Author: Chuck Conway

When are you a Senior Developer?

October 31, 2012 / Chuck Conway / 0 Comments

When I hear “Senior Developer” I think of someone who has mastered programming. I think of a person who can design, code and test a system. They can talk to system architecture or component design. They understand and use design patterns. This person can anticipate the performance bottlenecks, but knows not to pre-optimize. This person will leverage asynchronous programming, queuing, caching, logging, security and persistence when appropriate. When asked they can give a detail explanation of their choice and the pros and cons. In most cases they have mastered object oriented programming and design, this not an absolute other languages such as javascript, F#, scheme are powerful and are not object oriented at heart. They are adept in risk management and most important of all they can communicate the before mentioned to their peers.

What is mastery? There is a generally accepted idea, that to master ANY one skill it takes 10,000 hours of repetition for the human body and mind to grasp and internalize a skill. This is written to at length in Malcolm GladWell’s book Outliers.

Some examples of in Malcolm GladWell’s Outliers are:

Mozart his first concerto at the young age of 21. Which at first seems young, but he has been writing music since he was 11 years old.

The Beatles were initially shunned. They were told they did not have the mustard and should consider a different line of work. They spend 3 years in Germany playing about 1200 times at different venues, each time being 5 to 8 hours in length. They re-emerged as The Beatles we know and love today.

And lastly, Bill Gates at age 20 dropped out of Harvard to found Microsoft. To some this might seem foolish, but considered at 20 he had spent nearly half of his young life programming. In 1975, only maybe 50 people in the world had the experience he did. His experience gave him the foresight to see the future in Microsoft.

Peter Norvig also discusses the 10,000 hours rule in his essay “Teach Yourself Programming in Ten Years”.

In the book Mastery by George Leonard, great detail is given on how to master a skill. One must practice the skill over and over and over again. The more the repetition, the more you become aware of the differences in each repetition. Only with this insight can you become better.

The software industry’s titles (Junior, Mid-Level and Seniors) are misleading and inconsistent from organization to organization. I’ve worked with companies, who defined a Senior Developer as someone whom had 5 years or more of experience. There is not mention to the quality of the experience, just that they have sat in from of a computer for 5 years. In working with these folks many of them had not yet grasp object oriented programming, yet they were considered Senior Developers.

There must be a better more objective way to measure the skill set of a software engineer. John Haugeland has come up with a computer programmer’s skills matrix. It’s gives a common, objective way to measure a programmer’s skill level, which otherwise is left mostly to gut feeling.

When looking at software engineers I see 4 tiers of skills: Luminary, Senior, Mid-Level and Junior.

Liminary (10+ years) is one who has mastered a skill and has set about improving their respective discipline. Some examples include: Ted Neward, Uncle Bob Martin, Donald Knuth, Oren Eini, Peter Norvig, Linus Torvalds. This is change depending on your skill-set.

Senior (7 to 10+ years, Level 3) is one who has spent the last 10,000 hours programing in a specific genre. There is a strong understanding of design patterns, They leverage asynchronous programming, queuing, caching, logging, security and persistence when appropriate.

It’s very possible that a Senior will never reach Liminary. Liminary’s are often found speaking and writing. They are actively trying to impact their discipline.

Mid-Level (4 to 6 years, Level 2) is one who understands day to day programming. They work independently and create robust solutions. However they have yet to experience creating or maintaining large or complex systems. In general Mid-Level developers are great with component level development.

Junior (1 to 3 years, Level 1) is one who understands the basics of programming. They either have a degree in software engineering or computer science or they are self taught. Their code is continually reviewed. Guidance is given in regards to algorithms, maintainability and structure.

Setting up Single Sign On with Windows 2012 and ASP.Net MVC 4

August 30, 2012 / Chuck Conway / 0 Comments

Requirements

Windows 2012
AD FS 2.0 Feature installed
ASP.Net MVC 4.0
Valid SSL certs
Visual Studio 2012
This document covers setting up an ASP.NET MVC 4.0 application using Visual Studio 2012, Windows 2012 and AD FS 2.0 to enable Web Single Sign On.

It’s important to have valid SSL certificates. Self signed certificates will not work. SSL certificates are used to encrypt the tokens and will not work with self-signed certificates. This is very important. If you do not have valid certificates this will not work. Don’t waste your time without valid certificates.

