Author: givenscj

There are only a couple of posts on this across the web, none of which have any replies to them.  This is because this issue relates to any number of failures that can occur with the Workflow Manager service. 

One such error is when you attempt to send a DynamicValue as the request header to an HttpSend Activity.  If any of the headers have a significantly large string to them, you will cause a buffer overflow in the Workflow Manager Service. 

In Workflow Manager 1.0 RTM and service bus 1.0 RTM, this will lead to an error reporting service to consume the remaining memory on your application server and thereby rendering that app server useless.  In the Workflow Manager 1.0 Refresh and Service Bus 1.1 versions, the error simply kills the Workflow Manager service over and and over again.

There are several blog posts on this across the web, many will fix your issue, however, you may find that in some cases, none of them work for you. One such issue is if the configuration file of the Dist Cache has your machine registered, yet it cannot any details about that machine in SharePoint, you will get this error.  Even if you run all those wonderful SharePoint cmdlets.  The fix is to export the configuration file, remove the offending server, then upload the configuration file.  Then your SharePoint cmdlets will work:

1. Export-CacheClusterConfig c: empfile.txt
2. Remove the offending server
3. Import-CacheClusterConfig c: empfile.txt
4. Run the appropriate cmds to add it back

Here is all the scripts I have compiled that will help you to solve any issue you may come across:

  Get-AFCacheHostStatus | % {
    $ServerName = $_.HostName
    Get-AFCacheStatistics -ComputerName $_.HostName -CachePort $_.PortNo | Add-Member -MemberType NoteProperty -Name 'ServerName' -Value $ServerName -PassThru
} | Format-List -Property *   

Stop-SPDistributedCacheServiceInstance -Graceful;
Remove-SPDistributedCacheServiceInstance;

Add-spdistributedcacheserviceinstance

$instanceName ="SPDistributedCacheService Name=AppFabricCachingService"
$serviceInstance = Get-SPServiceInstance | ? {($_.service.tostring()) -eq $instanceName -and ($_.server.name) -eq $env:computername}
$serviceInstance.Unprovision()

$instanceName ="SPDistributedCacheService Name=AppFabricCachingService"
$serviceInstance = Get-SPServiceInstance | ? {($_.service.tostring()) -eq $instanceName -and ($_.server.name) -eq $env:computername}
$serviceInstance.Provision()

Register-CacheHost -Provider SPDistributedCacheClusterProvider -ConnectionString "Data Source=svr-jc-db1;Initial Catalog=SharePoint_Config_2013;Integrated Security=True;Enlist=False" -Account "NT AuthorityNetwork Service" -CachePort 22233 -ClusterPort 22234 -ArbitrationPort 22235 -ReplicationPort 22236 -HostName svr-jc-web2

Use-CacheCluster
Get-AFCacheHostConfiguration -ComputerName ComputerName -CachePort "22233"
Set-CacheHostConfig -Hostname SP2013 -cacheport 22233 -cachesize 300
Update-SPDistributedCacheSize -CacheSizeInMB CacheSize
start-cachehost
restart-cachecluster
Get-CacheHost
Get-CacheHostConfig -ComputerName SP2013 -CachePort 22233
Export-CacheClusterConfig c: empfile.txt
Import-CacheClusterConfig c: empfile.txt
Get-CacheClusterHealth

$farm = Get-SPFarm
$cacheService = $farm.Services | where {$_.Name -eq "AppFabricCachingService"}
$accnt = Get-SPManagedAccount -Identity domain_nameuser_name
$cacheService.ProcessIdentity.CurrentIdentityType = "SpecificUser"
$cacheService.ProcessIdentity.ManagedAccount = $accnt
$cacheService.ProcessIdentity.Update()
$cacheService.ProcessIdentity.Deploy()

Clear-SPDistributedCacheItem -ContainerType DistributedLogonTokenCache

Until further notice I am advising clients NOT to enable partner sharing.  This is because you never know who will be accessing your data from the partner side.  If your partner is a large SharePoint consulting firm, they have no ability to lockdown who can see your data on their side (out of the 100's or 1000's of clients they have). 

