Wednesday, October 24, 2018

Azure B2C : Calling a web API from Azure AD B2C using data types

There is a good overview here.

In terms of the data types that you can pass, these can be:
  • boolean
  • date
  • dateTime
  • int
  • long
  • string
  • stringCollection
  • alternativeSecurityIdCollection

The above is the XML to define some of the claim types.

In terms of the JWT returned, the claims look like:


Tuesday, September 11, 2018

Monday, August 27, 2018

stackoverflow : Top 1%

Finally got there:

There are over 9 million users on stackoverflow and currently I'm sitting at:

Now it gets into the decimals e.g. top 0.5 %


Friday, August 24, 2018

Misc : My audience

Just out of interest, my audience as reported by Blogger.

Strange that Google has "Unknown Region"?

Chrome is way ahead on the browsers and Windows is way ahead on the OS.

Would have thought the iPad figure would be higher but maybe iPad users have no interest in Identity :-)


C# : Invalid URI

The full message is:

"Invalid URI : The hostname could not be parsed".

I get this using the URIBuilder class.

Since it was complaining about the hostname I checked the DNS, I checked that I could ping it, I tried the IP address etc. etc.

Eventually worked out that it was because the password contained special characters.

You are apparently supposed to URL encode them.

Just changed the password to use letters and numbers and all was well.

Somewhat misleading error message :-)


Friday, July 13, 2018

stackoverflow : Answered 1,000 questions

Achievement unlocked!

Most of these are in the Identity space and of course the problem is that in order to answer a question, someone has to ask it first.

It is somewhat of a niche category. I've been on stackoverflow for 9 years and 10 months (at time of writing) so it's taken a while to get here.

Looking at the tags e.g. ADFS:

What's also interesting about this is the other contributors.

Just calling out some of them:

Eugenio Pace and Matias Woloski are the founders of Auth0 and vibronet has recently joined them.

leastprivilege is one of the people behind identityserver.

Across the other tags:

I guess now I need to identify my next achievement!

And onto the next 1,000!


Thursday, July 12, 2018

Certificates : Displaying errors

Quite often, you can't connect to an SSL site because .NET will tell you that the certificate is invalid.

This openssl command shows you the certificate errors:

openssl s_client -connect|openssl x509 -text

The output looks like:

depth=2 CN = Company Root CA
verify error:num=19:self signed certificate in certificate chain
        Version: 3 (0x2)
        Serial Number:


It also checks the intermediate and root CA certificate validation chain.


Friday, July 06, 2018

Certificates : The remote certificate is invalid according to the validation procedure

I see this error so many times. It is generally on the client side as part of the .NET framework.

The root cause of this is:
  • Your server certificate is self-signed
  • You are using an incorrect host name to connect
  • Your certificate is not trusted
The host name must match the subject name on the certificate e.g. and both point to the same URL but the certificate has been issued to So that is the name you need to use to get to the web site. Or else you can add the other names to the SAN.

If the certificate is not trusted, you can add it to the "Trusted Root Certification Authorities". But be mindful of security.

I find it useful to log why .NET doesn't like it.

Just in case that article disappears, I've saved the config here.

Key info:

The Network Service account must be able to write to this log so give the account access to the directory. 

Change the log location.

e.g. initializeData="c:\Logs\Trace.log"

Now assume that is not in the DNS and you have an IP address e.g.

Now the URL is but the certificate subject name is Bingo. You get the error.

The solution is to create a host file entry.

Now you can browse to and the name will match.


Visual Studio : You need to find somefile.cs to view the source

Debugging through some socket code and suddenly the debugger came up with the above when I tried to step into the .NET code.

It was asking for NetworkStream.cs , Socket.cs etc.

Trying to browse to the file wasn't helping.

So Mr. Google to the rescue.

The solution is:

Visual Studio / Tools / Options / Debugging / General / Enable source server support

Problem solved.


Tuesday, July 03, 2018

C# : The requested Performance Counter is not a custom counter, it has to be initialized as ReadOnly

Busy doing some work with a SQL component.

To check all was well, I set VS to break-point on all CLR exceptions and suddenly it came up with the above error.


Lots of discussions with Mr. Google and the usual ton of garbage but then I found this.

Run "cmd" as admin.

cd C:\Windows\Inf\.NET Data Provider for SqlServer

lodctr _dataperfcounters_shared12_neutral.ini

That did the trick.

BTW, lodctr "allows you to register or save performance counter name and registry settings in a file and designate trusted services".


Monday, July 02, 2018

log4net: Why are all logs written to when I invoke just one?

I was trying to get log4net working and I wanted 3 logs:

  • Console
  • Text file
  • Event log
So the config. looked like:
      !--level value="ALL" /
      appender-ref ref="ConsoleLog" /
      appender-ref ref="Log" /
      appender-ref ref="EventLog" /--
and then e.g.:
appender name="ConsoleLog" type="log4net.Appender.ColoredConsoleAppender"
        level value="ERROR" /
        foreColor value="White" /
        backColor value="Red, HighIntensity" /
      layout type="log4net.Layout.PatternLayout"
        conversionPattern value="%date [%thread] %level %logger - %message%newline"/
and called via e.g. :

private static readonly ILog LogConsole = log4net.LogManager.GetLogger("ConsoleLog"); 

But when I tried e.g.


all three logs were invoked and all three entries were written!

Turns out you need to remove the root level and use e.g.:
logger name="ConsoleLog"
      level value="ALL" /
      appender-ref ref="ConsoleLog" /
where the  "appender-ref" points to the correct log.

Then all works as expected.

Note: angle brackets removed for display purposes!


Wednesday, June 20, 2018

Auth0 playground

Auth0 have a neat playground where you can play around with the Lock settings.

Lock is the Auth0 login component.

I was trying to get some extra fields added when the user wants to self-register and we want to capture some extra information.

There are examples but they don't have context i.e. they show you what attribute to set but you don't get to see the full picture.

As usual, the gist is here.

This is the basic screen - notice I've added some of the Asian social providers like Baidu. This isn't part of the js - it's part of the application configuration.

Here is the signup screen. Clicking "United States" shows the drop-down. Also notice the checkbox at the bottom.

Shortening the text shows the error message that is part of the validation.