ADFS : Restoring / re-installing ADFS v 2.0

 

There’s really useful information out there on the forums.

If everything turns to custard when you are trying to customise ADFS, you can always re-install.

A quicker way is to know that a copy of the original installation is found at:

…\Program Files\Active Directory Federation Services 2.0\WSFederationPassive.Web

Simply copy it over to:

…\inetpub\adfs\ls

Thanks to Steve Syfuhs for this tip.

Enjoy!

ASP.NET : A potentially dangerous Request.Form value was detected from the client

I get this message all the time especially when knocking up quick Web applications to test some WIF concept.
The solution is to add the following in the web.config:

 <system.web>
    <pages validateRequest="false" />
    <httpRuntime requestValidationMode="2.0" />
    ...

Update:

It may help to  add:

validateRequest="false"

in the Page directive as well (This is the first line of your .aspx file).

Also, refer this discussion over on stackoverflow.

Enjoy!

Misc : Remote Desktop Connection Manager

When you work with a lot of VM's or remotes sites, you tend to have a lot of RDC (Remote Desktop Connection) windows open which can be confusing to stay the least.

Enter the Remote Desktop Connection Manager.

This is an extremely useful tool which puts everything in one place and accessible with one click. You can also put all your sites into a meaningful hierarchy.

I really wish there was a list of all the internal tools that Microsoft folk have developed over the years!

Enjoy!

Misc : Dual identity

Originally when I registered with MSDN I used my normal name (nzpcmad). Moved on to other areas and when I wanted to use MSDN again, I found that things had changed. When I updated my profile, I was informed that the name “nzpcmad” was already in use (WTF – I know that!) and hence was forced to choose a new name “nzpcmad1”.

So just to confirm:

nzpcmad = nzpcmad1 = Me

Enjoy!

 

Misc : Windows Live Writer

 

Something in the nature of an experiment. Setting up Windows Live Writer so I can contribute to the TechNet Wiki (my name there is nzpcmad1) so thought I would try to my actual blog.

Enjoy!

.NET : Reflector 7 won't load add-ins-

The new Reflector 7 is pretty whizzy but it generally won't load the old add-ons from here. So frustrating - all these useful tools but problems, problems ...

Mr. Google to the rescue (as always!).

You need to run the Reflector Plugin Converter.

Essentially, this converts the version number from 5.0 to 7.0.

Run in a command prompt as an administrator.

...\Reflector7>PluginConverter.exe Reflector.CodeSearch.dll 7.0.0.0

Reflector plugin converter - Sebastien LEBRETON (reflexil.net)
Backuping Reflector.CodeSearch.dll to Reflector.CodeSearch.dll.bak
Reading Reflector.CodeSearch.dll
Found version 5.0.0.0, patching to 7.0.0.0
Writing Reflector.CodeSearch.dll

Enjoy!

Visual Studio : Debgging ASP.NET appaliocation running in IIS

VS 2010 - IIS 7.5.

Normal situation for me is to run my applications inside IIS rather than inside the VS web server or IIS Express. This is mainly because of issues around https (although IIS Express does help in this regard).

The problem then is how to debug it. The way around this is to use Debug / Attach to Process.

First connect to your application from a browser.

Now go to VS, set your breakpoint and in the "Attach to Process" entry, you'll see a w3wp.exe entry. (Under the user name , you'll see that it uses the DefaultAppPool.) Click on this, ignore warnings and execute your application workflow from the browser until you hit the breakpoint.

Job done!

Note: Nearly all of my applications use the DefaultAppPool. Would it breakpoint if it used a different one?

Note: I've found that unless you run up your app in the browser first, you don't see the w3wp entry.

Enjoy!

PowerShell : Survival Guide

Take a look at Windows PowerShell Survival Guide.

Everything you wanted to ask about PowerShell and were afraid to ask!

See the cheat sheets:

Windows PowerShell Refcard

Windows PowerShell Quick Reference: A two-page "cheat sheet."

Enjoy!

Misc : Help other developers out

Over the past few months, I've been far more proactive in helping other developers who have posted tools etc. on the Internet.

I've tested a new STS, a whizzy certificate tool and an utility that shows the claims that a RP gets without having to have actual RP.

Did some testing - provided feedback and comments.

I've been amazed by the response.

You get a dialogue going with other people, they give you some good hints and (in a minor sort of way) you kind of feel like you know them.

It's been really worthwhile.

So find a tool that you use, test a new release and see where you go ..

Which poses the question I often ponder - "How did developers work before the Internet? Can we actually develop without Google?"

BTW - Can you Fizz Buzz?

Enjoy!

SharePoint 2010 : Do you need ADFS in addition to the SP STS?

