SharePoint Code Analysis Framework 5 released

I’m not one to make a blatant product plug but I really like the SharePoint Code Analysis Framework tool and they’ve upped the ante on how effective it is for running QA on SharePoint code, including tests for SharePoint Apps.

What is the SPCAF tool?
A desktop program that evaluates SharePoint code, solutions, features, Apps etc. and  checks all XML, HTML, ASPX, CSS, JavaScript and also assembly code against the quality policies, calculates metrics, generates dependency graphs and builds an inventory report.

Features list here:

Grab it from:

WARNING: This tool can reveal flaws big and small in your SharePoint Solutions. Prepare for some soul-crushing issues to be discovered in your code that your previously considered beautiful.  Hearts may be broken but remember the phoenix always rises out of the ashes. SharePoint is hard, Dev is hard, SharePoint + Dev = well.. a grey hair or two should be expected. Tools like SPCAF help keep us in line with best practices.

You may find that some of the problems reported by SPCAF do not meet your operational engineering minimum standards for rectifying – in particular HTML, CSS, & JS validation is such a patchwork of standards & recommendations, automated validation reports need to be taken with a grain of salt.

Overall, I’ve found SPCAF to be a worthwhile exercise to run on any major chunk of new or updated SharePoint code.

New Features in v5

  • Analyzers
    • New analyzer for JavaScript code applies ca. 150 rules to .JS files in WSPs and Apps
    • New analyzer for SharePoint Apps with lots of rules, metrics, dependencies and inventory checks
  • Client application
    • Completely new client application to improve usability and functionality
    • New client application “Result Viewer” (separate download) to view analysis results without license
    • New settings editor application
  • Migration Assessment
    • New analyzers and reports to analyze WSPs and give recommendations for a transition to the App model
    • Free limited version available
  • Reporting
    • New format of HTML reports with filters, charts, sorting, grouping and many more
    • Extensibility with custom reports and report section
    • New reporting engine based on Razor to ease the creation of custom reports
    • New report type PDF

Can’t wait to try SPCAF? Get your trial now or update the SharePoint Code Analysis Framework already installed on your machine.

New Client Application

The new SPCAF client makes your code analysis even easier.

Just drop your WSP or App Packages in the center of the application and start the analysis or access your recent analysis results directly from the start screen.

Learn more

SPCAF Client

Better Analysis Dashboard

The new analysis dashboard shows you a 360° degree overview of Code Quality, Metrics, Dependencies and Inventory.

From there you can access the individual reports and download Word, PDF, XML or CSV reports to share them with team members.

Learn more

SPCAF Analysis Dashboard
SPCAF Analysis Dashboard

New dynamic reports

The new reports have a simple overview dashboard showing the key findings in a graphical presentation.

You can filter, sort and re-arrange the results and dig down deep into source code to find out what is inside your solution or app.

Learn more

SharePoint Code Quality Report


Code Quality Analysis HTML DOCX PDF XML CSV
Code Dependency Analysis HTML DOCX PDF XML CSV DGML
Code Migration Assessment HTML DOCX PDF XML

New SharePoint Code Migration Assessment Report

Full trust customizations are the main risk and cost driver for migrations to a newer SharePoint version or to Office 365. Without knowing what has been customized you cannot manage the transformation or elimination of custom code.

The new SharePoint Code Migration Assessment provides deep insight into your customizations and allows better effort estimations and risk mitigation.

Learn more

SharePoint Migration Assessment Report

New Analyzers for Apps and JavaScript

With the JavaScript and Apps becoming the only future-proof way of customizing SharePoint both on-premises and in the cloud many seasoned SharePoint developers are now facing a paradigm shift which requires them to adjust their skills.

With the new App and JavaScript analyzers, which contain already in this first release over 170 rules, developers can assure their code quality with SPCAF like they are used to for full-trust code.

Learn more

Documentation of JavaScript Rules

Try it!

Would you like to see these new features in action?

Get a trial and start getting your SharePoint Code under control! released to General Availability – Move your Source Control to the Cloud

Visual Studio Online is the fastest and easiest way yet to plan, build, and ship software across a variety of platforms. With Visual Studio Online, you can set up an environment for you or your team that includes everything from hosted Git repositories and project tracking tools, to continuous integration and an IDE, all packaged up in simple monthly plans. Get up and running in minutes on our cloud infrastructure without having to install or configure a single server.

Integrate with the Visual Studio platform to create your perfect development environment that you’ll love as much as your code. You can customize and extend the Visual Studio IDE or TFS using the comprehensive Visual Studio SDK, or connect with Visual Studio Online using our REST APIs.

Visual Studio Online:

Various TFS & Visual Studio Posts on my Blog:
CloudShare Explorer for Visual Studio 2012
Bing Code Search for C# – Visual Studio Extension
Visual Studio 2013 now available to MSDN Subscribers
Visual Studio 2012 or 2010 for SharePoint 2010 Development?
Visual Guide for Building Team Foundation Server 2012 Environments
PowerPoint Storyboarding with Visual Studio 2012
Rename Team Foundation Server 2010 Team Project
TFS Power Tools for Visual Studio
Cloud SharePoint for Developers : Office 365, Azure, Amazon AWS & CloudShare
Web Essentials 2012 – Visual Studio Extension
Microsoft All-In-One Code Framework new update is out
Syntax Formatting for PowerShell in Visual Studio 2010

Using the built-in Windows Problem Steps Recorder to document user woes

I’m re-introducing the Windows PSR (Problems Steps Recorder) as one of those cool tools we come across, get distracted, forget about, and then come back to as “wow that’s hot”.

Problem Steps Recorder (PSR.exe), is shipping on all builds of Windows 7, Windows 8, Windows 8.1, Windows 8.1.1, Windows Server 2008 R2, Windows Server 2012 & Windows Server 2012 R2. Unfortunately, there is no equivalent Microsoft provided program available for Windows Vista, Windows XP, or other Microsoft operating systems prior to Windows 7. This feature enables the collection of the actions performed by a user while encountering a crash or running through the things they are trying to do, so that we as Consultants, Developers, Support Technicians & Admins can figure out what exactly is going south.