Setting up AD FS 2.0 on Windows 2012

Assuming Windows 2012 is installed. With a valid SSL certificate install the SSL certificate in IIS. This is done by opening IIS (7+) Management Console, selecting the root web server node and opening the Server Certificates found in the Feature view. Do not install the AD FS feature before installing the certificate. AD FS extracts the host name from the SSL certificate and will use localhost if a certificate is not found.

If AD FS is installed before installing the SSL certificates

If this does happen, you’ll need to uninstall the the AD FS role and manually delete the IIS applications (removing them from the IIS management console is not enough they must be removed from the IIS metabase via the command line).

C:WindowsSystem32inetsrvappcmd.exe delete app "Default Web Site/adfs"
C:WindowsSystem32inetsrvappcmd.exe delete app "Default Web Site/adfs/ls"

Once a valid certificate is installed the AD FS role can be installed.

When reinstalling ADFS, the relying party needs to rebind to AD FS’s FederationMetadata otherwise you’ll encounter an ASP.Net error stating there was a token error.

Federation Services URL

At times this url uses localhost as the host. I am not certain of the cause, but unless localhost is the domain used in the ssl cert, it will not work. The following link describes how to change it.
http://technet.microsoft.com/en-us/library/dd353709%28v=ws.10%29.aspx

At this point AD FS is setup on the server. However, it does not have any trusts established, with the exception of Active Directory (configured by default). The next step is to create a trust with a Relying party.

A trust is a relationship setup between the relying party(ASP.Net MVC) and the issuer (AD FS). The trust is setup on both the relying party and the issuer.

https://myhostname.com/federationmetadata/2007-06/federationmetadata.xml

Creating a Relying Party

Assuming you have installed Visual Studio 2012, download the Windows Identity Foundation Identity and Access Tool Extension tools. Once installed create a MVC 4 project. The option “Identity and Access” is added to the project right-click menu. The Windows Identity Foundation SDK might also be a requirement.

This brings up the Identity and Access option screen.

Enter the path to the STS metadata document

The STS metadata document is generated by the AD FS server. The FederationMetadata.xml defines the Issuer (sometimes referred to as the Identity Server) and allows MVC 4(Relying Party) to create a trust between itself and the Issuer.

Enter the Realm for your Application

The realm is the MVC application. Unless the MVC application and the AD FS are on the same server the localhost host will not work. The realm is the url to your site.

Setting up a Relying Party Trust in AD FS

The Relying Party is created, now it’s time to set up the Relying Party Trust in AD FS. Back on the server open up AD FS MMC screen and click on “Add Relying Party Trust…”

The next screen asks for the FederationMetadata.xml from the relying party. In the previous step when the FederationMetadata.xml was added into the MVC 4 application a FederationMetadata.xml was created for the MVC 4 application. Now we must import the Relying Party FederationMetadata.xml into the AD FS server to complete the trust.

The FederationMetadata.xml can either be imported via a url or added via a local file. The default FederationMetadata.xml path is https://myhostname.com/FederationMetadata/2007-06/FederationMetadata.xml (same as it was for the AD FS server). If it successfully retrieves the FederationMetadata.xml you can click next until the end.

The next step is to add an endpoint. The endpoint is where a user is redirected to upon successful authentication. Start by clicking the Relying Party Trusts folder, you’ll see the Relying Party Trust that was just created. Right-click on it and select “Properties” a tabbed interface will appear. From the monitoring tab Uncheck “Automatically update relying party” this feature does not work out of the box.

Note: If the relying party is configured correctly this step is not necessary.

Click on the endpoint tab and click add. The “Add an Endpoint” dialog will appear. Select WS-Federation for the Endpoint Type. This will automatically set the Binding dropdown to “POST”. In the URL field enter the url in which an authenticated user is sent.

That’s it! The AD FS single sign on should prompt you for credentials. Once entered it will redirect you back to your site’s landing page.

Accessing AD FS with a non-IE browser

Out of the box you’ll encounter a dialog asking for username and password. For whatever reason it would not accept my domain credentials.

In a nutshell a property ExtendedProtectionTokenCheck is set to required when running windows 7. Only IE supports this feature.

