Tuesday, March 31, 2015

Visual Studio : Missing metadata

Out of the blue, I started getting:

Metadata file '...\abc\xyz.dll' could not be found

Look in the folder - there it is - WTF?

Asked Mr. Google and figured out that something had changed in my build order.

To get the build order, right click the solution - "Project Build Order".

Then build all the dlls first and then the projects that consume them.

You can do this by playing around with the dependencies.


Friday, March 13, 2015

ASP.NET : Could not load file or assembly

For example:

"Could not load file or assembly System.Web.Http.WebHost, Version=".

Came to work one morning, built my system, WTF, error as above.

All worked perfectly when I left the day before.

There had been a Windows Update during the night and obviously some dlls had been updated - so much for backward compatibility.

Problem was - I couldn't figure out who was calling this dll and hence where the reference / binding was.

Asked Mr. Google and came across this Scott Hanselman post:

Back to Basics: Using Fusion Log Viewer to Debug Obscure Loader Errors

I'm using VS 2013 and Windows 8.1.

So go to:

C:\Program Files (x86)\Microsoft Visual Studio 12.0\Common7\Tools\Shortcuts

This is the shortcut to the VS Command Line Tool - "Developer Command Prompt for VS2013".

From that command prompt, run fuslogvw.exe as Administrator.

In Settings - "Log bind failures to disk" / "Enable custom log path". Type in path - make sure the path exists.

Restart IIS.

Navigate to your web site - get the error - back to the tool - click "Refresh" - BOOM.

You will also notice that the text on the ASP.NET error page is different - it doesn't talk about the regedit change.

To repeat - if you use the tool you don't have to screw around with registry settings.

When you are done, remember to disable the log via the tool as it slows everything down.
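As an added example (not from the post), a PowerShell snippet that reads the .HTM files fuslogvw.exe writes to the custom log path and lists each failed bind together with the assembly that requested it, which is the "who is calling this dll" question above. The layout it parses (the LOG: DisplayName, Calling assembly and Bind result lines) is the standard Fusion log format; the log path and the sample entry are constructed.

```powershell
function Get-FusionBindFailure {
    param([Parameter(Mandatory)][string]$LogPath)

    # fuslogvw writes one .HTM file per failed bind under <LogPath>\Default\<process>\
    Get-ChildItem -Path $LogPath -Recurse -Filter '*.HTM' | ForEach-Object {
        $text = Get-Content -Path $_.FullName -Raw
        # Pull the requested assembly, the caller and the HRESULT out of the entry
        $requested = [regex]::Match($text, 'LOG: DisplayName = (.+?)\r?\n').Groups[1].Value
        $caller    = [regex]::Match($text, 'Calling assembly : (.+?)\.\r?\n').Groups[1].Value
        $hr        = [regex]::Match($text, 'Bind result: hr = (0x[0-9A-Fa-f]+)').Groups[1].Value
        [pscustomobject]@{
            Requested = $requested
            Caller    = $caller
            HResult   = $hr      # 0x80131040 = manifest/version mismatch, 0x80070002 = file not found
            Log       = $_.Name
        }
    } | Sort-Object Requested, Caller -Unique
}

# --- constructed sample: one failed bind, laid out like a real Fusion log entry ---
$logRoot = Join-Path $env:TEMP 'FusionLogDemo'
$procDir = Join-Path $logRoot 'Default\w3wp.exe'
New-Item -ItemType Directory -Path $procDir -Force | Out-Null
@'
*** Assembly Binder Log Entry  (3/13/2015 @ 8:02:11 AM) ***

The operation failed.
Bind result: hr = 0x80131040. No description available.

=== Pre-bind state information ===
LOG: DisplayName = System.Web.Http.WebHost, Version=5.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35
 (Fully-specified)
LOG: Appbase = file:///C:/inetpub/wwwroot/MyApp/
Calling assembly : MyApp.Web, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null.
===
'@ | Set-Content -Path (Join-Path $procDir 'System.Web.Http.WebHost, Version=5.0.0.0.HTM')

# Requested / Caller tell you which project still references the old version
Get-FusionBindFailure -LogPath $logRoot | Format-Table -AutoSize
```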


Wednesday, March 11, 2015

WIF : WIF10201: No valid key mapping

The full error is:

WIF10201: No valid key mapping found for securityToken: 'System.IdentityModel.Tokens.X509SecurityToken' and issuer: 'http://xxx/adfs/services/trust'.

This is with ADFS 3.0 and the base VS 2013 with ASP.NET MVC.

Long discussion with Mr. Google - many entries, many explanations - "remove the trailing slash", blah, blah; the most bizarre was "This is because WIF doesn't support SAML".

Yes - that statement's true but WTF does it have to do with the problem?

Google quality is getting exponentially worse and worse.

I knew this error rang a bell and after some quiet reflection I remembered why. Vittorio had mentioned it:

His article didn't apply in my case because I get the error straight away - the home page doesn't display so there's no "Sign up for this application" link.

The article goes on to say that this "issue will be fixed soon".

So I took a punt and upgraded to VS 2013 Update 4.

Created a new project - problem solved.


Friday, March 06, 2015

ADFS : Legacy IE, legacy OS and ADFS 3.0

This is the ADFS that runs on Server 2012 R2.

Been busy with a project that has some legacy components.

Firstly - XP.

No longer supported and full of security holes. In particular, it does not support SNI (Server Name Indication).

To get ADFS 3.0 to work, refer:

How to support non-SNI capable Clients with Web Application Proxy and AD FS 2012 R2

ADFS 3.0 login failing from IE8

IE8 is the last incarnation of IE on XP.

If you use a later OS e.g. Windows 7 and you play in the identity space with federation and lots of redirects, you may find IE 8 reporting "Internet Explorer cannot display the webpage".

This is because IE 8 has a redirect limit of 10 which is fine for a normal web site but not fine for the SSO browser profile which is based on redirects i.e.

User --> Application --> IDP1 --> IDP2 --> IDP3 etc. and then the rollback all the way down.

If the application is SharePoint, that alone has 3 to 4 redirects.

There is a "fix" but it involves regedit which is per machine and not something suitable for the average user.

Far better to upgrade IE or use another browser.


Thursday, February 19, 2015

ADFS : RPUrl and SharePoint

I blogged previously about how you get the RPUrl field in the wctx field to see the originator of the message.

Normally for a .NET application, you'll see:

wctx: RPUrl=https://domain/application...

However, for SharePoint, you configure two identifiers in ADFS i.e.


ADFS uses the urn in the RPUrl, so you'll see:

wctx: RPUrl=urn:sharepoint:application...

Which is a pain if you have to support both.


Tuesday, February 10, 2015

IIS : Application pool service account

IIS web sites run under application pools and if you look under "Advanced settings" you see an application pool runs under an Identity.

This Identity can be a number of accounts e.g. ApplicationPoolIdentity or NetworkService. But you can also set your own service account under "Custom account".

I needed to do this but kept getting:

"The specified password is invalid.Type a new password."


Had a conversation with Mr. Google. Seriously - about the only probable cause not mentioned was the proverbial kitchen sink!

Then I realised that this was a domain account so I needed to type:


Bang! Problem solved - sometimes we keep getting confused by all the trees.


Thursday, February 05, 2015

ADFS : Claims are URI

Answered this question over on the forum.

But for general interest.

Claims are URIs and URLs are a subset of URIs, so you would expect a URI to look something like:


So you can't have a claim type of givenName.

To repeat:

Mapping Given-Name to givenName gives:

System.ArgumentException: ID4216: The ClaimType 'givenName' must be of format 'namespace'/'name'.

Mapping Given-Name to http://givenName gives:

MSIS7012: An error occurred while processing the request. Contact your administrator for details. ---> System.ArgumentException: ID4213: Cannot parse the ClaimType 'http://givenName' into a constituent name and namespace.

Mapping Given-Name to http://company.com/givenName works.

Which makes sense - you can't have a website with a URL of e.g. givenName.
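As an added example (not from the post), a PowerShell pre-flight check for claim type strings before they go into a claim rule. It approximates WIF's 'namespace'/'name' requirement with System.Uri and labels failures with the two error codes quoted above; it does not reproduce WIF's exact parsing code.

```powershell
function Test-ClaimType {
    param([Parameter(Mandatory)][string]$ClaimType)

    $result = [ordered]@{ ClaimType = $ClaimType; Valid = $false; Namespace = $null; Name = $null; Error = $null }
    $uri   = $null
    $slash = $ClaimType.LastIndexOf('/')

    if ($slash -lt 0 -or -not [System.Uri]::TryCreate($ClaimType, [System.UriKind]::Absolute, [ref]$uri)) {
        # A bare name such as 'givenName' is not a URI and carries no namespace at all
        $result.Error = "ID4216: must be of format 'namespace'/'name'"
    }
    elseif ($uri.AbsolutePath.TrimEnd('/') -eq '' -or $slash -eq $ClaimType.Length - 1) {
        # 'http://givenName' is a URI, but 'givenName' is its host and the path is empty,
        # so nothing is left over to be the name (a trailing slash fails the same way)
        $result.Error = 'ID4213: cannot parse into a constituent name and namespace'
    }
    else {
        $result.Valid     = $true
        $result.Namespace = $ClaimType.Substring(0, $slash)
        $result.Name      = $ClaimType.Substring($slash + 1)
    }
    [pscustomobject]$result
}

# The three mappings from the post plus a trailing-slash variant
'givenName',
'http://givenName',
'http://company.com/givenName',
'http://company.com/givenName/' | ForEach-Object { Test-ClaimType -ClaimType $_ } | Format-Table -AutoSize
```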


Wednesday, February 04, 2015

ADFS : What happened to my roles?

Setting up a RP trust with the standard LDAP rule which maps "Token Groups - Unqualified Names" to Roles.

But when I enumerated the claims after RP authentication, some were missing.

WTF? When I do an AD memberOf, it displays them all.

Much head-scratching and investigation and then I remembered that for this ADFS claims rule only non-local domain security groups are returned.

You can confirm this in ADUC by clicking on the Properties / General tab and looking at the group scope and type.

But what if you are not Domain Admin?

Allow me to recommend AD Explorer.

Tip - just click OK on the first page (don't enter credentials) and it will "find" the default DC.

Then navigate to the security group.

Under the attributes, look for groupType.

It will be something like -2147483646.

As per AD Attributes, this is a Global group.

But my missing security group displayed -2147483644 which is Domain Local.
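As an added example (not from the post), a PowerShell decoder for the groupType value AD Explorer shows. The bit values are the documented ADS_GROUP_TYPE flags; the group names are constructed, and the InRoleClaim column just encodes the observation above that domain local groups do not come through this rule.

```powershell
function ConvertFrom-GroupType {
    param([Parameter(Mandatory)][int]$GroupType)

    # groupType is stored as a signed 32-bit int; look at it as raw bits
    $bits = [BitConverter]::ToUInt32([BitConverter]::GetBytes($GroupType), 0)

    $scope = switch ($true) {
        { ($bits -band 0x1) -ne 0 } { 'BuiltinLocal'; break }
        { ($bits -band 0x2) -ne 0 } { 'Global';       break }
        { ($bits -band 0x4) -ne 0 } { 'DomainLocal';  break }
        { ($bits -band 0x8) -ne 0 } { 'Universal';    break }
        default                     { 'Unknown' }
    }
    # The high bit (0x80000000, which is what makes the value negative) marks a security group;
    # without it the group is distribution only and never appears in a token at all
    $isSecurity = $GroupType -lt 0

    [pscustomobject]@{
        GroupType   = $GroupType
        Hex         = '0x{0:X8}' -f $bits
        Scope       = $scope
        Type        = if ($isSecurity) { 'Security' } else { 'Distribution' }
        # Encodes the post's finding: only non-local security groups come through the rule
        InRoleClaim = $isSecurity -and $scope -ne 'DomainLocal'
    }
}

# Constructed sample: the two values from the post plus a universal security group
@(
    @{ Name = 'App-Users';  GroupType = -2147483646 }   # 0x80000002 security + global
    @{ Name = 'App-Admins'; GroupType = -2147483644 }   # 0x80000004 security + domain local
    @{ Name = 'All-Staff';  GroupType = -2147483640 }   # 0x80000008 security + universal
) | ForEach-Object {
    ConvertFrom-GroupType -GroupType $_.GroupType |
        Add-Member -NotePropertyName Name -NotePropertyValue $_.Name -PassThru
} | Format-Table Name, GroupType, Hex, Scope, Type, InRoleClaim -AutoSize
```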



Tuesday, January 27, 2015

ADFS : ADFS 3.0 and OAuth2 Links

Gathering some links:

This is for Server 2012 R2.

Securing a Web API with Windows Server 2012 R2 ADFS and Katana

Specifically the section around configuring ADFS with "Add-ADFSClient" and the RP configuration.

OAuth 2 Authorization Code grant in ADFS

And my contribution:

ADFS : ADFS 3.0 and OAuth2


Tuesday, January 20, 2015

ADFS : ADFS 3.0 and OAuth2

This is for Server 2012 R2.

There are a lot of blogs about this but very little useful information.

So I thought about creating a client that shows this.

And then I thought about Authorization Server.

You can get this working if you want - just hook up AS to ADFS as a normal ASP.NET RP for authentication.

But that's not what this post is about - I wanted to use the sample code to access ADFS.

Under "samples/Flows/Clients/OAuth2 CodeFlow" you'll find the sample.

First you have to configure ADFS and you have to use PowerShell to do this - there's no wizard support.

You use the AdfsClient commands as per AD FS Cmdlets in Windows PowerShell.

Vittorio has blogged on this: Securing a Web API with Windows Server 2012 R2 ADFS and Katana.

Of interest is setting up the RP (worth repeating that it is neither WS-Fed nor SAML so don't tick any boxes) and the Add-AdfsClient command.

My RP then looks like:

So running Get-AdfsClient on my box:

RedirectUri : {https://xxx/CodeFlow/callback}
Name        : AMCodeFlowClient
Description : AM Code Flow Client
ClientId    : codeclient
BuiltIn     : False
Enabled     : True
ClientType  : Public 

ToDo: Code changes to the sample.
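As an added example (not from the post or the sample it refers to), both halves of the code flow on Server 2012 R2 in PowerShell: the ADFS-side registration that produces the Get-AdfsClient output shown above (an RP with no WS-Fed or SAML endpoints, then Add-AdfsClient), and the client-side authorize URL and code redemption against the ADFS 3.0 /adfs/oauth2 endpoints. adfs.example.com, api.example.com and the two claim rules are placeholders and assumptions, not values from the post.

```powershell
# --- Part 1: on the ADFS server. The RP is the resource the token is for; no endpoints, no boxes ticked ---
Add-AdfsRelyingPartyTrust -Name 'AM Code Flow API' -Identifier 'https://api.example.com/' `
    -IssuanceAuthorizationRules '=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");' `
    -IssuanceTransformRules '@RuleName = "UPN" c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"] => issue(claim = c);'

# The OAuth2 client. ADFS 3.0 only supports public clients, hence ClientType: Public and no secret
Add-AdfsClient -Name 'AMCodeFlowClient' -ClientId 'codeclient' `
    -RedirectUri 'https://xxx/CodeFlow/callback' -Description 'AM Code Flow Client'
Get-AdfsClient -Name 'AMCodeFlowClient' | Format-List RedirectUri, Name, ClientId, Enabled, ClientType

# --- Part 2: on the client side ---
$adfs        = 'https://adfs.example.com'        # placeholder federation service name
$clientId    = 'codeclient'
$redirectUri = 'https://xxx/CodeFlow/callback'
$resource    = 'https://api.example.com/'        # must equal the RP identifier above

# state is random and checked on the way back so a forged callback cannot inject a code
$stateBytes = New-Object byte[] 16
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($stateBytes)
$state = [Convert]::ToBase64String($stateBytes)

# ADFS 3.0 insists on the resource parameter; without it the authorize request is rejected
$authorizeUrl = '{0}/adfs/oauth2/authorize?response_type=code&client_id={1}&resource={2}&redirect_uri={3}&state={4}' -f `
    $adfs, $clientId, [Uri]::EscapeDataString($resource), [Uri]::EscapeDataString($redirectUri), [Uri]::EscapeDataString($state)
# Send the browser to $authorizeUrl; ADFS authenticates the user and redirects to the callback with ?code=...&state=...

function Get-AdfsTokenFromCode {
    param([Parameter(Mandatory)][string]$Code, [Parameter(Mandatory)][string]$ReturnedState)

    if ($ReturnedState -ne $state) { throw 'state mismatch: discarding authorization code' }
    $body = @{
        grant_type   = 'authorization_code'
        client_id    = $clientId
        redirect_uri = $redirectUri
        code         = $Code
    }
    # Response carries access_token (a JWT whose aud is the resource), token_type and expires_in
    Invoke-RestMethod -Method Post -Uri "$adfs/adfs/oauth2/token" -Body $body `
        -ContentType 'application/x-www-form-urlencoded'
}
```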



DOS : long file names

There are times when long file names are a pain.

I had a batch file that called a file inside a directory and the directory had spaces in the name e.g.

c:\a long name\another long name\program.exe

And it wouldn't damn well find it. Kept getting error messages like "File x ...".

I used "" and everything else I could think of.

Then from a long-distant past, I remembered DOS and the command

dir /x

This displays the short names generated for non-8dot3 file names.

So e.g. C:\Program Files\Resource Kit becomes C:\PROGRA~1\RESOUR~1

Putting the short name in the batch file solved the problem.

Go figure.


Tuesday, January 06, 2015

Visual Studio : Missing dll

So there I am - back to work in 2015 and rebuilding an MVC project which I haven't touched for a while and bang - error after error after ...

WTF - Happy New Year!

A long conversation with Mr. Google and:

Errors like:

Could not load file or assembly 'file:///C:\Program Files\Microsoft Visual Studio 12.0\Common7\IDE\Extensions\Microsoft\Web Tools\Publish\Microsoft.VisualStudio.Web.Publish.dll' or one of its dependencies. The system cannot find the file specified.


Could not load file or assembly 'file:///C:\Program Files\Microsoft Visual Studio 12.0\Common7\IDE\Extensions\Microsoft\Web Tools\Scaffolding\Microsoft.AspNet.Scaffolding.VSExtension.12.0.dll' or one of its dependencies. The system cannot find the file specified.


Could not load file or assembly 'file:///C:\Program Files\Microsoft Visual Studio 12.0\Common7\IDE\Extensions\Microsoft\Web Tools\Languages\Microsoft.VisualStudio.JavaScript.Web.Extensions.dll' or one of its dependencies. The system cannot find the file specified.


This is related to VS 2013 Update 4 with ancillary suspects the Azure SDK 2.5 and O365 API Tools.

The solution is to repair VS 2013 Update 4.

I have Windows 7 so:

Control Panel - Programs and Features - Installed Updates - Visual Studio 2013 Update 4 (KB2829760) - Repair.

Just take a looong break while it's running.