To begin creating their documentation, the user would press the Start Record button.

They would then begin going through the steps that took them towards their question or problem. At any point during this process, they can press the Add Comment button to highlight a problem area and add comments. Once they are done, they click the Stop Record button. Once they stop recording, a Save As window appears letting them browse to the location they want to save the documentation. A zip file is created and saved to that location. Inside the zip file is a .mht file containing the documentation. You will need to use Internet Explorer to view the MHT file.

Opening the documentation will present the help desk, admin, or family tech guy with a step-by-step walkthrough of what the user did, complete with screenshots and any comments made by the user.

Click here for a sample of what the recorded output looks like:

In addition to the screenshots, at the bottom of the report file the PSR generates you’ll find a copy & pastable (plain text) output of the events, like the following:

Recording Session: ‎2014-‎05-‎29 7:35:48 PM – 7:36:51 PM

Recorded Steps: 4, Missed Steps: 3, Other Errors: 0

Operating System: 9600.17041.amd64fre.winblue_gdr.140305-1710

Step 1: User left click in “Sites – Internet Explorer”
Program: Internet Explorer, 11.00.9600.16384 (winblue_rtm.130821-1623), Microsoft Corporation, IEXPLORE.EXE  SCODEF:13064 CREDAT:1782837 /PREFETCH:2, IEXPLORE.EXE
UI Elements:

Step 2: User mouse wheel down in “Pages – Engineering – Internet Explorer”
Program: Internet Explorer, 11.00.9600.16384 (winblue_rtm.130821-1623), Microsoft Corporation, IEXPLORE.EXE  SCODEF:13064 CREDAT:1782837 /PREFETCH:2, IEXPLORE.EXE
UI Elements:

Step 3: User left click in “Pages – Engineering – Internet Explorer”
Program: Internet Explorer, 11.00.9600.16384 (winblue_rtm.130821-1623), Microsoft Corporation, IEXPLORE.EXE  SCODEF:13064 CREDAT:1782837 /PREFETCH:2, IEXPLORE.EXE
UI Elements:

Step 4: User Comment: “This is where it breaks”
UI Elements:

How to Use the PSR


  • When you record steps on your computer, anything you type will not be recorded. If what you type is an important part of recreating the problem you’re trying to solve, use the comment feature described below to highlight where the problem is occurring.

    Some programs, like a full-screen game, might not be captured accurately or might not provide useful details to a support professional.

To record and save steps on your computer

  1. Open Problem Steps Recorder by clicking the Start button, and then typing psr. In the list of results, click psr.

  2. Click Start Record. On your computer, go through the steps on your computer to reproduce the problem. You can pause the recording at any time, and then resume it later.

  3. Click Stop Record.

  4. In the Save As dialog box, type a name for the file, and then click Save (the file is saved with the .zip file name extension).

    To view the record of the steps you recorded, open the .zip file you just saved, and then double-click the file. The document will open in your browser.

To send the problem steps in e‑mail

  • After recording and saving a .zip file, click the help down arrow , and then click Send to E‑mail recipient. This will open an e‑mail message in your default e‑mail program with the last recorded file attached to it.


    • You won’t be able to click the Send to e‑mail recipient option until you’ve recorded and saved a file.

To annotate problem steps

  1. Open Problem Steps Recorder by clicking the Start button , and then typing psr. In the list of results, click psr.

  2. Click Start Record.

  3. When you want to add a comment, click Add Comment.

  4. Use your mouse to highlight the part of the screen that you want to comment on, type your text in the Highlight Problem and Comment box, and then click OK.

  5. Click Stop Record.

  6. In the Save As dialog box, type a name for the file, and then click Save.

    To view the record of the steps you recorded, open the .zip file you just saved, and then double-click the file. The document will open in your browser.

To adjust settings

When you adjust settings for Problem Steps Recorder, they’re only saved for your current session. After you close and reopen Problem Steps Recorder, it will return to the regular settings.

  1. Open Problem Steps Recorder by clicking the Start button , and then typing psr. In the list of results, click psr.

  2. Click the help down arrow , and then click Settings.
  3. You can change the following settings for Problem Steps Recorder:

    • Output Location. If you don’t want to be prompted to save a file after recording, click the Browse button to set a default output file name.

    • Enable screen capture. If you don’t want to capture the screen shots along with the click information, select No. This might be a consideration if you are taking screen shots of a program that contains personal information, such as bank statements, and you are sharing the screen shots with someone else.

    • Number of recent screen captures to store. While the default is 25 screens, you can increase or decrease the number of screen shots. Problem Steps Recorder only records the default number of screen shots. For example, if you took 30 screen shots during a recording but only had 25 screen shots as the default, you would be missing the first five screen shots. In this case, you would want to increase the number of default screen shots.

What about the other screenshot tool <X>?

As usual in software-type things, there’s more than one product around that does the same type of thing. For screenshots, even just in the Microsoft stack there’s:
OneNote Screen Clipping –
Office Screen Clipping –

On the general market, there’s:

I use the great SnagIt on a daily basis to make screenshots (just trying out version 12 this week myself) however, it’s more for us as Consultants to create content for consumption by others. The Problem Steps Recorder has the advantage over SnagIt for particular scenarios where you need the user to show you what’s going on:

– Free
– Built into most Windows environments you’ll encounter these days
– Can be run by end users with very little instruction
– Can be used on workstations where remote desktop’ing in isn’t available, performed autonomously by end users
– Handles all the screenshot’ing, layout, description of user interaction events
– Provides detailed descriptions of interaction events that would be otherwise time-consuming/difficult for a human to collect manually

Final Victory of the PSR

The final advantage I see in the PSR in general (as a troubleshooting tool), is a huge one:
By empowering the user to document their own grief, with their own mouse button and on their own time, you are creating a purer user story:

– they are not being influenced by weird remote desktop software running on their workstation
– they don’t have to worry that the visiting technician invading their desktop is going to discover what kinds of oddball websites they visit while poking around
– there’s less time constraints as the user can run this on their own time, again without someone breathing down their neck
– there’s less chance of their user story being tainted as there’s no one coaching them, directly or indirectly


Store Office 365 User Credentials in Windows Credential Manager

I was recently tooling up to build a WinForm’s application that uploads documents from the end users desktop to their Office 365 SharePoint team site. I found a great set of building blocks to model off of with the awesome SharePoint Client Browser for SharePoint 2010 and 2013 code base.

