Bennett Adelson Technical Blog

Posts from the consultants at Bennett Adelson

A Lap Around the Azure API Management Service

At a recent conference, our team presented a talk called “A Lap Around Azure API Service Management.” It was a great opportunity to meet others in the area who are actively developing on the Microsoft platform. We appreciated meeting people with varying levels of familiarity with Web APIs, and it was a perfect opportunity to exchange ideas and experiences.

For people who are new to this space, the presentation covered the Web API ecosystem as well as their value in building modern applications.


From a Web API user’s perspective, there is a wide range of functionality that they expose, including security, caching, logging, tracing, storage, etc. If you’re building an app, chances are there is already an existing API that will fit your needs.


In addition to pre-built APIs, there is a large, vibrant developer community who are creating and consuming these APIs.  Your company may be able to connect with new customers and new revenue channels by creating your own APIs and working with this community to connect your services in these developers’ applications.

At a high level, the Windows Azure API Management Service (AMS) has four feature sets:

· Admin Portal – where you manage your APIs

· Proxy – hosts the public version of your APIs

· Developer portal – helps developers discover your APIs and promotes adoption

· Analytics – provides insight into usage and the health of your APIs


Publisher/Admin Portal:

Also called the API Management Console, this is where API publishers configure and manage their public APIs.

In AMS, a product contains one or more APIs as well as a usage quota and the terms of use. Once a product is published, developers can subscribe to the product and begin to use the product’s APIs.

The screenshot below shows some of the various types of products that can be created with the management console.  Here, each product represents a tier of service. API publishers can use the AMS product configuration feature to provide different levels of service using call rates, subscriptions requiring approvals, etc.

[Screenshot: product tiers defined in the API Management console]

Proxy:

The AMS Proxy is the middleware that glues the published APIs to an actual implementation. It uses the information provided when an API is imported to invoke the “backend” API whenever someone calls the AMS-published API. The proxy is very useful because it not only isolates the backend API but also allows pre- and post-processing of messages through policies.

 

Developer Portal:

The developer portal is where developers can learn about the publisher’s APIs, view and call operations, and subscribe to products. Prospective customers can visit the developer portal, view APIs and operations, and sign up. The URL for the developer portal is located on the dashboard in the Azure portal for the API Management service instance.  API publishers can customize the look and feel of their developer portal by adding custom content, customizing styles, etc.  Features like the developer portal, alongside the product and subscriber management, can help developers accelerate the adoption of their APIs.

 

Analytics:

The Analytics features provide insight into your API platform. Usage data such as successful, blocked and failed calls are reported at the per-user, per-product and per-API level. Several charts and tables let you quickly understand how your APIs are operating. The Analytics features can help providers track API usage and identify performance issues, should these arise.

In addition to these features, the portal also provides a mechanism for policy management. Using this feature, administrators can easily create policies that control several facets of an API, such as quotas, payload transformation, etc. Below is an example of a policy that limits the rate of calls to the API to a maximum of three calls every 60 seconds:

[Screenshot: rate-limit policy in the policy editor]
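For readers who cannot see the screenshot, here is the same kind of policy written out as an added example (not the original image or the post's own policy): an API Management inbound policy that limits calls to three per 60 seconds. The scope it is applied at (API or product) and the surrounding sections are assumptions.

```xml
<!-- Added example, not from the original post: an Azure API Management policy
     that limits an API to 3 calls every 60 seconds. The counter is kept per
     subscription key, so each subscriber gets their own allowance. -->
<policies>
    <inbound>
        <!-- Inherit any policies defined at the parent scope (product/global). -->
        <base />
        <!-- Reject the 4th call within any 60-second window with
             HTTP 429 Too Many Requests; the backend is never invoked
             for a rejected call, which shields it from bursts. -->
        <rate-limit calls="3" renewal-period="60" />
    </inbound>
    <outbound>
        <!-- Nothing extra on the way back; inherit parent outbound policies. -->
        <base />
    </outbound>
</policies>
```

The rate-limit element protects against short bursts; for a longer-term allowance (for example a monthly call budget per product tier) the separate quota policy is used alongside it.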

If you would like to learn more about the Azure API Management Service and Web API development, please feel free to contact us at Bennett Adelson. Also, the links below can help provide more information:

http://azure.microsoft.com/en-us/documentation/articles/api-management-get-started/

http://channel9.msdn.com/Events/TechEd/NorthAmerica/2014/DEV-B382

“One Size Doesn’t Fit All – User Experience 101”

Often we meet with clients who have already determined the type of technology for their application before they have determined what they want the application to accomplish.

With any project it’s crucial to start with User Experience first. In a sea of frameworks, platforms and operating systems at our disposal, it’s easy to get side tracked by the technology. The user experience tends to take the back seat, when in reality it should drive the appropriate technology set.

By asking a few basic questions we begin to understand what type of technology is best suited to accomplish the business goals and what experience will resonate most with users.

QUESTIONS:

1. What are the business goals of the application? Simply, we want to know what you are hoping the application will accomplish. Is it to increase conversion? Is it to market new products? Is it train or educate your employees? Without understanding the business goals we cannot measure and determine success.

2. Who will be using the application? We want to clearly define user demographics and understand user limitations. As designers we need to learn everything we can about the user: their age, gender, level of technical aptitude and physical limitations that could impact the success of the application. Designing a website for a 55-year old female can be quite different than designing a website for an 18-year old male.

3. Are there specific limitations or inefficiencies that could impact the overall design or layout? This is where we start to learn more about the user’s environment and what elements of their job could impact the application interface. For example, if a user is working in a warehouse and needs to scan parts, this might be difficult to do if he is required to wear gloves to perform his job. Environmental limitations can be just as important as physical limitations because they introduce unique design hurdles, which if not solved properly can negatively impact the experience.

4. What are the project requirements? All best laid projects need to start with a plan. This begins with talking to project owners and stakeholders to get common consensus on capabilities, features or attributes of the project’s deliverables. Once this has taken place the next step is to create a prioritized list which will be used as the basis for the project deliverables and ultimately, the project plan. This is the map to keep the project on time and on budget.

5. What are your technology requirements and limitations? Understanding a client’s current technology stack or environment will also impact the way designers approach their design and layout. We often have to rethink the way a user will complete a task, knowing that a specific feature might not be accessible in certain software or database versions. This is a common problem for mobile operating systems. The innate features of the iPhone 6 are different than those of the iPhone 4S.

By asking a few basic questions upfront, designers and developers begin to gather a clear picture of what they are designing and most importantly, who they are designing for. In the end, this creates a seamless experience for the user and a big win for the client.

Coercion Failed Error when Running a Workflow from a Document Retention Policy

Recently, I had a client that wanted to create a “document review” workflow that would run if a document had not been modified in the past year. The solution involved creating a simple SharePoint 2010-style workflow that would assign a task to review the document to the reviewer(s) defined in the workflow’s association settings. A document retention policy was created to run the workflow if the document had not been modified in the past year. The workflow worked fine when run manually. However, when the workflow was run from the retention policy it was failing with the error: “Coercion Failed: Input cannot be null for this coercion.”

[Screenshot: the “Coercion Failed” workflow error]

As it turns out there is a (minimally documented) web application property called PolicyUseAssocDataAsInitData that controls whether the workflow association properties are passed to the workflow when it is started from a retention policy. This property was introduced with an October 2011 hotfix for SharePoint 2010 (see http://support.microsoft.com/kb/2596584).

After setting this property the workflow ran as expected from the retention policy.

You can enable this property on a web application using the following PowerShell commands:

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue  # not needed inside the SharePoint 2010 Management Shell
$webApplication = Get-SPWebApplication http://yoursite.url
$webApplication.Properties["PolicyUseAssocDataAsInitData"] = 'true'  # pass association data to workflows started by a retention policy
$webApplication.Update()
Restart-Service SPTimerV4  # restart the SharePoint 2010 Timer service (on each server) so the change takes effect

NOTE: After setting the property you need to restart the SharePoint Timer service in order for the change to take effect.

 

CU4 for ConfigMgr 2012 R2 has been released

An update (CU4) was released yesterday, Feb 2, 2015, for System Center Configuration Manager 2012 R2 that replaces Cumulative Update 3 (CU3).

This update addresses many distribution related issues, some minor OSD issues, a few critical site issues, some minor client bugs, some MDM fixes, and some SUP fixes.

There have also been some additions on the PowerShell side (https://support.microsoft.com/kb/3031717): fixes to existing cmdlets as well as 34 new ones, such as:

  • Add-CMDeploymentTypeDependency which adds a deployment type as a dependency to a dependency group.
  • Add-CMDeploymentTypeSupersedence which sets one deployment type to supersede another.
  • Get-CMDeploymentTypeDependency which gets existing dependent deployment types from a dependency group.
  • Get-CMQuery which gets a query.

Some optimizations have been made to reduce latency and optimize the data replication in large hierarchies.

Lastly, the Endpoint Protection client included with this update has been updated to match the version currently being distributed.

You can find more information here:
https://support.microsoft.com/kb/3026739/en-us

Jason Condo
Principal Consultant

Reflections on Integration 2014 (aka BizTalk Summit)

I’ve just returned from Integrate 2014, the annual gathering of BizTalk developers in Redmond. The big story this year was that Microsoft’s BizTalk team gave its first public briefings and demonstrations of the new BizTalk architecture it’s been planning for several years. The key features of this new architecture are:

  • BizTalk Server will be refactored and re-implemented as small pluggable components. Each component can be used separately from the others, and new ones can be written by third parties and developers. They can each be developed and versioned separately, so there will no longer be single monolithic releases of “BizTalk Server”. I was reminded of how Microsoft has been breaking up ASP.NET into components with OWIN and Katana.
  • But unlike OWIN, the new BizTalk components will not connect directly to each other. Instead their inputs and outputs will all pass through a new type of runtime engine that acts as a message broker. The message flow will thus be pub/sub rather than a pipeline.
  • There will be a web-based “gallery” where developers and business users can pick and choose components and arrange them into workflows. Developers will also have access to components in Visual Studio via NuGet.
  • This architecture will be implemented first on Windows Azure, but will also run on-premises in a future version of the Windows Azure Pack. The latter appeared to be how the Microsoft devs were running their demos.

At the conference Microsoft referred to the new components as “microservices”. This term didn’t seem to appeal to everyone, and I won’t be surprised if Microsoft comes up with new terminology. (They no longer refer to it as “AppFabric” as they did in 2010.) And although the BizTalk team is moving the technology forward, we learned from Scott Guthrie (who gave the keynote) and Bill Staples (Director of Program Management for the Azure Application Platform) that Microsoft is planning to adopt this architecture for other Azure features and services.

Microsoft did not have a public preview of the microservice architecture to announce at the conference, but they promised it for 2015 Q1. That is also when they plan to release the first preview of the BizTalk Server 2015, which should be a “major” release since it will come in an odd-numbered year.

Although GA for the new BizTalk architecture is probably more than a year off, the most exciting takeaway for me was the affirmation, both from Microsoft and the developers assembled from around the world, that BizTalk Server and Microsoft Azure BizTalk Services (MABS) are still strong, vital and more able than ever to handle demanding enterprise integration. Old customers are sticking with BizTalk, and new ones are adopting it all the time. At Bennett Adelson we will continue to keep BizTalk at the center of our Connected Systems practice.

Microsoft releases Out of Band update today

Microsoft has re-released update MS14-068 (Kerberos Checksum Vulnerability) as an out-of-band update and urges customers to deploy it. Its Security Bulletin Summary page (https://technet.microsoft.com/en-us/library/security/ms14-nov.aspx) states that Microsoft is aware of targeted threats for 068. Microsoft recommends that customers apply this update to their domain controllers as quickly as possible, because the vulnerability could allow a normal domain account to be elevated to that of a domain admin. An attacker with administrative privilege on a domain controller can make a nearly unbounded number of changes to the system that allow the attacker to persist their access long after the update has been installed. Therefore, it is critical to install the update immediately. The implications are huge here, so I wouldn’t sit on this too long if I were you.

MS14-068
Kerberos Checksum Vulnerability

This security update resolves a privately reported vulnerability in Microsoft Windows Kerberos KDC that could allow an attacker to elevate unprivileged domain user account privileges to those of the domain administrator account. An attacker could use these elevated privileges to compromise any computer in the domain, including domain controllers. An attacker must have valid domain credentials to exploit this vulnerability. The affected component is available remotely to users who have standard user accounts with domain credentials; this is not the case for users with local account credentials only. When this security bulletin was issued, Microsoft was aware of limited, targeted attacks that attempt to exploit this vulnerability.

This security update is rated Critical for all supported editions of Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2. The update is also being provided on a defense-in-depth basis for all supported editions of Windows Vista, Windows 7, Windows 8, and Windows 8.1. For more information, see the Affected Software section.

The security update addresses the vulnerability by correcting signature verification behavior in Windows implementations of Kerberos. For more information about the vulnerability, see the Frequently Asked Questions (FAQ) subsection for the specific vulnerability.

For more information about this update, see Microsoft Knowledge Base Article 3011780.

Additional Notes: If you aren’t already aware, Azure Active Directory (AAD) does not expose Kerberos over any external interface and is therefore not affected by this vulnerability (although domain controllers running in Azure would be).

Jason Condo
Principal Consultant

Windows 10 IT Pro Training – November 20th

Newly announced: Microsoft is offering free live training on November 20th on MVA for IT Pros around Windows 10. Simon May, Brad McCabe, Michael Niehaus, Chris Hallum, and Fred Pullen are your hosts and I expect it to be a great session. If you have had the chance to see Simon or Michael speak, I am sure you will agree this is something you don’t want to miss. If you have the time, check it out.

http://www.microsoftvirtualacademy.com/liveevents/windows-10-technical-preview-fundamentals-for-it-pros

Windows 10 Technical Preview Fundamentals for IT Pros

Live Event Details
November 20, 2014
9am–1pm PST

In this Jump Start training with live Q&A, join us as the lead Windows 10 Enterprise Product Managers roll back the covers on the Windows 10 Technical Preview. Learn about new UI enhancements, find out how management and deployment is evolving, and hear how new security enhancements in Windows 10 can help your organization respond to the modern security threat landscape. Be sure to bring your questions!

Windows 10 – Build 9879 released

As I have posted before I am using Windows 10 as my main device on my Surface Pro and am quite impressed. At first, the new OS was bloated and used way too much power. With the second update (9860) three weeks ago, I was pleased to see my tablet go back to 5-8 hours of battery life with impressive power savings when docked while on battery. Well, in all its awesomeness, it looks like we have another update to test out!

If you are part of the fast track, you started receiving the newest build (9879) on the 12th. If you are part of the slower track, you should start seeing the build in the next week or so. There are some nice enhancements and I can’t wait to play with this and give my feedback. If you are running this in an enterprise, you may want to put yourself on the slow track until they work out some of the bugs with the new build. The following are the current known bugs:

Some known problems:

As with the last build, you’re getting hot-off-the-presses code which means there are a few issues. We’ll be publishing WU updates shortly to fix the first two, but the remainder will not be fixed for 9879.

  • In some cases you may get a black screen when trying to log-in or unlock. The only option is to hold the power button to hard reboot.
  • You will be unable to connect to Distributed File System network locations.
  • Some systems may see disk growth of 20GB+ due to driver install duplication. On systems with low disk space this can block setup and cause a rollback to the previous build.
  • Skype calls will disconnect and Music will stop playing if those apps are minimized.
  • There are several known issues with screen sharing with Lync.

You can find out more at the Windows Blog (http://blogs.windows.com/bloggingwindows/2014/11/12/new-build-available-to-the-windows-insider-program/)

Jason Condo
Principal Consultant

First Looks for Windows 10 Preview


Here are some first looks at the Windows 10 Preview installation experience and initial use of the system. This is the very first release and I expect changes to happen quickly as feedback comes in, but I will try to keep the blog updated as things go. I think the first thing you will notice after installing and logging in is the change in how you get to your applications and make system changes. The Start Menu is back and the swipe for switching apps has changed.

Installation

The following are screens of the installation process. Nothing amazing and it really just reminds me of Windows 8. I wouldn’t expect much yet as the focus is on core functionality of the OS, not the installation experience. There are a few things to note:

  1. Review the legal notice. They have done some work to make it easier to understand and have also effectively used bold fonts to highlight things that are of importance to you.
  2. The importing of settings. These are from Windows 8.1, but sure make setting up your system easy. I ran this on my Surface Pro and was amazed that in the upgrade I did not have to reinstall anything. All my Windows apps were there as well as my Modern apps. All of my data was there as well.


Initial Configuration

Here, for the sake of being able to get into the system quickly, I chose to use express settings. I will choose the other route and blog on it later.


You will need internet access (just like in Windows 8) if you want to link to your Microsoft account. Otherwise you will get a message saying to create a local account.


If you have Windows Phone 8.1, you might be familiar with this next screen. Microsoft has an application for your phone called Authenticator that is similar to an RSA token for your Live ID. I love this two-factor method for ensuring my Live ID doesn’t get associated with a rogue machine that then has all my data synced to it.


If it connects, it will let you import settings from other systems you might have. In this case, here is my Win8.1 Surface Pro.


Just like Windows 8.1, you get the first-run experience for Microsoft Apps.


And after login (yes, my wallpaper is a black screen on my computers):


The desktop

Once in, there are two things you will find quickly. One, is that we have the Start Menu back. I have mixed feelings about this as I am really used to the Start Screen and grouping my apps. Drilling in to find my apps from an alphabetized list is not optimal for me, however, it isn’t that I browse for applications like that very often. On my Surface, I found this type of menu difficult to use with only touch.

The other is the feedback function as you click on new features. Personally, I think this should not appear the first time I click on something as I am exploring new features and the prompting is on something I don’t have context to provide opinion on yet necessarily. However, you can add feedback easily enough later as you use the system through the Feedback application.


You can still see folders just like in Windows 7, and your Modern apps are in the root; you can interact with them just as you could in the Start Screen by right-clicking on them. Here I right-clicked on Yammer and told it to install.


You can still pin applications to the start, resize them, and leverage live tiles. It is like the best of both worlds from Windows 7 and Windows 8.


Modern Apps in a Windows world

We can now use Modern Apps (Metro Apps) like we use regular Windows applications. They move around in Windows and dock seamlessly; however, some application UIs are not meant for windows and you will find moving around with scrollbars challenging/annoying. There is a new item in the title bar for displaying and interacting with the application. I found the options in the drop-down difficult to click on using touch on my Surface and I expect this to change. Docking them is simpler, and swapping between them using swipe from the left has changed from full application swapping to the familiar application task switch similar to Windows 7.


Conclusion

On the surface, you might question why this is a whole new version. The control panel, file system, and desktop all work the same. There are some interface changes, notably the Start Menu and application interaction, but if you’re using Win8/Win8.1 already you would be challenged to see a major difference outside of that. I definitely have the feeling they are trying to reach the users of Windows 7 who just don’t want to go to the new interface of Windows 8. This is a nice halfway point and I can see it being accepted.

It is what you can’t see that is the most exciting. Management of the system will leverage MDM frameworks, possibly making it easier to manage and discern corporate data and settings from personal. This was evident to me when I upgraded my Surface and all of my data, applications, and configurations stayed. There wasn’t a single thing I had to do to make my Surface usable. Kick off the process, come back 20 minutes later and pick up where I started with a new UI. Awesome! HomeGroups will be leveraged more, as will the connection to cloud services, OneDrive being most prevalent at first. Exciting times, and I look forward to getting to dig in under the hood now.

I will explore more and keep you posted on any other changes I find.

Jason Condo
Principal Consultant

Microsoft to start blocking out of date ActiveX controls in Internet Explorer

As we all know, some of the most obvious paths into a system through the browser are out-of-date ActiveX controls such as old versions of Java and Flash, among others. While many enterprises may still need to run old versions of Java for a line-of-business app that they just can’t get upgraded, this leaves their users and systems vulnerable to malware written to take advantage of those old, unpatched versions. I had a customer not too long ago that had to have the older Java 1.6 for a time-keeping system. Every time I would go in and review their SCEP logs I would see Java vulnerabilities at the top of the list and many systems infected to the point that they had to be reimaged.

Microsoft has recognized this and is implementing a patch for Internet Explorer 8 and newer that identifies known out-of-date ActiveX controls (from a definition file hosted at Microsoft) and, if the site is not in the Local Intranet or Trusted sites zone, displays a notification bar telling the user that the ActiveX control has been blocked and should be upgraded to the latest version. IT Pros will be able to manage this experience, as well as make sure their line-of-business applications are in the correct zones. To aid in this, there are new ADM templates available so that GPOs can be created to configure this.

While Microsoft was looking to implement the blocking functionality this week, we have some reprieve: after hearing feedback from the community, Microsoft provided an update yesterday stating that it will initially just warn on old ActiveX controls for 30 days before the blocking goes into effect. This gives IT Pros like you about 30 days to address this. While you can read more here (http://blogs.msdn.com/b/ie/archive/2014/08/06/internet-explorer-begins-blocking-out-of-date-ActiveX-controls.aspx), I see a few options available to you:

Upgrade or replace your application to work with the latest ActiveX control

I am pretty sure this will not be the immediate option since this most likely requires a budget, time, and resources to implement before the deadline and I have seen approvals for projects take longer than that. This is the best option though since it only takes one system to get infected from a vulnerability to bring an enterprise down.

Look to moving your applications into the proper security zones in IE

I have worked with many customers who did not know how to manage security zones in IE (or even why it was important) and who opened their Internet zone up to enable their line-of-business apps/websites to run. I feel this is worse than any outdated ActiveX issue, since every bit of code on the web gets the same open access the LOB app did. I recommend that if you aren’t familiar with zones, make an effort to learn them and use them. Then look to moving your outdated application to a zone that allows it to run.

Temporarily block the IE update

If you manage your IE settings already and manage updates to your systems, you may have the ability to prevent the update from installing. While this is definitely a short term workaround, it would at least prevent the blocking aspect of the patch from taking effect until you have had time to implement a zones workaround or application upgrade. This is technically feasible but I have not tried it to verify.

Use a different browser

While I see this happening more and more because of other compatibility issues with IE, this is an option if you are dead set on keeping that old application and cannot move it to an appropriate security zone or manage it. This still may not be an option because many of those older apps were written to work with older versions of IE as well.

Whatever you choose, I wish you well in keeping your line-of-business apps working and hopefully this is a step from Microsoft towards a safer surfing experience for your users.
