categories
    • Image0x
    • WebCat
    • WebParts
  • Added Columns
  • Deleted Columns
  • New Stored procedures
  • Deleted Stored Procedures


SharePoint 2010 versus SharePoint 2007 Object Model (Microsoft.SharePoint.dll)

Here are the differences between the new object model (Microsoft.SharePoint.dll) and the old.  Some classes/interfaces/enums were removed, but nothing that looks to hurt anyone.  The really cool part though…no properties or methods were removed between the two versions (doesn't mean that they are not deprecated, however)!  NOTE: This is based on a beta version of SharePoint 2010.

  • Classes/Interfaces/Enums in 2007:   3225
  • Classes/Interfaces/Enums in 2010:   6658
  • New namespaces in 2010:    46
    • Microsoft.BusinessData
  • I have attached lists of
    • All new classes/interfaces
    • All removed classes/interfaces
    • All Property Changes (adds and deletions) to old classes
    • All Methods Changes (adds and deletions) to old classes




SharePoint 2010 Records Center Greatly Improved

So far I am very impressed with the new Records Center site definition and architecture of SharePoint 2010.  Some of the new features include:

  • New and informative page for administering the Records Center (allows newbies to work with the record center easily)
  • Routing Rules based on submitted record properties (not just the content type anymore) – COOL
  • Routing to a different site (not just on the Records center site only anymore) – NICE
  • Routing Priority (allows for more complex routing scenarios)
  • Retention expiration can be based on the typical fields (ModifyDate, CreateDate) and a new one called "Declared Record" (when it was defined as a record)
  • On Expiration has the following actions:
    • Move to Recycle Bin
    • Permanently Delete
    • Transfer to Another Location
    • Start a workflow
    • Skip to Next Stage
    • Delete previous drafts
    • Delete all previous versions

At a farm level you can:

  • Configure Send To Connections by Web Application (versus Farm in 2007)
  • Allow multiple send to Connections
  • Three options on "Send" event (Copy, Move, Move and leave link)
  • On submission, the final "resting" place is returned for the item

Nice changes!

Async Web Parts in SharePoint 2007/2010

Some of you may have seen my tweet:  "#sp2010 web parts have a new "AJAX Options" in the tool pane, u can enable "Asynchronous refresh" for each web part. Be careful w this!"

Why?  It reminded me of a little known fact when creating async tasks server side with web parts.  You should watch out for the async page loading of web parts because of this setting in the web.config file:

In SharePoint 2007, WebPartWorkItem has default setting of 7000ms.
In SharePoint 2010,  guess what!  The WebPartWorkItem section is GONE (even though a sectionhandler still exists)!  What the default is these days…who knows!?!  I'm guessing it is still 7000ms.

Anything registered with RegisterWorkItemCallback will be included in the timeout (can cause later web parts to error if a previous web part uses it all).  It is described in an article hidden waaaayyyy down in the bowels of MSDN:

Again, be careful with this when running async operation on the server – convert as much as you can to Client Object Model (AJAX)! 

Now, let me tell you, *most* web parts in SharePoint 2010 are being loaded via AJAX,  this means no more annoying full page refreshes of each web part on a page, we can refresh them separately from each other!  Sweet!


SharePoint 2010 BCS/BDC Schema changes

When migrating your BDC app def files, here are some changes I found so far, also I have attached the 2010 BDC Schema (please note this is beta version):

  • Root element must be:
    • <Model xmlns=""   Name="AdventureWorksSample">
  • A <LobSystems> element must wrap your <LobSystem>
  • Your Entities are now partitioned to namespaces (have to add the Namespace attribute) 
  • Your Entities are versioned now!  (have to add the Version attribute)
  • Stricter second-level validation rules: the IsCollection attribute must be "false"
    • SpecificFinder should only return one thing, not sure I like this or not
    • A SpecificFinder cannot have the "IDataRecord" Wrapper anymore, you must remove this extra level!
    • Forces the creations of a new singleton method with possibly the same parameters (breaking one of my dev rules [don't copy and paste]…hmmm)
    • You will have to move your default values to the correct methods (don't copy paste your method definitions unless you want to waste A LOT of time)
  • In relationship/association methods, you must specify the IdentifierEntityNamespace of the related entities
  • Association is no longer at the rear of the file, it is specified as a subElement of MethodInstance of Method of an Entity
    • Namespace attribute must be on SourceEntity and DestinationEntity

If you really don't want to deal with this, send a tweet to Lightning Tools for an automated conversion tool called BDC Metaman!
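
A pre-flight check for the rules listed above, to run over a migrated model before importing it. This is an added example, not code from the original post or a Microsoft tool. The sample model is constructed and deliberately half-migrated, with the xmlns left out; reading the IsCollection rule as applying to the return TypeDescriptor of a SpecificFinder method is an assumption.

```powershell
# Added example: constructed, half-migrated model (no xmlns, LobSystem not
# wrapped, Entity missing Version, SpecificFinder returning a collection).
[xml]$sample = @'
<Model Name="AdventureWorksSample">
  <LobSystem Name="AdventureWorks">
    <Entities>
      <Entity Name="Product" Namespace="Sample">
        <Methods><Method Name="GetProduct">
          <Parameters><Parameter Name="Result" Direction="Return">
            <TypeDescriptor Name="Products" IsCollection="true" />
          </Parameter></Parameters>
          <MethodInstances><MethodInstance Name="GetProduct" Type="SpecificFinder" /></MethodInstances>
        </Method></Methods>
      </Entity>
    </Entities>
  </LobSystem>
</Model>
'@

function Test-BdcModel2010 ([xml]$Xml) {
    # GetElementsByTagName matches on the element name, so the same checks
    # work on a real model that declares a default xmlns.
    if ($Xml.DocumentElement.LocalName -ne 'Model') { 'Root element must be <Model>' }
    foreach ($lob in $Xml.GetElementsByTagName('LobSystem')) {
        if ($lob.ParentNode.LocalName -ne 'LobSystems') {
            "LobSystem '$($lob.GetAttribute('Name'))' is not wrapped in <LobSystems>"
        }
    }
    foreach ($name in 'Entity', 'SourceEntity', 'DestinationEntity') {
        foreach ($el in $Xml.GetElementsByTagName($name)) {
            $label = "$name '$($el.GetAttribute('Name'))'"
            if (-not $el.HasAttribute('Namespace')) { "$label has no Namespace attribute" }
            if ($name -eq 'Entity' -and -not $el.HasAttribute('Version')) { "$label has no Version attribute" }
        }
    }
    foreach ($m in $Xml.GetElementsByTagName('Method')) {
        $specific = @($m.GetElementsByTagName('MethodInstance') |
                      Where-Object { $_.GetAttribute('Type') -eq 'SpecificFinder' })
        if ($specific.Count -eq 0) { continue }
        foreach ($p in $m.GetElementsByTagName('Parameter')) {
            if ($p.GetAttribute('Direction') -ne 'Return') { continue }
            $top = $p.SelectSingleNode('*')   # outermost TypeDescriptor of the return value
            if ($top -and $top.GetAttribute('IsCollection') -eq 'true') {
                "Method '$($m.GetAttribute('Name'))': SpecificFinder returns a collection (IsCollection must be false)"
            }
        }
    }
}

Test-BdcModel2010 $sample   # emits one string per rule violation
```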


ACS SharePoint 2010 Courseware Release Schedule/Beta Program

This is the email I just sent out to the Training world.  If you would like to participate in the beta courseware program, drop us an email!

Dear Training Colleagues,


ACS just returned from the SharePoint 2009 Conference in Las Vegas!  The NDAs are now lifted and SharePoint 2010 is coming fast!  Are you going to be ready for it?


Here is a set of things you can do to get prepared for one of the hottest and most anticipated Microsoft releases in a very long time!


Upgrade one of your classrooms to run updated

  • All 64-bit machines
  • At least 8GB of memory
  • You will need at least 60-75GB of free space for the multiple images (2-3 images with diff drives)
  • You will need to run Hyper-V (Server 2008+) or Sun Microsystems (VirtualBox) to run the 64-bit host


We are aware of the gaps in the current MOC courseware and have defined 3 courses that we will be refreshing.  Our plan is not to compete against MOC at the same level, but simply supplement it with materials that will be needed with the April release of SharePoint 2010.  These will be courses that you can start promoting to your

  • Please note that these will not be loaded into the CWLibrary to begin but with time will be available for you to gain MVR credits.


Become part of the ACS beta courseware program:

  • We will give you access to the courseware before the product launches so you can get your trainers up to speed.
  • You will be required to sign an NDA in order to gain access to our course outlines (we should have these available end of this week) and the beta training materials (available end of Jan 2010).
  • Partner selection will be done this week to all interested parties.
  • You will be allowed to run the course to a select few students before the April release (Feb time frame, NOTE:  no other competing training providers are offering this!).  Please note this will be based on the public Nov. beta release of SharePoint 2010 and the revised RTM materials will be available approximately April 2010.


We look forward to working together to generate revenue off SharePoint 2010 next year!


As always, thanks!

Chris Givens

CEO, Architecting Connected Systems


SharePoint 2007/2010 Security

I'm a CISSP, computer science dude.  I can hack your computer, steal your credit card numbers and social engineer you all day long.  So when I say SharePoint is not secure, I mean it.  Case in point:

  • PROOF #1 – Any DBA can dump the contents of your content database by default in 2007 AND 2010.   Reference this blog post:
  • PROOF #2 – Web Application policy can be set up to give "Full Control" to anyone the Central Administrator decides to (including him or herself)
  • PROOF #3 – Site Collection Admins are "God" when it comes to the data in the Site Collection
  • PROOF #4 – Development = Production odds are less than 5% (once you give the developers the database backup, that's it, they own the content)
  • PROOF #5 – Ignorance kills your SharePoint – Removing certain blocked file types can cause security holes.  Reference this blog post:
  • PROOF #6 – Blind public deployments of SharePoint to the internet (the _vti_bin problem).  Reference this blog post:

Are these bad things?  Technically no, if you trust the people you have assigned to each role.  But keep in mind, social engineering is a powerful foe!

How do you/I/SharePoint 2007/2010 fix this?

  • FIX #1 – 2007/2010 – Implement IRM/DRM – this encrypts your files and locks them down no matter where they will go (covered in my 50149 operations course)
    • Search has to be setup to have read access across the IRM domain
  • FIX #2 – 2007/2010 – Implement custom actions or event receivers to encrypt the documents when they are "added", "checked in", decrypt on "check out"  (covered in my 50064 course)
    • Prevents SQL DBAs from doing PROOF #1
    • Problem is, you lose functionality (workflows are "Added", which means the files are encrypted – DOH!, search can't index your content)
  • FIX #3 – 2010 only – implement an encryption RBS (watch for this in my future courses)
    • Things are awesome,  content is encrypted in data store, Search is setup with Read permissions through SharePoint – LIFE IS GOOD, until someone (like me) social engineers your IW staff to give me what I want
  • FIX #4 – build some kind of scrub routine on your content database before you give it to your developers
    • Hard to do given the structure of the content database, but possible if everything is tagged with content types/meta data (easier to do in SP2010)
  • FIX #5 – Don't remove things from blocked file types unless you really know what you are doing!
  • FIX #6 – Don't blindly deploy your internet website using SharePoint, reduce your hacker footprint as much as possible!

In reality, there is no security in this world.  Sorry…is it fair of me to pick on SharePoint?  No; no matter what platform you choose, the same issues will exist!
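
An audit that reports where PROOF #2, #3 and #5 currently stand on a farm, so the people holding those roles are at least known. This is an added example, not code from the original post. It assumes the SharePoint 2010 Management Shell run as a farm administrator; `$baselineBlocked` and the `New-Finding` helper are constructed for the example.

```powershell
# Added example: run in the SharePoint 2010 Management Shell as a farm administrator.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Assumption: constructed sample of extensions that must stay blocked;
# replace it with your organisation's approved baseline.
$baselineBlocked = 'exe', 'dll', 'bat', 'cmd', 'vbs', 'ps1', 'asmx', 'ashx'

# Hypothetical helper: one uniform record per finding.
function New-Finding ($Check, $Scope, $Detail) {
    New-Object PSObject -Property @{ Check = $Check; Scope = $Scope; Detail = $Detail }
}

foreach ($wa in Get-SPWebApplication) {
    # PROOF #2: web application policies that grant Full Control.
    foreach ($policy in $wa.Policies) {
        $full = @($policy.PolicyRoleBindings |
                  Where-Object { $_.Type -eq 'FullControl' })
        if ($full.Count -gt 0) {
            New-Finding 'FullControlPolicy' $wa.DisplayName $policy.UserName
        }
    }

    # PROOF #5: baseline extensions that are no longer on the blocked file types list.
    $unblocked = @($baselineBlocked |
                   Where-Object { $wa.BlockedFileExtensions -notcontains $_ })
    if ($unblocked.Count -gt 0) {
        New-Finding 'UnblockedFileType' $wa.DisplayName ($unblocked -join ', ')
    }

    # PROOF #3: who holds site collection administrator rights.
    foreach ($site in Get-SPSite -WebApplication $wa -Limit All) {
        try {
            foreach ($admin in $site.RootWeb.SiteAdministrators) {
                New-Finding 'SiteCollectionAdmin' $site.Url $admin.LoginName
            }
        }
        finally {
            $site.Dispose()   # SPSite objects must be disposed explicitly
        }
    }
}
```

Saving the output on a schedule and diffing it against the previous run turns a new Full Control policy or a newly unblocked extension into a reviewable change.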


Windows Azure MessageBus for consumption by SharePoint 2010?

I recently tweeted:

"Azure needs to have a message bus for Social Computing Activity Streams with a common auth (LiveId/OpenID) and BizTalk like plugs…#DREAMIN"

But I have no doubt that it is going to happen. It will be a massive MSMQ (message queue) in the cloud with BizTalk like adapters that will allow us to send our "Encrypted" messages with routing info (very similar to the current EDI platforms today), but rather than EDI, we are free to choose our format other than a routing message on the top of it!

This all sounds familiar though, right?  I just mentioned EDI, a very condensed text/tab based format for sending data.  The problem with EDI: proprietary networks that have high entry costs and, let's face it, UGLY.  Will it continue to live?  Yeah, for a few more years at least.  What will it give way to?  XML has taken its fair share for the past 10 years; more likely…JSON formatted messages?  Definitely not XML; some of you may have seen my tweet "Web Services RIP (1999-2009)".  It was funny, and some people didn't like it too much, but unfortunately…it's TRUE.

What else sounds familiar?  Oh, only the fact that it has been done elsewhere too: Mastercard, Visa, and American Express have the largest transaction systems in the world.  Trillions of dollars of transactions (and similar number of transaction counts) occurring every day!  At a previous company we even tapped into the massive network of transactions (hence why I know how to get your credit card number) to pump messages into the systems.  We built memory based databases and built a massive message bus that accepted messages and routed them for processing by multiple subscribers, super cool stuff!  We even did object oriented database rather than the older relational forms (another long blog post).

What makes this time so different?  People.  Social Computing has opened the eyes of individuals to be able to "brag" through "ego" about what they are doing.  And it may not be all "ego", but pretty close.  So now we can see the concept of "Activity" streams being built around everything we do!  Every time we purchase something, start our car, make a phone call, all our everyday events will be able to be pumped into the message queue in the sky for subscribers to be able to "plug" into and watch our every move!

Thanks to innovative applications like Facebook, they have paved the way for every new application to have a concept of "Activity" streams in ATOM format where these messages are going to be bought and sold to the masses for behavior analysis!

And so on to our best friend SharePoint 2010.  SharePoint 2010 has an "extensible" activity stream.  This stream will allow every application you touch, to "pump" messages into the stream queue for people to monitor!  Imagine if you will, every system you work with inside your company pumping status messages back about you.  Are you doing your job?  Your activity stream says you aren't!  Thinking what I am thinking at this point?  Lots of applications, both good and bad will come of this. 

From a user standpoint, activity stream data will be VERY sensitive.  From an "Application" standpoint, if we are to say that a user in SharePoint is an "Application", then activity streams create a whole new world of possibilities!

If companies simply stick to a user is a user for their streams, we may start to see government step in soon and limit the types of things that WILL start to happen with the technology.

Insightful eh? Enjoy!