SPCB2013 - Main Screen - v1_3

In a nutshell, it’s a treeview inside of a split panel, that enumerates pretty much all the elements that constitute SharePoint at the site collection level. It includes the Microsoft.SharePoint.Client DLL’s which take care of the bulk of operations for communicating with the remote SharePoint, be it on-prem or Office 365. It also includes tooling to be able to execute PowerShell against the remote SharePoint instance.

So we now we have a desktop platform to build custom functionality against. Any good App should be easy to use and minimize interaction required – to that end, I wasn’t quite happy with the “stickiness” of the login on the SharePoint Client Browser project. I wanted a way to securely stash the username and password so that the user wouldn’t have to input the password every time.

Where’s the place where Outlook, Lync, Internet Explorer and more store user credentials? It’s the Windows Credential Manager – accessible from the Windows Control Panel, this system provides a secure persistent store for username + passwords.

“Credential Manager allows you to store credentials, such as user names and passwords that you use to log on to websites or other computers on a network. By storing your credentials, Windows can automatically log you on to websites or other computers. Credentials are saved in special folders on your computer called vaults. Windows and programs (such as web browsers) can securely give the credentials in the vaults to other computers and websites.”

Once again, Codeplex makin’ me look good – after a fair chunk of research I wound up back at Codeplex with the following project: Credential Management. CredentialManagement is a free, open source library that can be utilized to help the application manage storing and retrieving of user credentials using the Windows Credential Management API.

The main problem this project solves is that the handles to get into the Windows Credential Manager are C++. Ouch.. so, it take’s care of this little friction point for us by wiring in some Windows Interop stuff, the guts of which can be seen in the NativeMethods.cs file in that project.

So, let’s get into mashing this sucker into our Office 365 desktop client app.

Part 1 – Build CredentialManagement.dll and add it to your SharePoint Client Browser

1. Download the SharePoint Client Browser project source code, garnish to taste. Customize freely to suit your use but try not to mess with the authentication steps too much or it will be harder to use the following steps to integrate the CredentialManager code.
2. Download the CredentialManager project source code
3. Open the CredentialManager project in Visual Studio and make sure it’s in Release mode instead of Debug (you always check this before publishing anyhow, right?) and Build it:
4. Go to the /Bin/Release folder for the project and grab the CredentialManager.dll. Transplant it into your active SharePoint Client Browser visual studio project and add it as a Reference:

Now it’s time to get out the wrench and do some plumbing.

Part 2 – Add CredentialManagement functions into the SharePoint Client Browser

While the SharePoint Client Browser has some discussions and collateral on the Codeplex pages, the CredentialManagement project is bare bones and not documented in any form. The following sections should serve to give you enough insight into it’s workings so that you can save some time integrating it into this or any other project where you’d like to be able to store and retrieve user credentials from the Windows Credential Manager.

1. In the SharePoint Client Browser project, open the SiteAuth.cs file, ensure you have the correct Using’s, and add the following four functions:

using Microsoft.SharePoint.Client;
using SPBrowser.Extentions;
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net;
using System.Security;
using System.Text;
using System.Xml.Serialization;
using SPClient = Microsoft.SharePoint.Client;
using CredentialManagement;

//Begin Credential Manager functions
        public static string GetUsername(string strUrlAsString)
            var cm = new Credential { Target = strUrlAsString };
            if (!cm.Exists())
                return null;

            string un = cm.Username.ToString();
            return un;

        public static string GetPassword(string strUrlAsString)
            var cm = new Credential { Target = strUrlAsString };
            if (!cm.Exists())
                return null;

            string up = cm.Password.ToString();
            return up;

        public static bool SetCredentials(string strUrlAsString, string strUsername, string strPassword)
            var cm = new Credential { Target = strUrlAsString, PersistanceType = PersistanceType.Enterprise, Username = strUsername, Password = strPassword };
            return cm.Save();

        public static void RemoveCredentials(string strUrlAsString)
            var cm = new Credential { Target = strUrlAsString };
        //End Credential Manager functions

2. That’s it for that portion – you can choose the details around how you want to store the credentials. In my case, I added a checkbox for “Save my credentials” and that triggers whether to fire the SetCredentials function based on the user login prompt info filled in. After that, the user credentials are visible in the Windows Credential Manager:

Part 3 – Open and populate the Login Form when the App opens

We want to pre-populate the login form with the recently saved credentials when the program opens.