To be said another way, this means they have no way to keep random internal employees from checking out your site and data. Until they activate the ability to assign specific people to your accounts, I highly suggest that you stop partner sharing!!!

In other words, think Edward Snowden and Bradley Manning…type of security holes.

Vote for it here on UserVoice:

http://officespdev.uservoice.com/forums/224641-general/suggestions/5983421-enable-granular-permissions-for-o365-partners

Let's talk apps for a moment.  A couple of questions for you:

• If you were to build a single purpose app, where would you do it, how would you do it…why would you do it? 
• If you were to build a multi-purpose app, where would you do it, how would you do it…why would you do it?

If you are stuck in single purpose, Single Page App (SPA) land, then you are quite a few months behind where you should be.  You should be thinking, if I am going to build an app, where will I get the most bang for my buck?  If you are a customer, are you going to ask a consulting partner to build you an app in the future?  If so, do you understand what might happen in the future that will cause you to refactor (rebuild) your app?

Do you understand the differences between application registries such that you know what might happen in the future or how you should architect your apps?

A Scenario to Think About

Many of the people that read my blogs are "SharePoint" people.  So you have seen many of my previous posts on building SharePoint Apps.  Low trust, high trust, OAuth in O365, blah blah (old and boring stuff).  SharePoint Apps were a great start to making Office apps run in predictable way using best practices in terms of user authentication (ie apps don't need passwords) and reliable API calls (REST and CSOM).  But let's step back for a moment.  In general, let's say our goal is to build an multi-purpose App (an app that spans multiple APIs and needs multiple client id and secrets).  These apps are much more complex, as an example, let's talk about how one might build an app that:

• Makes a call to Visual Studio online to get project data that populates Project Server Online with tasks.  The app then adds to your O365 calendar items assigned to you based on project tasks. In addition, the app will post messages to Yammer throughout the entire process.  Additionally, it needs to post various data points by taking snapshots of project report data to a customer's OneNote.com notebook.

This scenario, which I have no doubt many of you will think is "cool" or "I want that", will not be well understood from the sheer amount of effort this will take.  You won't fully recognize the plethora of APIs and App registries of which you would need to create and have target user's authorize in order for your multi-purpose application to work. 

App Registries 

So what do I mean when I say "App Registry"?  As the title of the post eludes too, there are several of them you might be interested in:

• Google Apps
• Azure Active Directory Apps
• SharePoint Apps
• LiveId Apps
• Yammer Apps 
• Facebook, twitter…on and on…

All of these registries utilize OAuth 2.0 as their underlying auth architecture.  When you create an app in a registry, they are going to issue you a client Id and client secret.  In the scenario above, you will see that you will have at least five different apps.  In your multi-purpose app, you will need to manage the auth process with all the client ids and secrets in that app.  This is incredibly painful to manage without using some kind of library in the middle (there are several, take your pick with each being targeted at some platform, we need a platform agnostic approach, see later in this post).  In the end, the goal is to get an "Access Token".  Once you have acquired this token, you can make API calls from your app using the "Authorization" header in the HTTP request.  It is this access token that defines the scopes at which your application with be authorized (such as creating an email, creating a one note page, creating a file in your OneDrive [either consumer or business]).

Since many of you are familiar with the concept of SharePoint and slightly less familiar with Yammer Apps.  Neither of these I will talk much in this post.  But let's do take a look at Live ID vs Azure AD vs Google.  Live ID is what has traditionally been considered the "consumer" authorization platform.  We use it to login to HotmailOutlook.com, our msdn accounts, our OneDrive consumer and OneNote consumer as just a few examples.  Until last week (5/21/2014), Visual Studio Online was also using Live ID (it now supports Azure ADOrganization Accounts but you currently have to create a *new* account and can't move your old one, hopefully that will change). 

