Friday, August 24, 2012

ASP.NET : reCaptcha with proxy


If you need reCaptcha in your project, this is a really good one to use. It's also available as a NuGet package.

The only problem is that it doesn't use a proxy. There is a Proxy attribute in the control, but it inherits from IWebProxy and I couldn't figure out how to set it.

So (with the help of TortoiseSVN) I grabbed the source and added this code to public RecaptchaResponse Validate() in RecaptchaValidator.cs:

    // Original code, commented out: the control's Proxy property could not be set.
    //if (this.proxy != null)
    //    request.Proxy = this.proxy;

    // Start from the system proxy and attach credentials for it.
    // Needs System.Net and System.Configuration.
    IWebProxy rProxy = WebRequest.GetSystemWebProxy();
    string login = ConfigurationManager.AppSettings["reCaptchaLogin"];
    string password = ConfigurationManager.AppSettings["reCaptchaPassword"];
    if (!String.IsNullOrEmpty(login))
        // Explicit credentials from web.config; encrypt that appSettings section
        // (aspnet_regiis -pef) rather than leaving them in clear text.
        rProxy.Credentials = new NetworkCredential(login, password);
    else
        // Nothing configured: fall back to the identity the worker process runs as.
        rProxy.Credentials = CredentialCache.DefaultCredentials;
    request.Proxy = rProxy;

and then I added these appSettings to the web.config in the Tests directory:

<!-- Needed to get past proxy -->
<add key="reCaptchaLogin" value="" />
<add key="reCaptchaPassword" value="" />

Problem solved!


Thursday, August 16, 2012

WIF : Migration from 1.0 to 4.5


An interesting interview with Dominick Baier discussing his new course, Introduction to Identity and Access Control in .NET 4.5. The link is here.

To quote:

“ [Dominick] Yeah, that’s a good question. So, as I just said, Microsoft basically injected these new base classes. And they were really careful that they didn’t break compatibility with existing systems. So, if you are used to using the IIdentity.Name property, for example, what they do under the covers is they go to the claims collection and search for a name claim and give you back that value. So, from the outside, this thing works the same, under the covers, it uses claims. If you are used to using IsInRole for example, or like the existing like the authorization module in ASP.NET, then what under the covers is happening is that is in role search, it’s for a role claim and to look if that is part of your claims collection. So, in other words, if you haven’t done any heavy customization of .NET built-in security system, things should just work in 4.5. That means, you don’t take advantage of the new system but you don’t break your application just by compiling against 4.5. That also means that you can gradually move into this claims-based world. So you can make use of this new property called Claims which is a collection of statements that you can attach to a user. And yeah, for existing applications, things shouldn’t change at least not from the outside. If you are investing in a new system, or you are not happy with what you have so far, then it’s definitely worth to look like trying to make use of the claims-based infrastructure right from the start. But, I guess the good news is that your systems shouldn’t break, at least if you haven’t done anything radical to .NET built-in infrastructure.”

So hopefully things will just work as normal after the migration.

You can see the class diagram changes at Identity in .NET 4.5–Part 1: Status Quo (Beta 1).
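The compatibility behaviour Dominick describes, as an added example that is not part of the interview or the course: a .NET 4.5 ClaimsIdentity answers IIdentity.Name and IsInRole by searching its claims, and a token whose roles arrive under a non-default claim type (the hypothetical CustomRoleType below) needs that type passed to the constructor before IsInRole sees them.

```csharp
using System;
using System.Security.Claims;

// Added example (not from the interview or the course). Shows how a .NET 4.5
// ClaimsIdentity answers the old IIdentity.Name and IsInRole questions by
// searching its claims collection, and what happens when the token carries roles
// under a claim type other than the default one.
public static class ClaimsCompatDemo
{
    // Hypothetical role claim type, standing in for whatever a given STS issues.
    const string CustomRoleType = "http://example.test/claims/group";

    public static void Main()
    {
        var claims = new[]
        {
            new Claim(ClaimTypes.Name, "alice"),
            new Claim(ClaimTypes.Role, "Users"),
            new Claim(CustomRoleType, "Admins")
        };

        // Default constructor: Name is looked up as ClaimTypes.Name, IsInRole as ClaimTypes.Role.
        var principal = new ClaimsPrincipal(new ClaimsIdentity(claims, "Federation"));
        Console.WriteLine("Name via name claim: " + principal.Identity.Name);
        Console.WriteLine("IsInRole(Users):     " + principal.IsInRole("Users"));
        // "Admins" sits under CustomRoleType, so the default role lookup does not find it.
        Console.WriteLine("IsInRole(Admins):    " + principal.IsInRole("Admins"));

        // Telling the identity which claim type carries roles fixes IsInRole without
        // touching the calling code, which is the gradual migration path described above.
        var mapped = new ClaimsIdentity(claims, "Federation", ClaimTypes.Name, CustomRoleType);
        Console.WriteLine("IsInRole(Admins) with mapped role type: " + new ClaimsPrincipal(mapped).IsInRole("Admins"));

        // The new surface: the raw claims the compatibility properties are built on.
        foreach (Claim c in mapped.Claims)
            Console.WriteLine(c.Type + " = " + c.Value);
    }
}
```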


Monday, August 13, 2012

ADFS : Problems with wevtutil


When you are trying to turn on the debug logging for ADFS and you Google it, you will find some entries that tell you to run wevtutil as follows:

wevtutil.exe sl “AD FS 2.0 Tracing/Debug” /L:5

The problem is that you then get an error:

“Too many arguments are specified. The parameter is incorrect.”

To fix this, run:

wevtutil sl "AD FS 2.0 Tracing/Debug" /L:5


Tuesday, August 07, 2012

AD : Programmatically getting password policy


On Windows Server 2008, this doesn’t seem possible. There doesn’t appear to be an API that gives you all the details of the current user’s password policy.

Why does this matter?

Because when the user needs to pick a password and they get it wrong, the standard message is:

“The password you have chosen does not meet corporate policy. Please contact the help desk”.

The standard complexity requirement is normally:

“The password contains characters from three of the following categories:

  • Uppercase letters of European languages (A through Z, with diacritic marks, Greek and Cyrillic characters)
  • Lowercase letters of European languages (a through z, sharp-s, with diacritic marks, Greek and Cyrillic characters)
  • Base 10 digits (0 through 9)
  • Non-alphanumeric characters (special characters) (for example, !, $, #, %)
  • Any Unicode character that is categorized as an alphabetic character but is not uppercase or lowercase. This includes Unicode characters from Asian languages.”

However, you can summarise the above and then fetch the pieces of the puzzle individually. To do this, you would have to read each attribute from AD.

Refer to Windows Domain Password Policies, which describes the policy attributes:

  • msDS-PasswordSettingsPrecedence: Establishes what takes precedence in situations where a user has membership in multiple groups with different password policies.
  • msDS-PasswordReversibleEncryptionEnabled: Toggles whether reversible encryption is enabled.
  • msDS-PasswordHistoryLength: Determines how many intervening passwords must be unique before one can be reused.
  • msDS-PasswordComplexityEnabled: Establishes the number and type of characters required in a password.
  • msDS-MinimumPasswordLength: Establishes the minimum length of a password.
  • msDS-MinimumPasswordAge: Determines how long a user must use a password before changing it.
  • msDS-MaximumPasswordAge: Determines how long a user can use a password before being required to change it.
  • msDS-LockoutThreshold: Determines how many failed password attempts will be allowed before locking out the user account.
  • msDS-LockoutObservationWindow: Determines the time after which the bad password counter will be reset.
  • msDS-LockoutDuration: Determines how long the account will be locked out after too many failed password attempts.

So the message could be something like:

“Your password must be <msDS-MinimumPasswordLength> characters long, you cannot use one of your previous <msDS-PasswordHistoryLength> passwords and you will have to change it every <msDS-MaximumPasswordAge> days”.
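Putting the pieces together, as an added example that is not code from the original post: read the policy that actually applies to a user (its fine-grained PSO via msDS-ResultantPSO if one is in effect, otherwise the Default Domain Policy values on the domain head) and format the message proposed above. It assumes Windows Server 2008 domain functional level and a caller allowed to read the PSO container.

```csharp
using System;
using System.DirectoryServices;

// Added example, not code from the original post. Reads the password policy that applies
// to one user (a PSO if one is effective, otherwise the domain head) and formats the
// message proposed above. Assumes Windows Server 2008 DFL so msDS-ResultantPSO exists.
public static class PasswordPolicyMessage
{
    // Same three settings: domain-head attribute names and their PSO equivalents.
    static readonly string[] DomainAttrs = { "minPwdLength", "pwdHistoryLength", "maxPwdAge" };
    static readonly string[] PsoAttrs = { "msDS-MinimumPasswordLength", "msDS-PasswordHistoryLength", "msDS-MaximumPasswordAge" };

    public static string BuildMessage(string samAccountName)
    {
        var rootDse = new DirectoryEntry("LDAP://RootDSE");
        var domain = new DirectoryEntry("LDAP://" + rootDse.Properties["defaultNamingContext"].Value);
        // msDS-ResultantPSO is a constructed attribute and is only returned when asked for by name.
        var userSearch = new DirectorySearcher(domain,
            "(sAMAccountName=" + EscapeFilterValue(samAccountName) + ")", new[] { "msDS-ResultantPSO" });
        SearchResult user = userSearch.FindOne();
        if (user == null) throw new ArgumentException("No such user: " + samAccountName);

        DirectoryEntry policyObject = domain;
        string[] attrs = DomainAttrs;
        if (user.Properties.Contains("msDS-ResultantPSO"))
        {
            policyObject = new DirectoryEntry("LDAP://" + user.Properties["msDS-ResultantPSO"][0]);
            attrs = PsoAttrs;
        }
        // SearchScope.Base reads just that one object; DirectorySearcher returns the AD
        // large-integer age attributes as Int64, which DirectoryEntry would not.
        SearchResult policy = new DirectorySearcher(policyObject, "(objectClass=*)", attrs, SearchScope.Base).FindOne();
        return Format((int)policy.Properties[attrs[0]][0], (int)policy.Properties[attrs[1]][0],
                      (long)policy.Properties[attrs[2]][0]);
    }

    // Ages are stored as negative counts of 100-ns intervals; Int64.MinValue means "never expires".
    public static string Format(int minLength, int historyLength, long maxAgeInterval)
    {
        string expiry = maxAgeInterval == long.MinValue
            ? "it does not expire"
            : "you will have to change it every " + (int)TimeSpan.FromTicks(-maxAgeInterval).TotalDays + " days";
        return "Your password must be at least " + minLength + " characters long, you cannot use one of your previous "
             + historyLength + " passwords and " + expiry + ".";
    }

    // Escape the user-supplied value so it cannot alter the LDAP filter (RFC 4515 rules).
    static string EscapeFilterValue(string s)
    {
        return s.Replace("\\", "\\5c").Replace("*", "\\2a").Replace("(", "\\28").Replace(")", "\\29").Replace("\0", "\\00");
    }
}
```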


Monday, August 06, 2012

ADFS : Some of the content in the federation metadata was skipped


If you configure ADFS on a regular basis, you are pretty much guaranteed to get this message.

The full text of the message says that the skipped content is not supported by ADFS and that you should review it carefully.

The first step is to get the RP metadata as a file and have a look at it.

The number one reason in my experience is that the connection is http rather than https.

ADFS REQUIRES https – no exceptions.

The number two reason is that the federation metadata contains SAML 1.x elements. For example:

<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post" Location="https://xxx" index="1"/>

will throw the warning.
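A pre-flight check for the two causes above, as an added example that is not part of the original post: it walks a saved RP metadata file's SAML 2.0 md: endpoint elements and reports non-https Location values and SAML 1.x bindings. The sample metadata and the rp.example.test host are constructed for the demo.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Xml.Linq;

// Added example, not from the original post: a pre-flight check over a saved RP metadata
// file for the two causes named above, non-https endpoint locations and SAML 1.x bindings.
// It inspects SAML 2.0 metadata (md:) endpoint elements only.
public static class MetadataPreflight
{
    static readonly XNamespace Md = "urn:oasis:names:tc:SAML:2.0:metadata";

    public static List<string> Check(XDocument metadata)
    {
        var findings = new List<string>();
        // Every md: endpoint element (AssertionConsumerService, SingleLogoutService, ...) carries a Location.
        var endpoints = metadata.Descendants().Where(e => e.Name.Namespace == Md && e.Attribute("Location") != null);
        foreach (XElement endpoint in endpoints)
        {
            string location = (string)endpoint.Attribute("Location");
            string binding = (string)endpoint.Attribute("Binding") ?? "";
            if (!location.StartsWith("https://", StringComparison.OrdinalIgnoreCase))
                findings.Add(endpoint.Name.LocalName + ": Location is not https: " + location);
            if (binding.StartsWith("urn:oasis:names:tc:SAML:1.", StringComparison.Ordinal))
                findings.Add(endpoint.Name.LocalName + ": SAML 1.x binding: " + binding);
        }
        return findings;
    }

    public static void Main()
    {
        // Constructed sample (rp.example.test is not a real RP) that reproduces both problems.
        const string sample = @"<md:EntityDescriptor xmlns:md='urn:oasis:names:tc:SAML:2.0:metadata' entityID='https://rp.example.test/'>
  <md:SPSSODescriptor protocolSupportEnumeration='urn:oasis:names:tc:SAML:2.0:protocol'>
    <md:AssertionConsumerService Binding='urn:oasis:names:tc:SAML:1.0:profiles:browser-post' Location='https://rp.example.test/acs' index='1'/>
    <md:AssertionConsumerService Binding='urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST' Location='http://rp.example.test/acs' index='2'/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>";
        foreach (string finding in Check(XDocument.Parse(sample)))
            Console.WriteLine(finding);
    }
}
```

Run it against the metadata file you saved in the first step before importing the RP into ADFS.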


ADFS : Restricting access to an application


Most of the available documentation talks about ADFS as a claims-provider and the RP (the application) uses the set of claims to decide on access and functionality.

However, there are claims which restrict access at the ADFS level.

These are the permit / deny claims.


Create a Rule to Permit or Deny Users Based on an Incoming Claim

An ADFS Claims Rules Adventure

Introduction to Token Issuance Authorization in AD FS 2.0 RC

If you set these rules up correctly, a user who is denied will get an “Access Denied” error from ADFS.

Because this is all controlled by the claims rules language, you can have complex IF – AND – OR – NOT scenarios to decide whether or not the user gets access to the application.