1. To this end, go to MainBrowser.cs in the SharePoint Client Browser project, and modify the relevant functions to match below (note I stripped out the program update checking stuff that was present):

        private void MainBrowser_Shown(object sender, EventArgs e)
            // try to login via via recent sites
        private void LoadRecentSites()
                var cm = new Credential { Target = Constants.ROOT_SITE_COLLECTION };
                if (cm.Exists())
                    ClearSavedAccountToolStripMenuItem.Enabled = true;
            catch (System.Exception ex)
                MessageBox.Show(ex.Message, this.Text, MessageBoxButtons.OK, MessageBoxIcon.Error);
                richTextBoxLog.Text = string.Format("{0}{1} {2}", richTextBoxLog.Text, Environment.NewLine, ex.Message);
                radLabelElementStatus.Text = ex.Message;

2. In the SharePoint Client Browser file AddSite.cs, add/modify the following to achieve the effect of pre-populating the Username & Password fields from the Windows Credential Manager cred’s stored for that URL:

public AddSite(SiteAuth site)
                tbSiteUrl.Text = site.UrlAsString;
                var cm = new CredentialManagement.Credential { Target = tbSiteUrl.Text };
                if (cm.Exists())
                    string strUsername = SPBrowser.SiteAuth.GetUsername(tbSiteUrl.Text);
                    tbUsername.Text = strUsername;
                    string strPassword = SPBrowser.SiteAuth.GetPassword(tbSiteUrl.Text);
                    tbPassword.Text = strPassword;

                tbSiteUrl.Enabled = false;
                cbAuthentication.Enabled = false;
                cbAuthentication.SelectedIndex = (int)site.Authentication;

                if (tbUsername.Text.Length > 0)
            catch (Exception ex)
                MessageBox.Show(ex.Message, this.Text, MessageBoxButtons.OK, MessageBoxIcon.Error);

Part 4 – Give the user the ability to clear their credentials from the App

Finally, you may want to give users the ability to proactively clear their credentials from the Windows Credential store with a push button or such. In my case, I added a “Clear Saved Account” menu option.

Here is what I made up for that click function:

private void ClearSavedAccountToolStripMenuItem_Click(object sender, EventArgs e)
                // Remove from global site collection list
                SiteAuth site = Globals.SiteCollections.SingleOrDefault(s => s.Url.OriginalString.Equals(((SPClient.Site)_selectedContextMenuNode.Tag).Url, StringComparison.InvariantCultureIgnoreCase));
            catch (System.Exception ex)
                richTextBoxLog.Text = ex.Message;
                MessageBox.Show(this, "Saved Account Credentials have been cleared from Windows Credential Manager", "Clear Saved Account", MessageBoxButtons.OK, MessageIcon.None);
                ClearSavedAccountToolStripMenuItem.Enabled = false;
                lblElementStatus.Text = "Saved Account Credentials have been cleared from Windows Credential Manager";

Part 5 – Reference Windows Credentials to pull up the SharePoint Client Context

You will probably be wanting to execute calls with the SharePoint Client to accomplish different tasks. In the example below, we are looking up a list named “Contacts” in the Office 365 project site, binding it as datasource and wiring up the datasource to a datagrid (in this case, a Telerik RadGrid, but any old .NET datagrid would work too):

Microsoft.SharePoint.Client.ClientContext clientContext = new Microsoft.SharePoint.Client.ClientContext(siteUrl);
                string strSecPassword = SiteAuth.GetPassword(Constants.ROOT_SITE_COLLECTION);

                System.Security.SecureString passWord = new System.Security.SecureString();
                foreach (char c in strSecPassword.ToCharArray()) passWord.AppendChar(c);

                Microsoft.SharePoint.Client.SharePointOnlineCredentials Creds = new Microsoft.SharePoint.Client.SharePointOnlineCredentials(SiteAuth.GetUsername(Constants.ROOT_SITE_COLLECTION), passWord);
                clientContext.Credentials = Creds;

                Microsoft.SharePoint.Client.List oList = clientContext.Web.Lists.GetByTitle("Contacts");

                Microsoft.SharePoint.Client.CamlQuery camlQuery = new Microsoft.SharePoint.Client.CamlQuery();
                camlQuery.ViewXml = "<View><RowLimit>100</RowLimit></View>";
                Microsoft.SharePoint.Client.ListItemCollection collListItem = oList.GetItems(camlQuery);



                System.Data.DataTable table;
                table = new System.Data.DataTable();
                table.Columns.Add("Select", typeof(bool));
                table.Columns.Add("Email Address", typeof(string));
                table.Columns.Add("First Name", typeof(string));
                table.Columns.Add("Last Name", typeof(string));
                System.Data.DataRow row;

                foreach (Microsoft.SharePoint.Client.ListItem oListItem in collListItem)
                    row = table.Rows.Add();
                    row["Select"] = oListItem["IsDefault"];
                    row["Email Address"] = oListItem["Email"];
                    row["First Name"] = oListItem["FirstName"];
                    row["Last Name"] = oListItem["Title"];

                radGridViewContacts.DataSource = table.DefaultView; 

The result of this one, a grid bound to your SharePoint list (with a select checkbox column added):


The Windows Credential Manager is the central store for desktop creds. As more and more people get on board with Office 365, desktop Apps that use functionality like the SharePoint Client Browser will become more and more in demand. WinForm’s are going to be around for a while yet – but next generation of this would be of course be to leverage the Windows Credential Manager in a Windows 8 App. To this end, you can use the much simpler WinRT Password Vault functionality that’s available in Windows 8.

CloudShare Explorer for Visual Studio 2012

For those who don’t know about – it’s a subscription-paid virtual server hosting environment along the lines of Amazon EC2 or Azure, which has a key twist: it provides pre-configured virtual machines that specifically focus on SharePoint and related technologies. We use it for development at itgroove when we need to do high-level development, as a complement to local Hyper-V development images.

I finally took their CloudShare Explorer extension for Visual Studio 2012 for a spin – it’s pretty sweet:

Allow developers to spend more time coding and less time thinking about the tools they use. The CloudShare Explorer allows developers to access CloudShare development and testing environments without leaving Visual Studio. With CloudShare Explorer for Visual Studio, you can easily create and access your cloud-based labs.