LiveID

LiveID has been around for a while and there are many apps written to support consumer services.  If you wanted to create a LiveID app, you can do it here (note you must have a Live ID account to create one):

https://account.live.com/developers/applications/index

Once you register an app, you will see it in the portal:

 

Scopes for apps include the following:

• Hotmail, Contacts
• OneDrive
• OneNote

Just for kicks, here is SharePoint and Yammer registries screen shots:

SharePoint:

 

Yammer:

 

As a side note, SharePoint and Yammer Apps cannot make calls to O365 APIs, nor can they make calls to LiveId APIs such as OneNote and OneDrive.

Azure AD

Enter Azure Active Directory.  With the huge success of O365, Azure AD is being used as the organizational account backing (in the absence of federated auth) and with the new O365 APIs, as the application registry.  To register an application, you must create an app in the Azure management portal.  By default, your app is only visible to your organization, but can be made to be utilized by external organizations.

https://manage.windowsazure.com

As it stands right now, Azure AD only has a small set of apps that are using it (aside from custom organizational ones) which is commonly referred to as the Consent Framework: 

• Azure Management
• Azure Active Directory
• Office 365 Exchange Online
• Office 365 SharePoint Online

These are shown in the following screenshot (with the "scopes" that each exposes):

 

SharePoint Permissions versus Azure Permissions

One of the big gaps between writing an Azure App and a SharePoint app is the level of permission granularity.  Take a look at the Azure permissions for SharePoint Online in the above screen shot, now look at the available permissions for a SharePoint App in the next screen shot.  What a major gap in permission granularity!:

 

 

If we were to contrast these to the Google Apps portal, things start to get interesting in terms of what the future will hold for Azure AD Apps. The Azure UI is really primitive in terms of permissions assignment (imagine if you had 100 permissions for an app).  Additionally, a drop down won't cut it if t
hey move to as many online supported services as Google has (which is the next registry I explore).  And just to add insult to injury, this error is one of the most annoying EVER:

 

Google Apps

Google Apps registration is available here:

https://console.developers.google.com/project

Here is a screen shot of the Google Apps page:

 

Google vs Azure – "One client id and secret to rule them all"

As compared to Microsoft, hopefully you were able to surmise that Google utilizes a single app registry (with a single client id and secret, with a much more advanced and comprehensive Consent Framework and UI).  So what does this ultimately mean for Azure AD?  If you look at Azure AD, it is in its very early stages (V0.8 maybe?).  Only a few apps are supported when it comes to the Microsoft set of online services.  As compared to Google, they have a lot of work to do.  Each team within Microsoft must make the decision to adopt Azure Active Directory as its future authorization platform in order for us to take advantage of a "single client id, single client secret" as we can do today with Google.  Visual Studio Online made a step towards making this a reality last week.

OAuth 2.0 flows and HelloJS

Now let's talk about OAuth 2.0 flow support. If you haven't seen HelloJS well, you are missing out.  It is an incredibly simple OAuth JavaScript library that allows you to do OAuth authorization in a very simple manner.  As it is using JavaScript, it is a client side implementation.  This means that Azure must support some type of cross origin scripting support (CORS) to get access tokens using simple token flows.  If this is possible today, it isn't documented anywhere.  As it stands right now, you need a server side component to broker the auth calls (WebAuthBroker pattern).  Hopefully this changes in the future or becomes better documented.

Introducing Auth0.com 

So let's go back to the original scenario.  If the goal is to simply get an access token and similarly, make an API call to get a JSON response back, should we really care about any of the details of that process times five (LiveId, AzureAD, SharePoint, Yammer, Google, et all)?  Are you reinventing the wheel over and over again each time you create a new app in any of those registries?  The answer is yes.  Enter Auth0.com.  Auth0 stands to change the way we build our multipurpose apps.  You can get a sample of how Iwe use Auth0 on our SanSpug.org site by attempting to login using any number of OAuth 2.0 credentials (facebook, twitter, etc).  In addition, you can abstract away the API calls for target services such that you simply need to get the responses back and perform your business logic. 