More information on the issue
http://stackoverflow.com/questions/6309210/ntlm-authentication-to-ad-fs-for-non-ie-browser-without-extended-protection-sw

How to disable it
http://social.technet.microsoft.com/wiki/contents/articles/1426.ad-fs-2-0-continuously-prompted-for-credentials-while-using-fiddler-web-debugger.aspx

Troubleshooting Tips

1. Recompile the website and trying adding the trust for both ADFS and the web site.

2. Re-install AD FS, that had some issues also, but sometimes it getting to get a fresh start.

3. Installing ADFS Multiple times and you encounter a 503 on the FederationServerServices.asmx

Try removing the ACLs

netsh http delete urlacl url=http://+:80/adfs/services/
netsh http delete urlacl url=https://+:443/adfs/services/
netsh http delete urlacl url=https://+:443/FederationMetadata/2007-06/
netsh http delete urlacl url=https://+:443/adfs/fs/federationserverservice.asmx/

Continuing with the tips

4. When reinstalling ADFS after IIS was removed, the previous ADFS web directory under C:inetpubadfs* needs to be deleted.

5. The configuration service URL 'net.tcp://localhost:1500/policy' may be incorrect or the AD FS 2.0 Windows Service is not running.

setspn -l myservername

before

The SPN is not set or is incorrect. The following thread discusses it in more detail.

http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/cd9bc625-49f3-499b-9bf3-4ef32fbf64ec/

hint: casing does matter.

After

6. The X.509 certificate CN=ADFS Signing - mydomain.com is not in the trusted people store. The X.509 certificate CN=ADFS Signing - mydomain.com chain building failed. The certificate that was used has a trust chain that cannot be verified. Replace the certificate or change the certificateValidationMode. A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.

This is not recommended for going into production, but it will get you past the issue:

http://social.technet.microsoft.com/wiki/contents/articles/windows-identity-foundation-wif-how-to-change-certificate-chain-validation-settings-for-web-applications.aspx

In Conclusion

My overall experience with AD FS 2.0 and Windows 2012 has been painful. Working with AD FS 2.0 reminds me of working with Sharepoint 2010 in the early days.

Some of the configuration is done differently on the Windows 2012 server versus in Visual Studio, even though you are doing the same exact things (i.e. setting up a trust). Once the server is setup and the trusts are established and working correct it’s a thing of beauty, until you get there, good luck!

Creating a Generic Type at Runtime

May 22, 2012 / Chuck Conway / 0 Comments

I have a type (at runtime), I want to use it with an IOC container (in this case StructureMap) to find a generic implementation using this type. How do I do that?

It’s simpler than you’d think:

Type genericType = typeof (AbstractValidator);
Type type = genericType.MakeGenericType(bindingContext.ModelType);

//Structure Map container
var instance = _container.GetInstance(type);

Deploying with MsDeploy Outside of Visual Studio

May 10, 2012 / Chuck Conway / 1 Comment

Building the msdeploy package with MSBuild.

This requires MsDeploy to be installed on the build machine.

MSBUILD /T:Package /P:Configuration=QA;PackageLocation="C:\Build\Artifacts\eserve\DEV\QA\QA.zip"

Deploying the package with MsDeploy to a web site

How to get the msdeploy command.

-source:package='C:BuildArtifactseserveDEVQAQA.zip' -dest:auto,ComputerName='https://eserve-dev.sacda.org:8172/MsDeploy.axd?site=eserve-dev',UserName='conwayc',Password='austin_1',IncludeAcls='False',AuthType='Basic' 
-verb:sync 
-disableLink:AppPoolExtension 
-disableLink:ContentExtension 
-disableLink:CertificateExtension 
-allowUntrusted 
-retryAttempts=2

Copying the package with ROBOCOPY

Copying the package to another folder with robocopy has an issue. Robocopy uses exit codes as success/error codes. CI servers look at the exit code of a command to determine success or failure. Robocopy breaks this model. Luckliy the sql team posted a code snippet to get around this issue.

rem http://weblogs.sqlteam.com/robv/archive/2010/02/17/61106.aspx
robocopy %*
rem suppress successful robocopy exit statuses, only report genuine errors (bitmask 16 and 8 settings)
set/A errlev="%ERRORLEVEL% &amp; 24"
rem exit batch file with errorlevel so SQL job can succeed or fail appropriately
exit/B %errlev%

Deploying from folder to site

-verb:sync -source:contentPath=C:BuildArtifactsSSOClientDEV -dest:contentPath="C:inetpubadfsls",computerName='http://customer.dev.myconsolidated.net
/MsDeployAgentService',userName=ccadmin,password=$urewest123

Change App Path at Commandline via MSBuild

/T:Package 
/P:Configuration=DEV;PackageLocation="C:\BuildArtifacts\Grover\Dev\Builds\DEV\Grover.zip";DeployIISAppPath=dev.grover.winnemen.com

Using MsBuild to deploy contents to folder

/T:PipelinePreDeployCopyAllFilesToOneFolder /P:Configuration=QA;_PackageTempDir="C:Build\Artifacts\Momntz\DEV\Builds\QA

Deploying Local with MSDeploy

"C:\Program Files\IIS\Microsoft Web Deploy V3\msdeploy.exe" -verb:sync -source:package='C:\BuildArtifacts\AlSupport.zip' -dest:auto,computerName='localhost' -allowUntrusted -retryAttempts=2 -verbose

Deploying folder to Azure with MSDeploy

The following command line is for deploying a folder to windows azure websites.