•Complete list of your CloudShare environments in the CloudShare Explorer tab. The list is continuously updated with the status of the environments.
•Full screen remote access to the CloudShare machines with just a click of a mouse.
•Resume your lab environments.
•Revert the environment, or a specific machine, to the latest snapshot (only works with a CloudShare TeamLabs account).
•Web access to your lab web servers within Visual Studio.
•Add a machine to an environment (only works with a CloudShare TeamLabs account).
•Delete a machine in an environment (only works with a CloudShare TeamLabs account).
•Prevent CloudShare environments from being suspended if the user is still working on them.
•Highly customizable – you can turn on / off most of the functionality of the plugin as needed

Config Steps:

Download for Visual Studio 2013

Step 1: Download and install the Visual Studio Extension

Step 2: Login to the CloudShare website and Generate your API Credentials under My Account > API Credentials


Step 3: Add your API Credentials into the CloudShare Explorer interface in Visual Studio:

Step 4: That’s it! You can now work with your CloudShare environments directly in Visual Studio!
2014-01-20 8-47-41 AM

Developing Microsoft SharePoint Server 2013 Core Solutions video online now

11-8-2013 6-39-49 PM Are you a developer for the Microsoft platform, interested in helping your organization collaborate and manage workflow using SharePoint solutions? Take this course to learn the core skills common to most SharePoint development activities. Find out how to work with backend data and front end user interfaces and security. You’ll get some guidelines and best practices that will help you optimize your SharePoint applications. You’ll see some cool demos that will show you how to create an app, deploy it to a catalog, and install it. And you’ll see workflows inside the dramatically enhanced SharePoint Designer. This Jump Start will help you prepare for Exam 70-488.

Instructors | Chris Johnson – General Manager, Provoke Solutions Inc.; Consultant; Christopher Harrison – Microsoft Certified Trainer

Related Exam(s) | 70-488: Developing Microsoft SharePoint® Server 2013 Core Solutions Associated Course(s) | 20488: Developing Microsoft SharePoint® Server 2013 Core Solutions

Go to the page linked below and sign up for a free MVA (Microsoft Virtual Academy) account and get started:

11-8-2013 6-36-27 PM

Symptoms of Pathological Science & Technical Problem Solving

Irving Langmuir had an interesting career in science. He made countless discoveries an inventions including the diffusion pump, atomic hydrogen welding, submarine detection devices and the gas-filled incandescent light bulb, and even coined the word “plasma”. What is really interesting for me, however, is that in 1953 he coined the term “pathological science“, describing research conducted with accordance to the scientific method, but tainted by unconscious bias or subjective effects. This is in contrast to pseudoscience, which has no pretense of following the scientific method. In his original speech, he presented ESP and flying saucers as examples of pathological science; since then, the label has been applied to polywater and cold fusion.

As a side-effect of all his right-on inventions and amazing science, he also excelled at keeping an eye open for scientists who had unconsciously broken with the scientific methodology. Langmuir described it as “These are cases where even when no dishonesty was involved, people were tricked into false results by a lack of understanding about what human beings can do to themselves in the way of being led astray by subjective effects, wishful thinking, or threshold interactions.”

He did a lecture in 1954  where he proposed a list of “symptoms of pathological science”:

1. The maximum effect that is observed is produced by a causative agent of barely detectable intensity, and the magnitude of the effect is substantially independent of the intensity of the cause.
2. The effect is of a magnitude that remains close to the limit of detectability; or, many measurements are necessary because of the very low statistical significance of the results.
3. Claims of great accuracy.
4. Fantastic theories contrary to experience.
5. Criticisms are met by ad hoc excuses thought up on the spur of the moment.
6. Ratio of supporters to critics rises up to somewhere near 50% and then falls gradually to oblivion.

Now what does this have to do with us techies? Coming into a typical SharePoint, IIS, ASP .NET or indeed any other technical issue with many actors and moving parts, I find that the notion of pathological science is really something to watch out for. There are a few key risky neighbourhoods around some of the harder IT issues when they involve parachuting in to a lot of unknowns.

A major contributor to pathological science in the IT realm these days is, in my opinion, the “Let me Google/Bing that for you” effect – As far as I can tell, the world did not go off it’s axis when Google went globally down for a period. Global internet traffic dipped a bit, some people might have been induced to try an alternate approach or go take a break.

Although it’s a bit cynical to paint search engines with a broad brush as they give so much information out freely, there are schools of  thought that propose search engines make people dumber. 🙂  At the least, people such as, let’s say, Irving Langmuir, managed to crank out stunning inventions without such aids.

In the Microsoft world there are generally enough technical documents, forums, blogs, snippets and personal experiences that one can rapidly use a search engine to zero in on “a” fix for a particular symptom, but the problem is that these channels need to be vetted to exclude all the following critical factors as complications:

– software versions
– software interdependencies
– personal opinions
– known bugs
– unknown bugs
– known unknown bugs
– hardware
– networking
– OS
– End user or external system interaction patterns
– .. and so forth.

When trying to isolate a cause for these types of issues, it’s important to stick to the patterns of these old school science greats. While things these days in the IT sector may be almost childlike in comparison to what these scientists dreamed up in their heads with no acronyms or decades of progress to back them up, the silo’s of logic that we have created around modern code mask huge underlying complexities. The problems we encounter daily normally are not so simple in that we have a square peg and are trying to fit it in a round hole- it’s that we have a bunch of pegs of various diameters, many of which will fit the pattern despite not being a true fit for the problem.

The cure for having many “so-so” answers to an issue and no definitive “right” answer is to fall back on experience, reason, and research and peer review.

Oh and what became of Irving Langmuir? Well, he went on in his latter career to pitch the concept of controlling weather via cloud seeding, so that humans could spawn rain clouds and such- with huge potential for agriculture and of course military uses. Unfortunately, he wanted to believe his weather spawning solution worked so much, he became an ironic victim of his own Pathological Science.

“Utilizing his own criteria for pathology, Langmuirʼs claims for cloud seeding qualified on several counts: they rested on observations close to the threshold of detectability, on apparently meaningful patterns generated in field trials; on the inability of critics to reproduce the experiments; on the intervention of the courts, legislature, and the press; and on overreliance on the credentials of a Nobel laureate rather than proof.”

In essence, despite knowing better, he pursued the result instead of getting a result from pursuit. I think this is something that all of us involved in IT can keep in mind in our daily problem solving.