This is a question that has been puzzling me for a while. Given that SP 2010 has its own STS, what value is derived from federating the SP STS with the company ADFS and then federating this ADFS with other companies STS?

Why not simply federate the SP STS with other companies STS directly?

I looked high and low for this answer but couldn't find anything that completely answered this for me.

Then the SP chapters for the excellent Claims Based Identity & Access Control Guide were published.

(Aside: If you have any interest whatsoever in the claims world, I urge you to read this guide and look at the accompanying samples!)

This includes a diagram of the "hub model" viz:

Notice that Adatum has both a SP STS and a ADFS.

But then they show the "direct trust model" viz:

Notice that although Adatum has an ADFS, it plays no part in the federation to other companies STS.

So the answer would seem to be "No".

However, as per the guide, the advantages of the hub model are:

• It's easier to manage multiple trust relationships in ADFS rather than SharePoint.
  
• It's simpler to manage a single trust relationship in SharePoint and it avoids the requirement for multiple custom claims providers.
  
• You can reuse the trust relationships in the FP with other relying parties.
  
• You can leverage ADFS features such as integration with auditing tools to track token issuing.
  
• ADFS supports the SAMLP protocol in addition to WS-Federation.
  

From my experience, the ADFS GUI is far easier to use than SP Powershell commands. The last point is potentially also a deal-breaker. It means that you can't use the SP STS directly if the other companies use non-ADFS products to do the federation e.g. PingIdentity. OpenSSO, OpenAM, Tivoli Identity Manager etc.

Enjoy!

Claims : Funny joke

Came across this on Vittorios's excellent blog.

Ref:

The gist of it is:

A passive client enters a shop, and starts looking around.

A salesperson approaches: "Sir, can I help you?"

And the passive client: "Just browsing."

OK - so you need some claims background to get it.

For those who don't have that background - there are two claims profiles for clients viz. active (web services) and passive (browsers).

Enjoy!

ADFS : Stop / start ADFS v2.0

The MMC plugin for ADFS v2.0 (Active Directory Federation Services) has no way of stopping and starting ADFS. (In that same way that IIS has Stop and Restart links).

However, there are two ways to do this.

The first is via the Services menu.

Start / Administrative Tools / Computer Management / Services and Applications / Services / AD FS 2.0 Windows Service

(Description : This enables Active Directory Federation Services 2.0 to issue security tokens and information cards.)

The second is via the command line. Ensure you are running as Administrator.

C:\Windows\system32>net stop adfssrv
The AD FS 2.0 Windows Service service is stopping.
The AD FS 2.0 Windows Service service was stopped successfully.

C:\Windows\system32>net start adfssrv
The AD FS 2.0 Windows Service service is starting........
The AD FS 2.0 Windows Service service was started successfully.

Sure beats stopping / restarting the whole Windows 2008 server!

Enjoy!

WIF : Generating self-signed certificates

If you work with WIF (Windows Identity Foundation), you'll soon find that you need lots of self-signed certificates. These are used for securing the top level SSL connection and signing and encrypting the token.

Potentially, you need three certificates. The SSL certificate is mandatory as is the token signing certificate but the token encryption certificate is optional. You could use the same certificate for all three - not that that is recommended!

In IIS 7.5, in IIS manager, click on the very top level on the LHS. In the middle pane, under IIS, click on "Server Certificates". Then in the RHS, click on "Create Self-Signed Certificate". After creating one, click on "Default Web Site" on the LHS. On the RHS, click on "Bindings" and you can associate this certificate with the HTTPS port 443 connection.

The problem with this certificate is that the cn (common name) is the machine name of your IIS server, not the URL of the web site. Also, the certificate is not added to the "Trusted Root Certificate Authorities" section of the browser certificate store. You need to do this manually. All this results in browser certificate errors.

SElfSSL7 overcomes these problems and this is the utility I generally use to resolve this. There are options to automatically add the new certificate to the certificate store and to update the IIS binding. (See a previous blog entry for more info.)

There are many other ways to create certificates e.g.:

Makecert.exe (Certificate Creation Tool)

or the

Win32 version of OpenSSL. There's a good article on how to use it here.

You can also do this in PowerShell - refer: Creating Self Signed Certificates with PowerShell.

DeployManager is a neat tool to create and display certificates (coming largely from the WCF viewpoint). Unlike the mmc snap-in which shows the Windows names (Personal), this shows the .NET names (My):

DeployManager

To look at the certificates, use:

Certutil

or OpenSSL

or the Certificate snap-in to mmc : How to: View Certificates with the MMC Snap-in. The same article also shows you how to view certificates with Internet Explorer.

The Certmgr.exe (Certificate Manager Tool) is also useful.

Enjoy!