Auth0.com is the ultimate Web Auth Broker servicepattern!  I highly suggest that you take a look at Auth0 and how you can utilize it in your future app design.

Summary

Hopefully you now have enough of a background of information to make some education decisions (such as wait for a few more months?)  in terms of what you might want to consider moving forward in your app design and architecture strategy.  I personally see Azure AD winning out over LiveID.  What this means in the long term with respect to services such as MSDN and the various other business services (MSInvoice, et all) hosted by Microsoft for vendor interaction (of which use LiveID today) is really foggy and not well defined.  A lot of these thoughts I have already conveyed to the various Microsoft teams that should be thinking about the above concepts.  The ball is in various Microsoft's exec's courts to make a high level decision to do the migration towards catching up with Google and deciding that consumer is consumer (LiveID) and business is business (AzureAD).  If they draw that line, you will see migrations away from Live ID happening left and right.

As part of my 5-day O365 course I have a Workflow section that describes things like deploying workflows via Apps with event receivers that deploy to the Host Web.  Also a part of the lab is how to "theoretically" call an O365 API from workflow.  Unfortunately, you cannot call O365 APIs from workflows that live on-premises or in O365.  The reason is two fold. 

• For on-premises, there is a buffer overflow in the Workflow Manager service (1.0, CU1, CU2 and 1.0 refresh) that barfs on large DynamicValue HttpHeaders in the HttpSend request.  Reference this post for the error you will see.
• For O365, there is a special STS validation layer that barfs on the Azure AD access token (Error is "JsonWebToken.Issuer != clientId@realm"). If you pass the token in anything but the "Authorization" header it will pass right through, but it will not pass through in the "Authorization" header.

Therefore, the only avenue you have is to use "Basic" auth when making the calls.  This means you must store the user's username and password somewhere rather than allowing them to go through the basic OAuth process the way it should be.

If you would like to be able to do this, vote for it on UserVoice here:

http://officespdev.uservoice.com/forums/224641-general/suggestions/5981236-enable-azure-workflows-to-call-o365-apis

Updated as of 6/3/1024:

Since I am doing a lot with the O365 APIs at the moment, I figured it would be good to drop the O365 MVP list in addition to the SharePoint one.  I also attached the script to follow all of them below.  So here you go:

Name	Blog	Twitter
Alberto Pascual (Alberto Pascual)	Blog	guruxp
Alexandru Dionisie	Blog	AlexDionisie
Alvaro dos Santos Rezende	Blog
Amin Tavakoli	Blog	amintvk
Arnaud	Blog
Ayman Mohammed El-Hattab	Blog	aymanelhattab
Ben Curry	Blog
Benoit HAMET	Blog	benoit_hamet
Brendon Ford	Blog	stewartisland
Brett Hill	Blog	bretthill
Brian Nøhr	Blog	Bsnohr
Dan Holme	Blog
Danny Burlage	Blog
Darrell C Webster (Darrell Webster)	Blog	DarrellCWebster
Diogo Dias Heringer	Blog
Dragan Panjkov	Blog	panjkov
Eunjoo Lee (Eunjoo Lee)	Blog
Fernando Andreazi	Blog	fandreazi
Genki Watanabe	Blog
Gilles Pommier	Blog
Goran Husman	Blog
HeeJin Lee (Hee Jin Lee)	Blog
Igor Pavlekovic	Blog	igorpnet
Jeremy Dahl	Blog
Jesper Ståhle	Blog	JesperStahle
Jethro Seghers	Blog	jseghers
JinHwan Woo	Blog
Jorge Castañeda Cano	Blog	xorxe
Kazuhiko Nakamura (?? ??)	Blog
Kelsey Epps	Blog	kelseyepps
Kerstin Rachfahl	Blog	himmlischeit
Laurent Miltgen-Delinchamp	Blog
Loryan Strant	Blog	thecloudmouth
Malin Dandenell	Blog
Mario Cortes Flores	Blog
Markus Widl	Blog	markuswidl
Martina Grom	Blog	magrom
Masayuki Mokudai (????)	Blog	Office365Room
Mauricio Cassemiro	Blog
Michael Kirst-Neshva	Blog	ankbs
Myles Jeffery	Blog
Naoki Osada	Blog
Nitin Sadashiv Paranjape	Blog
Nuno Árias Silva (Nuno Árias Silva)	Blog	NunoAriasSilva
Paul Woods	Blog	paulwoods
Poo Ching Loong	Blog
Raphael Köllner	Blog	ra_koellner
Rene Dominik Modery	Blog	modery
Robert D. Crane	Blog
Sara Barbosa	Blog	Sarabarbosa
Sean McNeill	Blog	s_mcneill
Seiji Noro (?? ??)	Blog
Steve Noel	Blog	CloudItca
Tomislav Bronzin (Tomislav Bronzin)	Blog	tbronzin
Vincent Choy	Blog
Yoni Kirsh	Blog
Yoshihide Sakamoto	Blog
Zeljka Knezovic	Blog	zeljkak
Zoltan Zombory (Zombory Zoltán)	Blog	zomby_z
Peter van Hees	Blog	mrpetrovic