SharePoint Hire Interview Question Matrix



Hiring staff in a highly specialized technical field such as SharePoint can rapidly turn into an inconsistent & time-consuming (expensive) affair, if you don’t have the right system in place. Selecting the right candidate for a SharePoint job from a pool of applicants with largely similar backgrounds & CV’s can be daunting – SharePoint encompasses, even by IT hiring standards, a huge body of knowledge and experience.

Think of all the expense & effort involved with bringing on a new SharePoint hire into your team: onboarding, setting up benefits, training, team familiarization, meetings, etc. Now imagine having to burn up all of that, if you make a less than perfect hiring decision! You stand to risk your company reputation, team trust, customer satisfaction, and so on. Most prominently, you would be right back where you started – looking for a great SharePoint expert for your team.

So What

Failure to properly screen your SharePoint hire applicants can lead to big trouble when it come’s time for them to be effective in their jobs. Once you get through all the standard HR practices & processes, the question remains: “Is this guy/gal really a SharePoint pro?”. To help determine that, an extremely effective screening method is a series of technical questions combined with a scoring system.

Now What

OPTION A- Hire itgroove’s SharePoint MVP’s to perform your interviews for you.

OPTION B- Purchase and download the SharePoint Hire Interview Question Matrix Excel Workbook for only $40. The itgroove SharePoint Hire Interview Question Matrix Excel Workbook is composed of two Worksheets:

1. Questions Scorecard
This Excel Worksheet contains 56 carefully researched, in-depth SharePoint Hiring Questions, composed from real world experience of itgroove’s 3 SharePoint MVP’s. These questions are divided into the following categories:
– General SharePoint Knowledge
– SharePoint 2010 IT Pro
– SharePoint Development
– SharePoint 2013

A Score column is used to rate your Job Applicant’s response to the questions.

All questions include a detailed answer and background explanation for the answer – you don’t necessarily need to be a SharePoint guru yourself in order to effectively grade someone with this worksheet!

2. Personal Scorecard
The Personal Scorecard Worksheet incorporates a detailed scoring formula that rates your potential hire by the following traits:
– Amount and Quality of relevant experience
– Communication Skills in Interview
– Technical Skills Level
– Enthusiasm
– Overall Fit/Suitability for Role
– Educational Qualifications
– Evidence of Research into our Company

The general interview results for these traits are entered into the Worksheet so that an overall grade for the Candidate can be achieved. This grade can then be stacked up against all your other interviewee’s results, to enable quick & fair qualification of who is most suitable for the job position.

Buy Now on the itgroove Store

SharePoint Interview Questions

The History of Programming Languages

Programming languages enable users to write programs for specific computations/algorithms.

    • 1843: Ada Lovelace credited with first computer programming language; wrote an algorithm for the Analytical Engine (early mechanical computer)
    • There are 1.2M+ computer programmers and software developers in the US

Infographic by Veracode Application Security

The TIOBE index: An indicator of the popularity of various languages, based upon global numbers of engineers, courses, and third-party vendor

2013 TIOBE Index

Position Jan 2013 Position Jan 2012 Delta in Position Programming Language Ratings Jan 2013 Delta Jan 2012 Status
1 2 Up C 17.855% +.089% A
2 1 Down Java 17.417% -0.05% A
3 5 Very Up Objective-C 10.283% +3.37% A
4 4 Same C++ 9.140% +1.09% A
5 3 Very Down C# 6.196% -2.57% A
6 6 Same PHP 5.546% -0.16% A
7 7 Same Visual Basic 4.749% +0.23% A
8 8 Same Python 4.173% +0.96% A
9 9 Same Perl 2.264% -0.50% A
10 10 Same JavaScript 1.976% -0.34% A
See Source 5

The History and Influence of Programming Languages

1957 – Fortran (short for “The IBM Mathematical Formula Translating System”) General-purpose, high-level. For numeric and scientific computing (as an alternative to assembly language). Oldest programming language still used today.

  • Creator: John Backus of IBM
  • Primary Uses: Supercomputing applications (i.e. weather and climate modeling, animal and plant breeding, computational science functions)
  • Used By: NASA

1958 – Lisp (short for “List Processor”) High-level. For mathematical notation. Several new computer science topics: tree data structures, automatic storage management, dynamic typing, and self-hosting compilers

  • Creator: John McCarthy of MIT
  • Primary Uses: AL development, air defense systems
  • Used By: Etsy uses Clojure, a dialect of Lisp

1959 – Cobol (short for “Common Business-Oriented Language) High-level. Primarily for business computing. First programming language to be mandated by the US Department of Defense.

  • Creator: Short Range Committee (SRC)
  • Primary Uses: Business software (esp. finance and administration systems, but also banks, insurance agencies, governments, military agencies)
  • Used By: Credit cards, ATMs
  • *Fun Fact Action movie The Terminator used samples of Cobol source code for the text shown in the Terminator’s vision display.

1964 – BASIC (acronym for “Beginner’s All-purpose Symbolic Instruction Code”) General-purpose, high-level. Designed for simplicity. Popularity exploded in the mid-‘70s with home computers; early computer games were often written in Basic, including Mike Mayfield’s Star Trek.

  • Creator: John George Kenny and Thomas Eugene Kurtz of Dartmouth (SRC)
  • Primary Uses: Home computers, simple games, programs, utilities
  • Used By: Microsoft’s Altair BASIC, Apple II

1970 – Pascal (after French mathematician/physicist Blaise Pascal) High-level. For teaching structured programming and data structuring. Commercial versions widely used throughout the ‘80s.

  • Creator: Niklaus Wirth
  • Primary Uses: Teaching programming. Also – Object Pascal, a derivative, is commonly used for Windows application development
  • Used By: Apple Lisa (1983), Skype

1972 – C (based on an earlier language called “B”) General-purpose, low-level. Created for Unix systems. Currently the world’s most popular programming language.2  Many leading languages are derivatives, including C#, Java, JavaScript, Perl, PHP, and Python.

