Azure Functions & DLL hell reborn

Part of the project I am engaged with involves developing Azure Functions.  The dev team have created a single function and have it working perfectly triggering every 10 minutes during the day.  It is for the processing of surveys that are being managed by our system but have connectors into various survey platforms.

I was asked to create a new process that would interrogate the Verint API and look for new surveys that have certain properties so that they could be automatically added to our system for automated extraction and analysis.

As this was a specific requirement that came from a single customer, I decided that it was best not to alter our generic code that was already developed and working, but rather stand up a new process that will handle the specific need.  I chose to also implement an Azure Function (timer job).

As the API for adding surveys to our system was not yet delivered (coming in the next phase), I needed to implement the code that would insert the data into the database myself.  Rather than re-invent the wheel, I copied the relevant projects from the source code and included them in my separate solution.  I deployed the function into the same function app as the other one and all worked well.

However during a demo it transpired that the original function was not executing and throwing errors about missing types.  So we redeployed the original function and it started working.  Then my new function stopped working…

After a bit of inspection and thought we realised that the problem was with the project that I had copied as it produced a dll with the same name but obviously not the same signature.  It was at that point that we realised that the functions are loaded into the same place within the function app and are not isolated at all.


Best practice would dictate that all functions for a function app should be contained in the same solution – this makes sense as then there will never be any conflicts like this.  However, care should be taken between functions that they do not step on each other’s toes so to speak as they share a common file space and could influence each other.

If functions must be in separate solutions, then minimise the amount of dependant dlls you have, ensure your NuGet dependencies are at a compatible level and test, test, test!

Material design update 2.0.0-beta.2

So I was happily coding away making changes to my test site where I am learning more about the capabilities of Angular 2 when all of a sudden my automated deployment to Azure gave me a broken page.

The error in the console was:

md-input-container must contain an mdInput directive. 
Did you forget to add mdInput to the native input or textarea element?

This is thought was a bit strange as it was working fine locally on both Mac and PC, but on Azure it was giving me this error.  So I deployed an older build and everything was good again.

The area of concern was this:

   <input md-input type="text" class="home-input" id="name" placeholder="name"
       [(ngModel)]="postcode" name="postcode" />

After a little digging I found that my CI build on Azure was getting the latest for material2 and therefore was a victim of the latest updates in beta.2:

Breaking changes from beta.1

There are many changes in there and I was a victim of only one 🙂

For the curious the fix is this:

   <input mdInput type="text" class="home-input" id="name" placeholder="name"
       [(ngModel)]="postcode" name="postcode" />



Kerberos setup for SharePoint 2013

If using Kerberos then the following needs configuring (this is similar to how it is done for SP2010).

Note: The authentication method for Web Applications must be Claims (the default) if you want to support all SharePoint App scenarios. Classic Windows authentication is not supported (in SharePoint 2013 the only way to create this type of Web Application is using PowerShell).

  1. Create SPNs

    In a PowerShell window create the SPN’s for each web application for both the short name and FQDN, e.g.
    setSPN –S HTTP/PORTAL DOMAIN\PortalAppPool

  2. Allow ‘Trust for delegation’
    1. Open Active Directory Users and Computers applet
    2. View the Properties for your SharePoint server
    3. On the Delegation tab select Trust this computer for delegation to any service
    4. Click Ok
    5. Repeat steps a-d for any other servers that will need to delegate authentication, e.g. all WFE’s, CA, App server, etc.


  3. Configure SharePoint Web Application to use Kerberos authentication
    1. Creating a new Web Application
      1. In Central Administration navigate to Manage Web Applications
      2. From the ribbon, click New
      3. In the Claims Authentication Types section ensure Integrated Windows authentication is selected with Kerberos selected from the drop down


    2. Configuring an existing Web Application
      1. In Central Administration navigate to Manage Web Applications
      2. Select the Web Application to configure
      3. From the ribbon click Authentication Providers
      4. Click Default
      5. In the Claims Authentication Types section ensure Integrated Windows authentication is selected with Kerberos selected from the drop down


  4. Ensure IIS settings are correct
    1. Open IIS Manager
    2. Select the Web Site that relates to the Web Application in SharePoint
    3. In the Features View double-click Authentication
    4. Ensure Forms Authentication and Windows Authentication are both enabled (ignore the warning that they cannot be used simultaneously)
    5. Select Windows Authentication and click Providers in the right-hand Actions pane
    6. Ensure Negotiate and NTLM are enabled, with Negotiate being at the top