As promised, here is my blog post on how to extend SharePoint 2013 REST APIs! This post is similar in technical depth as the Extending Ceres engine post here.

The general premise is to add your own end points to the REST APIs in an on-premise environment.  This is a totally valid scenario similar to extending sharepoint with your own Service Applications.  This technique is used by the Project Server team (totally different team from the SharePoint team) to extend the ProjectServer and ProjectData REST end points.  I have published the sample project here. Here are the high level steps of what you must do:

1. Create a class decorated with ClientCallableType
1. Set the name to the same name as the class
2. Generate a new ServerTypeId set it
3. Set the FactoryType to a Object Factory that you will create next
2. Add methods and properties to the class, decorate with ClientCallable, ClientCallableMethod, ClientCallableProperty
3. Create the Object Factory that inherits from ClientCllableObjectFactory (this will create an class instance using an identifier)
1. Decorate the class with the Clietn
2. CallableObjectFactory attribute, set the ServerTypeId to the one you generated for the class
3. Implement the GetObjectById method
4. Create a ServerStub class that inherits from Microsoft.SharePoint.Client.ServerStub
1. Decorate the class with the ServerStub attribute, set the type to the class type, set the TargetTypeId to the ServerTypeId
2. Implement a public constructor
3. Override the following properties and methods
1. TargetType (returns typeof(class))
2. TargetTypeId
3. TargetTypeScriptClientFullName (the name of your client target type you will create next)
4. ClientLibraryTargets (what clients can call your rest endpoint)
5. GetProperty Method
6. InvokeConstructor method (for both the CSOM and REST calls)
7. Constructor implementations called from InvokeConstructor
8. InvokeMethod (this calls the object's method)
9. GetMethods (this is required to tell the $metadata endpoint what is available)
10. GetProperties (similar to GetMethods)
5. Create another class in a .Client namespace
1. Decorate it with the ScriptType attribute, set the name and ServerTypeId
2. Make it inherit from ClientObject
3. Create the properties and methods that match to your server side class
6. Create a ScriptTypeFactory that implements the IScriptTypeFactory interface
1. Implement the IFromJson method, use a switch statement to generate a Client class object based on the scriptType string
7. Create the ProxyLibrary.xxx.xml file
1. Deploy to the {SharePointRoot}/ClientCallable directory
8. Open the project's AssemblyInfo.cs file
1. Add a UrlSegmentAliasMap attribute
2. Add a ClientNamespaceMap attribute
3. Add a ClientTypeAssembly attribute
9. Deploy the Farm Solution
10. Perform an IIS Reset
11. Hit a "_/api/$metadata" endpoint, you should see your end point displayed!

Enjoy!
Chris

 

Here is a Windows PowerShell script I wrote to follow all the users in a list.  I have provided the list of the MVP twitter handles in the zip file.

Enjoy!
Chris