  • Creator: Dennis Ritchie of Bell Labs
  • Primary Uses: Cross-platform programming, system programming, Unix programming, computer game development
  • Used By: Unix

1980 – Ada (After Ada Lovelace, inventor of the first programming language) High-level. Derived from Pascal. Contracted by the US Department of Defense in 1977 for developing large software systems.

  • Creator: Jean Ichbiah
  • Primary Uses: Dept. of Defense, banking, manufacturing, transportation, commercial aviation
  • Used By: NSTAR, Reuters, NASA, subways worldwide

1983 – C++ (formerly “C with Classes”; ++ is the increment operator in “C”) Intermediate-level, object-oriented. An extension of C, with enhancements such as classes, virtual functions, and templates.

  • Creator: Bjarne Stroustrup
  • Primary Uses: Commercial application development, embedded software, server/client applications, video games
  • Used By: Adobe, Google Chrome, Mozilla Firefox, Microsoft Internet Explorer

1983 – Objective-C (object-oriented extension of “C”) General-purpose, high-level. Expanded on C, adding message-passing functionality based on Smalltalk language.

  • Creator: Brad Cox and Tom Love of Stepstone
  • Primary Uses: Apple programming
  • Used By: Apple’s OS X and iOS operating systems

1987 – Perl (a language named “PEARL” already existed, so “Pearl” wasn’t an option…) General-purpose, high-level. Created for report processing on Unix systems. Today it’s known for high power and versatility.

  • Creator: Larry Wall of Unisys
  • Primary Uses: CGI, database applications, system administration, network programming, graphics programming
  • Used By: IMDb, Amazon, Priceline, Ticketmaster

1991 – Python (for British comedy troupe Monty Python – tutorials, sample code, and instructions often reference them) General-purpose, high-level. Created to support a variety of programming styles and be fun to use.

  • Creator: Guido Van Rossum of CWI
  • Primary Uses: Web application, software development, information security
  • Used By: Google, Yahoo, Spotify

1993 – Ruby (the birthstone of one of the creator’s collaborator) General-purpose, high-level. A teaching language influence by Perl, Ada, Lisp, Smalltalk, etc. Designed for productive and enjoyable programming.

  • Creator: Yukihiro Matsumoto
  • Primary Uses: Web application development, Ruby on Rails
  • Used By: Twitter, Hulu, Groupon

1995 – Java (for the amount of coffee consumed while developing the language) General-purpose, high-level. Made for an interactive TV project. Cross-platform functionality. Second most popular language (behind C).2

  • Creator: James Gosling of Microsystems
  • Primary Uses: Network programming, web application development, software development, Graphical User Interface development
  • Used By: Android OS/apps

1995 – PHP (“Personal Home Page”) Open-source, general-purpose. For building dynamic web pages. Most widely used open-source software by enterprises.

  • Creator: Rasmus Lerdorf
  • Primary Uses: Building/maintaining dynamic web pages, server-side development
  • Used By: Facebook, Wikipedia, Digg, WordPress, Joomla

1995 – JavaScript (final choice after “Mocha” and “LiveScript” High-level. Created to extend web page functionality. Dynamic web pages use for form submission/validation, interactivity, animations, user activity tracking, etc.

  • Creator: Brendan Eich of Netscape
  • Primary Uses: Dynamic web development, PDF documents, web browsers, desktop widgets
  • Used By: Gmail, Adobe Photoshop, Mozilla Firefox

Vulnerability Distribution on First Submission by Language

Java Rating .NET Rating C/C++ Rating
Code Quality 86% Cytographical Issues 78% Error Handling 87%
Cyptographical Issues 73% Code Quality 75% Buffer Overflow 75%
Directory Traversal 73% Directory Traversal 65% Buffer Management Errors 74%
CRLF Injection 71% Information Leakage 61% Numeric Errors 74%
Information Leakage 56% Time and State 46% Cyptographic Issues 66%
Time and State 56% Cross-site Scripting (XSS) 43% Directory Traversal 55%
Insufficient Input Validation 54% CRLF Injection 41% Dangerous Functions 51%
Cross-site Scripting (XSS) 49% Insufficient Input Validation 34% Time and State 44%
Credentials Management 44% SQL Injection 32% Code Quality 40%
API Abuse 42% OS Command Injection 23% Untrusted Search Path 27%
SQL Injection 41% Credentials Management 19% Format String 24%
Encapsulation 26% Untrusted Search Path 18% Race Conditions 23%
Session Fixation 25% Error Handling 18% OS Command Injection 20%
OS Command Injection 21% Buffer Management Errors 6% API Abuse 13%
Race Conditions 18% Buffer Overflow 6% Information Leakage 11%

Takeaways from the Above Table:

  • CRLF highly prevalent in Java but less so in .NET languages; doesn’t rank for C/C++
  • SQL Injection and Cross Site Scripting fairly prevalent in Java and .NET
  • Code Quality vulnerabilities very likely to occur in Java and .NET languages, less so in C/C++
  • Cryptographic issues and Directory Traversal in the Top Six for each family
  • Error Handling and Buffer Overflow common in C/C++ but much less in .NET; not ranked in Java

While Certain Values are more prevalent in some languages, producing secure code ultimately depends on secure development processes rather than which language is used.

Nine Tips for Secure Programming

  1. Always check for OWASP Top Ten vulnerabilities
  2. Ensure that sensitive data is properly encoded and encrypted
  3. Use access control and permissions to protect resources and limit application/user capabilities
  4. Validate all input and output
  5. Write code that is capable of handling exceptions (errors) securely
  6. Write code that is free of hardcoded credentials or cryptographic keys
  7. Use passwords and session management practices to verify users
  8. Store data securely
  9. Implement comprehensive yet realistic security policies



Claims Based Authentication in SharePoint 2013, SharePoint 2010 and SharePoint Online

What is SharePoint Claims Authentication?

