Dec 06 2012

Introduction

This is going to be a multi-part series of articles with the end goal of producing a solution which handles security/identity claims across domain boundaries using WCF services and Active Directory Federation Services 2.0 (with a federation trust) and Active Directory.  In order to demonstrate an approach to handling claims, we need an environment which is capable of supporting the infrastructure configuration we require.

Network Design

I strongly recommend that you put the time and effort into understanding the network topology.  When designing a key foundation of your approach to security, it’s critical that you have a working knowledge of the kind of trust you are placing in your trusted sub-systems.  For the next few articles, I’m going to rely on the following network design, which you can (not without some effort) establish for yourself using virtual machines:

[Figure: Basic Network Design]

Host Configuration

To keep resource usage to a minimum, I’ve designed my test environment to reuse hosts for key roles.  In practice, you might not normally mix roles in a production environment – refer to the appropriate ‘best practices’ to properly plan your infrastructure and deployment of critical roles!  Here’s a view of what is on each host:

[Figure: Host Configuration]

Installation and Configuration

You’ll need a minimum of two server installs to make this happen, although I’m using four to separate ADFS 2.0 and to configure an Enterprise Certificate Authority rather than a standalone CA.  You’ll also need the Windows Identity Foundation (WIF) SDK installed with your copy of Visual Studio (Visual Studio can be installed elsewhere – not on your test servers). 

I’ll be using Visual Studio 2010 for this, but I’m sure there’s a solution for Visual Studio 2012.  To streamline your configuration, I’ve provided links to some excellent walkthroughs on the MSDN blog site – the one you need to pay attention to is the ADFS 2.0 installation and configuration.

My Mobile Configuration

Since this is a fairly intensive number of operating systems, I’ve put together a fairly decent local configuration which I can take with me.  I’m using a 480 GB SanDisk SSD in an eSATA external enclosure (my laptop does not support USB 3 at the moment).  I’m running VM images off the SSD and getting very respectable performance.  No problems running four VMs in parallel.


Kit

How to Get Up and Running

My best advice is to follow the links below.  You’ll need a fair amount of stuff downloaded, so better jump on that.  Once you have some clean OSes and the installation packages, my best advice is to follow the walkthroughs.  Be careful not to accidentally skip anything: the configuration is a bit tricky at times, but if you follow the walkthrough closely you should have a working environment in about half a day or less.  My configuration varies from the walkthrough (as I have two domains), but if you duplicate the configuration for two different directories you should have something which can work.

Links Galore

If you’re going to build a test environment (frankly, just do it – it’s the best way) budget at least a day to get everything configured properly.  Don’t cut corners, it’ll only hurt you later.
Check back soon for the next article, where we’ll start to get familiar with the environment, and build a claims-aware application.

Important Downloads

.NET Framework 4.0 Runtime
http://www.microsoft.com/en-au/download/details.aspx?id=17718

.NET Framework 4.0.3 Update
http://www.microsoft.com/en-au/download/details.aspx?id=29053
Update 4.0.3 for Microsoft .NET Framework 4 – Design-time Update for Visual Studio 2010 SP1
http://www.microsoft.com/en-au/download/details.aspx?id=29054

Active Directory Federation Services 2.0 (RTW)
http://www.microsoft.com/en-us/download/details.aspx?id=10909&hash=Hx4OGpwvFzmf7%2bC7rR1nq18CYhcY%2bSE4ok1ifL%2fvSkYIpezfAxg6ePR2zpfAplmm6g%2fUyL1VU7RtmnuR6T4NWg%3d%3d

Windows Identity Foundation (Runtime)
http://www.microsoft.com/en-us/download/details.aspx?id=17331

Windows Identity Foundation SDK
http://www.microsoft.com/en-us/download/details.aspx?id=4451


Installation and Configuration Walkthroughs

ADFS 2.0 Installation Walkthrough
http://blogs.msdn.com/b/alextch/archive/2011/06/27/installing-a-stand-along-adfs-service.aspx
Establishing a Federation Trust Walkthrough
http://blogs.msdn.com/b/alextch/archive/2011/06/27/establish-federation-trust.aspx

Building a Claims-aware Web Application Walkthrough
http://blogs.msdn.com/b/alextch/archive/2011/06/27/building-a-test-claims-aware-asp-net-application-and-integrating-it-with-adfs-2-0-security-token-service-sts.aspx

These walkthroughs really helped! 

Finally, if you hit problems with your STS certificate, check the HTTPS bindings of your local IIS:

http://www.shutuplaura.com/journal/2010/1/5/adfsv2-rc-iis-certificates.html

Jun 14 2011

Sometimes, for various reasons, we come across projects or solutions we have to maintain to our chagrin.  We have an application which runs on .NET 2.0 and can’t be upgraded to 3.5 or beyond.  This application consumes web services published via the old ASMX services, and uses Web Service Extensions 3.0 (WSE 3.0) – the precursor to Windows Communication Foundation (WCF).

If you are in the same position, and you have upgraded your solution to Visual Studio 2010 (but are still targeting .NET 2.0), you might find that, by default, updating those web references causes the base class to change from WebServicesClientProtocol to SoapHttpClientProtocol.

This is by design, as it is anticipated that all web services will be upgraded to WCF; however, sometimes this causes widespread destruction, and it’s easier and more convenient to just be able to use the previous importer.  This can be done in Visual Studio 2010, but it is somewhat nasty.

Here is a step by step guide to enabling WSE 3.0 references in Visual Studio 2010:

1. Close Visual Studio 2010
2. Download and install WSE 3.0 (if you haven’t already)
     a. http://www.microsoft.com/downloads/en/details.aspx?FamilyID=018a09fd-3a74-43c5-8ec1-8d789091255d
3. In Explorer, open the following folder:
     a. C:\ProgramData\Microsoft\MSEnvShared\Addins (or)
     b. C:\Documents and Settings\All Users\Application Data\Microsoft\MSEnvShared\Addins
4. Locate the following file:
     a. WSESettingsVS3.Addin
5. Open the file in Notepad
6. Replace <Version>8.0</Version> with <Version>10.0</Version>, then save
7. In Explorer, open the following folder:
     a. C:\Program Files\Microsoft Visual Studio 10.0\Common7\IDE
8. Locate the following file:
     a. devenv.exe.config
9. Open the file in Notepad
10. Add the following at the end of the file (before the closing </configuration>) and save:

     <system.web>
       <webServices>
         <soapExtensionImporterTypes>
           <add type="Microsoft.Web.Services3.Description.WseExtensionImporter,
                      Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral,
                      PublicKeyToken=31bf3856ad364e35" />
         </soapExtensionImporterTypes>
       </webServices>
     </system.web>

11. Open Visual Studio 2010
12. In Tools -> Options -> Environment -> Add-in/Macros Security, ensure that this entry exists:
     a. %APPDATA%\Microsoft\MSEnvShared\Addins
13. Update web references

References:

http://stackoverflow.com/questions/433062/wse-client-project-keeps-reverting-webservicesclientprotocol-to-soaphttpclientpro
http://www.junasoftware.com/blog/how-to-use-wse-3-in-visual-studio-2010.aspx
http://www.junasoftware.com/blog/how-to-use-wse-3-in-visual-studio-2008.aspx

Apr 03 2010

Well, it’s been a busy week.  Unfortunately it hasn’t left me with much time to write any meaningful blog entries – apologies.  Last Friday I managed to implement an end-to-end solution for object graph serialization with Entity Framework (v4) POCO objects to and from WCF Web Services (note: for .Net clients only at this stage). 

It is a fairly complicated thing to explain, so I’m only going to go into detail if there is sufficient interest in the solution.  There is sufficient material to be found on the Internet (see my previous post for links), but it’s certainly not all in one place, and you would have to combine aspects of different examples – in particular to support serialization back from the WCF client (via a generated proxy).

The summary goes something like this:

  1. Create edmx model
  2. Generate POCO entities using the template support
  3. Split the entities into a separate assembly
  4. Consume the entities and context via a Web Service (WCF) facade
  5. Implement a custom attribute to handle EF Proxies
  6. Implement a custom attribute to handle cyclic references (for entities with a self-reference) – (if needed)
  7. Implement a custom attribute to be outputted in the client proxy stub – (if needed)
  8. Use the common assembly with the client and the WCF service
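To make steps 5 and 6 concrete, here is an added example of the kind of WCF operation behaviour they describe.  It is not the author’s code: it folds the two attributes the summary lists into one, and it leaves step 7 (getting the attribute emitted into the generated client stub) out.  It assumes EF4’s System.Data.Objects.ProxyDataContractResolver (System.Data.Entity.dll) and the .NET 4 DataContractSerializer constructor that accepts a DataContractResolver; the Employee entity and IEmployeeService contract are hypothetical stand-ins for the shared entity assembly (step 3) and the WCF facade (step 4).

```csharp
using System;
using System.Collections.Generic;
using System.Data.Objects;               // ProxyDataContractResolver (System.Data.Entity.dll, EF4)
using System.Runtime.Serialization;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Description;
using System.ServiceModel.Dispatcher;
using System.Xml;

// Serializer behaviour that (a) resolves EF4 runtime proxy types (lazy-loading /
// change-tracking proxies) back to the declared POCO type, and (b) turns on
// preserveObjectReferences so a graph with a cycle (Employee.Manager -> Employee)
// serialises as z:Id/z:Ref links instead of recursing until the serializer faults.
public sealed class EfPocoSerializerBehavior : DataContractSerializerOperationBehavior
{
    public EfPocoSerializerBehavior(OperationDescription operation) : base(operation)
    {
        DataContractResolver = new ProxyDataContractResolver();   // step 5
    }

    public override XmlObjectSerializer CreateSerializer(
        Type type, string name, string ns, IList<Type> knownTypes)
    {
        return new DataContractSerializer(type, name, ns, knownTypes, MaxItemsInObjectGraph,
            IgnoreExtensionDataObject, true /* preserveObjectReferences, step 6 */,
            DataContractSurrogate, DataContractResolver);
    }

    public override XmlObjectSerializer CreateSerializer(
        Type type, XmlDictionaryString name, XmlDictionaryString ns, IList<Type> knownTypes)
    {
        return new DataContractSerializer(type, name, ns, knownTypes, MaxItemsInObjectGraph,
            IgnoreExtensionDataObject, true /* preserveObjectReferences, step 6 */,
            DataContractSurrogate, DataContractResolver);
    }
}

// Operation attribute that swaps the default serializer behaviour for the one above.
// It is applied on both the dispatch (service) and client side, so a client that
// carries the attribute sends the same graph shape back that the service emits.
[AttributeUsage(AttributeTargets.Method)]
public sealed class EfPocoGraphAttribute : Attribute, IOperationBehavior
{
    public void AddBindingParameters(OperationDescription description,
                                     BindingParameterCollection parameters) { }
    public void Validate(OperationDescription description) { }

    public void ApplyClientBehavior(OperationDescription description, ClientOperation proxy)
    {
        Replace(description);
    }

    public void ApplyDispatchBehavior(OperationDescription description, DispatchOperation dispatch)
    {
        Replace(description);
    }

    private static void Replace(OperationDescription description)
    {
        var existing = description.Behaviors.Find<DataContractSerializerOperationBehavior>();
        var replacement = new EfPocoSerializerBehavior(description);
        if (existing != null)
        {
            // Carry the configured graph quota across instead of silently resetting it:
            // it is what bounds the size of a graph a caller can push into the service.
            replacement.MaxItemsInObjectGraph = existing.MaxItemsInObjectGraph;
            description.Behaviors.Remove(existing);
        }
        description.Behaviors.Add(replacement);
    }
}

// Hypothetical POCO entity with a self-reference, as the shared entity assembly
// (step 3) would declare it; no serialization attributes, as generated POCOs have none.
public class Employee
{
    public int Id { get; set; }
    public string Name { get; set; }
    public Employee Manager { get; set; }
    public List<Employee> Reports { get; set; }
}

// Hypothetical WCF facade (step 4); the attribute goes on each operation that
// returns or accepts an entity graph.
[ServiceContract]
public interface IEmployeeService
{
    [OperationContract]
    [EfPocoGraph]
    Employee GetEmployeeGraph(int id);

    [OperationContract]
    [EfPocoGraph]
    void SaveEmployeeGraph(Employee root);
}
```

The attribute only takes effect on the client if it is present on the client-side operation as well, which is why the summary has a separate step for getting it into the generated proxy stub; with a shared contract assembly (step 8) the same interface, and therefore the same attribute, is used on both ends.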

So – in short – if you are interested in a detailed entry (or series of entries) please leave a comment here, otherwise I may get to the subject later in the year when I have more time (and if there is interest).

In other news, I did some work with a WinForms client and TreeView control which was my first Windows Application for quite a while.  I’ve got to say, I’m really impressed how easy it is to use TreeView controls in .Net WinForms over MFC/C++.  Back in the old days, TreeView controls were a bit tricky to work with – .Net makes it almost too easy.