Wednesday, November 30, 2011

ADFS : Display exceptions

There's a neat feature in ADFS 2.0: a setting in the web.config that displays the exception message on the error page, which I find a MAJOR help when I'm configuring stuff. Bear in mind that the message goes straight to the browser (stack-trace style detail about the server's internals included), so treat it as a troubleshooting switch and turn it off again before the farm goes into production.

Uncomment this piece:

    <!-- Display the exception message on the error page. Uncomment this, or add the key below to your
         app settings if you want to see the exception message. The exception messages are localized in the
         language of the server.-->
    <!--<add key="displayExceptions" />-->

i.e. remove the comment markers so that the appSettings section contains:

    <add key="displayExceptions" />

The web.config you need is here:


So I changed the code in FormsSignIn to use an exception called exp instead of ex resulting in the error below.
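As an added example (my own script, not part of the original post or of ADFS), here is a small PowerShell script that reports whether displayExceptions is switched on in an ADFS 2.0 web.config and can turn it on or off. The default ADFS 2.0 path C:\inetpub\adfs\ls\web.config and the parameter names are assumptions; adjust them for your install.

```powershell
# Added example (not from the original post): report and toggle the
# ADFS 2.0 "displayExceptions" appSetting. The install path is an assumption.
param(
    [string]$ConfigPath = 'C:\inetpub\adfs\ls\web.config',
    [switch]$Enable,
    [switch]$Disable
)

$xml = New-Object System.Xml.XmlDocument
$xml.PreserveWhitespace = $true      # keep the file's indentation intact
$xml.Load($ConfigPath)

$appSettings = $xml.SelectSingleNode('/configuration/appSettings')
if ($appSettings -eq $null) { throw "No <appSettings> section in $ConfigPath" }

# Note: a commented-out <add .../> is an XML comment, not an element, so it is
# (correctly) not found here - only a real, uncommented key counts.
$node = $appSettings.SelectSingleNode("add[@key='displayExceptions']")

if ($Enable -and $node -eq $null) {
    $node = $xml.CreateElement('add')
    $node.SetAttribute('key', 'displayExceptions')
    [void]$appSettings.AppendChild($node)
    $xml.Save($ConfigPath)
    Write-Warning 'displayExceptions is now ON: exception text will be shown to browsers. Turn it off before going live.'
}
elseif ($Disable -and $node -ne $null) {
    [void]$appSettings.RemoveChild($node)
    $xml.Save($ConfigPath)
    Write-Host 'displayExceptions removed.'
}

# Report the current state either way.
if ($appSettings.SelectSingleNode("add[@key='displayExceptions']") -ne $null) {
    Write-Warning "$ConfigPath shows exception messages on the error page."
} else {
    Write-Host "$ConfigPath does not show exception messages (the setting you want in production)."
}
```

Run it with -Enable while you are chasing a configuration problem and with -Disable when you are done; with no switch it only reports. Saving web.config recycles the ADFS application in IIS, so expect the first request afterwards to be slow.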


Thursday, November 24, 2011

ADFS : The "All Time" double!

Over on stackoverflow:

And now the pressure is really on ...


Visual Studio : Web deploy - Files\IIS\Microsoft was unexpected at this time

Built a project using the standard VS 2010 SP1 - Right click on the project - Build Deployment Package.

Then tried to deploy it via:

xxx.deploy.cmd /T

The /T does a what-if (trial) run that reports what would change without touching the server - always a good idea to check first!

Then run the following when you are happy:

xxx.deploy.cmd /Y

Got the error - "Files\IIS\Microsoft was unexpected at this time". WTF?

First off, when you set the environment variable as per the accompanying readme txt file:

set MSDeployPath="C:\Program Files\IIS\Microsoft Web Deploy V2\"

do NOT put the quotes in, and remove the trailing backslash, i.e.

set MSDeployPath=C:\Program Files\IIS\Microsoft Web Deploy V2

(In cmd, everything after the = is the value, quotes included, so with the first form the quotes end up inside the variable.)

What the script does is test for this variable and, if it's empty, try to find the path in the registry via this code (the ^| between reg query and findstr is an escaped pipe, and the closing parentheses belong to the nested ifs):

if "%MSDeployPath%" == "" (
  for /F "usebackq tokens=1,2,*" %%h in (`reg query "HKLM\SOFTWARE\Microsoft\IIS Extensions\MSDeploy" /s ^| findstr -i "InstallPath"`) do (
    if /I "%%h" == "InstallPath" (
      if /I "%%i" == "REG_SZ" (
        if not "%%j" == "" (
          if "%%~dpj" == "%%j" (
            set MSDeployPath=%%j
          )
        )
      )
    )
  )
)

I have Web Deploy V2 installed but I don't have such a registry entry. It's this piece of the script that produces the error: once MSDeployPath contains the quotes, the test if "%MSDeployPath%" == "" expands to if ""C:\Program Files\IIS\Microsoft Web Deploy V2\"" == "", and cmd reads Files\IIS\Microsoft as the token where it expected == - hence the message. Setting the variable without quotes is the proper fix; commenting the block out also makes it go away, and all will be sweetness and light.
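As an added example (my own script, not part of the original post or of the Visual Studio-generated deploy.cmd), the following PowerShell does the same registry search the batch file attempts, falls back to the default install directory when the registry has nothing (the situation above), sets MSDeployPath without quotes or a trailing backslash, and runs the package in what-if mode. The script name MyApp.deploy.cmd is a placeholder.

```powershell
# Added example (not from the original post). Finds msdeploy.exe the way the
# generated deploy.cmd tries to (InstallPath values under the MSDeploy key),
# then sets MSDeployPath for this process in the form cmd.exe can cope with.
# $DeployCmd is an assumed path to your generated script.
param(
    [string]$DeployCmd = '.\MyApp.deploy.cmd'
)

$regRoot = 'HKLM:\SOFTWARE\Microsoft\IIS Extensions\MSDeploy'

# deploy.cmd does:  reg query <key> /s | findstr InstallPath
# Walk the key and every subkey (one per Web Deploy version) and keep only
# InstallPath values that actually contain msdeploy.exe.
$keys = @(Get-Item -Path $regRoot -ErrorAction SilentlyContinue) +
        @(Get-ChildItem -Path $regRoot -Recurse -ErrorAction SilentlyContinue)

$installPaths = @(
    $keys | ForEach-Object {
        (Get-ItemProperty -Path $_.PSPath -Name InstallPath -ErrorAction SilentlyContinue).InstallPath
    } | Where-Object { $_ -and (Test-Path (Join-Path $_ 'msdeploy.exe')) }
)

if ($installPaths.Count -eq 0) {
    # Same situation as in the post: Web Deploy is installed but the registry
    # lookup finds nothing, so fall back to the default V2 location.
    $fallback = 'C:\Program Files\IIS\Microsoft Web Deploy V2'
    if (-not (Test-Path (Join-Path $fallback 'msdeploy.exe'))) {
        throw "msdeploy.exe not found via the registry or at $fallback"
    }
    $installPaths = @($fallback)
}

# Strip a trailing backslash and add NO quotes: deploy.cmd wraps the value in
# its own quotes when it tests  if "%MSDeployPath%" == ""  and embedded quotes
# are what produce "... was unexpected at this time".
$env:MSDeployPath = ([string]$installPaths[0]).TrimEnd('\')
Write-Host "MSDeployPath=$env:MSDeployPath"

# What-if run first (/T); rerun with /Y once the reported changes look right.
& $DeployCmd /T
```

Because the variable is set with $env: it only lives for this PowerShell process, which is also a handy way to avoid leaving a badly quoted machine-wide value behind.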


Tuesday, November 22, 2011

WIF : The FederatedPassiveSignInStatus Control

Doing some WIF development and wanted to sign out the user completely. So I dragged the control from the Toolbox on VS 2010 and then tested it.

WTF - it doesn't do anything.

I set the SignOut action to FederatedPassiveSignOut and had an url for the SignOutPageUrl.

Then I noticed that I'd actually added the control to the Site.Master page so that it would appear on every page on the site. Hmm - but that's not actually a page.

So I removed it and added it to my Home page. Works like a dream.

This may help someone else in the same predicament.

The article "Passive Authentication for ASP.NET with WIF" has a good description of single sign-out.

Makes the point:

"In more complex scenarios, the same clean-up request should be sent to any other STS involved in the federated session. To that end, the STS would have to have prior knowledge of the clean-up URI for each RP and STS. To support single sign-out, your RPs should be able to process these clean-up requests. Both the FAM and the FederatedPassiveSignInStatus control support this. If you’re using the FAM, the clean-up request can be posted to any URI at the RP and the FAM will process the request and clean up any session cookies. If you’re using the FederatedPassiveSignInStatus control, the clean-up request must be posted to a page that contains the control."


ADFS : Choosing the certificate name

ADFS 2.0 uses three certificates:
  • Service communications: the SSL/TLS certificate for the HTTPS endpoints (and for WCF message security on the service endpoints)
  • Token-decrypting: its public key is published in the federation metadata so a partner can encrypt tokens to this ADFS; ADFS uses the private key to decrypt them
  • Token-signing: signs the tokens ADFS issues so that relying parties can verify they really came from this ADFS
The service communications certificate is essentially the SSL certificate that you have configured for the HTTPS binding on the IIS site that hosts ADFS. (Yes - folks - ADFS 2.0 is basically an IIS application - look for it under \inetpub\adfs\ls.)

When you configure the certificate for SSL, you need to give it the full DNS name of the site, i.e. the FQDN that users will type into the browser. Don't just give it the short host name "contoso". If you do, ADFS will reject it when you install ADFS and will ask for a certificate that has "dots" in it.

Actually, the real error is "ADFS requires full name for certificate".

Just saying.
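As an added example (my own script, not part of the original post), this PowerShell lists the certificates with private keys in the machine store that ADFS looks in and flags which ones carry a dotted FQDN, in the subject CN or in a Subject Alternative Name, and so would pass the "full name" check before you get as far as the installer. The "ADFS needs a dotted name" rule is the one stated above; the regex that encodes it is my own.

```powershell
# Added example (not from the original post). Lists LocalMachine\My certs with a
# private key and reports whether each has a dotted DNS name (CN or SAN), which
# is what ADFS 2.0 demands of the service communications certificate.

function Get-CertificateDnsNames {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $names = @()
    # Subject CN (or SAN, if .NET finds one first)
    $cn = $Cert.GetNameInfo(
        [System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
    if ($cn) { $names += $cn }
    # Subject Alternative Name extension (OID 2.5.29.17), if present
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } | Select-Object -First 1
    if ($san) {
        # Windows formats the extension as "DNS Name=a.example.com, DNS Name=b.example.com"
        $san.Format($false) -split ',' | ForEach-Object {
            $entry = $_.Trim()
            if ($entry -match '^DNS Name=(.+)$') { $names += $Matches[1] }
        }
    }
    return $names | Select-Object -Unique
}

function Test-AdfsServiceCertName {
    param([string[]]$DnsNames)
    # At least one name must contain a dot; a bare host name like "contoso" fails.
    foreach ($n in $DnsNames) {
        if ($n -match '^[^.\s]+(\.[^.\s]+)+$') { return $true }
    }
    return $false
}

Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.HasPrivateKey } | ForEach-Object {
    $names = @(Get-CertificateDnsNames -Cert $_)
    New-Object PSObject -Property @{
        Thumbprint = $_.Thumbprint
        DnsNames   = ($names -join ', ')
        AdfsOk     = Test-AdfsServiceCertName -DnsNames $names
        NotAfter   = $_.NotAfter
    }
} | Format-Table Thumbprint, DnsNames, AdfsOk, NotAfter -AutoSize
```

Run it in an elevated PowerShell on the ADFS server; the thumbprint in the AdfsOk row is the one to bind to the HTTPS endpoint in IIS and to pick in the ADFS configuration wizard. NotAfter is there because an expired service certificate produces equally baffling errors later on.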


Thursday, November 17, 2011

Stackoverflow : Top of the tag heap

One of my goals was to get to the top of the "Top Answerers" for a Tag category in stackoverflow and I finally managed to achieve that ...

Problem is: It's more difficult to stay at the top than to get there!


Friday, November 11, 2011

C# : Parsing dates


Dates are a PIA – no matter what language.

Found a neat way to do the validation e.g. the d/m/yyyy vs. d/mm/yyyy vs. dd/mm/yyyy etc.

using System.Globalization;

DateTime d;
bool validDate = DateTime.TryParseExact(txtDate.Text,
    new[] { "dd/MM/yyyy", "d/MM/yyyy" },
    CultureInfo.InvariantCulture, DateTimeStyles.None, out d);

if (!validDate)
{
    // Error stuff - txtDate.Text matched none of the accepted patterns
}
else
{
    // Valid stuff - d holds the parsed date
}

So you just add the valid patterns to the array and away you go! Two things to keep in mind: the "/" in a custom format string stands for the culture's date separator, so passing CultureInfo.InvariantCulture is what keeps it a literal slash; and because the patterns are explicit (day before month), an input like 11/03/2011 is unambiguously 11 March, which DateTime.Parse with the current culture cannot promise you.
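To see which inputs the pattern list accepts and rejects, here is an added example (mine, not from the original post) that drives the very same .NET call, DateTime.TryParseExact, from PowerShell so several inputs can be tried at once. The sample inputs are made up, and the third pattern d/M/yyyy goes one step beyond the post's two to show how single-digit months are admitted.

```powershell
# Added example (not from the original post): DateTime.TryParseExact with a
# list of explicit patterns, applied to a handful of constructed inputs.
function Test-DateInput {
    param(
        [string]$Text,
        [string[]]$Formats = @('dd/MM/yyyy', 'd/MM/yyyy', 'd/M/yyyy')
    )
    $result = [datetime]::MinValue
    $ok = [datetime]::TryParseExact(
        $Text,
        $Formats,
        [System.Globalization.CultureInfo]::InvariantCulture,   # keeps "/" a literal slash
        [System.Globalization.DateTimeStyles]::None,
        [ref]$result)
    New-Object PSObject -Property @{
        Input  = $Text
        Valid  = $ok
        Parsed = $(if ($ok) { $result.ToString('yyyy-MM-dd') } else { '' })
    }
}

# Constructed inputs: the first four are valid, the rest are not.
@(
    '03/11/2011',   # dd/MM/yyyy -> 2011-11-03
    '3/11/2011',    # d/MM/yyyy  -> 2011-11-03
    '3/1/2011',     # d/M/yyyy   -> 2011-01-03
    '11/03/2011',   # day-first, so 11 March - not 3 November
    '31/11/2011',   # no 31st of November
    '2011-11-03',   # ISO form is not in the list
    '3-11-2011',    # wrong separator (InvariantCulture keeps "/" literal)
    ''              # empty input
) | ForEach-Object { Test-DateInput -Text $_ } | Format-Table Input, Valid, Parsed -AutoSize
```

The function returns the parsed value rather than just a flag, so the same helper can feed the date on into whatever the form does next once Valid is true.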


Thursday, November 10, 2011

Stackoverflow : Finally, the top 5%

One of my goals has been to get my stackoverflow rep. up into the top 5%.

And finally, I did it:

And now it gets really hard because I'm up against the big boys

Like this:

Hmm , nothing like a challenge :-)

Still, for the moment, I'll take being (almost) in the top 2,000 worldwide!


ADFS : Problem with FedUtil

I posted this problem over on the forum.


I have an ASP.NET application that uses FBA and calls a web service that performs CRUD operations on a back-end system i.e. the ASP.NET application is the client.

I want to claims-enable this application. I don’t want to do anything re. federation with the web service. It should just run in the background as it currently does.

When I run FedUtil, I get the message:

“ID1032: A wcf application federated to a security token service requires an application certificate. Please select a certificate for your application.”

It seems that FedUtil is trying to secure the web service and not the browser application? If I supply a certificate and then look at the resulting web.config, FedUtil hasn't done any of the usual passive profile stuff e.g. commenting out the entire current authentication:

<!--Commented out by FedUtil-->
<!--<authentication mode="Forms"><forms loginUrl="~/Account/Login.aspx" timeout="2880" /></authentication>-->

If I comment out the system.serviceModel section, FedUtil runs as expected.

I then un-comment the section and have a federated browser application with a non-federated web service.

This seems a very round-about way to achieve the objective.

Why does FedUtil only federate the web service?

How do you tell it to federate the browser functionality only? I would have thought that this was a common implementation?

Is there a better way to achieve this?


So what FedUtil seems to do is scan the web.config. If it finds a system.serviceModel section, it assumes this is a WCF service (i.e. the active profile) that you want to secure and off it goes, demanding a service certificate. But in fact it's the browser session (i.e. the passive profile) that you want to secure; the WCF client configuration just happens to live in the same file.

Anyway, the above (comment out system.serviceModel, run FedUtil, put it back) provides a work-around, but it's a PIA!


Tuesday, November 01, 2011

IIS : Default Web Site disappears

Happily working away on my Windows 7 box with IIS 7.5, deleted an old web site and somehow (no idea !!!) my "Default Web Site" in IIS 7.5 went west - gone - nixed - went to meet its maker ...!


I found that the article "What??? You deleted "Default Web Site" from IIS?!?!" had some useful info.

In particular (as per the article), to check that it really has gone:

"First you want to really make sure that there is not a web site known as W3SVC/1. Who knows, maybe someone had simply renamed your default web site or something. Open a command prompt and type this:


cscript adsutil.vbs enum w3svc/1

If it comes up with "The path requested could not be found" then sure enough, you don't have a true default website anymore. If no error then check out the "ServerComment" to know which web the machine now thinks is the default."

OK - so it's really gone. (Note that adsutil.vbs talks to the old IIS 6 metabase, so on IIS 7.5 it only works if the IIS 6 Management Compatibility features are installed.) You can follow the rest of the article or simply recreate another one.

I decided to re-install IIS - who knows what else was screwed up?

Control Panel / Programs / Turn Windows features on or off.

Uncheck all the IIS stuff. Then OK - it's all removed.

Then check it all back again - OK - IIS will come back and you may or may not have a "Default Web Site".

If you don't, just add one - there's nothing special about it - it's just another web site.

Start / Administrative Tools / IIS Manager

Right click Sites / Add Web Site

Call it "Default Web Site". Point to:

You should now have it back - along with others that may have been in that directory.

Click "Default Web Site" / "Advanced settings". Check that the ID is 1. You are good to go!
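The whole check-and-recreate procedure above in one PowerShell script, as an added example (mine, not from the original post or the article it quotes). It uses the WebAdministration module that ships with IIS 7.x (the "IIS Management Scripts and Tools" feature), checks for a site with ID 1 the way the adsutil.vbs test does, and recreates the site only if nothing owns that ID. The physical path C:\inetpub\wwwroot is an assumption.

```powershell
# Added example (not from the original post). Checks whether a site with ID 1
# (W3SVC/1, the "true" Default Web Site) still exists on IIS 7.x and, if not,
# recreates one. Run from an elevated PowerShell. The path is an assumption.
Import-Module WebAdministration

$sitePath = 'C:\inetpub\wwwroot'   # assumed; use whatever directory you pointed the site at

$siteWithId1 = Get-Website | Where-Object { $_.id -eq 1 }

if ($siteWithId1) {
    # Something still owns W3SVC/1 - maybe just renamed, as the article warns.
    Write-Host ("Site ID 1 exists: '{0}' at {1}" -f $siteWithId1.name, $siteWithId1.physicalPath)
}
else {
    Write-Host 'No site with ID 1 - recreating Default Web Site'
    New-Website -Name 'Default Web Site' -Id 1 -Port 80 -PhysicalPath $sitePath | Out-Null
}

# Confirm the result the same way Advanced Settings in IIS Manager would.
Get-Website | Select-Object name, id, physicalPath, state | Format-Table -AutoSize
```

If the first branch reports a site with a different name at ID 1, rename it back rather than creating a second site: tools that assume W3SVC/1 is the default (and .NET's own aspnet_regiis, for that matter) will otherwise keep pointing at the wrong one.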

If you use ASP.NET and .NET Framework 4 - beware!

Look here: ASP.NET : Handler “PageHandlerFactory-Integrated” has a bad module “ManagedPipelineHandler” in its module list