The claims-based identity is an identity model in Microsoft SharePoint that includes features such as authentication across users of Windows-based systems and systems that are not Windows-based, multiple authentication types, stronger real-time authentication, a wider set of principal types, and delegation of user identity between applications.

Claims-based identity is based on the user obtaining a security token that is digitally signed by a commonly trusted identity provider and contains a set of claims. Each claim represents a specific item of data about the user such as his or her name, group memberships, and role on the network. Claims-based authentication is user authentication that utilizes claims-based identity technologies and infrastructure. Applications that support claims-based authentication obtain the security token from the user and use the information within the claims to determine access to resources. No separate query to a directory service like Active Directory is needed.

In a simple analogy:

You check in at the Airport (Authentication)
– present credentials (Passport)
– credentials are validated by security guard

You receive a boarding pass (Signed Claims)
– Seat, Frequent Flyer, Gate etc.

Think of a claim as a piece of identity information (for example, name, e-mail address, age, or membership in the Sales role). The more claims your application receives, the more you know about your user. These are called “claims” rather than “attributes,” as is commonly used in describing enterprise directories, because of the delivery method. In this model, your application does not look up user attributes in a directory. Instead, the user delivers claims to your application, and your application examines them. Each claim is made by an issuer, and you trust the claim only as much as you trust the issuer. For example, you trust a claim made by your company’s domain controller more than you trust a claim made by the user.

Claims-based authentication in Windows is built on Windows Identity Foundation (WIF), which was formerly known as the Security Token Service, or STS. Many areas of SharePoint still refer to the name STS so it’s important to understand that it and WIF are one in the same. The Security Token Service comes pre-baked into the standard SharePoint 2010 install:

The Security Token Service Application in Central Administration:

The Security Token Service Application in IIS:

WIF is a set of .NET Framework classes that is used to implement claims-based identity. Claims-based authentication relies on standards such as WS-Federation, WS-Trust, and protocols such as SAML.

Microsoft recommends Claims-based authentication as the preferred provider to use on fresh SharePoint 2010 installs. You can configure this on a per-Web Application basis in SharePoint via the following dialog in Central Admin > Web Applications > Manage Web Applications > Ribbon Bar – New

If you select Classic-Mode Authentication, you configure the Web application to use Windows authentication and the user accounts are treated by SharePoint Server 2010 as Active Directory Domain Services (AD DS) accounts.

If you select Claims-Based Authentication, SharePoint Server automatically changes all user accounts to claims identities, resulting in a claims token for each user. The claims token contains the claims pertaining to the user. Windows accounts are converted into Windows claims. Forms-based membership users are transformed into forms-based authentication claims. Claims that are included in SAML-based tokens can be used by SharePoint. Additionally, SharePoint developers and administrators can augment user tokens with additional claims. For example, Windows user accounts and forms-based accounts can be augmented with additional claims that are used by SharePoint Server 2010.

Claims Based Authentication (Tokens) Classic Mode Authentication
-Windows Authentication: NTLM/Kerberos, Basic-Forms-based Authentication (ASP.NET Membership provider and Role Manager)
-Trusted Identity Providers-Custom Sign-in page
-Windows Authentication (NTLM/Kerberos) only

*Both map authenticated users to the same SPUser object (security principles)

What does Claims look like/feel like?

The core process of Claims is illustrated as follows:

The core currency of Claims is the identity token.



i = Identity Claim all other claims will use “c” as opposed to “i”
: = Colon separator
0 = Reserved to support future Claims
#/? = Claim Type Encoded Value. The out of the box claim types will have a hardcoded encoded value, this will enable parity across farms.
E.g. Key: ? Value:

           Key: # Value:

./0 = Claim Value Type. The out of the box claim value types will have a hardcoded encoded value, this will enable parity across farms.

            E.g. Key: . Value: urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name

            Key: 0 Value:

w/m/r/t/p/s = Original Issuer Type -> w = windows, m = membership, r = role, t = trusted STS, p = personal card, s= local sts claim

Why do I want to use Claims?

1. Decouples Authentication logic from Authorization and Personalization logic – this means speed and flexibility
2. Provides a common way for applications to acquire the identity information the need about users
3. Cloud-ready – lays the foundation to be able to Authenticate against Azure, Facebook, Google, Windows Live ID etc.
4. Federation – Partner networks, business to business, subsidiaries can all interact in the same sphere of authentication, cross machine and cross-farm
5. Supports existing identity infrastructure (Active Directory, LDAP, SQL, WebSSO etc.)
6. Standards-based and interoperable

Bonus Prize:
7. In SP 2010 we can have a single Web Application configured to use multiple authentication types which allows different auth types to be served from one URL:

Claims Gotchas

General issues for all Claims implementations
– Search crawler requires NTLM in the zone it uses
– Office Client Integration (2007 SP2+, 2010 are minimum requirements in order to maintain Client integration e.g. fluid editing of Word Document)
– SharePoint Designer does not support working with Claims Enabled Endpoints for Web Services

Migration issues when moving from Classic to Claims
– When upgrading from Classic to Claims, you will need to migrate users and Test & re-work customizations (Web parts, workflows etc.)
– After you move to Windows claims, you cannot go back to Windows classic. Ensure that you have good backups before you start and try your migration in a lab first before moving into production.
– Existing alerts may not fire, if this occurs the only workaround may be to delete and recreate the alerts
– Search crawl may not function, double-check the web application policies and ensure that the search crawl account shows the new converted account name. If it does not, you must manually create a new policy for the crawl account.


Configure Forms-based Authentication for a Claims-based Web Application
Configure the Security Token Service

SharePoint and Claims-based Identity

A Guide to Claims-based Identity and Access Control

SharePoint Server 2010 IT Professional Evaluation Guide

Plan Authentication Methods (SharePoint Server 2010) on TechNet

Claims-Based identity with Windows

Claims to Windows Token Service Overview (MSDN)
Claims Based Authentication in SharePoint 2010
Friends don’t Let Friends Use Claims Based Authentication