Tuesday, November 22, 2011

ADFS : Choosing the certificate name

ADFS uses three certificates:
  • Service communications for encrypting the message
  • Token-decrypting for "encrypting" the token
  • Token-signing for signing the token
The service communications certificate is essentially the SSL certificate that you have configured for the SSL session on the IIS that hosts ADFS. (Yes - folks - it is basically an IIS site - look for it under \inetpub\adfs\ls).

When you configure the certificate for SSL, you need to give it the full name of the site e.g. "contuso.co.uk". Don't just give it the name "contuso". If you do, ADFS will reject it when you install ADFS and will ask for a certificate that has "dots" in it.

Actually, the real error is "ADFS requires full name for certificate".

Just saying.

Enjoy!

Thursday, November 17, 2011

Stackoverflow : Top of the tag heap

One of my goals was to get to the top of the "Top Answerers" for a Tag category in stackoverflow and I finally managed to achieve that ...




Problem is: It's more difficult to stay at the top than to get there!

Enjoy!

Friday, November 11, 2011

C# : Parsing dates

 

Dates are a PIA – no matter what language.

Found a neat way to do the validation e.g. the d/m/yyyy vs. d/mm/yyyy vs. dd/mm/yyyy etc.

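// Needs: using System; using System.Globalization;
DateTime d;   // receives the parsed date when validation succeeds

// Strict parse: the input must match one of the listed patterns exactly.
bool validDate = DateTime.TryParseExact(txtDate.Text,
    new[] { "dd/MM/yyyy", "d/MM/yyyy" },
    CultureInfo.InvariantCulture, DateTimeStyles.None, out d);

if (!validDate)
{
    // Error stuff
}
else
{
    // Valid stuff
}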



So you just add the valid patterns to the array and away you go!
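
An added example (not from the original post) that runs the same pattern list over constructed inputs to show exactly what it accepts and rejects. The class name, method name and sample inputs are illustrative assumptions.

```csharp
using System;
using System.Globalization;

static class DateValidationDemo
{
    // Same pattern list as the snippet above.
    static readonly string[] Patterns = { "dd/MM/yyyy", "d/MM/yyyy" };

    // True only when the whole input matches one of the patterns and names
    // a real calendar date. InvariantCulture pins "/" as the separator, so
    // the result does not change with the server's regional settings.
    public static bool TryParseDate(string input, out DateTime value)
    {
        return DateTime.TryParseExact(input, Patterns,
            CultureInfo.InvariantCulture, DateTimeStyles.None, out value);
    }

    static void Main()
    {
        // Constructed inputs paired with the result each one should give.
        // When parsing, "d" takes one or two digits, while "dd", "MM" and
        // "yyyy" take exactly two, two and four digits.
        var cases = new[]
        {
            new { Input = "22/11/2011",    Valid = true  },
            new { Input = "1/11/2011",     Valid = true  },
            new { Input = "01/11/2011",    Valid = true  },
            new { Input = "1/1/2011",      Valid = false }, // one-digit month; add "d/M/yyyy" to allow it
            new { Input = "11/22/2011",    Valid = false }, // month-first order: there is no month 22
            new { Input = "31/02/2011",    Valid = false }, // matches the pattern but is not a real date
            new { Input = "22/11/11",      Valid = false }, // two-digit year
            new { Input = "22-11-2011",    Valid = false }, // wrong separator
            new { Input = " 22/11/2011",   Valid = false }, // DateTimeStyles.None allows no extra white space
            new { Input = "22/11/2011abc", Valid = false }, // trailing text after the date
        };

        foreach (var c in cases)
        {
            DateTime d;
            bool ok = TryParseDate(c.Input, out d);
            Console.WriteLine("{0,-18} {1,-8} {2}", "'" + c.Input + "'",
                ok ? "valid" : "invalid",
                ok == c.Valid ? "as expected" : "UNEXPECTED");
        }
    }
}
```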



Enjoy!

Thursday, November 10, 2011

Stackoverflow : Finally, the top 5%

One of my goals has been to get my stackoverflow rep. up into the top 5%.

And finally, I did it:


And now it gets really hard because I'm up against the big boys

Like this:


Hmm, nothing like a challenge :-)

Still, for the moment, I'll take being (almost) in the top 2,000 worldwide!

Enjoy!

ADFS : Problem with FedUtil

I posted this problem over on the forum.

Essentially:

I have an ASP.NET application that uses FBA and calls a web service that performs CRUD operations on a back-end system i.e. the ASP.NET application is the client.

I want to claims-enable this application. I don’t want to do anything re. federation with the web service. It should just run in the background as it currently does.

When I run FedUtil, I get the message:

“ID1032: A wcf application federated to a security token service requires an application certificate. Please select a certificate for your application.”

It seems that FedUtil is trying to secure the web service and not the browser application? If I supply a certificate and then look at the resulting web.config, FedUtil hasn't done any of the usual passive profile stuff e.g. commenting out the entire current authentication:

<!--Commented out by FedUtil-->

<!--<authentication mode="Forms"><forms loginUrl="~/Account/Login.aspx" timeout="2880" /></authentication>-->

If I comment out the system.serviceModel section, FedUtil runs as expected.

I then un-comment the section and have a federated browser application with a non-federated web service.

This seems a very round-about way to achieve the objective.

Why does FedUtil only federate the web service?

How do you tell it to federate the browser functionality only? I would have thought that this was a common implementation?

Is there a better way to achieve this?

--------------------------------------------------------

So what FedUtil seems to do is scan the web.config. If it finds a system.serviceModel section, it assumes this is a WCF session (i.e. active) that you want to secure and off it goes. But in fact, it's the browser session (i.e. passive) that you want to secure.

Anyway, the above provides a work-around but it's a PIA!

Enjoy!

Tuesday, November 01, 2011

IIS : Default Web Site disappears

Happily working away on my Windows 7 box with IIS 7.5, deleted an old web site and somehow (no idea !!!) my "Default Web Site" in IIS 7.5 went west - gone - nixed - went to meet its maker ...!

WTF!

I found that this article, What??? You deleted "Default Web Site" from IIS?!?!, had some useful info.

In particular (as per the article), to check that it really has gone:

"First you want to really make sure that there is not a web site known as W3SVC/1. Who knows, maybe someone had simply renamed your default web site or something. Open a command prompt and type this:

c:
cd\Inetpub\AdminScripts

cscript adsutil.vbs enum w3svc/1

If it comes up with "The path requested could not be found" then sure enough, you don't have a true default website anymore. If no error then check out the "ServerComment" to know which web the machine now thinks is the default."

OK - so it's really gone. You can follow the rest of the article or simply recreate another one.

I decided to re-install IIS - who knows what else was screwed up?

Control Panel / Programs / Turn Windows features on or off.

Uncheck all the IIS stuff. Then OK - it's all removed.

Then check it all back again - OK - IIS will come back and you may or may not have a "Default Web Site".

If you don't, just add one - there's nothing special about it - it's just another web site.

Start / Administrative Tools / IIS Manager

Right click Sites / Add Web Site

Call it "Default Web Site". Point to:

C:\inetpub\wwwroot

You should now have it back - along with others that may have been in that directory.

Click "Default Web Site" / "Advanced settings". Check that the ID is 1. You are good to go!

If you use ASP.NET and .NET Framework 4 - beware!

Look here: ASP.NET : Handler “PageHandlerFactory-Integrated” has a bad module “ManagedPipelineHandler” in its module list

Enjoy!


Thursday, October 20, 2011

Blogger : Formatting a code snippet.

There are many suggestions for this.

Refer to my question on stackoverflow.

However, the TechNet wiki recommends tohtml. Just paste in your code snippet, select the language, click the button, copy the resulting html and paste back into whatever.

I use the white style.

Neat!

Enjoy!

Monday, October 10, 2011

TechNet : 15 minutes of fame

 

Over on the TechNet Wiki, I contributed an article on a Kerberos Survival Guide. 

Just been notified that:

The article Kerberos Survival Guide on the TechNet Wiki has achieved its 15 minutes of fame. Congratulations!

To clarify:

As you can see here: How do I earn points?,  the points you get range between 5 and 2,500 points when your article gets from 500 to 1 million page views. "15 minutes of fame" is the first milestone.

Enjoy!

Monday, October 03, 2011

ASP.NET : Handler “PageHandlerFactory-Integrated” has a bad module “ManagedPipelineHandler” in its module list

 

I do a lot of work developing applications on my Windows 7 32 bit machine using IIS 7.5 and then migrating them to IIS 7.5 on my Windows Server 2008 R2 64 bit box. Not as simple as it sounds.

Using VS 2010, my DefaultAppPool on Windows 7 uses the .NET 4.0 framework whereas it’s 2.0 on Windows 2008. So you need to make a new application pool and set it to “Integrated” and the 4.0 framework.

OK – then I get the above error. The blurb below on the error page says that the most likely cause is that:

“Managed handler is used; however, ASP.NET is not installed or is not installed completely.”

Check my installed features in IIS 7.5 and Yup – ASP.NET is installed, it has a handler etc. So WTF?

Mr. Google to the rescue.

Run a command prompt in administrative mode.

C:\Windows\Microsoft.NET\Framework\v4.0.30319>aspnet_regiis.exe -i
Start installing ASP.NET (4.0.30319).
..................
Finished installing ASP.NET (4.0.30319).

Note: Your version of the framework may be different!

Notice that it installs ASP.NET even though it is already supposed to be there but it fixes the problem and all is well!

Enjoy!

Tuesday, September 27, 2011

WCF : WCF Test Client “The contract ‘IMetadataExchange’ in client configuration does not match the name in service contract”

 

Playing around with WCF web services in VS 2010 and .NET Framework 4.

When I run the WCF Test Client across the web service I get the above error. The service still works but there’s an error symbol (a ! in a red circle on the LHS).

Mr. Google to the rescue and you need to change the framework config file here:

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config

Comment out the “endpoint” section i.e.

<client>
  <!-- <endpoint address="" binding="netTcpRelayBinding" contract="IMetadataExchange" name="sb" /> -->
<metadata>

Problem solved.

Even though it still works, I hate these niggly errors in case I’ve screwed up :-)

Enjoy!

Thursday, September 22, 2011

ADFS : Google top 5 hits

I was looking at my blog stats and noticed that my article on "Re-installing ADFS v2.0" was among my top 5 articles.

So I Googled "Re-installing ADFS v2.0" and found that the top 5 search entries in Google all point to my blog!



Note that the last one is actually from an aggregate site that points to the same blog entry.

Looking at the stats for this article, I noticed that the biggest source of queries was from the Geneva forum, the next was from stackoverflow and Mr. Google only came in third.

The message is clear - if you want to bump up your search results, write good, solid, factually correct articles and link to them. :-)

Enjoy!

Tuesday, September 20, 2011

ASP : Displaying server variables


Sometimes you need to know who you are logged in as.

In the claims world, it’s easy because you have the IPrincipal and IIdentity objects but if these are not available, you need to go back to first principles.

Enter stage left the server variables. These are accessed from the Request object. A simple way to enumerate them all is via the html segment below which you just whack into an asp page.

<html>
    <body>

        <h1>ASP Request Variables Page</h1>

        <h2>
            The current user you are logged in as is:
            <u>
                <%
                    ' AUTH_USER is the authenticated user name (empty for anonymous access).
                    ' HTML-encode before writing: server variables include client-supplied values.
                    Response.Write("AUTH_USER" & "    " & Server.HTMLEncode(Request.ServerVariables("AUTH_USER")) & "<br /><br />")
                %>
            </u>
        </h2>

            <%
                ' Dump every server variable as a name / value pair.
                For Each x In Request.ServerVariables
                    Response.Write(Server.HTMLEncode(x) & "&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;" & Server.HTMLEncode(Request.ServerVariables(x)) & "<br /><br />")
                Next
            %>

    </body>

</html>

Enjoy!