Friday, March 11, 2011

Windows Identity and Active Directory Federation Services : My links

Just some links that I use on a regular basis.

WIF

Windows Identity Foundation Simplifies User Access for Developers - Home page

Windows Identity Foundation - MSDN Library

Identity Developer Training Kit - Read the System requirements

The Id Element - Identity and Access Management videos

ADFS

Active Directory Federation Services 2.0 - Home page

AD FS 2.0 Step-by-Step and How To Guides - Includes a number of federation guides e.g. PingFederate, Oracle Identity Federation

Blogs

Vibro.NET - Vittorio Bertocci's blog

Steve on Security blog - Good code examples

dominick baier on .net, security and other stuff - The man behind Thinktecture and StarterSTS

Claims-Based Identity Blog - Some good examples of federation with other systems

Eugenio Pace - Examples, architecture and interoperability

Matias Woloski - The guy behind the OpenId bridge

Travis Nielsen - Federation and SharePoint 2010

Alik Levin - Lots of Windows Azure AppFabric Access Control Service (ACS)

Steve Peschka - Special emphasis on Sharepoint 2010

Forums

Claims based access platform (CBA), code-named Geneva - Worth keeping an eye on

Of course, Stackoverflow:

ADFS

ADFS v2.0

WIF

Portals

Essentially collections of links - like this one!

TechNet Wiki Windows Identity Foundation (WIF) and Azure AppFabric Access Control Service (ACS) Survival Guide

Windows Identity Foundation (WIF) Fast Track

Windows Identity Foundation (WIF) SDK Help Overhaul

Windows Identity Foundation (WIF) Questions and Answers

Tools

StarterSTS - StarterSTS is a compact, easy to use security token service that is completely based on the ASP.NET provider infrastructure. It is built using the Windows Identity Foundation and supports WS-Federation, WS-Trust, REST, OpenId and Information Cards.

StarterRP - A relying party for StarterSTS

SelfSTS - SelfSTS is a simple utility which exposes a minimal WS-Federation STS endpoint. SelfSTS can be used as a test STS when developing web sites secured with Windows Identity Foundation. Allows you to quickly generate combinations of claims.

SelfSSL7 - Self-signed certificates for IIS 7: generates and stores them. See my blog entry WIF : Self signed certificates (below) for instructions.

Protocol bridge claims provider - An implementation of a bridge that talks WS-Federation and SAML tokens on one side and OpenID, OAuth or any other protocol on the identity provider side using Windows Identity Foundation.
Documentation here

Fiddler Inspector for Federation Messages - An inspector for typical federation messages for WS-Federation. Also has support for SAML 2.0P request / response messages.

Security Token Visualizer Control - A simple ASP.NET server control which displays in a compact layout useful information about claims-based identity in a web site secured with Windows Identity Foundation. Just get it!

Online books

A Guide to Claims-based Identity and Access Control - Just read it - cover to cover - twice! By Eugenio Pace, Dominick Baier, Vittorio Bertocci, Keith Brown, and Matias Woloski. See their blogs above.

Enjoy!

Visual Studio : Automatically generate interface properties and methods

Came across a neat trick that saves a heap of pain.

You cannot instantiate an interface directly; you need a class that implements it, a physical "copy" of every member the interface declares.

e.g.


using Microsoft.IdentityModel.Claims;

class Dummy : IClaimsIdentity
{
}


IClaimsIdentity is the interface and Dummy is the class implementing it. If you try to compile this, the compiler complains that Dummy does not implement every member of IClaimsIdentity (and of System.Security.Principal.IIdentity, which IClaimsIdentity inherits).

You could work through the compiler errors one by one, or you could right-click on IClaimsIdentity in the class declaration and select Implement Interface / Implement Interface Explicitly.

This generates:


using System;
using System.IdentityModel.Tokens;
using Microsoft.IdentityModel.Claims;

class Dummy : IClaimsIdentity
{
    // Explicit implementation: each member is prefixed with the interface it
    // belongs to and is only reachable through that interface, e.g.
    // ((IClaimsIdentity)dummy).Claims rather than dummy.Claims.
    IClaimsIdentity IClaimsIdentity.Actor
    {
        get { throw new NotImplementedException(); }
        set { throw new NotImplementedException(); }
    }

    SecurityToken IClaimsIdentity.BootstrapToken
    {
        get { throw new NotImplementedException(); }
        set { throw new NotImplementedException(); }
    }

    ClaimCollection IClaimsIdentity.Claims
    {
        get { throw new NotImplementedException(); }
    }

    IClaimsIdentity IClaimsIdentity.Copy()
    {
        throw new NotImplementedException();
    }

    string IClaimsIdentity.Label
    {
        get { throw new NotImplementedException(); }
        set { throw new NotImplementedException(); }
    }

    string IClaimsIdentity.NameClaimType
    {
        get { throw new NotImplementedException(); }
        set { throw new NotImplementedException(); }
    }

    string IClaimsIdentity.RoleClaimType
    {
        get { throw new NotImplementedException(); }
        set { throw new NotImplementedException(); }
    }

    // Members inherited from IIdentity.
    string System.Security.Principal.IIdentity.AuthenticationType
    {
        get { throw new NotImplementedException(); }
    }

    bool System.Security.Principal.IIdentity.IsAuthenticated
    {
        get { throw new NotImplementedException(); }
    }

    string System.Security.Principal.IIdentity.Name
    {
        get { throw new NotImplementedException(); }
    }
}


Much easier to fill in the blanks!
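Added example (not from the original post, not generated by Visual Studio and not WIF's own code): the same Dummy with the blanks filled in the way WIF's ClaimsIdentity class behaves, which is what you would normally use rather than writing your own. It uses implicit implementation so the members are callable on Dummy directly, and it shows what the stubs are actually for: Name is not stored anywhere, it is the value of the claim whose type is NameClaimType; IsAuthenticated is simply "an authentication type was recorded"; role checks look for claims of RoleClaimType. The claims in Main are constructed for the demonstration.

```csharp
using System;
using System.Linq;
using System.IdentityModel.Tokens;
using Microsoft.IdentityModel.Claims;

// Hypothetical identity class for illustration; use WIF's ClaimsIdentity in real code.
class Dummy : IClaimsIdentity
{
    private readonly ClaimCollection claims;
    private readonly string authenticationType;

    // authenticationType is the scheme that produced this identity (e.g. "Federation");
    // null or empty means the identity is anonymous.
    public Dummy(string authenticationType)
    {
        this.authenticationType = authenticationType;
        claims = new ClaimCollection(this);   // claims added here get this identity as their Subject
        NameClaimType = ClaimTypes.Name;      // which claim type supplies Name
        RoleClaimType = ClaimTypes.Role;      // which claim type role checks consult
    }

    // --- IClaimsIdentity members ---
    public IClaimsIdentity Actor { get; set; }        // delegating identity (ActAs); usually null
    public SecurityToken BootstrapToken { get; set; } // the original incoming token, kept only if saveBootstrapTokens="true"
    public ClaimCollection Claims { get { return claims; } }
    public string Label { get; set; }
    public string NameClaimType { get; set; }
    public string RoleClaimType { get; set; }

    public IClaimsIdentity Copy()
    {
        var copy = new Dummy(authenticationType)
        {
            Actor = Actor == null ? null : Actor.Copy(),
            BootstrapToken = BootstrapToken,
            Label = Label,
            NameClaimType = NameClaimType,
            RoleClaimType = RoleClaimType
        };
        // New Claim objects: a Claim carries a reference to the identity that owns it.
        foreach (Claim c in claims)
            copy.Claims.Add(new Claim(c.ClaimType, c.Value, c.ValueType, c.Issuer));
        return copy;
    }

    // --- IIdentity members ---
    public string AuthenticationType { get { return authenticationType; } }
    public bool IsAuthenticated { get { return !string.IsNullOrEmpty(authenticationType); } }

    public string Name
    {
        get
        {
            Claim name = claims.FirstOrDefault(c => c.ClaimType == NameClaimType);
            return name == null ? null : name.Value;
        }
    }

    // This is the lookup ClaimsPrincipal.IsInRole performs over each identity it holds.
    public bool HasRole(string role)
    {
        return claims.Any(c => c.ClaimType == RoleClaimType && c.Value == role);
    }

    static void Main()
    {
        var id = new Dummy("Federation");
        id.Claims.Add(new Claim(ClaimTypes.Name, "alice@contoso.com"));  // constructed sample claims
        id.Claims.Add(new Claim(ClaimTypes.Role, "Administrators"));

        Console.WriteLine("name={0} authenticated={1} admin={2} copied-admin={3}",
            id.Name, id.IsAuthenticated, id.HasRole("Administrators"),
            ((Dummy)id.Copy()).HasRole("Administrators"));
    }
}
```

The security-relevant point is that Name and roles are whatever claims the issuer put in the token; if you change NameClaimType or RoleClaimType, a different claim decides who the user is and what they may do, so those two settings belong in the relying party's configuration, not in ad hoc code.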

Enjoy!

Friday, March 04, 2011

Stackoverflow : Rep standing

With the new Stack Overflow users page, you can see how your reputation ranks worldwide.

Pleased to say, I'm in the top 10%.

Home James and pass the port.
Enjoy!

ASP.NET : HTTP Error 407 Proxy authentication error

If you have to develop behind an authenticating proxy (I hate the @#$% things), you are pretty much guaranteed to get this error the first time your application makes an outbound web request: the proxy demands credentials and .NET has not sent any.

The solution is to add the following to the web.config (app.config for a non-web project). Note that the element and attribute names are case-sensitive:

<configuration>
  <system.net>
    <defaultProxy enabled="true" useDefaultCredentials="true">
      <proxy bypassonlocal="True" usesystemdefault="True" />
    </defaultProxy>
  </system.net>
</configuration>

This specifies that there is a proxy, that requests to it are authenticated with the Windows credentials of the account the application runs as (your own account under the Visual Studio development server, the application pool identity under IIS), that local addresses bypass the proxy, and that the proxy address itself comes from the system (Internet Explorer) settings. Because useDefaultCredentials hands the process identity to whichever proxy those settings name, keep this to development machines and proxies you trust.
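Added example, not from the original post: the same settings applied in code rather than in web.config, plus two checks that are useful when the 407 does not go away, namely which proxy (if any) a given URL will be sent through and which Windows account would be authenticated to it. The URLs in Main are constructed for the demonstration.

```csharp
using System;
using System.Net;
using System.Security.Principal;

static class ProxyCheck
{
    // usesystemdefault="True"     -> WebRequest.GetSystemWebProxy(): the WinINET/IE settings,
    //                                including their "bypass proxy for local addresses" flag
    // useDefaultCredentials="true" -> CredentialCache.DefaultCredentials: the Windows identity
    //                                the *process* runs as, not necessarily the developer's
    public static void ApplySystemProxyWithDefaultCredentials()
    {
        IWebProxy proxy = WebRequest.GetSystemWebProxy();
        proxy.Credentials = CredentialCache.DefaultCredentials;
        WebRequest.DefaultWebProxy = proxy;
    }

    // "direct" when the target bypasses the proxy, otherwise the proxy URI that will be used.
    public static string RouteFor(Uri target)
    {
        IWebProxy proxy = WebRequest.DefaultWebProxy;
        if (proxy == null || proxy.IsBypassed(target))
            return "direct";
        return proxy.GetProxy(target).ToString();
    }

    // The account whose credentials DefaultCredentials will present to the proxy.
    // Under IIS this is the application pool identity, which usually cannot authenticate
    // to a corporate proxy; that is the most common reason the web.config fix "does nothing".
    public static string ProxyUser()
    {
        return WindowsIdentity.GetCurrent().Name;
    }

    static void Main()
    {
        ApplySystemProxyWithDefaultCredentials();
        foreach (string url in new[] { "http://localhost/", "http://www.example.com/" })  // constructed
        {
            var target = new Uri(url);
            Console.WriteLine("{0} -> {1}", target, RouteFor(target));
        }
        Console.WriteLine("proxy would be authenticated as: " + ProxyUser());
    }
}
```

Run it under the same account and host as the failing application; if ProxyUser() is not an account the proxy accepts, or RouteFor() reports a proxy you did not expect, the configuration change alone will not fix the 407.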

Problem solved.

Enjoy!

Wednesday, February 23, 2011

WIF : Self signed certificates

WIF and ADFS need HTTPS endpoints and signing/encryption certificates, and on a development machine those are self-signed, which causes endless problems.

The solution for IIS 7 is to use SelfSSL7, which generates the certificate, stores it and adds the SSL binding in one go. Note its defaults below: a 1024-bit key and 30 days of validity. Pass /K 2048 (and a longer /V) for anything you intend to keep, and remember that /T trusts the certificate for the current user only, which is what you want on a dev box and nowhere else. The /W password ends up in your command history, so treat the exported PFX as a throwaway dev artifact.

It's a command line application, e.g.:

USAGE:
SELFSSL7.EXE [/N cn=name] [/K size] [/V days] [/T] [/I] [/S name] [/A IPAddress] [/P port] [/X] [/F file] [/W password] [/Q]

CERTIFICATE PARAMETERS:
/N name    Specifies the common name(s) of the certificate.
           Computer name is used if not specified.
           Example: /N cn=m1.contoso.com or /N cn=m1.contoso.com;cn=m2.contoso.com
/K size    Specifies the key length. Default is 1024.
/V days    Specifies the validity of the certificate in days.
           Default is 30 days.

TRUST PARAMETERS:
/T         Adds the self-signed certificate to user's "Trusted Certificates" list.

IIS PARAMETERS:
/I         Add SSL binding to IIS.
           Use with the following parameters:
/S name    Specifies the name of the site. Default is "Default Web Site".
/A IP      Specifies the IP address for the IIS binding. Default is *.
/P port    Specifies the SSL port. Default is 443.

EXPORT PARAMETERS:
/X         Export certificate to PFX file.
           Use with the following parameters:
/F         PFX file location.
/W         Password for PFX file.

OTHER PARAMETERS:
/Q         Overwrites existing SSL binding and/or PFX file.

The default behavior is equivalent with:
selfssl7.exe /N cn="machine name" /K 1024 /V 30 /I /S "Default Web Site" /P 443 /A * /T


I normally use:

SelfSSL7 /V 90 /Q /X /F c:\xxx\Cert.pfx /W password /T
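Added example, not from the original post and not part of SelfSSL7: a small C# console program that checks what SelfSSL7 actually produced. It searches the personal and trusted-root stores of both the machine and the current user (an assumption about where the tool and /T put things; it simply reports whatever it finds) for certificates matching a subject name, defaulting to the machine name as SelfSSL7 does, and reports the facts WIF and ADFS setup depend on: the thumbprint you paste into a relying party's trusted issuers, the validity window, the key size and whether a private key is present. It then flags the defaults that bite later.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography.X509Certificates;

static class SelfSignedCertCheck
{
    public sealed class Finding
    {
        public string Store, Subject, Thumbprint;
        public DateTime NotAfter;
        public int KeyBits;
        public bool HasPrivateKey;

        public override string ToString()
        {
            return string.Format("{0}: {1} thumb={2} expires={3:yyyy-MM-dd} key={4} bits private={5}",
                Store, Subject, Thumbprint, NotAfter, KeyBits, HasPrivateKey);
        }
    }

    // Collects every certificate whose subject contains subjectName from the stores a dev box uses.
    public static List<Finding> Find(string subjectName)
    {
        var results = new List<Finding>();
        foreach (StoreLocation loc in new[] { StoreLocation.LocalMachine, StoreLocation.CurrentUser })
        foreach (StoreName name in new[] { StoreName.My, StoreName.Root })
        {
            var store = new X509Store(name, loc);
            store.Open(OpenFlags.ReadOnly);
            try
            {
                foreach (X509Certificate2 cert in
                         store.Certificates.Find(X509FindType.FindBySubjectName, subjectName, false))
                {
                    results.Add(new Finding
                    {
                        Store = loc + "\\" + name,
                        Subject = cert.Subject,
                        Thumbprint = cert.Thumbprint,
                        NotAfter = cert.NotAfter,
                        KeyBits = cert.PublicKey.Key.KeySize,
                        HasPrivateKey = cert.HasPrivateKey
                    });
                }
            }
            finally { store.Close(); }
        }
        return results;
    }

    // SelfSSL7 defaults: 1024-bit key and 30 days validity. Both cause trouble once the
    // federation setup outlives the certificate, so warn about them up front.
    public static List<string> Warnings(Finding f)
    {
        var w = new List<string>();
        if (f.KeyBits < 2048) w.Add("key shorter than 2048 bits; regenerate with /K 2048");
        if (f.NotAfter < DateTime.Now.AddDays(7)) w.Add("expires within a week; regenerate with a longer /V");
        if (!f.HasPrivateKey && f.Store.EndsWith("My")) w.Add("no private key in the personal store; IIS cannot use it for SSL");
        return w;
    }

    static void Main(string[] args)
    {
        string cn = args.Length > 0 ? args[0] : Environment.MachineName;  // SelfSSL7's default CN
        foreach (Finding f in Find(cn))
        {
            Console.WriteLine(f);
            foreach (string w in Warnings(f)) Console.WriteLine("  WARNING: " + w);
        }
    }
}
```

Run it as the account the site runs under as well as your own: a certificate visible to you in CurrentUser stores but absent from LocalMachine\My is the usual reason an IIS binding or an ADFS signing certificate "cannot be found".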

Enjoy!

ADFS : Re-installing ADFS v2.0

Had a number of problems with this so decided to remove ADFS and re-install.

Un-installed it via Control Panel, removed the web site from IIS (Default Web Site) and deleted the adfs directory under inetpub.

When I ran the wizard again, all components correctly installed but the wizard complained that it found the web site so could not re-install. The message was "Existing web site detected".

WTF - I removed everything.

Mr. Google to the rescue and eventually I found the solution.

The wizard checks the IIS configuration (applicationHost.config), not the file system, and the two ADFS applications were still registered there even though their directory was gone. Remove them with:

appcmd delete app "Default Web Site/adfs/ls"

and

appcmd delete app "Default Web Site/adfs/card"

appcmd runs from an elevated command prompt and is found under C:\Windows\System32\inetsrv.

Enjoy!

Friday, February 04, 2011

LINQ : LINQPad sample not a valid zip file

Under the Samples tab in LINQPad, you can download more samples.

When I clicked this, I got an error telling me that the file in ...\AppData\Local\Temp\LINQPad was not a valid zip file.

WTF?

So I ran up the estimable Fiddler in order to see what was happening and when I tried it, it all worked!

Somehow, putting Fiddler in the middle fixes the problem.

Bizarre, but all's well that ends well!

Enjoy!

Friday, January 21, 2011

WIF : Problems with SecurityTokenVisualizerControl

This control shows the token information for WIF / ADFS v2.

The control can be downloaded from Security Token Visualizer Control.

The problem is that the wizard looks for Visual Studio 2008. I have Visual Studio 2010 but the wizard doesn't think that's good enough!

Also, it tells me that I don't have the WIF SDK installed. Actually, I do!

Workaround:

Once you've installed the download, don't bother with the wizard - it requires VS 2008 etc.

Navigate to:

C:\IdentityTrainingKit2010\SecurityTokenVisualizerControl\code\Microsoft.Samples.DPE.Identity.Controls

or wherever you installed it and then open:

Microsoft.Samples.DPE.Identity.Controls.csproj

in VS.

You'll have to convert it from an older project format (just reply "Yes" to the question).

Then build it. You now have a .dll in the \bin directory.

Add this .dll to the Toolbox, viz. right-click on the Toolbox, "Add Tab", and give it a name like "Security Token Visualizer Control".

Then right-click on the new tab - "Choose Items" and browse to the .dll.

The control will now be in your Toolbox ready to be dragged onto your page.

Remember to add saveBootstrapTokens="true" to the web.config (on the <service> element under <microsoft.identityModel>). This keeps the raw incoming token on the identity as BootstrapToken, which is what the control displays; it also means the token is carried in the session cookie, so turn it off again once you no longer need it.

Enjoy!

Thursday, January 13, 2011

WCF : Could not find default endpoint element that references contract

Working through the WCF samples, I came across the in-line calculator.

Built it according to the instructions (using Visual Studio 2010 and .NET Framework 4), ran it up and got the following exception:


Could not find default endpoint element that references contract 'ICalculator' in the ServiceModel client configuration section. This might be because no configuration file was found for your application, or because no endpoint element matching this contract could be found in the client element.


A lot of communication with Mr. Google and then I came across a comment way down in a blog entry that offered some hope.

To generate the proxy, you run:


svcutil.exe http://localhost/IISHostedCalc/service.svc?wsdl


This generates two files:

CalculatorService.cs
output.config

and you add them to your project using "Add Existing Item".

The exception is thrown because the WCF client looks for an endpoint whose contract attribute matches 'ICalculator' in the <system.serviceModel><client> section of the application's configuration file. svcutil wrote that section into output.config, but at run time the client reads <exe>.config, which Visual Studio produces from app.config. To get rid of the exception, rename "output.config" to "app.config" and ensure it is part of your project (if the project already has an app.config, merge the <system.serviceModel> section into it instead).

Enjoy!

Tuesday, December 21, 2010

Visual Studio : Counting lines of code

Had a look at a VB application to get a feeling for how much work it would take to support it.

One of the measures of complexity is "lines of code" (LoC). Yes, I know it's a crap measure but it's better than nothing and a useful guide.

Mr. Google to the rescue and (no surprise), a good answer on Stackoverflow.

So downloaded the code from here and installed it.

Warning - I had to open and close the project a few times before I could get it to "take" but I got it working and I found that it was a really useful tool.

Hasn't been updated for ages, so it's very much of the Visual Studio 2003 / 2005 era, but luckily that was the ballpark I was in.

Enjoy!

Wednesday, December 08, 2010

Visual Studio : Unable to make the session state request

I was running up Visual Studio for an ASP.NET project when I got this error:

"Unable to make the session state request to the session state server. Please ensure that the ASP.NET State service is started and that the client and server ports are the same. If the server is on a remote machine, please ensure that it accepts remote requests by checking the value of HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aspnet_state\Parameters\AllowRemoteConnection."

Mr. Google to the rescue: the fix is to start the service.

Control Panel / Administrative Tools / Services.

Right click on ASP.NET State Service / Start

The service is named aspnet_state (the registry path in the error message is its Parameters key). Leave AllowRemoteConnection at its default of 0 unless the state server really is on another machine: the state service does not authenticate its callers, so one that accepts remote connections exposes every session to anything that can reach its port.

Refresh the browser and you're good to go.

Enjoy!