Tuesday, December 10, 2013

Azure : Azure Active Directory and Web API

Two new labels today - moving off on another tangent!

Vittorio wrote an excellent article Secure ASP.NET Web API with Windows Azure AD and Microsoft OWIN Components.

When I tried to do this, I ran into two problems.

Firstly, we have a *&&^%^%%$ corporate proxy - I HATE them.

So I had to add the following to the test client's web.config or app.config:

  <system.net>
    <defaultProxy enabled="true" useDefaultCredentials="true">
      <proxy bypassonlocal="True" usesystemdefault="True" />
    </defaultProxy>
  </system.net>

Secondly, got the error:

"System.Net.WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure."

In Vittorio's example, he uses localhost for the web site as did I.

You have to ensure you have no certificate errors when you browse to localhost - you can check that in IE - the certificate box should NOT be red.

If it is, just click it and run the wizard to import it into the "CA Trusted Root" area.

Also, make sure that it has not expired!
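Added example (not from Vittorio's article or the original post): a PowerShell check that opens a TLS connection to the local site and reports exactly why the certificate is rejected (untrusted root, expired, name mismatch) while leaving certificate validation switched on. The host name and port are assumptions; point them at your lab site.

```powershell
# Added example, not code from the original post. Connects to the site and reports
# the SslPolicyErrors and the Windows chain status for its certificate, without ever
# returning "true" from the validation callback for a bad certificate.
function Test-LocalTlsCertificate {
    param(
        [string]$HostName = 'localhost',   # assumed: the site name used in the walkthrough
        [int]$Port = 443
    )
    # Shared state the validation callback writes into (a hashtable, so the closure can mutate it)
    $state = @{ Errors = $null; Cert = $null }
    $validator = {
        param($sender, $certificate, $chain, $sslPolicyErrors)
        $state.Errors = $sslPolicyErrors
        $state.Cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $certificate
        # Default verdict: accept only when there are no policy errors at all
        return ($sslPolicyErrors -eq [System.Net.Security.SslPolicyErrors]::None)
    }.GetNewClosure()
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]$validator

    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
        try     { $ssl.AuthenticateAsClient($HostName) }
        catch   { }        # a rejected certificate throws here; the report below says why
        finally { $ssl.Dispose() }
    } finally { $client.Close() }

    if (-not $state.Cert) { throw "No certificate received from ${HostName}:${Port}" }
    $cert = $state.Cert

    # Build the chain the way Windows does, to get the specific reason (UntrustedRoot, NotTimeValid, ...)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $null = $chain.Build($cert)
    $chainText = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    if (-not $chainText) { $chainText = 'OK' }

    [pscustomobject]@{
        Subject      = $cert.Subject
        Thumbprint   = $cert.Thumbprint
        NotAfter     = $cert.NotAfter
        Expired      = ($cert.NotAfter -lt (Get-Date))
        PolicyErrors = $state.Errors
        ChainStatus  = $chainText
    }
}

Test-LocalTlsCertificate
```

Reading the output: PolicyErrors of RemoteCertificateChainErrors with a ChainStatus of UntrustedRoot is the case the post describes (import the certificate into the trusted root store); NotTimeValid means it has expired; RemoteCertificateNameMismatch means the certificate was never issued for localhost in the first place, and no amount of importing will fix that.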

Enjoy!



Wednesday, November 27, 2013

Misc : Certificate conversions

On Windows, you have the good, old PFX file which contains both the certificate and private key (and the password for the private key).

But in the Linux world, when you complete the certificate request, you get the information in separate files i.e.

  • cert.crt (the certificate)
  • cert.key (the private key)
  • ca.crt (the CA information)

To convert them into something Windows can use, you need OpenSSL.

You can get a Windows version here: Win32 OpenSSL Installation Project

(Please make a donation if appropriate).

The command you need is:

openssl pkcs12 -export -out cert.pfx -inkey cert.key -in cert.crt -certfile ca.crt

You may get an error:

"unable to write 'random state'"

in which case, set an environment variable:

set RANDFILE=C:\<directory your files are in>\.rnd

Out of interest, if you want to go the other way:

openssl pkcs12 -in cert.pfx -out cert.cer -nodes
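Added example (not from the original post): once the PFX is on the Windows side, it is worth checking that the private key and the CA certificate actually came across before you bind it to anything. This PowerShell function loads the file with .NET, confirms there is exactly one certificate with a private key, and builds the chain using only what is inside the file. The path and the password are assumptions (the password is the export password openssl prompted for).

```powershell
# Added example, not code from the original post. Verifies a PFX produced by the
# "openssl pkcs12 -export ..." command above.
function Test-ConvertedPfx {
    param(
        [Parameter(Mandatory=$true)] [string]$PfxPath,    # e.g. .\cert.pfx (assumed)
        [Parameter(Mandatory=$true)] [string]$Password    # the export password (assumed)
    )
    # .NET resolves relative paths against the process directory, not the PowerShell location
    $fullPath = (Resolve-Path $PfxPath).Path
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::DefaultKeySet

    # A PKCS#12 file is a bag: the collection importer returns the leaf plus every -certfile entry
    $bag = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
    $bag.Import($fullPath, $Password, $flags)

    $leaves = @($bag | Where-Object { $_.HasPrivateKey })
    $cas    = @($bag | Where-Object { -not $_.HasPrivateKey })
    if ($leaves.Count -ne 1) {
        throw "Expected exactly one certificate with a private key, found $($leaves.Count): was -inkey correct?"
    }
    $leaf = $leaves[0]

    # Chain check using only the CA certs inside the file, so a missing ca.crt shows up as
    # UntrustedRoot/PartialChain rather than being masked by what is already installed
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    foreach ($ca in $cas) { $null = $chain.ChainPolicy.ExtraStore.Add($ca) }
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $null = $chain.Build($leaf)
    $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    if (-not $status) { $status = 'OK' }

    [pscustomobject]@{
        Subject       = $leaf.Subject
        Issuer        = $leaf.Issuer
        HasPrivateKey = $leaf.HasPrivateKey
        KeyBits       = $leaf.PublicKey.Key.KeySize
        NotAfter      = $leaf.NotAfter
        Expired       = ($leaf.NotAfter -lt (Get-Date))
        CaCertsInFile = $cas.Count
        IssuerInFile  = [bool]($cas | Where-Object { $_.Subject -eq $leaf.Issuer })
        ChainStatus   = $status
    }
}

Test-ConvertedPfx -PfxPath .\cert.pfx -Password 'the-export-password'
```

If IssuerInFile is false, the -certfile ca.crt argument was dropped or pointed at the wrong file; if HasPrivateKey is false on every entry, -inkey did not match -in, and openssl would normally have refused the export.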

Enjoy!

Wednesday, November 06, 2013

ADFS : Changing service communications certificate

This is on Server 2008.

If you've used ADFS for a while, you'll know that the certificates expire, you get new ones and add them and so on.

After a while, the certificate store looks like a mess! Many certificates with the same name.

So you have the bright idea of deleting them all, importing the new one and configuring the new one in ADFS.

BAD move:

When you try and add the new service communications certificate, you get:

Error: AD FS Management
The certificate could not be processed.
Error message: Object reference not set to an instance of an object.

WTF?

This article goes into detail but I still couldn't get it to work.

How to change the ADFS 2.0 service communications certificate after it expires

So you import the new certificate and you've added the new certificate to the IIS https binding.

Mr Google to the rescue and you need to run PowerShell as administrator:

Add-PSSnapin Microsoft.Adfs.PowerShell

Then get the new certificate thumbprint from MMC and use the following:

Set-ADFSCertificate -CertificateType Service-Communications -Thumbprint xxyyzz...

WARNING: PS0001: One or more of the specified certificate(s) has a key length of less than 2048 bits. This may present a security risk.
WARNING: PS0038: This action requires a restart of the AD FS 2.0 Windows Service. If you have deployed a federation server farm, restart the service on every server in the farm.

So restart the service and Hallelujah it all works again!
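Added example (not from the original post): the two warnings above are worth turning into checks before the change is applied. This PowerShell function finds the newest unexpired certificate for a given subject in LocalMachine\My (the "many certificates with the same name" situation), confirms it has a private key of at least 2048 bits, and only with -Apply runs Set-ADFSCertificate and restarts the service. The subject name is an assumption; adfssrv is the service name the AD FS 2.0 Windows Service is registered under. The ADFS service account also needs read access to the new certificate's private key, which is not something this script grants.

```powershell
# Added example, not code from the original post. Run in an elevated Windows PowerShell
# on the federation server (and repeat the restart on every farm member, per PS0038).
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

function Set-AdfsServiceCommunicationsCert {
    param(
        [Parameter(Mandatory=$true)] [string]$SubjectName,   # e.g. 'CN=adfs.domain.com' (assumed)
        [switch]$Apply                                       # without -Apply only the checks run
    )
    # Newest unexpired certificate with that subject: the one you just imported
    $now = Get-Date
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq $SubjectName -and $_.NotAfter -gt $now } |
        Sort-Object NotAfter -Descending |
        Select-Object -First 1

    if (-not $cert) { throw "No unexpired certificate with subject '$SubjectName' in LocalMachine\My" }
    if (-not $cert.HasPrivateKey) { throw "Certificate $($cert.Thumbprint) has no private key" }

    $keyBits = $cert.PublicKey.Key.KeySize
    if ($keyBits -lt 2048) {
        # This is the condition behind warning PS0001 above
        Write-Warning "Key length is $keyBits bits; AD FS warns for anything below 2048"
    }
    Write-Host ("Selected {0} (expires {1:yyyy-MM-dd}, {2}-bit key)" -f $cert.Thumbprint, $cert.NotAfter, $keyBits)
    if (-not $Apply) { return $cert }

    Set-ADFSCertificate -CertificateType Service-Communications -Thumbprint $cert.Thumbprint
    # Warning PS0038: the change only takes effect after a service restart
    Restart-Service adfssrv
    Get-ADFSCertificate -CertificateType Service-Communications
}

# Dry run first, then apply:
Set-AdfsServiceCommunicationsCert -SubjectName 'CN=adfs.domain.com'
# Set-AdfsServiceCommunicationsCert -SubjectName 'CN=adfs.domain.com' -Apply
```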

Enjoy!



Thursday, October 31, 2013

Visual Studio : Version issues

Once upon a time, we had VS 2010 and a tool called FedUtil which could be run many times to change the WIF parameters for different hosts, certificates etc.

Also, FedUtil could be run standalone so you could use it on different boxes when you promoted a build from e.g. Dev to Test.

There was no internal STS so we all used SelfSTS.

Then we had VS 2012, where FedUtil morphed to the "Identity and Access Tool" which added some capability but could no longer be run standalone. The "Identity and Access Tool" could be run many times.

It included an internal STS.

Now we have VS 2013 which has a "Change Authentication" feature invoked when you create a project.

There is no internal STS.

You cannot run it standalone and, worst of all, you cannot run it after the project has been created.

So what happens when I want to migrate my VS 2012 projects to VS 2013?

This SUCKS massively big time.

Is there anyone at Microsoft who actually uses these tools in the real world? Because if there were, they wouldn't introduce such restrictions.

Seriously people, get your stuff together!

If you agree, vote here:

In VS 2013, allow ability to run the "Change Authentication" wizard AFTER project is created

Enjoy!

Monday, October 07, 2013

ADFS : Could not establish trust relationship for the SSL/TLS secure channel

The full error:

System.Net.WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.

Trying to get the Web Application Proxy on Server 2012 R2 working with the new ADFS.

Mr. Google to the rescue.

You need to export the certificate (the one behind the federation server name) and place it in the "Computer account" (not "My user account") under "Trusted Root Certification Authorities".

And while I'm on the subject:

Every time you try and install the proxy, it creates certificates under Personal called "ADFS ProxyTrust - machine name".

But if the installation fails, the old ones are not deleted.

Then I got the above error message, but the thumbprint in the message was from a previous attempt, not the latest one.

So I uninstalled WAP and then deleted all these certificates under "Local Computer - Personal - Certificates".

Then I went to the ADFS installation and under the Service tab - "Revoke All Proxies".

Then re-installed WAP.

Then it worked!
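Added example (not from the original post): the two manual steps above in PowerShell, so they can be repeated on the next proxy. The first function imports the federation server's exported certificate into the computer's Trusted Root store (the computer store, not the user store: the WAP service does not run as you). The second lists every "ADFS ProxyTrust - <machine>" certificate left behind in LocalMachine\My, newest first, so the thumbprint in the error can be matched to a particular attempt, and removes them only when -Remove is given. The .cer path is an assumption; Import-Certificate needs the PKI module (Server 2012 onwards) and Remove-Item on the Cert: drive needs PowerShell 3 or later and an elevated session.

```powershell
# Added example, not code from the original post.
function Import-FederationServerRootCert {
    param([Parameter(Mandatory=$true)] [string]$CerPath)   # certificate exported from the ADFS server (assumed path)
    Import-Certificate -FilePath (Resolve-Path $CerPath).Path -CertStoreLocation Cert:\LocalMachine\Root
}

function Get-StaleProxyTrustCert {
    param([switch]$Remove)   # only sensible after WAP has been uninstalled, as in the post
    # The post names these "ADFS ProxyTrust - machine name"; match on the prefix
    $certs = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "CN=ADFS ProxyTrust*" } |
        Sort-Object NotBefore -Descending

    # One line per copy, issued date included, so the thumbprint in the error can be matched
    $certs | Select-Object Thumbprint, NotBefore, NotAfter, Subject

    if ($Remove) {
        foreach ($c in $certs) {
            Write-Host "Removing $($c.Thumbprint) issued $($c.NotBefore)"
            Remove-Item -Path "Cert:\LocalMachine\My\$($c.Thumbprint)"
        }
    }
}

Import-FederationServerRootCert -CerPath .\adfs-federation-server.cer
Get-StaleProxyTrustCert            # list only
# Get-StaleProxyTrustCert -Remove  # after uninstalling WAP; WAP creates a fresh one on reinstall
```

The "Revoke All Proxies" step on the ADFS side is still done in the console, as described above; after that and the reinstall, running the list function again should show exactly one ProxyTrust certificate.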

Enjoy!

Friday, October 04, 2013

ADFS : Some musings on Server 2012 R2

Having been through the exercise of installing the latest invocation of both ADFS and the Web Application Proxy:

Don't use CNG certificates. And guess what?

The command

New-SelfSignedCertificate 

which is available on Windows 8 and Windows Server 2012 produces (you guessed it) CNG certificates.

So you need to indulge in some time travel to create an older version of self-signed certificate.

And the certificate needs SANs as per the lab.

Massive change in that neither ADFS nor the proxy is based on IIS. Rather I gather it's built on HTTP.SYS.

So how do you now find the SSL binding?

Use:

netsh http show sslcert 

So how do you customise the screens? Even something as simple as branding?

It now uses a gMSA instead of a service account, and that takes time to replicate.

You need to plan to do this:

Add-KdsRootKey 

the day before. There is a hack as per the lab for test environments:

Add-KdsRootKey -EffectiveTime (Get-Date).AddHours(-10)

The WAP is behind the "Remote Access Management" tile.

And once you have published a web application you can't edit it. Seriously?

Also, you need to import the certificate that matches the application URL for it to appear in the drop down box.

Documentation (to be polite) is somewhat lacking. C'mon people!

Enjoy!



Thursday, October 03, 2013

IE : There is a problem with this website's security certificate

You see this all the time with ADFS especially when setting up new Claims Provider trusts.

ADFS won't accept the metadata if the certificate isn't trusted.

Normally, you just click on the "Security Report" icon in the bar at the top of IE, then "View Certificate", then "Install Certificate".

The "Install Certificate" button won't show if you are not running as Administrator.

But in Server 2012, IE 11, I could not get the button to appear.

Mr. Google to the rescue and it turns out you have to add the site to "Trusted Sites", restart IE and then it magically appears.
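Added example (not from the original post): the "add it to Trusted Sites" step as PowerShell, for when you have several Claims Provider partners to get through. It writes the same ZoneMap registry value the IE dialog writes for the current user and reads it back. The host name is an assumption. On Server, where IE Enhanced Security Configuration is on by default, the zone entries live under EscDomains instead of Domains, hence the switch. IE reads the zone map at startup, so restart it afterwards, exactly as the post says.

```powershell
# Added example, not code from the original post. Current user only; one host only.
function Add-IeTrustedSite {
    param(
        [Parameter(Mandatory=$true)] [string]$HostName,   # e.g. 'adfs.partner.example' (assumed)
        [string]$Scheme = 'https',
        [switch]$EnhancedSecurity   # IE Enhanced Security Configuration on: entries live under EscDomains
    )
    $zoneTrusted = 2   # zone ids: 1 local intranet, 2 trusted sites, 3 internet, 4 restricted
    $root = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap'
    $base = Join-Path $root $(if ($EnhancedSecurity) { 'EscDomains' } else { 'Domains' })

    # IE stores host.example.com as ...\example.com\host (last two labels as the domain key;
    # a heuristic that is good enough for ordinary partner host names)
    $labels = $HostName.Split('.')
    if ($labels.Count -gt 2) {
        $domain = $labels[-2..-1] -join '.'
        $sub    = $labels[0..($labels.Count - 3)] -join '.'
        $key = Join-Path (Join-Path $base $domain) $sub
    } else {
        $key = Join-Path $base $HostName
    }

    if (-not (Test-Path $key)) { $null = New-Item -Path $key -Force }
    Set-ItemProperty -Path $key -Name $Scheme -Value $zoneTrusted -Type DWord

    # Read it back so the caller sees exactly what was written
    $written = (Get-ItemProperty -Path $key).$Scheme
    [pscustomobject]@{ Host = $HostName; RegistryKey = $key; Scheme = $Scheme; ZoneValue = $written }
}

Add-IeTrustedSite -HostName 'adfs.partner.example' -EnhancedSecurity
```

Keep the entry scoped to the one host carrying the metadata; there is no reason to trust a whole domain for this. Once the certificate is installed, the entry can be deleted again with Remove-Item on the key it reports.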

Enjoy!

Wednesday, October 02, 2013

ADFS : Problem with CNG certificates

Busy having a look at the latest ADFS 2.1 on Windows Server 2012 R2.

This is the one with the Web Application Proxy, MFA etc.

So first off, I need a self-signed certificate.

As per the lab, I need a self-signed certificate with SAN e.g.
  • Subject Name (CN): adfs1.contoso.com
  • Subject Alternative Name (DNS): adfs1.contoso.com
  • Subject Alternative Name (DNS): enterpriseregistration.contoso.com
Hmm - problem.

So what tools are on the box. Oh, frabjous joy - there's a PowerShell command:

New-SelfSignedCertificate 

which is available on Windows 8 and Windows Server 2012.

OK - so try to install ADFS and it complains that the certificate is a CNG (Certificate Next Generation) one which ADFS doesn't support.

WTF? - the new ADFS doesn't support the latest standard? Is this not a security system?

My normal way of generating self-signed certificates is to use SelfSSL7.

But this doesn't run on Server 2012 because it uses .NET 4.5 and SelfSSL7 requires .NET 3.5.

So the options are:
  • Add the .NET 3.5 role to the server
  • Download the source and recompile for .NET 4.5
  • Create on a Windows 7 box and export
  • Use another tool e.g. makecert
But there's another problem:

SelfSSL7 by default does all the IIS SSL binding and this version of ADFS does not use IIS.

So my command was:

selfssl7 /N cn=adfs.domain.com;cn=adfs.domain.com;cn=enterpriseregistration.adfs.domain.com /K 1024 /V 700 /T /X /F c:\xxx\cert.pfx /W password

i.e. just create a pfx file.

Then import the pfx file into the local certificate store - the same one that New-SelfSignedCertificate would have used i.e.

New-SelfSignedCertificate -DnsName www.fabrikam.com, www.contoso.com -CertStoreLocation cert:\LocalMachine\My
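Added example (not from the original post, the lab, or the 2012 R2 musings post above): a way to tell before the ADFS install whether a certificate in LocalMachine\My is a CNG one, and, answering the "how do you find the SSL binding" question from the earlier post, the same check run across every HTTP.SYS binding that netsh http show sslcert reports. It asks certutil which provider holds the private key: CNG keys sit in a Key Storage Provider (New-SelfSignedCertificate uses the Microsoft Software Key Storage Provider), legacy CAPI keys sit in a "... Cryptographic Provider" CSP, which is what this ADFS version wants. The provider-name test is a heuristic based on certutil's output format; the thumbprint in the usage line is a placeholder.

```powershell
# Added example, not code from the original posts. Run in an elevated session on the
# ADFS or WAP box.
function Get-CertKeyProvider {
    param([Parameter(Mandatory=$true)] [string]$Thumbprint)
    # certutil prints "  Provider = <name>" for the private key it finds in the machine store
    $out  = certutil -store My $Thumbprint 2>$null
    $line = @($out | Where-Object { $_ -match '^\s*Provider\s*=' })
    if ($line.Count -eq 0) { return $null }   # no private key, or not in LocalMachine\My
    ($line[0] -split '=', 2)[1].Trim()
}

function Test-CngCertificate {
    param([Parameter(Mandatory=$true)] [string]$Thumbprint)
    $provider = Get-CertKeyProvider -Thumbprint $Thumbprint
    [pscustomobject]@{
        Thumbprint = $Thumbprint
        Provider   = $provider
        # Heuristic: KSP = CNG (rejected by this ADFS), CSP = legacy CAPI (accepted)
        IsCng      = ($null -ne $provider -and $provider -like '*Key Storage Provider*')
    }
}

function Get-SslBindingKeyProvider {
    $bindings = @()
    $current  = $null
    # netsh prints one block per binding, starting with an "IP:port" (or "Hostname:port")
    # line and containing a "Certificate Hash" line
    foreach ($line in (netsh http show sslcert)) {
        if ($line -match '^\s*(IP:port|Hostname:port)\s*:\s*(\S+)') {
            $current = [pscustomobject]@{ Binding = $Matches[2]; Thumbprint = $null }
            $bindings += $current
        } elseif ($current -and $line -match '^\s*Certificate Hash\s*:\s*([0-9A-Fa-f]+)') {
            $current.Thumbprint = $Matches[1].ToUpper()
        }
    }
    foreach ($b in $bindings) {
        if (-not $b.Thumbprint) { continue }
        $t = Test-CngCertificate -Thumbprint $b.Thumbprint
        [pscustomobject]@{ Binding = $b.Binding; Thumbprint = $b.Thumbprint; Provider = $t.Provider; IsCng = $t.IsCng }
    }
}

Test-CngCertificate -Thumbprint 'PLACEHOLDER-THUMBPRINT'   # the cert you are about to give ADFS
Get-SslBindingKeyProvider | Format-Table -AutoSize          # what HTTP.SYS is already serving
```

Run Test-CngCertificate against the certificate you just imported from the selfssl7 PFX: it should report a Cryptographic Provider and IsCng false. The same check against one made by New-SelfSignedCertificate on this OS version shows the Key Storage Provider the ADFS installer objects to.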

Enjoy!

Wednesday, September 04, 2013

C# : Always learn something new

Saw this on Rob Miles blog.

What does ?? mean in C# ?

You can read the full article but the essence is:

"?? provides a convenient way that I can map the null value of a nullable variable onto a specific value

int actualAge = customerAge ?? -1;

It saves us having to write code that tests for null and sets a value appropriately.

The above statement sets the value of actualAge to the value in customerAge unless the value in customerAge is null, in which case it sets it to -1.

if (customerAge == null)
    actualAge = -1;
else
    actualAge = customerAge.Value;

In other words ?? is a short form of the above test"

Enjoy!

ADFS : MSIS7042: The same client browser session has made '6' requests in the last '1' seconds.

Out of the blue, got this problem.

WTF?

So reviewed my changes to date.

I had made a change to fix the ubiquitous problem:

ID3206: A signin response may only redirect within the current web application

If you have played with WIF, you will have seen this particular problem.

The solution is BTW:

Add this to the global.asax:

private void Application_BeginRequest(object sender, EventArgs e)
{
    // A request for the application root without a trailing slash is redirected to the slash form
    if (String.Compare(Request.Path, Request.ApplicationPath, StringComparison.InvariantCultureIgnoreCase) == 0
        && !Request.Path.EndsWith("/"))
    {
        Response.Redirect(Request.Path + "/");
    }
}

This seemed to have fixed the bug but then introduced another - the dreaded slippery slope.

After googling around, I found the problem.

In my ADFS RP, I had configured the endpoint without a trailing slash.

Added the missing "/" and all was well.
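Added example (not from the original post): an ADFS 2.0 check for the mismatch that was found here, so it is spotted in the RP configuration rather than by the MSIS7042 request storm. It lists every relying party whose WS-Federation endpoint looks like an application root (last path segment has no extension) but has no trailing slash, which is exactly the URL the Application_BeginRequest redirect above will disagree with. Needs the AD FS 2.0 snap-in on the federation server; the "looks like a root" rule is a heuristic.

```powershell
# Added example, not code from the original post.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

function Get-RpEndpointWithoutTrailingSlash {
    Get-ADFSRelyingPartyTrust | ForEach-Object {
        $rp = $_
        # WSFedEndpoint is where ADFS sends the sign-in response; empty for SAML-only RPs
        if (-not $rp.WSFedEndpoint) { return }
        $uri  = [uri]$rp.WSFedEndpoint
        $last = $uri.Segments[-1]
        # Root-looking path (no file extension) without a trailing slash: the WIF redirect
        # appends one, and the response then no longer matches the configured endpoint
        if (-not $uri.AbsolutePath.EndsWith('/') -and $last -notmatch '\.') {
            [pscustomobject]@{
                Name          = $rp.Name
                WSFedEndpoint = $uri.AbsoluteUri
                Suggested     = $uri.GetLeftPart([System.UriPartial]::Path) + '/'
            }
        }
    }
}

Get-RpEndpointWithoutTrailingSlash | Format-Table -AutoSize
# Fix a hit with: Set-ADFSRelyingPartyTrust -TargetName '<rp name>' -WSFedEndpoint 'https://host/app/'
```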

Enjoy!

Thursday, August 29, 2013

Stackoverflow : onwards and upwards

Moving up the ladder!

Top 3% and all!


Enjoy!

Wednesday, August 28, 2013

C# : String with spaces is not null or empty

Came across an interesting case.

I was checking a text field with

String.IsNullOrEmpty

and I noticed that if you enter spaces, it is neither null nor empty!

Mr. Google out of bed bright and early and:

String.IsNullOrEmpty() Check for Space

The solution is the "IsNullOrWhiteSpace(string value)" one.

Enjoy!