Thursday, October 31, 2013

Visual Studio : Version issues

Once upon a time, we had VS 2010 and a tool called FedUtil which could be run many times to change the WIF parameters for different hosts, certificates etc.

Also, FedUtil could be run standalone so you could use it on different boxes when you promoted a build from e.g. Dev to Test.

There was no internal STS so we all used SelfSTS.

Then we had VS 2012, where FedUtil morphed to the "Identity and Access Tool" which added some capability but could no longer be run standalone. The "Identity and Access Tool" could be run many times.

It included an internal STS.

Now we have VS 2013 which has a "Change Authentication" feature invoked when you create a project.

There is no internal STS.

You cannot run it standalone and, worst of all, you cannot run it after the project has been created.

So what happens when I want to migrate my VS 2012 projects to VS 2013?

This SUCKS massively big time.

Is there anyone at Microsoft who actually uses these tools in the real world? Because if there were, they wouldn't introduce such restrictions.

Seriously people, get your stuff together!

If you agree, vote here:

In VS 2013, allow ability to run the "Change Authentication" wizard AFTER project is created

Enjoy!

Monday, October 07, 2013

ADFS : Could not establish trust relationship for the SSL/TLS secure channel

The full error:

System.Net.WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.

Trying to get the Web Application Proxy on Server 2012 R2 working with the new ADFS.

Mr. Google to the rescue.

You need to export the certificate that the federation service presents for the federation service name (e.g. adfs.contoso.com) and import it on the proxy under the "Computer account" (not "My user account") in "Trusted Root Certification Authorities". The machine store matters because it is the Web Application Proxy service, not your logged-on user, that validates the federation server's certificate. This step is only needed for a self-signed certificate as in the lab; with a certificate from a CA the proxy already trusts, the chain validates on its own.

And while I'm on the subject:

Every time you try to install the proxy, it creates certificates under Personal called "ADFS ProxyTrust - machine name".

But if the installation fails, the old ones are not deleted.

Then I got the above error message, but the thumbprint in the message was from a previous attempt, not the latest.

So I uninstalled WAP and then deleted all these certificates under "Local Computer - Personal - Certificates".

Then I went to the ADFS installation and under the Service tab - "Revoke All Proxies".

Then re-installed WAP.

Then it worked!
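As an added example (not part of the original post), here is the same fix and clean-up as PowerShell, to run elevated on the WAP box. It assumes the federation service name is adfs1.contoso.com, that its certificate has already been exported to C:\temp\adfs1.cer, and that WAP has been uninstalled before the stale proxy-trust certificates are removed; all three are assumptions for the example.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell on
# the Web Application Proxy server. Host name and file path are assumptions.
param(
    [string]$FederationServiceName = 'adfs1.contoso.com',
    [string]$CerPath = 'C:\temp\adfs1.cer',
    [switch]$RemoveStaleProxyTrust   # only after Uninstall-WindowsFeature Web-Application-Proxy
)

# 1. Trust the federation service certificate in the *machine* Trusted Root
#    store. The user store does not help: the WAP service, not the logged-on
#    admin, is the one validating the federation server's certificate.
$imported = Import-Certificate -FilePath $CerPath -CertStoreLocation Cert:\LocalMachine\Root
Write-Host ("Imported {0} ({1}) into LocalMachine\Root" -f $imported.Subject, $imported.Thumbprint)

# 2. Confirm the chain now validates. For a self-signed lab certificate this
#    is true exactly when the certificate itself sits in the Root store.
if (-not $imported.Verify()) {
    throw "Chain for $($imported.Subject) still does not validate; is the issuer in LocalMachine\Root?"
}

# 3. Chain trust is not enough: the name in the certificate must also match
#    the federation service name, or the TLS name check fails anyway.
$san   = $imported.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$names = if ($san) { $san.Format($false) } else { '' }
if ($imported.Subject -ne "CN=$FederationServiceName" -and
    $names -notmatch [regex]::Escape($FederationServiceName)) {
    Write-Warning "Certificate does not name $FederationServiceName (SAN: '$names')"
}

# 4. Stale proxy-trust certificates. Every failed proxy configuration leaves
#    an "ADFS ProxyTrust - <machine>" certificate in LocalMachine\My, and the
#    error then quotes the thumbprint of an old one. List them here; remove
#    them only after WAP has been uninstalled, then "Revoke All Proxies" in
#    the ADFS console and configure the proxy again.
$stale = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like 'CN=ADFS ProxyTrust - *' }
foreach ($c in $stale) {
    Write-Host ("ProxyTrust cert {0}, issued {1:yyyy-MM-dd}, thumbprint {2}" -f $c.Subject, $c.NotBefore, $c.Thumbprint)
    if ($RemoveStaleProxyTrust) {
        Remove-Item -Path $c.PSPath -DeleteKey   # drop the private key as well
    }
}
if (-not $stale) { Write-Host 'No ADFS ProxyTrust certificates left in LocalMachine\My' }
```

Run it once without -RemoveStaleProxyTrust to see what is there; the thumbprint printed for each stale certificate is what you can match against the one quoted in the error.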

Enjoy!

Friday, October 04, 2013

ADFS : Some musings on Server 2012 R2

Having been through the exercise of installing the latest version of both ADFS and the Web Application Proxy:

Don't use CNG certificates. And guess what?

The command

New-SelfSignedCertificate 

which is available on Windows 8 and Windows Server 2012 produces (you guessed it) CNG certificates, i.e. certificates whose private key lives in a CNG key storage provider rather than a legacy CSP.

So you need to indulge in some time travel to create an older-style self-signed certificate.

And the certificate needs SANs as per the lab.

Massive change in that neither ADFS nor the proxy is based on IIS. Rather, I gather it's built on HTTP.SYS.

So how do you now find the SSL binding?

Use:

netsh http show sslcert 

So how do you customise the screens? Even something as simple as branding?

It now uses a gMSA (group Managed Service Account) instead of a conventional service account. A gMSA depends on the KDS root key, and a newly created root key is by default only usable 10 hours after its effective time, to give it time to replicate to all domain controllers.

You need to plan to do this:

Add-KdsRootKey 

the day before. There is a hack as per the lab for test environments (a single DC, where replication is not a concern), which backdates the effective time so the key is usable immediately:

Add-KdsRootKey -EffectiveTime (Get-Date).AddHours(-10)

The WAP is behind the "Remote Access Management" tile.

And once you have published a web application, you can't edit it. Seriously?

Also, you need to import the certificate that matches the application URL into the proxy's machine Personal store for it to appear in the drop-down box.

Documentation (to be polite) is somewhat lacking. C'mon people!

Enjoy!



Thursday, October 03, 2013

IE : There is a problem with this website's security certificate

You see this all the time with ADFS especially when setting up new Claims Provider trusts.

ADFS won't accept the metadata if the certificate on the metadata endpoint isn't trusted by the federation server.

Normally, you just click on the "Security Report" icon in the bar at the top of IE, then "View Certificate", then "Install Certificate", and pick the Local Machine store: the ADFS service never looks in your user store.

The "Install Certificate" button won't show if you are not running as Administrator.

But in Server 2012, IE 11, I could not get the button to appear.

Mr. Google to the rescue and it turns out you have to add the site to "Trusted Sites", restart IE and then it magically appears.
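As an added example (not part of the original post), the same result without IE: the script below opens a TLS connection to the claims provider's metadata host, reads the certificate it presents, checks it against a thumbprint you obtained from the partner by another channel, installs it into the machine Trusted Root store and then confirms the metadata can be downloaded with a normally validating request. The host name sts.partner.example and the thumbprint parameter are assumptions; run it elevated on the federation server.

```powershell
# Added example, not from the original post. Host name and expected
# thumbprint are assumptions. Run elevated on the ADFS server.
param(
    [string]$HostName = 'sts.partner.example',
    [string]$ExpectedThumbprint = ''   # paste the thumbprint you verified out of band
)

# Open a TLS connection and accept whatever certificate is presented, purely
# so that we can read it; nothing is trusted at this point.
$tcp = New-Object System.Net.Sockets.TcpClient($HostName, 443)
$acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
try {
    $ssl.AuthenticateAsClient($HostName)
    $remote = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
} finally {
    $ssl.Dispose()
    $tcp.Close()
}
Write-Host ("{0} presented '{1}', issued by '{2}', thumbprint {3}" -f $HostName, $remote.Subject, $remote.Issuer, $remote.Thumbprint)

# Trusting a certificate just because it came down the wire is exactly the
# trust-on-first-use hole a man-in-the-middle needs. Compare against a value
# obtained from the partner by another channel before installing anything.
if (-not $ExpectedThumbprint) {
    Write-Warning 'No expected thumbprint given; verify the one printed above, then re-run with -ExpectedThumbprint'
    return
}
if ($remote.Thumbprint -ne $ExpectedThumbprint.Replace(' ', '').ToUpperInvariant()) {
    throw "Thumbprint mismatch: expected $ExpectedThumbprint, got $($remote.Thumbprint)"
}

# Only a self-signed certificate belongs in Trusted Root. If the partner's
# certificate is CA-issued, it is the issuing CA that must be trusted instead.
if ($remote.Subject -ne $remote.Issuer) {
    throw "Leaf is issued by '$($remote.Issuer)'; install that CA certificate, not this leaf"
}

# Install into the machine store. ADFS is a service; it never sees your user
# store, which is why IE's default "Current User" choice does not help.
$root = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'LocalMachine')
$root.Open('ReadWrite')
$root.Add($remote)
$root.Close()

# Confirm ADFS will now be able to pull the metadata: a normal, validating
# HTTPS request must succeed (this is the request that was failing before).
$metadataUrl = "https://$HostName/FederationMetadata/2007-06/FederationMetadata.xml"
$wc = New-Object System.Net.WebClient
$xml = [xml]$wc.DownloadString($metadataUrl)
Write-Host ("Metadata OK, entityID = {0}" -f $xml.EntityDescriptor.entityID)
```

The first run deliberately stops after printing the thumbprint; the point of the two-step flow is that the value you pass on the second run came from the partner, not from the connection you are about to trust.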

Enjoy!

Wednesday, October 02, 2013

ADFS : Problem with CNG certificates

Busy having a look at the latest ADFS 2.1 on Windows Server 2012 R2.

This is the one with the Web Application Proxy, MFA etc.

So first off, I need a self-signed certificate.

As per the lab, I need a self-signed certificate with SAN e.g.
  • Subject Name (CN): adfs1.contoso.com
  • Subject Alternative Name (DNS): adfs1.contoso.com
  • Subject Alternative Name (DNS): enterpriseregistration.contoso.com
Hmm - problem.

So what tools are on the box? Oh, frabjous joy - there's a PowerShell command:

New-SelfSignedCertificate 

which is available on Windows 8 and Windows Server 2012.

OK - so try to install ADFS and it complains that the certificate is a CNG (Cryptography Next Generation) one, which ADFS doesn't support: its private key was created by a CNG key storage provider, while this version of ADFS wants the SSL certificate's key in a legacy CSP.

WTF? - the new ADFS doesn't support the latest standard? Is this not a security system?

My normal way of generating self-signed certificates is to use SelfSSL7.

But this doesn't run on Server 2012 out of the box, because the server ships with .NET 4.5 and SelfSSL7 requires .NET 3.5, which is not installed by default.

So the options are:
  • Add the .NET 3.5 role to the server
  • Download the source and recompile for .NET 4.5
  • Create on a Windows 7 box and export
  • Use another tool e.g. makecert
But there's another problem:

SelfSSL7 by default does all the IIS SSL binding and this version of ADFS does not use IIS.

So my command was:

selfssl7 /N cn=adfs.domain.com;cn=adfs.domain.com;cn=enterpriseregistration.adfs.domain.com /K 1024 /V 700 /T /X /F c:\xxx\cert.pfx /W password

i.e. just create a pfx file.

Then import the pfx file into the local machine certificate store (LocalMachine\My), the same one that New-SelfSignedCertificate would have used, i.e.

New-SelfSignedCertificate -DnsName www.fabrikam.com, www.contoso.com -CertStoreLocation cert:\LocalMachine\My
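As an added example (not the post's own command, and not a Microsoft tool's output), here is a way to get the lab certificate from this post and the "Some musings" post above without SelfSSL7, makecert or .NET 3.5: certreq.exe, which is on every Windows Server, can create a self-signed certificate from an INF file, and the INF lets you pick the legacy "Microsoft RSA SChannel Cryptographic Provider" so the key is a CSP key rather than a CNG one. It then checks the provider the way ADFS setup effectively does, shows the SANs, exports a PFX for the proxy box, and finally lists the HTTP.SYS bindings. Host names, paths and the PFX password are assumptions; run it elevated.

```powershell
# Added example, not from the original posts. Creates the lab's self-signed SSL
# certificate (CN plus DNS SANs) with the private key in a legacy CSP, which is
# what this ADFS wants, using certreq.exe instead of SelfSSL7 / makecert.
# Host names, paths and the PFX password are assumptions. Run elevated.
param(
    [string]$FederationServiceName = 'adfs1.contoso.com',
    [string[]]$ExtraSan = @('enterpriseregistration.contoso.com'),
    [string]$PfxPath = 'C:\temp\adfs1.pfx',
    [string]$PfxPassword = 'Change-Me-1'
)

# certreq INF: ProviderName/ProviderType select the legacy RSA SChannel CSP
# (a CNG key would come from "Microsoft Software Key Storage Provider");
# RequestType = Cert makes it self-signed; MachineKeySet puts it in
# LocalMachine\My; KeySpec 1 and KeyUsage 0xA0 are what SSL needs.
$sanLines = (@($FederationServiceName) + $ExtraSan) | ForEach-Object { '_continue_ = "dns=' + $_ + '&"' }
$inf = @'
[Version]
Signature = "$Windows NT$"

[NewRequest]
Subject = "CN=__CN__"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
Exportable = TRUE
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = Cert
HashAlgorithm = sha256
ValidityPeriod = Years
ValidityPeriodUnits = 2

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1

[Extensions]
2.5.29.17 = "{text}"
__SAN__
'@
$inf = $inf.Replace('__CN__', $FederationServiceName).Replace('__SAN__', ($sanLines -join "`r`n"))

$infPath = Join-Path $env:TEMP 'adfs-ssl.inf'
$cerPath = Join-Path $env:TEMP 'adfs-ssl.cer'
Set-Content -Path $infPath -Value $inf -Encoding Ascii
& certreq.exe -new $infPath $cerPath | Out-Null
if ($LASTEXITCODE -ne 0) { throw "certreq.exe failed with exit code $LASTEXITCODE" }

# certreq put the certificate into LocalMachine\My; pick up the newest one.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$FederationServiceName" } |
    Sort-Object NotBefore -Descending | Select-Object -First 1
if (-not $cert) { throw 'Certificate not found in LocalMachine\My' }

# Which provider holds the private key? certutil prints "Provider = <name>";
# a CNG key shows "Microsoft Software Key Storage Provider" and ADFS rejects it.
$match = & certutil.exe -store My $cert.Thumbprint | Select-String 'Provider = (.+)$' | Select-Object -First 1
$provider = $match.Matches[0].Groups[1].Value.Trim()
if ($provider -like '*Key Storage Provider*') { throw "Key is CNG ($provider); ADFS will reject it" }
Write-Host "Key provider: $provider"

# Show the SANs actually written into the certificate.
($cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }).Format($true)

# Export to PFX: the proxy needs the same certificate for the same name.
$pfxSecret = ConvertTo-SecureString $PfxPassword -AsPlainText -Force
Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $pfxSecret | Out-Null
Write-Host "Exported $($cert.Thumbprint) to $PfxPath"

# Once ADFS is installed, the SSL binding lives in HTTP.SYS, not IIS:
& netsh.exe http show sslcert
```

The provider check is the one worth keeping even if you create the certificate some other way: it is the difference between a key ADFS setup accepts and the CNG error above.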

Enjoy!






Wednesday, September 04, 2013

C# : Always learn something new

Saw this on Rob Miles blog.

What does ?? mean in C# ?

You can read the full article but the essence is:

"?? provides a convenient way that I can map the null value of a nullable variable onto a specific value

int actualAge = customerAge ?? -1;
 
It saves us having to write code that tests for null and sets a value appropriately. 

The above statement sets the value of actualAge to the value in customerAge unless the value in customerAge is null, in which case it sets it to –1.

// customerAge is an int? (nullable), actualAge a plain int
if (customerAge == null)
    actualAge = -1;
else
    actualAge = customerAge.Value;
 
In other words ?? is a short form of the above test"

Enjoy!
 



ADFS : MSIS7042: The same client browser session has made '6' requests in the last '1' seconds.

Out of the blue, got this problem.

WTF?

So reviewed my changes to date.

I had made a change to fix the ubiquitous problem:

ID3206: A signin response may only redirect within the current web application

If you have played with WIF, you will have seen this particular problem.

The solution is BTW:

Add this to the global.asax (Global.asax.cs):

// If the request is for the application root without a trailing slash,
// redirect to the version with the slash so that WIF's sign-in response
// redirect stays inside the application (the ID3206 check compares paths).
private void Application_BeginRequest(object sender, EventArgs e)
{
    if (String.Compare(Request.Path, Request.ApplicationPath, StringComparison.InvariantCultureIgnoreCase) == 0
        && !Request.Path.EndsWith("/"))
    {
        Response.Redirect(Request.Path + "/");
    }
}
This seemed to have fixed the bug but then introduced another - the dreaded slippery slope.

After googling around, I found the problem.

In my ADFS RP, I had configured the endpoint without a trailing slash.

Added the missing "/" and all was well.
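As an added example (not the post's own code), here is the ADFS side of this fix as a PowerShell audit: it lists every Relying Party Trust whose WS-Federation endpoint lacks the trailing slash and, with -Fix, adds it. The mechanism behind MSIS7042 here is worth spelling out: ADFS POSTs the token to /App, the Application_BeginRequest redirect above answers with a 302, the browser follows it with a GET to /App/ that no longer carries the token, WIF sees an unauthenticated request and sends the browser back to ADFS, which (thanks to its SSO cookie) posts the token again, and round it goes until ADFS's loop detection trips. The script assumes the ADFS cmdlets of Server 2012 / 2012 R2 and that each WS-Fed endpoint is an application root rather than a specific page; both are assumptions for the example.

```powershell
# Added example, not from the original post. Run on the federation server.
# Assumes the ADFS module (Server 2012 / 2012 R2; on ADFS 2.0 use
# Add-PSSnapin Microsoft.Adfs.PowerShell instead) and that WS-Fed endpoints
# are application roots, not individual pages.
param([switch]$Fix)

Import-Module ADFS -ErrorAction Stop

function Add-TrailingSlash {
    param([Uri]$Endpoint)
    # Work on the path component only, so any query string stays where it is.
    $b = New-Object System.UriBuilder($Endpoint)
    if (-not $b.Path.EndsWith('/')) { $b.Path += '/' }
    return $b.Uri
}

$trusts = @(Get-AdfsRelyingPartyTrust)
$bad = @($trusts | Where-Object {
    $_.WSFedEndpoint -and -not $_.WSFedEndpoint.AbsolutePath.EndsWith('/')
})

foreach ($rp in $bad) {
    # A last segment with a dot (Default.aspx, Login.ashx) is a page, not an
    # application root; appending "/" there would break it, so only report it.
    if ($rp.WSFedEndpoint.Segments[-1] -match '\.') {
        Write-Warning ("{0}: endpoint {1} looks like a page; skipping" -f $rp.Name, $rp.WSFedEndpoint)
        continue
    }
    $fixed = Add-TrailingSlash $rp.WSFedEndpoint
    Write-Host ("{0}: {1} -> {2}" -f $rp.Name, $rp.WSFedEndpoint.AbsoluteUri, $fixed.AbsoluteUri)
    if ($Fix) {
        # -TargetName is the trust's display name. Only the endpoint changes;
        # the identifier (realm) the application sends is left alone.
        Set-AdfsRelyingPartyTrust -TargetName $rp.Name -WSFedEndpoint $fixed
    }
}
Write-Host ("{0} of {1} WS-Fed trusts lack a trailing slash{2}" -f $bad.Count, $trusts.Count, $(if ($Fix) { ' (fixed)' } else { '' }))
```

Run it without -Fix first; the endpoint it prints must be the same URL, slash included, that the application's WIF configuration expects to receive the token on.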

Enjoy!

Thursday, August 29, 2013

Stackoverflow : onwards and upwards

Moving up the ladder!

Top 3% and all!


Enjoy!

Wednesday, August 28, 2013

C# : String with spaces is not null or empty

Came across an interesting case.

I was checking a text field with

String.IsNullOrEmpty

and I noticed that if you enter spaces, it is neither null nor empty!

Mr. Google out of bed bright and early and:

String.IsNullOrEmpty() Check for Space

The solution is String.IsNullOrWhiteSpace(string value), which also returns true for a string made up only of white-space characters.

Enjoy!
 

AAD : SSO between AAD and Salesforce

The write-up is here:

Tutorial: Windows Azure AD integration with Salesforce

but I couldn't get it working.

Luckily, I have some SAML experience so figured out the problem.

I posted before about how important it is to get the NameID stuff right and this was indeed the problem.

When you create the user in Salesforce, you have to make sure that the Salesforce username is exactly the same as the login name (user principal name) you use for your AAD tenant.

And the email field must be a real address you can read, because Salesforce sends the password mail there.

The email address and the username do not have to match.

So assume I log into my AAD tenant as:

jbloggs@tenant.onmicrosoft.com

My email address is jbloggs@gmail.com.

So I create the Salesforce user with:

email = jbloggs@gmail.com

username = jbloggs@tenant.onmicrosoft.com

Check your email - you will get a "Change Password" email from Salesforce.

Change your password. 

Login to AAD - navigate to the Access Panel - click Salesforce.

What will happen is that AAD will take your logged-in name, put it in the NameID of the SAML assertion and pass it to Salesforce, which matches the NameID against the username.

Salesforce will check that there is a registered user with that username.

There is, so A-OK - you are logged in.

I did not have to synchronise any accounts to achieve this.

Enjoy!


Monday, August 12, 2013

ASP.NET : Inline validation controls no longer red

So I had a project that I was busy migrating from .NET 3.5 to .NET 4.5.

Now I use the asp:RequiredFieldValidator controls and suddenly I noticed that the error messages were no longer in red.

I then compared the projects - no obvious .css changes or anything like that.

Then I compared the web.config files and noticed that:

<pages controlRenderingCompatibilityVersion="3.5" clientIDMode="AutoID" validateRequest="false" />

had changed to:

<pages controlRenderingCompatibilityVersion="4.0" clientIDMode="AutoID" validateRequest="false" />

This must have happened in the wizard that migrates the project.

Have a look at:

What's New in ASP.NET 4 and Visual Web Developer

where it mentions that validators no longer render inline color:Red styles.

Changing it back to "3.5" sorted it out. The alternative, if you want to keep the 4.0 rendering, is to set ForeColor or a CssClass on the validators explicitly, since the inline red is what went away.

Isn't red the international error colour anyway?

Enjoy!


Friday, August 09, 2013

WCF : The request for security token could not be satisfied because authentication failed

 

In full:

System.ServiceModel.Security.SecurityNegotiationException The caller was not authenticated by the service. System.ServiceModel.FaultException: The request for security token could not be satisfied because authentication failed.

I see this when the WS call is cross domain on wsHttpBinding.

Quick and dirty is to remove the security (or move to basicHttpBinding).

Not recommended on a Production system, since security mode="None" means no authentication, no message integrity and (over plain http) no confidentiality at all, but to get over the hump …

On the client side change:

<wsHttpBinding>
  <binding name="WSHttpBinding_IService">
    <security mode="None" />
  </binding>
</wsHttpBinding>


On the WS side change:


<system.serviceModel>
  <services>
    <service name="xxx">
      <endpoint address="" binding="wsHttpBinding" contract="WcfServiceLibrary.IService" bindingConfiguration="NoSecurityConfig">
        <identity>
          <dns value="yyy" />
        </identity>
      </endpoint>
      <endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange" />
    </service>
  </services>

  <bindings>
    <wsHttpBinding>
      <binding name="NoSecurityConfig">
        <security mode="None" />
      </binding>
    </wsHttpBinding>
  </bindings>
</system.serviceModel>


Essentially, the changes are to add the "security mode = None" binding, to reference it from the endpoint with bindingConfiguration="NoSecurityConfig", and to make the same change on both client and service so the two bindings still match.



Enjoy!