    We also need to enable IIS to participate in Kerberos exchanges using the app pool identity (a domain account) rather than the local system account otherwise Kerberos authentication will fail with a KRB_AP_ERR_MODIFIED error. There are 2 ways of doing this:

    1. Machine wide for all IIS Web Sites. (Ideal for a dev machine)
      1. Edit c:\windows\system32\inetsrv\config\applicationHost.config
      2. Find the system.webserver/security/authentication/windowsAuthentication element
      3. Ensure the attribute useAppPoolCredentials=”true” is present
      4. Save the file and restart IIS
    2. Individually per web site in IIS. This option is better for targeting implementation at specific web sites. Also SP2010 required this approach as it did not support this value switched on, however SP2013 does seems to support this now.
      1. In IIS Manager
      2. Select the Web Site that relates to the Web Application in SharePoint
      3. In the Features View double-click Authentication
      4. Select Windows Authentication and click Advanced Settings in the right-hand Actions pane
      5. Ensure Enable Kernel-mode authentication is unchecked

Credit to David Gent who gathered most of the information above and by trial and error

Performance Counters

Performance counters are strange beasts but can be quite useful in order to keep an eye on how custom code is performing in a production environment, and can be invaluable to support staff or infrastructure teams in diagnosing potential causes of system resource issues.

There are a few ‘gotchas’ though and I will try to list as many of them as I can recall:

  1. Creating a new performance counter category should ideally be done by a separate utility as the new category cannot be used by your custom code directly after it has been created. Also the process creating the counter categories must have write access to the registry.

  2. Counter values will expire after the allotted time interval, so for example an AverageTimer counter type needs to be populated at least once every second otherwise you end up with zero values (and an ugly chart when using perfmon).

  3. Choosing the correct counter type is important, and remember that a lot of the hard work is done for you all you need to do is supply the raw data. For example, frequency of operations can be counted by incrementing a RateOfCountsPerSecond32 every time the event happens, and will automatically give you data on how often it happens per second.

  4. Instances. These are particularly useful when finer granularity is required for a counter. Examples of these are the Process counters that allow you to monitor data such as ProcessorTime for each process running on a machine. It is important to note though that instance counters are of the type MultiInstance and cannot be mixed with SingleInstance counters in the same category.

Get all of this right and you can monitor your custom code in perfmon:

PerfMon Chart showing average login times for 3 users

Claims with NTLM and authentication prompts

Investigating an ongoing problem where a Web Application configured with Claims Authentication (with NTLM) occasionally causes users to re-enter credentials through a pop up dialog.

We have been looking into this issue for a long time with no clear-cut answer as to why it is happening, and more confusingly it only happened in our Live environment and not on our development or test servers. So we decided to set up a new environment (1 APP + 1 WFE) and configure it to run the same site collection, but this time configured to use Claims with Kerberos as the authentication method.

After carefully configuring everything (including SPNs), everything seemed to be running smoothly until it was unleashed on our tester. Within the first hour he was presented with a login prompt, so I had a close look at the ULS logs and found a few unexpected error entries corresponding to Claims Authentication:

09/20/2011 15:11:25.20 w3wp.exe (0x03E0) 0x1ABC SharePoint Foundation Claims Authentication bz7l Medium SPSecurityContext.WindowsIdentity: Could not retrieve a valid windows identity for NTName='xxxxxx\xxxxxx', UPN='xxxxxx'. UPN is required when Kerberos constrained delegation is used.
09/20/2011 15:11:25.20 w3wp.exe (0x03E0) 0x1ABC SharePoint Foundation Claims Authentication g220 Unexpected No windows identity for xxxxxx\xxxxxx. 4638f7f1-4ba3-4c6c-a2fe-eae90f64a26b

With a bit more digging I found that my Claims to Windows Token Service was not running. When I started it the problem did not happen again.

So I had a dig around our ULS logs on our Live servers and put a filter on the CategoryClaims Authentication‘, and I started getting lots of the 2nd message (always in pairs) every second. So my theory is that when we get a lot of these messages or maybe a ‘storm’ of them for one user, then that is when the user gets an authentication prompt.

Investigation continues…