Thursday, December 22, 2011

C# : Counting "rows" in an XML structure

Working on a system that returns an XML structure as a string.

The structure looks like:


I needed to find out how many rows there were.

Mr. Google to the rescue and the solution is:
XmlDocument readTable = new XmlDocument();
readTable.LoadXml(xmlString);   // xmlString is the XML structure the system returned

int rowCount = readTable.SelectNodes("Table/Row").Count;

Refer to XPath Examples for the syntax of the other kinds of searches you can do.
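The same Table/Row count as an added example (not the post's own code), run on a constructed sample string and loaded through an XmlReader that prohibits DTDs, so a string handed back by another system cannot pull in external entities the way a plain LoadXml would allow; RowCounter, SampleXml and its Id/Name child elements are assumed for illustration.

```csharp
using System;
using System.IO;
using System.Xml;

// Added example: count <Row> elements with the post's XPath, but parse the
// string with DTD processing switched off and no external resolver.
public static class RowCounter
{
    // Constructed sample of what the system is assumed to return.
    public const string SampleXml =
        "<Table>" +
        "  <Row><Id>1</Id><Name>alpha</Name></Row>" +
        "  <Row><Id>2</Id><Name>beta</Name></Row>" +
        "  <Row><Id>3</Id><Name>gamma</Name></Row>" +
        "</Table>";

    public static int CountRows(string xml, string xpath = "Table/Row")
    {
        var settings = new XmlReaderSettings
        {
            DtdProcessing = DtdProcessing.Prohibit, // a <!DOCTYPE> makes the load fail
            XmlResolver = null                      // never fetch external resources
        };

        // Keep the XmlDocument itself from resolving anything either.
        var readTable = new XmlDocument { XmlResolver = null };
        using (var reader = XmlReader.Create(new StringReader(xml), settings))
        {
            readTable.Load(reader);
        }

        // XPath names are case-sensitive: "table/row" does not match the sample.
        return readTable.SelectNodes(xpath).Count;
    }

    public static void Main()
    {
        Console.WriteLine("rows: " + CountRows(SampleXml));
        Console.WriteLine("rows (wrong case): " + CountRows(SampleXml, "table/row"));

        // A document carrying a DTD is rejected instead of being parsed.
        string withDtd = "<!DOCTYPE Table [<!ENTITY x \"y\">]><Table><Row/></Table>";
        try
        {
            CountRows(withDtd);
        }
        catch (XmlException e)
        {
            Console.WriteLine("rejected: " + e.Message);
        }
    }
}
```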


Friday, December 02, 2011

ASP : The Web Form equivalent of MessageBox

When you are writing a Windows application, the ubiquitous MessageBox is extremely useful for popping up a quick debug message but it’s not available for ASP.NET Web Forms.

In such cases, use:

Response.Write("<script language='javascript'>alert('Your message');</script>");


Wednesday, November 30, 2011

ADFS : Display exceptions

There's a neat feature in ADFS in the web.config that displays exceptions on the error page which I find a MAJOR help when I'm configuring stuff.

Uncomment this piece:

<!-- Display the exception message on the error page. Uncomment this, or add the key below to your
app settings if you want to see the exception message. The exception messages are localized in the
language of the server.-->

<add key="displayExceptions" />

The web.config you need is here:


So I changed the code in FormsSignIn to use an exception called exp instead of ex resulting in the error below.


Thursday, November 24, 2011

ADFS : The "All Time" double!

Over on stackoverflow:

And now the pressure is really on ...


Visual Studio : Web deploy - Files\IIS\Microsoft was unexpected at this time

Built a project using the standard VS 2010 SP1 - Right click on the project - Build Deployment Package.

Then tried to deploy it via:

xxx.deploy.cmd /T

The /T does a whatif - always a good idea to check first!

Then run the following when you are happy:

xxx.deploy.cmd /Y

Got the error - "Files\IIS\Microsoft was unexpected at this time". WTF?

First off when you set the environment variable as per the txt file:

set MSDeployPath="C:\Program Files\IIS\Microsoft Web Deploy V2\"

Do NOT put the quotes in and remove the end \ i.e.

set MSDeployPath=C:\Program Files\IIS\Microsoft Web Deploy V2

What the script does is search for this variable and if it's missing, it tries to find the path in the registry via this code:

if "%MSDeployPath%" == "" (
    for /F "usebackq tokens=1,2,*" %%h in (`reg query "HKLM\SOFTWARE\Microsoft\IIS Extensions\MSDeploy" /s ^| findstr -i "InstallPath"`) do (
        if /I "%%h" == "InstallPath" (
            if /I "%%i" == "REG_SZ" (
                if not "%%j" == "" (
                    if "%%~dpj" == "%%j" (
                        set MSDeployPath=%%j
                    )
                )
            )
        )
    )
)


I have Web Deploy V2 installed but I don't have that registry entry. It's this piece of script that produces the error. Just comment it out and all will be sweetness and light.


Tuesday, November 22, 2011

WIF : The FederatedPassiveSignInStatus Control

Doing some WIF development and wanted to sign out the user completely. So I dragged the control from the Toolbox on VS 2010 and then tested it.

WTF - it doesn't do anything.

I set the SignOut action to FederatedPassiveSignOut and had an url for the SignOutPageUrl.

Then I noticed that I'd actually added the control to the Site.Master page so that it would appear on every page on the site. Hmm - but that's not actually a page.

So I removed it and added it to my Home page. Works like a dream.

This may help someone else in the same predicament.

Passive Authentication for ASP.NET with WIF has a good description of SingleSignOut.

Makes the point:

"In more complex scenarios, the same clean-up request should be sent to any other STS involved in the federated session. To that end, the STS would have to have prior knowledge of the clean-up URI for each RP and STS. To support single sign-out, your RPs should be able to process these clean-up requests. Both the FAM and the FederatedPassiveSignInStatus control support this. If you’re using the FAM, the clean-up request can be posted to any URI at the RP and the FAM will process the request and clean up any session cookies. If you’re using the FederatedPassiveSignInStatus control, the clean-up request must be posted to a page that contains the control."


ADFS : Choosing the certificate name

ADFS uses three certificates:
  • Service communications for encrypting the message
  • Token-decrypting for "encrypting" the token
  • Token-signing for signing the token
The service communications certificate is essentially the SSL certificate that you have configured for the SSL session on the IIS that hosts ADFS. (Yes - folks - it is basically an IIS site - look for it under \inetpub\adfs\ls).

When you configure the certificate for SSL, you need to give it the full name of the site e.g. "". Don't just give it the name "contuso". If you do, ADFS will reject it when you install ADFS and will ask for a certificate that has "dots" in it.

Actually, the real error is "ADFS requires full name for certificate".

Just saying.


Thursday, November 17, 2011

Stackoverflow : Top of the tag heap

One of my goals was to get to the top of the "Top Answerers" for a Tag category in stackoverflow and I finally managed to achieve that ...

Problem is: It's more difficult to stay at the top than to get there!


Friday, November 11, 2011

C# : Parsing dates


Dates are a PIA – no matter what language.

Found a neat way to do the validation e.g. the d/m/yyyy vs. d/mm/yyyy vs. dd/mm/yyyy etc.

// needs: using System.Globalization;
DateTime d;
bool validDate = DateTime.TryParseExact(txtDate.Text,
    new[] { "dd/MM/yyyy", "d/MM/yyyy" },
    CultureInfo.InvariantCulture, DateTimeStyles.None, out d);

if (!validDate)
{
    // Error stuff
}
else
{
    // Valid stuff
}

So you just add the valid patterns to the array and away you go!
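An added example, not the post's code: the TryParseExact call wrapped in a helper and run over a set of constructed inputs to show which shapes the listed patterns accept and which they reject; DateValidator and the sample strings are made up for illustration.

```csharp
using System;
using System.Globalization;

// Added example: exact-format date validation driven by an array of patterns.
public static class DateValidator
{
    // Accepted layouts; add more patterns here and nothing else has to change.
    private static readonly string[] Formats = { "dd/MM/yyyy", "d/MM/yyyy", "d/M/yyyy" };

    // Returns null when the text matches none of the patterns or is not a real date.
    public static DateTime? Parse(string text)
    {
        DateTime d;
        bool ok = DateTime.TryParseExact(text, Formats,
            CultureInfo.InvariantCulture, DateTimeStyles.None, out d);
        return ok ? d : (DateTime?)null;
    }

    public static void Main()
    {
        // Constructed inputs covering each pattern and the usual rejects.
        string[] inputs =
        {
            "22/12/2011",  // dd/MM/yyyy
            "2/12/2011",   // d/MM/yyyy ("dd" alone would need the leading zero)
            "2/3/2011",    // d/M/yyyy: read as 2 March because d/M is listed, not M/d
            "31/02/2011",  // right shape, impossible date
            "12-22-2011",  // separator and order not in the list
            "2011-12-22",  // ISO form is not in the list either
        };

        foreach (string s in inputs)
        {
            DateTime? d = Parse(s);
            Console.WriteLine("{0,-12} -> {1}", s,
                d.HasValue ? d.Value.ToString("yyyy-MM-dd") : "invalid");
        }
    }
}
```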


Thursday, November 10, 2011

Stackoverflow : Finally, the top 5%

One of my goals has been to get my stackoverflow rep. up into the top 5%.

And finally, I did it:

And now it gets really hard because I'm up against the big boys

Like this:

Hmm , nothing like a challenge :-)

Still, for the moment, I'll take being (almost) in the top 2,000 worldwide!


ADFS : Problem with FedUtil

I posted this problem over on the forum.


I have an ASP.NET application that uses FBA and calls a web service that performs CRUD operations on a back-end system i.e. the ASP.NET application is the client.

I want to claims-enable this application. I don’t want to do anything re. federation with the web service. It should just run in the background as it currently does.

When I run FedUtil, I get the message:

“ID1032: A wcf application federated to a security token service requires an application certificate. Please select a certificate for your application.”

It seems that FedUtil is trying to secure the web service and not the browser application? If I supply a certificate and then look at the resulting web.config, FedUtil hasn't done any of the usual passive profile stuff e.g. commenting out the entire current authentication:

<!--Commented out by FedUtil-->

<!--<authentication mode="Forms"><forms loginUrl="~/Account/Login.aspx" timeout="2880" /></authentication>-->

If I comment out the system.serviceModel section, FedUtil runs as expected.

I then un-comment the section and have a federated browser application with a non-federated web service.

This seems a very round-about way to achieve the objective.

Why does FedUtil only federate the web service?

How do you tell it to federate the browser functionality only? I would have thought that this was a common implementation?

Is there a better way to achieve this?


So what FedUtil seems to do is scan the web.config. If it finds a system.serviceModel section, it assumes this is a WCF session (i.e. active) that you want to secure and off it goes. But in fact, it's the browser session (i.e. passive) that you want to secure.

Anyway, the above provides a work-around but it's a PIA!


Tuesday, November 01, 2011

IIS : Default Web Site disappears

Happily working away on my Windows 7 box with IIS 7.5, deleted an old web site and somehow (no idea !!!) my "Default Web Site" in IIS 7.5 went west - gone - nixed - went to meet its maker ...!


I found that this article, What??? You deleted "Default Web Site" from IIS?!?!, had some useful info.

In particular (as per the article), to check that it really has gone:

"First you want to really make sure that there is not a web site known as W3SVC/1. Who knows, maybe someone had simply renamed your default web site or something. Open a command prompt and type this:


cscript adsutil.vbs enum w3svc/1

If it comes up with "The path requested could not be found" then sure enough, you don't have a true default website anymore. If no error then check out the "ServerComment" to know which web the machine now thinks is the default."

OK - so it's really gone. You can follow the rest of the article or simply recreate another one.

I decided to re-install IIS - who knows what else was screwed up?

Control Panel / Programs / Turn Windows features on or off.

Uncheck all the IIS stuff. Then OK - it's all removed.

Then check it all back again - OK - IIS will come back and you may or may not have a "Default Web Site".

If you don't, just add one - there's nothing special about it - it's just another web site.

Start / Administrative Tools / IIS Manager

Right click Sites / Add Web Site

Call it "Default Web Site". Point to:

You should now have it back - along with others that may have been in that directory.

Click "Default Web Site" / "Advanced settings". Check that the ID is 1. You are good to go!

If you use ASP.NET and .NET Framework 4 - beware!

Look here: ASP.NET : Handler “PageHandlerFactory-Integrated” has a bad module “ManagedPipelineHandler” in its module list


Thursday, October 20, 2011

Blogger : Formatting a code snippet.

There are many suggestions for this.

Refer my question on stackoverflow.

However, the TechNet wiki recommends tohtml. Just paste in your code snippet, select the language, click the button, copy the resulting html and paste back into whatever.

I use the white style.



Monday, October 10, 2011

TechNet : 15 minutes of fame


Over on the TechNet Wiki, I contributed an article on a Kerberos Survival Guide. 

Just been notified that:

The article Kerberos Survival Guide on the TechNet Wiki has achieved its 15 minutes of fame. Congratulations!

To clarify:

As you can see here: How do I earn points?, the points you get range between 5 and 2,500 points when your article gets from 500 to 1 million page views. "15 minutes of fame" is the first milestone.


Monday, October 03, 2011

ASP.NET : Handler “PageHandlerFactory-Integrated” has a bad module “ManagedPipelineHandler” in its module list


I do a lot of work developing applications on my Windows 7 32 bit machine using IIS 7.5 and then migrating them to IIS 7.5 on my Windows Server 2008 R2 64 bit box. Not as simple as it sounds.

Using VS 2010, my DefaultAppPool on Windows 7 uses the .NET 4.0 framework whereas it’s 2.0 on Windows 2008. So you need to make a new application pool and set it to “Integrated” and the 4.0 framework.

OK – then I get the above error. The blurb below on the error page says that the most likely cause is that:

“Managed handler is used; however, ASP.NET is not installed or is not installed completely.”

Check my installed features in IIS 7.5 and Yup – ASP.NET is installed, it has a handler etc. So WTF?

Mr. Google to the rescue.

Run a command prompt in administrative mode.

C:\Windows\Microsoft.NET\Framework\v4.0.30319>aspnet_regiis.exe -i
Start installing ASP.NET (4.0.30319).
Finished installing ASP.NET (4.0.30319).

Note: Your version of the framework may be different!

Notice that it installs ASP.NET even though it is already supposed to be there but it fixes the problem and all is well!


Tuesday, September 27, 2011

WCF : WCF Test Client “The contract ‘IMetadataExchange’ in client configuration does not match the name in service contract”


Playing around with WCF web services in VS 2010 and .NET Framework 4.

When I run the WCF Test Client across the web service I get the above error. The service still works but there’s an error symbol (a ! in a red circle on the LHS).

Mr. Google to the rescue and you need to change the framework config file here:


Comment out the “endpoint” section i.e.

  <!-- <endpoint address="" binding="netTcpRelayBinding" contract="IMetadataExchange" name="sb" /> -->

Problem solved.

Even though it still works, I hate these niggly errors in case I’ve screwed up :-)


Thursday, September 22, 2011

ADFS : Google top 5 hits

I was looking at my blog stats and noticed that my article on "Re-installing ADFS v2.0" was among my top 5 articles.

So I Googled "Re-installing ADFS v2.0" and found that the top 5 search entries in Google all point to my blog!

Note that the last one is actually from an aggregate site that points to the same blog entry.

Looking at the stats for this article, I noticed that the biggest source of queries was from the Geneva forum, the next was from stackoverflow and Mr. Google only came in third.

The message is clear - if you want to bump up your search results, write good, solid, factually correct articles and link to them. :-)


Tuesday, September 20, 2011

ASP : Displaying server variables

Sometimes you need to know who you are logged in as.

In the claims world, it’s easy because you have the IPrincipal and IIdentity objects but if these are not available, you need to go back to first principles.

Enter stage left the server variables. These are accessed from the Request object. A simple way to enumerate them all is via the html segment below, which you just whack into an asp page.

<h1>ASP Request Variables Page</h1>

The current user you are logged in as is:
<%
    ' Server.HTMLEncode the values: several of these variables (HTTP_USER_AGENT,
    ' HTTP_REFERER, ...) are copied straight from the client's request headers.
    Response.Write("AUTH_USER" & "    " & Server.HTMLEncode(Request.ServerVariables("AUTH_USER")) & "<br /><br />")
    For Each x In Request.ServerVariables
        Response.Write(x & "&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;" & Server.HTMLEncode(Request.ServerVariables(x)) & "<br /><br />")
    Next
%>



Monday, September 12, 2011

ADFS : Selecting claim that's not in the default drop down

When you want to edit the claims rules for a CP or RP in ADFS v2.0, you sometimes need to select an LDAP attribute that's not in the default drop down list.

I've always done this via a custom claim, but then I read this post: Active Directory attribute store: Require custom claim rule to access other attributes?.

The drop down actually allows free-form (not that that is obvious). In case the link disappears, this is how:

"Edit Claims Rules / Add Rule / Send LDAP Attributes as Claims".
Don't select the drop-down, just click in the white space of the grid.
If the box turns dark blue, click again.
Away you go - you can now enter any attribute you like.

This also works for the "Outgoing Claims Type" box.


Stackoverflow : Another milestone

Just clocked up rep. of 6000 over on Stackoverflow !!!



Thursday, September 08, 2011

Windows : The “hidden” tools


There’s an amazing amount of tools “hidden” on your PC that you probably aren’t even aware of.

A lot of them are stored in the

C:\Program Files\Microsoft SDKs\Windows

directory. These mainly derive from the Windows SDK for Windows 7 and .NET Framework 4.

Browse through StartTools.htm located at:

C:\Program Files\Microsoft SDKs\Windows\v7.1\Bin

There’s an amazing collection of tools there.

The actual binaries are located here:

C:\Program Files\Microsoft SDKs\Windows\v7.0A\bin

To quote:

“The Windows SDK tools are designed to make it easier for you to create, deploy, and manage applications and components that target Windows and the Internet. The Windows SDK includes tools for both the .NET 3.5 SP1 and 4 Frameworks - a managed programming model - and tools for Win32® - the native (unmanaged) programming model for Windows. Many of the Windows SDK tools are listed on this page and categorized by target audience: managed, native and "common" (tools that could be used by either managed or native developers).”


Friday, September 02, 2011

PowerShell : Using an IDE


PowerShell is command-line based, which means that you lose out on all the benefits that an IDE brings.

There is an in-built PowerShell IDE:

Just type “ise” from the command line

but it’s pretty basic.

Then I came across PowerGui.

It has two parts viz. an administrative console that allows you to run a collection of PowerShell scripts and a script editor that allows you to enter and run scripts. It has intellisense and a set of built in snippets. It has a debug function where you can step through the script and examine all the variables.

Very neat – and BTW it’s free.


Monday, August 29, 2011

AD : Displaying the SPN


SPN stands for Service Principal Name – used (among others) by Kerberos.

Normally, you work with them via the Setspn tool.


setspn -l <account name>

which lists all spns assigned to that account.

However, you can also do this by:

Start – Administrative Tools – Active Directory Users and Computers – View – Advanced Features

Then navigate to the account via the tree. Right click – Properties – Attribute Editor tab. Then scroll down to servicePrincipalName and double-click.

You can add and remove SPNs from this window as well (i.e. the equivalent of setspn -a … or setspn -d …).


Monday, August 22, 2011

WIF : The pipe endpoint 'net.pipe://localhost/s4u/022694f3-9fbd-422b-b4b2-312e25dae2a2' could not be found on your local machine.


If you are using WIF and C2WTS and you get the above error, it’s probably because the C2WTS service is not yet started.

It’s this one in the Services window (which is in the “Administrative Tools” menu):

“Claims to Windows Token Service”

and the description is:

“Service to convert claims based identities to windows identities”

Note that you must use Windows domain user accounts. These accounts must have a User Principal Name (UPN).


Thursday, August 18, 2011

ADFS : Metadata XML won’t display in IE


A number of people have commented on this problem with ADFS v2.0. It seems to be confined to Internet Explorer (IE).

Basically, the problem is that you want to display a site’s metadata so you browse to the URL (the https://xxxx/FederationMetadata/2007-06/FederationMetadata.xml one) and see … zip / nada / nothing / blank. WTF!

Two “solutions” that may help:

  • Use Firefox
  • Toggle the IE compatibility mode.


Wednesday, August 17, 2011

ADFS : Error from “Update from Federation Metadata”


When you’re in ADFS v2.0 and you are trying to update the metadata of a CP or RP, you sometimes get the “An error occurred during an attempt to read the federation metadata” message.

A useful trick is to open a browser and navigate to the URL of the site whose metadata you are attempting to update. If you get any certificate errors, fix them first. ADFS does not like certificate errors. Everything has to be squeaky clean!


Monday, August 15, 2011

IIS : IE missing “Install Certificate” button on “View Certificates”


It’s a common problem with IE. You access a site, get a certificate error and see the pink address bar. The solution is to install the certificate into the “Trusted Root CA” certificate store.

You normally do that by clicking the padlock icon to the right of the address bar then “View Certificates” and then clicking the “Install Certificate” button. Lately, I've come across some instances where the button is missing in action. WTF?

Mr. Google to the rescue and the solution is to right-click the IE icon on the desktop and select “Run as administrator”. (In other words, IE needs to be run as Administrator).

And then there was sweetness and light and verily the button doth appear!


Thursday, August 11, 2011

ADFS : Accessing the Windows Internal Database


ADFS either uses SQL Server or a WID to store all the configuration components. I’ve tried before to access the WID with no joy but then discovered that the reason why was the completely non-intuitive and obtuse server name, which has to be:


Damn, why on earth didn’t I think of that?!

The easiest way to access it is via the free SQL Server Management Studio Express. Ignore all the talk of SQL Server 2005 Express Edition – it works for the WID.

When you connect, leave the “Server Type” as “Database Engine” and insert the above string as the “Server Name”.

Away you go – the two DB of interest are AdfsArtifactStore and ADFSConfiguration.


Monday, August 08, 2011

Kerberos : Some useful tools


Needed to do some work in this area and found the following extremely useful:

KerbTray is a GUI tool used to display ticket information for a given computer running the Kerberos protocol. You can purge all the Kerberos tickets with this.

KList is a DOS prompt tool used to view and delete the Kerberos tickets granted to the current logon session. It allows you to delete selected Kerberos tickets (as opposed to KerbTray which deletes them all).

In terms of debugging, I found Wireshark to be useful to see what happens on the actual wire. You can sort the packets by using the Kerberos protocol as a filter.

The other alternative is to enable Kerberos event logging. Really simple to do – just one registry setting. Just remember to disable it when you are done.

DelegConfig is an ASP.NET application used to help troubleshoot and configure IIS and Active Directory to allow Kerberos and delegated Kerberos credentials. It can be really useful but has to be setup correctly. Worth running if only to read the comments and explanations.


Wednesday, August 03, 2011

WIF : Displaying WIF trace files


Trace or log files are very useful to help you find problems with WIF.

I normally add the following to the end of the web.config.

<system.diagnostics>
  <sources>
    <source name="Microsoft.IdentityModel" switchValue="Verbose">
      <listeners>
        <add name="xml" type="System.Diagnostics.XmlWriterTraceListener" initializeData="xxx\Logs\WIF.xml" />
      </listeners>
    </source>
  </sources>
  <trace autoflush="true" />
</system.diagnostics>


This produces a ton of output in XML format but it's not that easy to read it!

The trick is to use the Service Trace Viewer Tool.

See Examining WCF Diagnostic Traces Using Service Trace Viewer Tool for download instructions.

Run up the tool (you may need to run as administrator), then File / Open with the file type set to XML and you'll find it so much easier!


Friday, July 15, 2011

IIS : Classic ASP, Windows 7 and IIS 7

Classic ASP is the good old Active Server Pages technology which was the way Microsoft rendered web sites before the advent of managed code and ASP.NET.

It is essentially just a directory of asp, htm and other static content.

It's not supported by Microsoft e.g. there is no Classic ASP project type in VS 2010. You might just as well use Notepad (as I've seen some people do!).

Anyway, needed to do some work with this using the Classic .NET AppPool and got:

"The page you are requesting cannot be served because of the extension configuration. if the page is a script, add a handler. if the file should be downloaded, add a mime map."

Mr Google suggested IIS Handler Mappings but when I looked there I saw that ISAPI.dll was disabled (no way to enable it) and the message:

"You must manage managed handlers directly in the configuration file"

Come in Mr Google - your time is up.

Eventually found the solution under Windows Features:

Under IIS / World Wide Web Services / Application Development Features:

ASP = On
ISAPI Extensions = On
ISAPI Filters = On

Under IIS / World Wide Web Services / Common HTTP Features:

Static Content = On


Thursday, July 14, 2011

TechNet : Wiki top dog

I've been doing a lot of work over at the TechNet Wiki - mainly in the WIF area.

Good to see that this week I'm officially top dog.

Frabjous joy in the North Compound!


Wednesday, July 13, 2011

Windows : Windows Integrated Authentication

This is for Windows Integrated Authentication (IWA / WIA)

If you want to use this to automatically log into other sites that you access after logging in once when you come into work:

The site you want to access has to be in the “Local Intranet” zone.

The WIA setting in the IIS site – Authentication icon should be set.

For IE (which can do this behind the scenes):

  • Tools / Internet Options / Security / Custom Level (Scroll down to end) / Automatic login only in Intranet zone
  • Tools / Internet Options / Advanced (Scroll down to Security) / Enable Windows Integrated Authentication.

For Firefox, see

FireFox supports Integrated Windows Authentication


Configuring Windows Integrated AuthN

Note there are three articles here.


SSO with Office 365: ADFS Logon Web Site / Authentication / Browser Support


AD FS, Enhanced Protection for Authentication (EPA), Chrome and Integrated Windows Authentication (IWA)


Friday, July 08, 2011

Misc : Find a similar article


The Internet is a wonderful source of information – the only problem is at least half of it is rubbish and a quarter of the rest is misleading.

Had an example of this recently on a forum.

I was asking about V2 of a product and the answer was “Look at this article”. Which I duly did and noticed that the article referred to V1 of the product which used a feature which had been removed in V2.

I pointed that out on the forum. Back comes the answer “Oh – just ignore that section” WTF – without that section there is no solution.

Pointed that out on the forum. Back comes the answer “Find a similar article” WTF – that’s where I started. I couldn't find one – hence the forum question.

Thanks for FA dude!


Wednesday, June 29, 2011

ADFS : Restoring / re-installing ADFS v 2.0


There’s really useful information out there on the forums.

If everything turns to custard when you are trying to customise ADFS, you can always re-install.

A quicker way is to know that a copy of the original installation is found at:

…\Program Files\Active Directory Federation Services 2.0\WSFederationPassive.Web

Simply copy it over to:


Thanks to Steve Syfuhs for this tip.


Tuesday, June 28, 2011

ASP.NET : A potentially dangerous Request.Form value was detected from the client

I get this message all the time especially when knocking up quick Web applications to test some WIF concept.
The solution is to add the following in the web.config:
    <system.web>
        <pages validateRequest="false" />
        <httpRuntime requestValidationMode="2.0" />
    </system.web>


It may help to  add:


in the Page directive as well (This is the first line of your .aspx file).

Also, refer this discussion over on stackoverflow.
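An added web.config example, not the post's own config: the post's application-wide switch beside a <location> form that keeps request validation on for every page except the one that actually posts raw markup; WifTest.aspx is a placeholder page name.

```xml
<!-- Added example. Top: what the post does, validation off for the whole
     application. Bottom: the same effect confined to one page. -->
<configuration>

  <!-- Application-wide: every page now accepts <script> and friends. -->
  <!--
  <system.web>
    <pages validateRequest="false" />
    <httpRuntime requestValidationMode="2.0" />
  </system.web>
  -->

  <!-- Mode 2.0 is still required so that the per-page setting is honoured
       on .NET 4, but validateRequest keeps its default (true) here. -->
  <system.web>
    <httpRuntime requestValidationMode="2.0" />
  </system.web>

  <!-- Only the test page that has to receive raw tokens or markup opts out.
       "WifTest.aspx" is a placeholder for that page. -->
  <location path="WifTest.aspx">
    <system.web>
      <pages validateRequest="false" />
    </system.web>
  </location>

</configuration>
```

Whatever that one page lets through still has to be HTML-encoded before it is written back into a response.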


Misc : Remote Desktop Connection Manager

When you work with a lot of VM's or remotes sites, you tend to have a lot of RDC (Remote Desktop Connection) windows open which can be confusing to stay the least.

Enter the Remote Desktop Connection Manager.

This is an extremely useful tool which puts everything in one place and accessible with one click. You can also put all your sites into a meaningful hierarchy.

I really wish there was a list of all the internal tools that Microsoft folk have developed over the years!


Wednesday, June 22, 2011

Misc : Dual identity

Originally when I registered with MSDN I used my normal name (nzpcmad). Moved on to other areas and when I wanted to use MSDN again, I found that things had changed. When I updated my profile, I was informed that the name “nzpcmad” was already in use (WTF – I know that!) and hence was forced to choose a new name “nzpcmad1”.

So just to confirm:

nzpcmad = nzpcmad1 = Me



Tuesday, June 21, 2011

Misc : Windows Live Writer


Something in the nature of an experiment. I'm setting up Windows Live Writer so I can contribute to the TechNet Wiki (my name there is nzpcmad1), so I thought I would try it on my actual blog.


Monday, June 20, 2011

.NET : Reflector 7 won't load add-ins

The new Reflector 7 is pretty whizzy but it generally won't load the old add-ons from here. So frustrating - all these useful tools but problems, problems ...

Mr. Google to the rescue (as always!).

You need to run the Reflector Plugin Converter.

Essentially, this converts the version number from 5.0 to 7.0.

Run in a command prompt as an administrator.

...\Reflector7>PluginConverter.exe Reflector.CodeSearch.dll

Reflector plugin converter - Sebastien LEBRETON (
Backuping Reflector.CodeSearch.dll to Reflector.CodeSearch.dll.bak
Reading Reflector.CodeSearch.dll
Found version, patching to
Writing Reflector.CodeSearch.dll


Friday, June 17, 2011

Visual Studio : Debugging an ASP.NET application running in IIS

VS 2010 - IIS 7.5.

Normal situation for me is to run my applications inside IIS rather than inside the VS web server or IIS Express. This is mainly because of issues around https (although IIS Express does help in this regard).

The problem then is how to debug it. The way around this is to use Debug / Attach to Process.

First connect to your application from a browser.

Now go to VS, set your breakpoint and in the "Attach to Process" entry, you'll see a w3wp.exe entry. (Under the user name, you'll see that it uses the DefaultAppPool.) Click on this, ignore warnings and execute your application workflow from the browser until you hit the breakpoint.

Job done!

Note: Nearly all of my applications use the DefaultAppPool. Would it breakpoint if it used a different one?

Note: I've found that unless you run up your app in the browser first, you don't see the w3wp entry.


Wednesday, June 15, 2011

Misc : Help other developers out

Over the past few months, I've been far more proactive in helping other developers who have posted tools etc. on the Internet.

I've tested a new STS, a whizzy certificate tool and a utility that shows the claims that an RP gets without having to have an actual RP.

Did some testing - provided feedback and comments.

I've been amazed by the response.

You get a dialogue going with other people, they give you some good hints and (in a minor sort of way) you kind of feel like you know them.

It's been really worthwhile.

So find a tool that you use, test a new release and see where you go ..

Which poses the question I often ponder - "How did developers work before the Internet? Can we actually develop without Google?"

BTW - Can you Fizz Buzz?


Tuesday, June 07, 2011

SharePoint 2010 : Do you need ADFS in addition to the SP STS?

This is a question that has been puzzling me for a while. Given that SP 2010 has its own STS, what value is derived from federating the SP STS with the company ADFS and then federating this ADFS with other companies' STS?

Why not simply federate the SP STS with other companies' STS directly?

I looked high and low for this answer but couldn't find anything that completely answered this for me.

Then the SP chapters for the excellent Claims Based Identity & Access Control Guide were published.

(Aside: If you have any interest whatsoever in the claims world, I urge you to read this guide and look at the accompanying samples!)

This includes a diagram of the "hub model" viz:

Notice that Adatum has both a SP STS and a ADFS.

But then they show the "direct trust model" viz:

Notice that although Adatum has an ADFS, it plays no part in the federation to other companies' STS.

So the answer would seem to be "No".

However, as per the guide, the advantages of the hub model are:

  • It's easier to manage multiple trust relationships in ADFS rather than SharePoint.
  • It's simpler to manage a single trust relationship in SharePoint and it avoids the requirement for multiple custom claims providers.
  • You can reuse the trust relationships in the FP with other relying parties.
  • You can leverage ADFS features such as integration with auditing tools to track token issuing.
  • ADFS supports the SAMLP protocol in addition to WS-Federation.

From my experience, the ADFS GUI is far easier to use than SP PowerShell commands. The last point is potentially also a deal-breaker. It means that you can't use the SP STS directly if the other companies use non-ADFS products to do the federation e.g. PingIdentity, OpenSSO, OpenAM, Tivoli Identity Manager etc.


Claims : Funny joke

Came across this on Vittorio's excellent blog.


The gist of it is:

A passive client enters a shop, and starts looking around.

A salesperson approaches: "Sir, can I help you?"

And the passive client: "Just browsing."

OK - so you need some claims background to get it.

For those who don't have that background - there are two claims profiles for clients viz. active (web services) and passive (browsers).


Friday, June 03, 2011

ADFS : Stop / start ADFS v2.0

The MMC plugin for ADFS v2.0 (Active Directory Federation Services) has no way of stopping and starting ADFS. (In the same way that IIS has Stop and Restart links.)

However, there are two ways to do this.

The first is via the Services menu.

Start / Administrative Tools / Computer Management / Services and Applications / Services / AD FS 2.0 Windows Service

(Description : This enables Active Directory Federation Services 2.0 to issue security tokens and information cards.)

The second is via the command line. Ensure you are running as Administrator.

C:\Windows\system32>net stop adfssrv
The AD FS 2.0 Windows Service service is stopping.
The AD FS 2.0 Windows Service service was stopped successfully.

C:\Windows\system32>net start adfssrv
The AD FS 2.0 Windows Service service is starting........
The AD FS 2.0 Windows Service service was started successfully.

Sure beats stopping / restarting the whole Windows 2008 server!


WIF : Generating self-signed certificates

If you work with WIF (Windows Identity Foundation), you'll soon find that you need lots of self-signed certificates. These are used for securing the top level SSL connection and signing and encrypting the token.

Potentially, you need three certificates. The SSL certificate is mandatory as is the token signing certificate but the token encryption certificate is optional. You could use the same certificate for all three - not that that is recommended!

In IIS 7.5, in IIS manager, click on the very top level on the LHS. In the middle pane, under IIS, click on "Server Certificates". Then in the RHS, click on "Create Self-Signed Certificate". After creating one, click on "Default Web Site" on the LHS. On the RHS, click on "Bindings" and you can associate this certificate with the HTTPS port 443 connection.

The problem with this certificate is that the cn (common name) is the machine name of your IIS server, not the URL of the web site. Also, the certificate is not added to the "Trusted Root Certificate Authorities" section of the browser certificate store. You need to do this manually. All this results in browser certificate errors.

SelfSSL7 overcomes these problems and this is the utility I generally use to resolve this. There are options to automatically add the new certificate to the certificate store and to update the IIS binding. (See a previous blog entry for more info.)

There are many other ways to create certificates e.g.:

Makecert.exe (Certificate Creation Tool)

or the

Win32 version of OpenSSL. There's a good article on how to use it here.

You can also do this in PowerShell - refer: Creating Self Signed Certificates with PowerShell.

DeployManager is a neat tool to create and display certificates (coming largely from the WCF viewpoint). Unlike the mmc snap-in which shows the Windows names (Personal), this shows the .NET names (My):


To look at the certificates, use:


or OpenSSL

or the Certificate snap-in to mmc : How to: View Certificates with the MMC Snap-in. The same article also shows you how to view certificates with Internet Explorer.

The Certmgr.exe (Certificate Manager Tool) is also useful.
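A PowerShell equivalent of the SelfSSL7 workflow above, as an added example that is not from the original post or from SelfSSL7: it creates the certificate with the site's host name as CN (not the machine name), copies it into Trusted Root, and binds it to the site on 443. It assumes Windows 10 / Server 2016 or later (for the New-SelfSignedCertificate parameters used), the WebAdministration module, an elevated prompt, and the host and site names shown.

```powershell
# Added example, not from the original post or SelfSSL7.
# Assumes: elevated prompt, Windows 10 / Server 2016+, IIS with WebAdministration.
param(
    [string]$DnsName  = "sts.example.local",   # assumed: the site's URL host, NOT the machine name
    [string]$SiteName = "Default Web Site",    # assumed site name
    [int]$Port        = 443,
    [int]$ValidDays   = 90
)

Import-Module WebAdministration

# 1. Create the certificate with the site host name as CN and SAN
#    (fixes the "cn is the machine name" problem of the IIS manager certificate).
$cert = New-SelfSignedCertificate -DnsName $DnsName `
    -CertStoreLocation "Cert:\LocalMachine\My" `
    -KeyLength 2048 `
    -NotAfter (Get-Date).AddDays($ValidDays)

# 2. Trust it on this machine by copying the public part into Trusted Root
#    (what SelfSSL7 /T does; only the public certificate is exported, never the key).
$tmp = Join-Path $env:TEMP "$DnsName.cer"
Export-Certificate -Cert $cert -FilePath $tmp | Out-Null
Import-Certificate -FilePath $tmp -CertStoreLocation "Cert:\LocalMachine\Root" | Out-Null
Remove-Item $tmp

# 3. Bind it to the IIS site on the SSL port (what /I and /Q do).
if (-not (Get-WebBinding -Name $SiteName -Protocol https -Port $Port)) {
    New-WebBinding -Name $SiteName -Protocol https -Port $Port -IPAddress "*"
}
$bindingPath = "IIS:\SslBindings\0.0.0.0!$Port"
if (Test-Path $bindingPath) { Remove-Item $bindingPath }   # overwrite an existing binding, like /Q
New-Item $bindingPath -Value $cert | Out-Null

# 4. Check: the thumbprint in the binding must be the certificate just created.
$bound = Get-Item $bindingPath
"Subject: $($cert.Subject)  Expires: $($cert.NotAfter)"
"Binding on port $Port uses new certificate: $($bound.Thumbprint -eq $cert.Thumbprint)"
```

Use the same certificate only for SSL; generate separate ones (different -DnsName or a second run) for token signing and encryption, as the post recommends.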


Friday, May 20, 2011

ACS : Powershell commands with Appfabriclabs / Proxy

The ACS team have just announced a set of Powershell commands for ACS.

See here.

Two small problems - they work for ACS but not for Appfabriclabs and, secondly, they don't work for people who have to work behind a proxy.

Some quick changes to the provided VS project should have you running in no time.

For Appfabriclabs:

In Constants.cs

// public const string AcsHostName = "";   // original ACS host name (value elided in the post)
public const string AcsHostName = "";      // Appfabriclabs host name (value elided in the post)

For the proxy:

In ServiceManagementWrapper.cs - just add the proxy code below.

// Needs: using System.Net;
private string GetTokenFromACS()
{
    var client = new WebClient();

    // Your proxy host and port (host name elided in the post).
    WebProxy proxy = new WebProxy("", 1234);

    proxy.BypassProxyOnLocal = true;      // don't send local addresses via the proxy
    proxy.UseDefaultCredentials = true;   // authenticate to the proxy as the logged-on Windows user

    client.Proxy = proxy;

    // Second format argument reconstructed from the AcsHostName constant in Constants.cs above.
    client.BaseAddress = string.Format("https://{0}.{1}", this.serviceNamespace, Constants.AcsHostName);

    // ... rest of the method unchanged
}


Then rerun the startHere.cmd to update and install the plugin.


Wednesday, May 11, 2011

Misc : To celebrate the 250th post!

Yup, folks, this is the 250th post (on Wednesday, 11th May 2011).

The very first one was on Wednesday, March 23, 2005 entitled "SQL CE : Merge Replication". (When the world was young and I still did embedded work and Windows CE was cool bananas!).


Powerpoint : Using the pen

Came across a neat trick in Powerpoint 2010.

If you hit F5 to run your presentation, you can then right-click on the slide:

Pointer Options / Pen

and then draw some annotations or arrows or whatever to help explain. You can also use this to highlight various pieces of text on the fly. Naturally, you can change the pen colour.

When you finish the deck, you will be asked if you want to keep the annotations.

However, if you start with a blank slide, you can use this to physically draw Powerpoint slides that are only pictures, arrows etc. in freehand.

Build up the blank slides, say "Yes" to keep annotations and voila - a freehand presentation.

There are keyboard shortcuts e.g. Ctrl P for the Pen, Ctrl E to Erase, Ctrl M to show / hide the markup etc.

There's a full list here.


Thursday, April 28, 2011

Powershell : Getting a list of commands

Powershell is a useful tool if you like a command line interface.

Although it has a pretty comprehensive list of help commands, quite often you can't remember the exact command.

e.g. you remember that the command had the word "item" in it.

So use:

get-command *item*

which gives you a list of all commands that contain the phrase "item".


ADFS : Federating with SelfSTS

SelfSTS is an extremely useful application which simplifies WIF testing by allowing you to define claims without an instance of AD installed.

Given that it supports the WS-Federation protocol, it should in theory be able to be federated with ADFS v2.0. However, in practice, it doesn't fly. ADFS complains that there are unsupported elements in the federation metadata. If you try and import the metadata via a file, ADFS complains that only https URLs are supported. SelfSTS has the common or garden http URL.

However, this article shows how to federate SelfSTS with Azure's Appfabric ACS. Since you can federate ACS with ADFS, you can essentially get the federation working - albeit in a round-about way.


Wednesday, April 06, 2011

ADFS : Setting up a proxy

The instructions on Things to Check Before Troubleshooting AD FS 2.0 specify using proxycfg to change the proxy settings.

However, on Windows 2008 Server R2, this has been deprecated and you need to use Netsh.

Open a command prompt. You need to run as administrator.

C:\>netsh /?

Usage: netsh [-a AliasFile] [-c Context] [-r RemoteMachine] [-u [DomainName\]UserName] [-p Password | *]
             [Command | -f ScriptFile]

The following commands are available:

Commands in this context:
? - Displays a list of commands.
add - Adds a configuration entry to a list of entries.
advfirewall - Changes to the `netsh advfirewall' context.
branchcache - Changes to the `netsh branchcache' context.
bridge - Changes to the `netsh bridge' context.
delete - Deletes a configuration entry from a list of entries.
dhcpclient - Changes to the `netsh dhcpclient' context.
dnsclient - Changes to the `netsh dnsclient' context.
dump - Displays a configuration script.
exec - Runs a script file.
firewall - Changes to the `netsh firewall' context.
help - Displays a list of commands.
http - Changes to the `netsh http' context.
interface - Changes to the `netsh interface' context.
ipsec - Changes to the `netsh ipsec' context.
lan - Changes to the `netsh lan' context.
mbn - Changes to the `netsh mbn' context.
namespace - Changes to the `netsh namespace' context.
nap - Changes to the `netsh nap' context.
netio - Changes to the `netsh netio' context.
p2p - Changes to the `netsh p2p' context.
ras - Changes to the `netsh ras' context.
rpc - Changes to the `netsh rpc' context.
set - Updates configuration settings.
show - Displays information.
trace - Changes to the `netsh trace' context.
wcn - Changes to the `netsh wcn' context.
wfp - Changes to the `netsh wfp' context.
winhttp - Changes to the `netsh winhttp' context.
winsock - Changes to the `netsh winsock' context.
wlan - Changes to the `netsh wlan' context.

The following sub-contexts are available:
advfirewall branchcache bridge dhcpclient dnsclient firewall http interface ipsec lan mbn namespace nap netio p2p ras rpc trace wcn wfp winhttp winsock wlan

To view help for a command, type the command, followed by a space, and then type ?.

We want the winhttp option:

C:\>netsh winhttp /?

The following commands are available:

Commands in this context:
? - Displays a list of commands.
dump - Displays a configuration script.
help - Displays a list of commands.
import - Imports WinHTTP proxy settings.
reset - Resets WinHTTP settings.
set - Configures WinHTTP settings.
show - Displays currents settings.

To view help for a command, type the command, followed by a space, and then type ?

To see the current proxy, use:

C:\>netsh winhttp show proxy

Current WinHTTP proxy settings:

Direct access (no proxy server).

To set the proxy, use:

C:\>netsh winhttp set proxy /?

Usage: set proxy [proxy-server=] [bypass-list=]


Tag Value
proxy-server - proxy server for use for http and/or https protocol
bypass-list - a list of sites that should be visited bypassing the
proxy (use "" to bypass all short name hosts)


set proxy myproxy
set proxy myproxy:80 ";bar"
set proxy proxy-server="http=myproxy;https=sproxy:88" bypass-list="*"


Tuesday, March 29, 2011

WCF : Testing your web service

Back in the day (before WCF), you could use "Web Service Studio". This was a web service client tool that could import your web service's WSDL and allow you to test the service's methods without having to roll your own test client.

However, this doesn't work with WCF. It imports the WSDL no problem but doesn't show any methods to test.

You can also direct your browser to the web service e.g.


and you get a test page starting "You have created a service".

It shows you how to run svcutil on the command line e.g.

svcutil.exe http://localhost:8000/ServiceModelSamples/Service?wsdl

"This will generate a configuration file and a code file that contains the client class. Add the two files to your client application and use the generated client class to call the Service."

But - roll of drums and enter stage left Windows Communication Foundation (WCF) Test Client (WcfTestClient.exe)

"You can also invoke the WCF Test Client (WcfTestClient.exe) outside Visual Studio to test an arbitrary service on the Internet. To locate the tool, go to the following location:

C:\Program Files\Microsoft Visual Studio 9.0\Common7\IDE\ "

Very neat!


Friday, March 11, 2011

Windows Identity and Active Directory Federation Services : My links

Just some links that I use on a regular basis.


Windows Identity Foundation Simplifies User Access for Developers - Home page

Windows Identity Foundation - MSDN Library

Identity Developer Training Kit - Read the System requirements

The Id Element - Identity and Access Management videos


Active Directory Federation Services 2.0 - Home page

AD FS 2.0 Step-by-Step and How To Guides - Includes a number of federation guides e.g. PingFederate, Oracle Identity Federation


Vibro.NET - Vittorio Bertocci's blog

Steve on Security blog - Good code examples

dominick baier on .net, security and other stuff - The man behind Thinktecture and StarterSTS

Claims-Based Identity Blog - Some good examples of federation with other systems

Eugenio Pace - Examples, architecture and interoperability

Matias Woloski - The guy behind the OpenId bridge

Travis Nielsen - Federation and SharePoint 2010

Alik Levin - Lots of Windows Azure AppFabric Access Control Service (ACS)

Steve Peschka - Special emphasis on Sharepoint 2010


Claims based access platform (CBA), code-named Geneva - Worth keeping an eye on

Of course, Stackoverflow:


ADFS v2.0



Essentially collections of links - like this one!

TechNet Wiki Windows Identity Foundation (WIF) and Azure AppFabric Access Control Service (ACS) Survival Guide

Windows Identity Foundation (WIF) Fast Track

Windows Identity Foundation (WIF) SDK Help Overhaul

Windows Identity Foundation (WIF) Questions and Answers


StarterSTS - StarterSTS is a compact, easy to use security token service that is completely based on the ASP.NET provider infrastructure. It is built using the Windows Identity Foundation and supports WS-Federation, WS-Trust, REST, OpenId and Information Cards.

StarterRP - A relying party for StarterSTS

SelfSTS - SelfSTS is a simple utility which exposes a minimal WS-Federation STS endpoint. SelfSTS can be used as a test STS when developing web sites secured with Windows Identity Foundation. Allows you to quickly generate combinations of claims.

SelfSSL7 - Self signing certificates for IIS7. Generates and stores them. Refer my blog entry WIF : Self signed certificates for instructions.

Protocol bridge claims provider - An implementation of a bridge that talks WS-Federation and SAML tokens on one side and OpenID, OAuth or any other protocol on the identity provider side using Windows Identity Foundation.
Documentation here

Fiddler Inspector for Federation Messages - An inspector for typical federation messages for WS-Federation. Also has support for SAML 2.0P request / response messages.

Security Token Visualizer Control - A simple ASP.NET server control which displays in a compact layout useful information about claims-based identity in a web site secured with Windows Identity Foundation. Just get it!

Online books

A Guide to Claims-based Identity and Access Control - Just read it - cover to cover - twice! By Eugenio Pace, Dominick Baier, Vittorio Bertocci, Keith Brown, and Matias Woloski. See their blogs above.


Visual Studio : Automatically generate interface properties and methods

Came across a neat trick to save you a heap of pain.

If you want to instantiate an interface you need to create a physical "copy".


class Dummy : IClaimsIdentity

IClaimsIdentity is the interface and Dummy is the physical copy. If you try and compile this, the compiler will complain that you haven't defined all the mandatory methods etc.

You could go through the compiler errors one by one or you could right-click on IClaimsIdentity and select Implement Interface / Implement Interface Explicitly.

This generates:

class ICII : IClaimsIdentity
{
    IClaimsIdentity IClaimsIdentity.Actor
    {
        get { throw new NotImplementedException(); }
        set { throw new NotImplementedException(); }
    }

    SecurityToken IClaimsIdentity.BootstrapToken
    {
        get { throw new NotImplementedException(); }
        set { throw new NotImplementedException(); }
    }

    ClaimCollection IClaimsIdentity.Claims
    {
        get { throw new NotImplementedException(); }
    }

    IClaimsIdentity IClaimsIdentity.Copy()
    {
        throw new NotImplementedException();
    }

    string IClaimsIdentity.Label
    {
        get { throw new NotImplementedException(); }
        set { throw new NotImplementedException(); }
    }

    string IClaimsIdentity.NameClaimType
    {
        get { throw new NotImplementedException(); }
        set { throw new NotImplementedException(); }
    }

    string IClaimsIdentity.RoleClaimType
    {
        get { throw new NotImplementedException(); }
        set { throw new NotImplementedException(); }
    }

    string System.Security.Principal.IIdentity.AuthenticationType
    {
        get { throw new NotImplementedException(); }
    }

    bool System.Security.Principal.IIdentity.IsAuthenticated
    {
        get { throw new NotImplementedException(); }
    }

    string System.Security.Principal.IIdentity.Name
    {
        get { throw new NotImplementedException(); }
    }
}

Much easier to fill in the blanks!


Friday, March 04, 2011

Stackoverflow : Rep standing

With the new Stackoverflow users changes, you can see how you rate worldwide.

Pleased to say, I'm in the top 10%.

Home James and pass the port.


ASP.NET : HTTP Error 407 Proxy authentication error

If you have to develop behind a proxy, (I hate the @#$% things) you are pretty much guaranteed to get this error.

The solution is to add the following to the web.config.

    <system.net>
      <defaultProxy enabled="true" useDefaultCredentials="true">
        <proxy bypassonlocal="True" usesystemdefault="True" />
      </defaultProxy>
    </system.net>

This specifies that there is a proxy, it uses your default Windows credentials to authenticate, bypasses the proxy for local addresses and uses the standard IE proxy defaults.

Problem solved.


Wednesday, February 23, 2011

WIF : Self signed certificates

With WIF and ADFS, certificates cause endless problems.

The solution for IIS 7 is to use SelfSSL7.

It's a command line application e.g.

SELFSSL7.EXE [/N cn=name] [/K size] [/V days] [/T] [/I] [/S name] [/A IPAddress] [/P port] [/X] [/F file] [/W password] [/Q]

/N name Specifies the common name(s) of the certificate.
Computer name is used if not specified.
Example: /N or /N;
/K size Specifies the key length. Default is 1024.
/V days Specifies the validity of the certificate in days.
Default is 30 days.

/T Adds the self-signed certificate to user's "Trusted Certificates" list.

/I Add SSL binding to IIS.
Use with the following parameters:
/S name Specifies the name of the site. Default is "Default Web Site".
/A IP Specifies the IP address for the IIS binding. Default is *.
/P port Specifies the SSL port. Default is 443.

/X Export certificate to PFX file.
Use with the following parameters:
/F PFX file location.
/W password for PFX file.

/Q Overwrites existing SSL binding and/or PFX file.

The default behavior is equivalent with:
selfssl7.exe /N cn="machine name" /K 1024 /V 30
/I /S "Default Web Site /P443 /A * /T

I normally use:

SelfSSL7 /V 90 /Q /X /F c:\xxx\Cert.pfx /W password /T


ADFS : Re-installing ADFS v2.0

Had a number of problems with this so decided to remove ADFS and re-install.

Un-installed it via Control Panel, removed the web site from IIS (Default Web Site) and deleted the adfs directory under inetpub.

When I ran the wizard again, all components correctly installed but the wizard complained that it found the web site so could not re-install. The message was "Existing web site detected".

WTF - I removed everything.

Mr. Google to the rescue and eventually I found the solution.

You need to run the commands:

appcmd delete app "Default Web Site/adfs/ls"

appcmd delete app "Default Web Site/adfs/card"

appcmd runs under the command prompt and is found under "C:\Windows\System32\inetsrv".


Friday, February 04, 2011

LINQ : LINQPad sample not a valid zip file

Under the Samples tab in LINQPad, you can download more samples.

When I clicked this, I got an error telling me that the file in ...\AppData\Local\Temp\LINQPad was not a valid zip file.


So I ran up the estimable Fiddler in order to see what was happening and when I tried it, it all worked!

Somehow, putting Fiddler in the middle fixes the problem.

Bizarre, but all's well that ends well!


Friday, January 21, 2011

WIF : Problems with SecurityTokenVisualizerControl

This control shows the token information for WIF / ADFS v2.

The control can be downloaded from Security Token Visualizer Control.

The problem is that the wizard looks for Visual Studio 2008. I have Visual Studio 2010 but the wizard doesn't think that's good enough!

Also, it tells me that I don't have the WIF SDK installed. Actually, I do!


Once you've installed the download, don't bother with the wizard - it requires VS 2008 etc.

Navigate to:


or wherever you installed it and then open:


in VS.

You'll have to convert it from an older standard (just reply "Yes" to the question).

Then build it. You now have a .dll in the \bin directory.

Add this .dll to the Toolbar viz. Right click on Toolbar - "Add Tab" - give it a name like "Security Token Visualizer Control".

Then right-click on the new tab - "Choose Items" and browse to the .dll.

The control will now be in your toolbar ready to be dragged onto your page.

Remember to add saveBootstrapTokens="true" to the web.config.


Thursday, January 13, 2011

WCF : Could not find default endpoint element that references contract

Working through the WCF samples, I came across the in-line calculator.

Built it according to the instructions (using Visual Studio 10 and .NET Framework 4), ran it up and got the following exception:

Could not find default endpoint element that references contract 'ICalculator' in the ServiceModel client configuration section. This might be because no configuration file was found for your application, or because no endpoint element matching this contract could be found in the client element.

A lot of communication with Mr. Google and then came across a comment way down in a blog entry that offered some hope.

To generate the proxies, you run:

svcutil.exe http://localhost/IISHostedCalc/service.svc?wsdl

This generates two files:


and you add them to your project using "Add Existing Item".

To get rid of the exception, simply rename "output.config" to "app.config" and ensure it is part of your project.