"C:\Program Files\IIS\Microsoft Web Deploy V3\msdeploy.exe" -verb:sync -source:contentPath="C:\TeamCity\buildAgent\work\d018513aed1c09f\Build" -dest:contentPath="groverqa",wmsvc=waws-prod-bay-005.publish.azurewebsites.windows.net/msdeploy.axd?site=groverqa,userName=$groverqa,password=secret,authtype='Basic' -AllowUntrusted

All UTC times are not necessarily the same

January 20, 2012 / Chuck Conway / 0 Comments

A friend pointed out that all UTC Time is not the same. When he told me, I responded with “What!?! What are you talking about? It’s the same.” “No it’s not” he said. He explained, that yes using UTC will allot you an agreed upon time format but that does not guarantee that both server’s clocks are synchronized.

For example, Sever A calls server B for updates. Both Servers use UTC Time. Server A sends over a timestamp, how do we know that the two servers clocks are synchronized and that the two times match, we don’t. The odds are they are not. How can they be? Absolute time does not exist. It’s all relative. By using a timestamp to retrieve data from another server you are making an assumption that both servers have the same time.

*photo reference

2 minutes on Migrating Data

December 22, 2011 / Chuck Conway / 0 Comments

I had a great talk with my friend Dave today. He’s a Data Scientist. He knows his stuff, for sure.

We talked about a number of things, but one that really stuck out was data migration. He says never to migrate via code, use a tool. You are reinventing the wheel. You are locked into your solution. All the risk is in your court. And the solution is not flexible. With that said. He went on to say the most efficient way to move data is with a primary key and a hash.

The destination side will request all the primary key and row hash. Taking the primary key it will check if the row exists. If it does exist it will compare the hash of the source to the hash of the destination row. If they match then the process is repeated for the next row. If they don’t match, then the primary key is added to a list of rows to request from the source. If the primary key does not exist then the primary key is added to the list of rows to be retrieved from the source. When the row comparison is completed all the rows that are stale or do not exist are requested from the source and persisted to the destination.

Grunt

If you enjoy grunt work you’ll do the above. If you are a developer who enjoys building robust applications you’ll leave the grunt work to the tools.

Chronic Contractor

June 14, 2011 / Chuck Conway / 0 Comments

This developer is always looking for a gig. There is always something better. Chronic Contractors are expensive. Mileage per dollar varies.

They have battled many and because of this they see problems. Something about every gig frustrates them.

Chronic Contractor tend to work in cutting edge technologies and loathe older “inferior” technologies. They have no allegiance, they don’t care if the ship sinks, another is waiting in the docks.

Insecurinator Developer

June 11, 2011 / Chuck Conway / 0 Comments

This developer refuses to find a better job. They have had only one job, and they will not leave it — It’s the only breast they have fed from.

They are treated poorly, paid next to nothing yet they refuse to look for greener pastures. They have an unlimited supply of excuses; they may even in principle agree to find a new job, but they never will.

Mini-Me Developer

June 8, 2011 / Chuck Conway / 0 Comments

This developer follows the King of the Hill Developer like fly’s to shit. This person is the voice of the King of the Hill Developer in their absence. They developer similar mannerisms and will spout similar phrases used by the King of the Hill Developer. They will some day grow up to be a King of the Hill Developer.

King of the Hill Developer

June 3, 2011 / Chuck Conway / 1 Comment

Typically this developer has been in few organizations. They tend to be the smart frog in the small pond. When another smarter developer joins them, they try to subjugate them. Tactics include withholding information, passive put downs and excessive explaining.

King of the Hill Developers have all the answers, similar to the Go To developer, they have the grand scheme in their minds and only give information as needed. When idea’s arise that are better or will make them look bad they vigorously deny the validity of the idea.

Since they work in a royal vacuum, their designs and code tend to be flawed.

About

Archives