Windows Dev Center: Create a flexible app UI in Windows 8.1


Kristi Rasmussen here from the Windows Developer Content team. If you’re building Windows Store apps, you want great flexibility when designing your UI. You want tiles in varying sizes and resizable windows that give your users more control over your app. Windows 8.1 gives you more power to build the app you want.

In an earlier post, I talked about new HTML and XAML controls in Windows 8.1. Here, we look at new and updated features that help you create a richer, more consistent experience in your app that your users will love.

  • Resizable windows: When developing apps for Windows 8.1, you have more flexibility with window size and position than you’ve had before. Without fixed-width view states, users can resize your app or show multiple windows of the same app on the screen. Because apps no longer have snapped and fill view states, developers can create apps that work and look great at almost any size. Check out the Application views and UI contrast and settings samples and this video for a glimpse of how this works:
  • Speech synthesis: In Windows 8.1, you can use the Windows.Media.SpeechSynthesis API to prompt an app user for input, highlight app notifications and messages, give instructions, and read content, like an email message or RSS feed. This API supports speech synthesis, or text-to-speech (TTS), in Windows Store apps. Using speech synthesis, you can set the speaking voice to specific gender, voice, and language. You can also customize voice characteristics, like pronunciation, speed, and volume, among others. Check out the speech synthesis sample!
  • Tile updates: We’ve added two tile sizes to Windows 8.1, for a total of four: small, medium, wide, and large. On the Start screen, four small tiles fit within one medium tile, and four medium tiles fit within one large tile.


Small tiles don’t support live tile notifications, but they do support badges. All other tile sizes support both. For developers and users, the new tile sizes provide greater flexibility and creativity when working with apps and their corresponding tiles.

  • Search and share updates: Windows 8.1 provides a new search-box control that helps developers give search results to app users. Using Windows.UI.Xaml.Controls.SearchBox for XAML and WinJS.UI.SearchBox JavaScript, you can include a search box within your apps. You can use the Share contract to offer multiple ways to navigate to shared content. Additionally, apps that use the Share contract can improve responsiveness by dismissing the share pane programmatically. For detailed samples, see Sharing content source and Sharing content target.
  • Charm updates: In Windows 8, when there were multiple apps on the screen and the user invoked charms, the system displayed charms for whichever app occupied the most screen space. In Windows 8.1, the system displays charms for the last app that the user interacted with, regardless of how many apps are on the screen or whether there are multiple screens. This makes the workflow for using charms more intuitive to how you’d actually use them.
  • Integrating apps with people and events: With Windows 8.1, you can integrate communication experiences like messaging, email, call, and video-call right into your app. Users of your app can then engage with people directly from your app. You can also provide a way for users to quickly view their calendar and add events to it from within your app. Check out the Contact manager API, Appointments API, and Handling Contact Actions samples to see how it’s done.
  • Better background task management: New capabilities in Windows 8.1 help your system manage resources, like background tasks, more efficiently. With the new quiet hours feature, users can decide when to turn off notifications so they won’t be disturbed. During this time, background tasks are held and queued up for when quiet hours are over. Additionally, if a background task is idle or hung, the system sends the task a cancel notification so that it can stop work and close.

Building a creative and consistent UI can make or break a great app. The changes we’ve made in Windows 8.1 are designed to help you build compelling and intuitive apps that keep users interested and wanting more. If you’re a developer, or if you’re interested in learning how to develop cool apps for Windows 8.1, check out the Windows Dev Center for lots more great stuff!


Top 8 Microsoft Developer Links for Friday, January 10, 2014


ENTERPRISE RESOURCE PLANNING – January 2014 Readiness Update


What’s new at Convergence 2014?

This year’s conference will offer a revised agenda that begins right away with the opening keynote, and concludes with time to wrap up and transition your conference experience back to your home base. Attendees also have the opportunity to arrive early to participate in offsite community outreach events in the Atlanta community. Register now.

Register for Microsoft Dynamics AX Technical Conference

The Microsoft Dynamics AX Technical Conference is scheduled for February 3–5, 2014, in Bellevue, Washington. This is the premier technical event for Microsoft Dynamics AX—providing three days of training and networking.

WCF: Discover In WCF World


What is service identity in WCF WSDL?

With a plain basicHttpBinding we use one-directional authentication, where only the service authenticates the client. With mutual authentication, the client authenticates the service as well.

With the WS-* standards-based bindings we use the mutual authentication scheme and publish the service identity to clients.

The service identity becomes part of the WSDL and is available to clients, which use it to authenticate the service. The client compares the endpoint identity value it holds locally with the value the endpoint authentication process actually returned. If they match, the client is assured it has contacted the expected service endpoint. This protects the client from talking to a phishing service that impersonates the real one.

When the client initiates a secure channel to send a message to a service over it, the Windows Communication Foundation (WCF) infrastructure authenticates the service, and only sends the message if the service identity matches the identity specified in the endpoint address the client uses.

 

Identity processing consists of the following stages:

• At design time, the client developer determines the service's identity from the endpoint's metadata (exposed through WSDL).

• At runtime, the client application checks the claims of the service's security credentials before sending any messages to the service.

The client does not send messages to the service until the service's credentials have been authenticated against what is known in advance from the service's metadata.

 

UPN IDENTITY:

This ensures that the service is running under a specific Windows user account.

The user account can be either the current logged-on user or the service running under a particular user account.

This setting takes advantage of Windows Kerberos security if the service is running under a domain account within an Active Directory environment.

 

SPN IDENTITY:

This ensures that the SPN and the specific Windows account associated with the SPN identify the service.

You can use the Setspn.exe tool to associate a machine account for the service's user account.

This setting takes advantage of Windows Kerberos security if the service is running under one of the system accounts or under a domain account that has an associated SPN name with it and the computer is a member of a domain within an Active Directory environment.

 

If the service authenticates using message- or transport-level SSL with a Windows credential for authentication, and negotiates the credential, the following identity values are valid:

• DNS. The negotiation passes the service's SPN so that the DNS name can be checked. The SPN is in the form host/<dns name>.

• SPN. An explicit service SPN is returned, for example, host/myservice.

• UPN. The UPN of the service account. The UPN is in the form username@domain. For example, when the service is running in a user account, it may be username@contoso.com.

 

If no identity is specified, and the client credential type is Windows, the default is SPN with the value set to the hostname part of the service endpoint address prefixed with the "host/" literal.

 

For Windows authentication, the SPN or UPN is published in the WSDL because Kerberos authentication requires that a UPN or SPN be supplied to the client in order to authenticate the service.

 

From IIS 7 onwards there is a new concept called kernel mode security.

It is intended to simplify SPN management and move authentication to the kernel layer.

With this security mode, the SPN is registered under the machine account.

If our web application pool runs under a custom domain account, the SPN must be registered for that user account rather than for the machine account.

http://technet.microsoft.com/en-us/library/dd632778.aspx


Stack used for checking the identity at client side:

at System.ServiceModel.Security.IdentityVerifier.DefaultIdentityVerifier.TryGetIdentity(EndpointAddress reference, EndpointIdentity& identity)

at System.ServiceModel.Channels.WindowsStreamSecurityUpgradeProvider.WindowsStreamSecurityUpgradeInitiator.InitiateUpgradePrepare(Stream stream, NegotiateStream& negotiateStream, String& targetName, EndpointIdentity& identity)

 

Source code method:
======================

public override bool TryGetIdentity(EndpointAddress reference, out EndpointIdentity identity)
{
    if (reference == null)
    {
        throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("reference");
    }
    // Prefer the identity configured on the endpoint address (UPN/SPN/DNS from config).
    identity = reference.Identity;
    if (identity == null)
    {
        // Nothing configured: fall back to a DNS identity derived from the endpoint URI.
        identity = this.TryCreateDnsIdentity(reference);
    }
    if (identity == null)
    {
        SecurityTraceRecordHelper.TraceIdentityDeterminationFailure(reference, typeof(IdentityVerifier.DefaultIdentityVerifier));
        return false;
    }
    SecurityTraceRecordHelper.TraceIdentityDeterminationSuccess(reference, identity, typeof(IdentityVerifier.DefaultIdentityVerifier));
    return true;
}

 

 

SCENARIO 1:
=====================

The client passes the correct identity as a UPN.

Stack:

at System.ServiceModel.Security.IdentityVerifier.DefaultIdentityVerifier.TryGetIdentity(EndpointAddress reference, EndpointIdentity& identity)

The EndpointAddress object is created from the identity set in the config file, so reference.Identity is already populated and TryGetIdentity (shown above) returns success straight away:


<DataItem>
  <TraceRecord xmlns="http://schemas.microsoft.com/2004/10/E2ETraceEvent/TraceRecord" Severity="Information">
    <TraceIdentifier>http://msdn.microsoft.com/en-US/library/System.ServiceModel.Security.SecurityIdentityDeterminationSuccess.aspx</TraceIdentifier>
    <Description>Identity was determined for an EndpointReference.</Description>
    <AppDomain>ConsoleApplication1.vshost.exe</AppDomain>
    <ExtendedData xmlns="http://schemas.microsoft.com/2006/08/ServiceModel/ServiceIdentityDeterminationTraceRecord">
      <IdentityVerifierType>System.ServiceModel.Security.IdentityVerifier+DefaultIdentityVerifier</IdentityVerifierType>
      <Identity xmlns="http://schemas.xmlsoap.org/ws/2006/02/addressingidentity">
        <Upn>saurabs@fareast.corp.microsoft.com</Upn>
      </Identity>
      <EndpointReference xmlns="http://www.w3.org/2005/08/addressing">
        <Address>net.tcp://saurabh21.fareast.corp.microsoft.com/TCP/Service1.svc</Address>
        <Identity xmlns="http://schemas.xmlsoap.org/ws/2006/02/addressingidentity">
          <Upn>saurabs@fareast.corp.microsoft.com</Upn>
        </Identity>
      </EndpointReference>
    </ExtendedData>
  </TraceRecord>
</DataItem>

 

Next we try to get the SPN associated with the identity, i.e. the target name the client will hand to Kerberos:

 

internal static string GetSpnFromIdentity(EndpointIdentity identity, EndpointAddress target)
{
    bool foundSpn = false;
    string spn = null;
    if (identity != null)
    {
        // An explicit SPN or UPN is used as the target name as-is.
        if (ClaimTypes.Spn.Equals(identity.IdentityClaim.ClaimType))
        {
            spn = (string)identity.IdentityClaim.Resource;
            foundSpn = true;
        }
        else if (ClaimTypes.Upn.Equals(identity.IdentityClaim.ClaimType))
        {
            spn = (string)identity.IdentityClaim.Resource;
            foundSpn = true;
        }
        // A DNS identity is turned into the host/<dns name> SPN form.
        else if (ClaimTypes.Dns.Equals(identity.IdentityClaim.ClaimType))
        {
            spn = String.Format(CultureInfo.InvariantCulture, "host/{0}", (string)identity.IdentityClaim.Resource);
            foundSpn = true;
        }
    }
    if (!foundSpn)
    {
        throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new MessageSecurityException(SR.GetString(SR.CannotDetermineSPNBasedOnAddress, target)));
    }
    return spn;
}

Next we see:

at System.ServiceModel.Diagnostics.SecurityTraceRecordHelper.TraceIdentityVerificationSuccess(EventTraceActivity eventTraceActivity, EndpointIdentity identity, Claim claim, Type identityVerifier)

at System.ServiceModel.Security.IdentityVerifier.DefaultIdentityVerifier.CheckAccess(EndpointIdentity identity, AuthorizationContext authContext)

CheckAccess is called to confirm the claims received as part of the service's credentials, i.e. to check that they are for the same identity we specified.

 

public override bool CheckAccess(EndpointIdentity identity, AuthorizationContext authContext)
{
    if (identity == null)
    {
        throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("identity");
    }
    if (authContext == null)
    {
        throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("authContext");
    }
    for (int i = 0; i < authContext.ClaimSets.Count; i++)
    {
        ClaimSet claimSet = authContext.ClaimSets[i];
        // Fast path: the service's claim set contains exactly the identity claim we expect.
        if (claimSet.ContainsClaim(identity.IdentityClaim))
        {
            SecurityTraceRecordHelper.TraceIdentityVerificationSuccess(identity, identity.IdentityClaim, base.GetType());
            return true;
        }
        // A DNS identity may also be satisfied by an equivalent host/<dns name> SPN claim.
        string expectedSpn = null;
        if (ClaimTypes.Dns.Equals(identity.IdentityClaim.ClaimType))
        {
            expectedSpn = string.Format(CultureInfo.InvariantCulture, "host/{0}", new object[] { (string) identity.IdentityClaim.Resource });
            Claim claim = this.CheckDnsEquivalence(claimSet, expectedSpn);
            if (claim != null)
            {
                SecurityTraceRecordHelper.TraceIdentityVerificationSuccess(identity, claim, base.GetType());
                return true;
            }
        }
        // Last resort: resolve the expected identity to a SID and compare SIDs.
        SecurityIdentifier identitySid = null;
        if (ClaimTypes.Sid.Equals(identity.IdentityClaim.ClaimType))
        {
            identitySid = this.GetSecurityIdentifier(identity.IdentityClaim);
        }
        else if (ClaimTypes.Upn.Equals(identity.IdentityClaim.ClaimType))
        {
            identitySid = ((UpnEndpointIdentity) identity).GetUpnSid();
        }
        else if (ClaimTypes.Spn.Equals(identity.IdentityClaim.ClaimType))
        {
            identitySid = ((SpnEndpointIdentity) identity).GetSpnSid();
        }
        else if (ClaimTypes.Dns.Equals(identity.IdentityClaim.ClaimType))
        {
            identitySid = new SpnEndpointIdentity(expectedSpn).GetSpnSid();
        }
        if (identitySid != null)
        {
            Claim claim2 = this.CheckSidEquivalence(identitySid, claimSet);
            if (claim2 != null)
            {
                SecurityTraceRecordHelper.TraceIdentityVerificationSuccess(identity, claim2, base.GetType());
                return true;
            }
        }
    }
    SecurityTraceRecordHelper.TraceIdentityVerificationFailure(identity, authContext, base.GetType());
    return false;
}

 

 

Dumping objects:

 

Our identity Object:

0:000> !do 0x27d97ec
Name:        System.ServiceModel.UpnEndpointIdentity
MethodTable: 51800748
EEClass:     51444ad8
Size:        32(0x20) bytes
File:        C:\windows\Microsoft.Net\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll
Fields:
      MT    Field   Offset                 Type VT     Attr    Value Name
4ffcb198  4002575        4 ...odel.Claims.Claim  0 instance 027d9930 identityClaim
4ffcb2b8  4002576        8 ...m.IdentityModel]]  0 instance 00000000 claimComparer
65dc15b8  400257d        c ...ecurityIdentifier  0 instance 00000000 upnSid
65dc6f18  400257e       18       System.Boolean  1 instance        0 hasUpnSidBeenComputed
65dc29b4  400257f       10 ...l.WindowsIdentity  0 instance 00000000 windowsIdentity
65dcb060  4002580       14        System.Object  0 instance 027d980c thisLock

0:000> !DumpObj /d 027d9930
Name:        System.IdentityModel.Claims.Claim
MethodTable: 4ffcb198
EEClass:     4ff64b38
Size:        24(0x18) bytes
File:        C:\windows\Microsoft.Net\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll
Fields:
      MT    Field   Offset                 Type VT     Attr    Value Name
65dcacc0  40007a9        4        System.String  0 instance 027d98b0 claimType
65dcb060  40007aa        8        System.Object  0 instance 02732d6c resource
65dcacc0  40007ab        c        System.String  0 instance 027d9818 right
4ffcb2b8  40007ac       10 ...m.IdentityModel]]  0 instance 027d9954 comparer
4ffcb198  40007a8       dc ...odel.Claims.Claim  0   static 0293d9b8 system

0:000> !DumpObj /d 027d98b0
Name:        System.String
MethodTable: 65dcacc0
EEClass:     659d486c
Size:        128(0x80) bytes
File:        C:\windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.dll
String:      http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn
Fields:
      MT    Field   Offset                 Type VT     Attr    Value Name
65dcc480  40000aa        4         System.Int32  1 instance       57 m_stringLength
65dcb6b8  40000ab        8          System.Char  1 instance       68 m_firstChar
65dcacc0  40000ac        c        System.String  0   shared   static Empty
    >> Domain:Value  008867e0:NotInit  <<

0:000> !DumpObj /d 02732d6c
Name:        System.String
MethodTable: 65dcacc0
EEClass:     659d486c
Size:        82(0x52) bytes
File:        C:\windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.dll
String:      saurabs@fareast.corp.microsoft.com
Fields:
      MT    Field   Offset                 Type VT     Attr    Value Name
65dcc480  40000aa        4         System.Int32  1 instance       34 m_stringLength
65dcb6b8  40000ab        8          System.Char  1 instance       73 m_firstChar
65dcacc0  40000ac        c        System.String  0   shared   static Empty


Authorization context received from the service:

0:000> !do 0x293db44
Name:        System.IdentityModel.SecurityUtils+SimpleAuthorizationContext
MethodTable: 4ffcbcb0
EEClass:     4ff6c610
Size:        20(0x14) bytes
File:        C:\windows\Microsoft.Net\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll
Fields:
      MT    Field   Offset                 Type VT     Attr    Value Name
4ffcb998  40011db        4 ....SecurityUniqueId  0 instance 00000000 id
4ffcbb90  40011dc        8 ...conditionalPolicy  0 instance 0293d8bc policy
659d86a4  40011dd        c ...bject, mscorlib]]  0 instance 0293db7c properties

0:000> !DumpObj /d 0293d8bc
Name:        System.IdentityModel.Policy.UnconditionalPolicy
MethodTable: 4ffcbb90
EEClass:     4ff6c574
Size:        40(0x28) bytes
File:        C:\windows\Microsoft.Net\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll
Fields:
      MT    Field   Offset                 Type VT     Attr    Value Name
4ffcb998  400088d        4 ....SecurityUniqueId  0 instance 00000000 id
4ffcbbec  400088e        8 ...l.Claims.ClaimSet  0 instance 0293d9e8 issuer
4ffcbbec  400088f        c ...l.Claims.ClaimSet  0 instance 0293d88c issuance
4ff5179c  4000890       10 ...m.IdentityModel]]  0 instance 00000000 issuances
65dc8bdc  4000891       1c      System.DateTime  1 instance 0293d8d8 expirationTime
65dc3968  4000892       14 ...incipal.IIdentity  0 instance 0293d7b8 primaryIdentity
65dc6f18  4000893       18       System.Boolean  1 instance        0 disposable
65dc6f18  4000894       19       System.Boolean  1 instance        0 disposed

0:000> !DumpObj /d 0293d7b8
Name:        System.Security.Principal.GenericIdentity
MethodTable: 65dc2d48
EEClass:     65adcafc
Size:        64(0x40) bytes
File:        C:\windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.dll
Fields:
      MT    Field   Offset                 Type VT     Attr    Value Name
659e0bf0  4001b15        4 ...Claim, mscorlib]]  0 instance 0293d7f8 m_instanceClaims
659e0c90  4001b16        8 ...lib]], mscorlib]]  0 instance 0293d810 m_externalClaims
65dcacc0  4001b17        c        System.String  0 instance 0293d43c m_nameType
65dcacc0  4001b18       10        System.String  0 instance 0293d548 m_roleType
65dcacc0  4001b19       14        System.String  0 instance 0293d428 m_version
65dc652c  4001b1a       18 ...ms.ClaimsIdentity  0 instance 00000000 m_actor
65dcacc0  4001b1b       1c        System.String  0 instance 00000000 m_authenticationType
65dcb060  4001b1c       20        System.Object  0 instance 00000000 m_bootstrapContext
65dcacc0  4001b1d       24        System.String  0 instance 00000000 m_label
65dcacc0  4001b1e       28        System.String  0 instance 00000000 m_serializedNameType
65dcacc0  4001b1f       2c        System.String  0 instance 00000000 m_serializedRoleType
65dcacc0  4001b20       30        System.String  0 instance 00000000 m_serializedClaims
65dcacc0  4001b2a       34        System.String  0 instance 02732d6c m_name
65dcacc0  4001b2b       38        System.String  0 instance 02621228 m_type

0:000> !DumpObj /d 02732d6c
Name:        System.String
MethodTable: 65dcacc0
EEClass:     659d486c
Size:        82(0x52) bytes
File:        C:\windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.dll
String:      saurabs@fareast.corp.microsoft.com
Fields:
      MT    Field   Offset                 Type VT     Attr    Value Name
65dcc480  40000aa        4         System.Int32  1 instance       34 m_stringLength
65dcb6b8  40000ab        8          System.Char  1 instance       73 m_firstChar
65dcacc0  40000ac        c        System.String  0   shared   static Empty
    >> Domain:Value  008867e0:NotInit  <<


We can see that the identity is the same in both (the configured UPN and the m_name of the identity the service presented), and so the identity verification succeeds.

Note: this method is only called if we are on the Kerberos authentication scheme. Otherwise we fall back to NTLM, which the next case demonstrates.

 

 

SCENARIO 2:
================

The client does not specify any identity, although it is supposed to specify a UPN.

 

Stack:

at System.ServiceModel.Diagnostics.SecurityTraceRecordHelper.TraceIdentityDeterminationSuccess(EndpointAddress epr, EndpointIdentity identity, Type identityVerifier)

at System.ServiceModel.Security.IdentityVerifier.DefaultIdentityVerifier.TryGetIdentity(EndpointAddress reference, EndpointIdentity& identity)

 

<TraceRecord xmlns="http://schemas.microsoft.com/2004/10/E2ETraceEvent/TraceRecord" Severity="Information">
  <TraceIdentifier>http://msdn.microsoft.com/en-US/library/System.ServiceModel.Security.SecurityIdentityDeterminationSuccess.aspx</TraceIdentifier>
  <Description>Identity was determined for an EndpointReference.</Description>
  <AppDomain>ConsoleApplication1.vshost.exe</AppDomain>
  <ExtendedData xmlns="http://schemas.microsoft.com/2006/08/ServiceModel/ServiceIdentityDeterminationTraceRecord">
    <IdentityVerifierType>System.ServiceModel.Security.IdentityVerifier+DefaultIdentityVerifier</IdentityVerifierType>
    <Identity xmlns="http://schemas.xmlsoap.org/ws/2006/02/addressingidentity">
      <Dns>saurabh21.fareast.corp.microsoft.com</Dns>
    </Identity>
    <EndpointReference xmlns="http://www.w3.org/2005/08/addressing">
      <Address>net.tcp://saurabh21.fareast.corp.microsoft.com/TCP/Service1.svc</Address>
    </EndpointReference>
  </ExtendedData>
</TraceRecord>

 

We can see that here we end up with a DNS identity, because of this code:

 

identity = reference.Identity;
if (identity == null)
{
    identity = this.TryCreateDnsIdentity(reference);
}

private EndpointIdentity TryCreateDnsIdentity(EndpointAddress reference)
{
    Uri uri = reference.Uri;
    if (!uri.IsAbsoluteUri)
    {
        return null;
    }
    // The host part of the endpoint URI becomes the expected DNS identity.
    return EndpointIdentity.CreateDnsIdentity(uri.DnsSafeHost);
}

 

 

So it reads the service URI and gets the DnsSafeHost value from it.

In my case the URI is net.tcp://saurabh21.fareast.corp.microsoft.com/TCP/Service1.svc, so "DnsSafeHost" is "saurabh21.fareast.corp.microsoft.com".

Since my service also happens to run on the same box, we are good to go in this case.

BUT this is good to go only if we are OK with NTLM. Since we did not specify the correct UPN, we have fallen back to NTLM.

 

If I set an endpoint behavior on the client side with allowNtlm = false, the mutual authentication check will fail, and Scenario 2 fails as expected with this error:

The remote server did not satisfy the mutual authentication requirement.

 

Source code:

void ValidateMutualAuth(EndpointIdentity expectedIdentity, NegotiateStream negotiateStream,
    SecurityMessageProperty remoteSecurity, bool allowNtlm)
{
    if (negotiateStream.IsMutuallyAuthenticated)
    {
        // Kerberos path: the service proved an identity, so verify it is the expected one.
        if (expectedIdentity != null)
        {
            if (!parent.IdentityVerifier.CheckAccess(expectedIdentity,
                remoteSecurity.ServiceSecurityContext.AuthorizationContext))
            {
                string primaryIdentity = SecurityUtils.GetIdentityNamesFromContext(remoteSecurity.ServiceSecurityContext.AuthorizationContext);
                throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityNegotiationException(SR.GetString(
                    SR.RemoteIdentityFailedVerification, primaryIdentity)));
            }
        }
    }
    // NTLM path: no mutual authentication happened, which is only acceptable if NTLM is allowed.
    else if (!allowNtlm)
    {
        throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityNegotiationException(SR.GetString(
            SR.StreamMutualAuthNotSatisfied)));
    }
}

 

 

 

Even the NTLM case may fail if the host header and the DNS name are different. If I host my service on a different box name, not on saurabh21.fareast.corp.microsoft.com, then the check will eventually fail, and this is what helps us detect phishing sites.

Let’s see how. I configured my WCF service to run with XYZ.com as the host header, so the endpoint the client sees becomes:

net.tcp://xyz.com/TCP/Service1.svc

The DNS value computed by the client (when we don't add any UPN) will therefore be XYZ.com.

In this case, when the client receives the Windows (Kerberos) credentials/claims for the service, it expects to see the DNS value XYZ.com. We know this is invalid, so the negotiation is finally rejected with an error.

 

 

SCENARIO 3
==============

If we pass a blank or wrong UPN, why does it work?

It works because we fall back to NTLM. Once we have fallen back to NTLM, whatever we specify works, because we are no longer on the Kerberos layer and the service identity is never verified.

To stop this behavior we can set allowNtlm = false in the client endpoint behavior. Once that is done, a blank or wrong UPN no longer works.

 

<behaviors>
  <endpointBehaviors>
    <behavior name="my">
      <clientCredentials>
        <windows allowNtlm="false"/>
      </clientCredentials>
    </behavior>
  </endpointBehaviors>
</behaviors>

<client>
  <endpoint address="net.tcp://xyz.com/TCP/Service1.svc" binding="netTcpBinding" behaviorConfiguration="my"
      bindingConfiguration="net" contract="ServiceReference1.IService1"
      name="net">
    <identity>
      <userPrincipalName value="" />
    </identity>
  </endpoint>
</client>
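As an added example (not code from the original post), the C# below mirrors the client-side logic walked through above in code rather than config: the DNS fallback of TryGetIdentity, the target-name rule of GetSpnFromIdentity, and the weak (no identity, NTLM allowed) versus hardened (pinned UPN, NTLM refused) client endpoint of Scenario 3. The service URI, service-account UPN and contract name are placeholders, not values from the post.

```csharp
using System;
using System.IdentityModel.Claims;
using System.ServiceModel;

// Added example: models WCF's client-side service-identity handling and builds a
// weak and a hardened ChannelFactory. All endpoint values are placeholders.
static class WcfIdentityCheck
{
    // Mirrors DefaultIdentityVerifier.TryGetIdentity: use the identity configured on
    // the address, otherwise fall back to a DNS identity taken from the endpoint URI.
    public static EndpointIdentity EffectiveIdentity(EndpointAddress address)
    {
        if (address.Identity != null)
            return address.Identity;
        return address.Uri.IsAbsoluteUri
            ? EndpointIdentity.CreateDnsIdentity(address.Uri.DnsSafeHost)
            : null;
    }

    // Mirrors GetSpnFromIdentity: the name the client asks Kerberos for a ticket to.
    // SPN and UPN identities are used verbatim; a DNS identity becomes host/<dns name>.
    public static string KerberosTargetName(EndpointIdentity identity)
    {
        if (identity == null) throw new ArgumentNullException("identity");
        Claim claim = identity.IdentityClaim;
        if (ClaimTypes.Spn.Equals(claim.ClaimType) || ClaimTypes.Upn.Equals(claim.ClaimType))
            return (string)claim.Resource;
        if (ClaimTypes.Dns.Equals(claim.ClaimType))
            return "host/" + (string)claim.Resource;
        throw new InvalidOperationException("Cannot determine SPN for claim type " + claim.ClaimType);
    }

    static NetTcpBinding WindowsTransportBinding()
    {
        var binding = new NetTcpBinding(SecurityMode.Transport);
        binding.Security.Transport.ClientCredentialType = TcpClientCredentialType.Windows;
        return binding;
    }

    // Weak: no identity on the address and NTLM allowed (the default). If Kerberos
    // cannot be used, the channel silently negotiates NTLM and the service identity
    // is never verified, which is exactly why a blank or wrong UPN "works" in Scenario 3.
    public static ChannelFactory<TChannel> WeakFactory<TChannel>(Uri serviceUri)
    {
        var factory = new ChannelFactory<TChannel>(WindowsTransportBinding(), new EndpointAddress(serviceUri));
        factory.Credentials.Windows.AllowNtlm = true;
        return factory;
    }

    // Hardened: pin the service identity to the UPN the service runs under and refuse
    // NTLM, so a host that cannot prove that identity fails the mutual-authentication
    // check instead of being talked to. (AllowNtlm is flagged obsolete on newer
    // frameworks, where local machine policy governs NTLM fallback instead.)
    public static ChannelFactory<TChannel> HardenedFactory<TChannel>(Uri serviceUri, string serviceUpn)
    {
        var address = new EndpointAddress(serviceUri, EndpointIdentity.CreateUpnIdentity(serviceUpn));
        var factory = new ChannelFactory<TChannel>(WindowsTransportBinding(), address);
        factory.Credentials.Windows.AllowNtlm = false;
        return factory;
    }

    static void Main()
    {
        // Placeholder endpoint and service-account UPN (constructed, not from the post).
        var uri = new Uri("net.tcp://service-host.example.com/TCP/Service1.svc");
        const string serviceUpn = "svc-account@example.com";

        // No identity configured: the client derives a DNS identity and targets host/<host>.
        EndpointIdentity implicitId = EffectiveIdentity(new EndpointAddress(uri));
        Console.WriteLine("implicit target: " + KerberosTargetName(implicitId));

        // Explicit UPN (Scenario 1): the UPN itself is the Kerberos target name.
        EndpointIdentity upnId = EffectiveIdentity(
            new EndpointAddress(uri, EndpointIdentity.CreateUpnIdentity(serviceUpn)));
        Console.WriteLine("explicit target: " + KerberosTargetName(upnId));

        // Compare the two client configurations; IService1 is the placeholder contract.
        // var weak = WeakFactory<IService1>(uri);
        // var hardened = HardenedFactory<IService1>(uri, serviceUpn);
    }
}
```

Running KerberosTargetName against your own endpoint address tells you which SPN (host/<name>) or UPN must actually be registered for the service account; a mismatch there is what makes Kerberos fail and NTLM fallback take over.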

 

 

SPNEGO and KERBEROS

http://thekspace.com/home/component/content/article/54-kerberos-and-spnego.html

 

Important link:

http://msdn.microsoft.com/en-us/library/bb628618.aspx

 

 

Net.Tcp internally relies on the SPNEGO protocol, so falling back to NTLM will always work until we explicitly set allowNtlm to false in the endpoint behavior.

==================================================

 

http://msdn.microsoft.com/en-us/library/dd357379.aspx

http://www.ietf.org/rfc/rfc4178.txt

 

 

Hope this content helps in understanding <identity> in the WCF world.

WCF: Discover In WCF World

$
0
0

What is service identity in WCF WSDL ?

 

For normal basicHttpBinding we use one directional authentication where only service authenticates the client. For dual authentication, we allow client to authenticate the service as well.

 

With WS Standard we use the Mutual authentication scheme and publish the service identity to the clients.

The service identity becomes part of WSDL and is available to clients, which gets used by client to authenticate to service. Client compares the endpoint identity value (local) with the actual value the endpoint authentication process returned. If they match, the client is assured it has contacted the expected service endpoint. This protects client to talk to phishing service.

When the client initiates a secure channel to send a message to a service over it, the Windows Communication Foundation (WCF) infrastructure authenticates the service, and only sends the message if the service identity matches the identity specified in the endpoint address the client uses.

 

Identity processing consists of the following stages:

• At design time, the client developer determines the service's identity from the endpoint's metadata (exposed through WSDL).

• At runtime, the client application checks the claims of the service's security credentials before sending any messages to the service.

Client does not send messages to the service until the service's credentials have been authenticated based on what is known in advance from the service's metadata.

 

UPN IDENTITY:

This ensures that the service is running under a specific Windows user account. The user account can be either the currently logged-on user or a service running under a particular user account.

This setting takes advantage of Windows Kerberos security if the service is running under a domain account within an Active Directory environment.

SPN IDENTITY:

This ensures that the SPN and the specific Windows account associated with the SPN identify the service. You can use the Setspn.exe tool to associate a machine account with the service's user account.

This setting takes advantage of Windows Kerberos security if the service is running under one of the system accounts, or under a domain account that has an associated SPN, and the computer is a member of a domain within an Active Directory environment.

If the service authenticates using message- or transport-level SSL with a Windows credential for authentication, and negotiates the credential, the following identity values are valid:

• DNS. The negotiation passes the service's SPN so that the DNS name can be checked. The SPN is in the form host/<dns name>.

• SPN. An explicit service SPN is returned, for example, host/myservice.

• UPN. The UPN of the service account. The UPN is in the form username@domain. For example, when the service is running in a user account, it may be username@contoso.com.

If no identity is specified and the client credential type is Windows, the default is SPN, with the value set to the hostname part of the service endpoint address prefixed with the "host/" literal.

For Windows authentication, the SPN or UPN is published in the WSDL because Kerberos authentication requires that a UPN or SPN be supplied to the client to authenticate the service.

From IIS 7 onwards, we introduced a new concept called KERNEL MODE SECURITY. This is intended to simplify SPN management and move authentication to the kernel layer. With this security mode, the SPN is registered under the machine account. If our web application pool runs under a custom domain account, the SPN must be registered for that user account rather than the machine account.

http://technet.microsoft.com/en-us/library/dd632778.aspx

Stack used for checking the identity at the client side:

at System.ServiceModel.Security.IdentityVerifier.DefaultIdentityVerifier.TryGetIdentity(EndpointAddress reference, EndpointIdentity& identity)
at System.ServiceModel.Channels.WindowsStreamSecurityUpgradeProvider.WindowsStreamSecurityUpgradeInitiator.InitiateUpgradePrepare(Stream stream, NegotiateStream& negotiateStream, String& targetName, EndpointIdentity& identity)

Source code method:

======================

public override bool TryGetIdentity(EndpointAddress reference, out EndpointIdentity identity)
{
    if (reference == null)
    {
        throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("reference");
    }
    identity = reference.Identity;
    if (identity == null)
    {
        identity = this.TryCreateDnsIdentity(reference);
    }
    if (identity == null)
    {
        SecurityTraceRecordHelper.TraceIdentityDeterminationFailure(reference, typeof(IdentityVerifier.DefaultIdentityVerifier));
        return false;
    }
    SecurityTraceRecordHelper.TraceIdentityDeterminationSuccess(reference, identity, typeof(IdentityVerifier.DefaultIdentityVerifier));
    return true;
}

SCENARIO 1:

=====================

The client passes the correct identity as a UPN.

Stack:

at System.ServiceModel.Security.IdentityVerifier.DefaultIdentityVerifier.TryGetIdentity(EndpointAddress reference, EndpointIdentity& identity)

The EndpointAddress object is created based on the identity set in the config file.

We return success from the final TraceIdentityDeterminationSuccess branch of the code below.

public override bool TryGetIdentity(EndpointAddress reference, out EndpointIdentity identity)
{
    if (reference == null)
    {
        throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("reference");
    }
    identity = reference.Identity;
    if (identity == null)
    {
        identity = this.TryCreateDnsIdentity(reference);
    }
    if (identity == null)
    {
        SecurityTraceRecordHelper.TraceIdentityDeterminationFailure(reference, typeof(IdentityVerifier.DefaultIdentityVerifier));
        return false;
    }
    SecurityTraceRecordHelper.TraceIdentityDeterminationSuccess(reference, identity, typeof(IdentityVerifier.DefaultIdentityVerifier));
    return true;
}

<DataItem>
  <TraceRecord xmlns="http://schemas.microsoft.com/2004/10/E2ETraceEvent/TraceRecord" Severity="Information">
    <TraceIdentifier>http://msdn.microsoft.com/en-US/library/System.ServiceModel.Security.SecurityIdentityDeterminationSuccess.aspx</TraceIdentifier>
    <Description>Identity was determined for an EndpointReference.</Description>
    <AppDomain>ConsoleApplication1.vshost.exe</AppDomain>
    <ExtendedData xmlns="http://schemas.microsoft.com/2006/08/ServiceModel/ServiceIdentityDeterminationTraceRecord">
      <IdentityVerifierType>System.ServiceModel.Security.IdentityVerifier+DefaultIdentityVerifier</IdentityVerifierType>
      <Identity xmlns="http://schemas.xmlsoap.org/ws/2006/02/addressingidentity">
        <Upn>saurabs@fareast.corp.microsoft.com</Upn>
      </Identity>
      <EndpointReference xmlns="http://www.w3.org/2005/08/addressing">
        <Address>net.tcp://saurabh21.fareast.corp.microsoft.com/TCP/Service1.svc</Address>
        <Identity xmlns="http://schemas.xmlsoap.org/ws/2006/02/addressingidentity">
          <Upn>saurabs@fareast.corp.microsoft.com</Upn>
        </Identity>
      </EndpointReference>
    </ExtendedData>
  </TraceRecord>
</DataItem>

Next we try to get the associated SPN for the identity:

internal static string GetSpnFromIdentity(EndpointIdentity identity, EndpointAddress target)
{
    bool foundSpn = false;
    string spn = null;
    if (identity != null)
    {
        if (ClaimTypes.Spn.Equals(identity.IdentityClaim.ClaimType))
        {
            spn = (string)identity.IdentityClaim.Resource;
            foundSpn = true;
        }
        else if (ClaimTypes.Upn.Equals(identity.IdentityClaim.ClaimType))
        {
            spn = (string)identity.IdentityClaim.Resource;
            foundSpn = true;
        }
        else if (ClaimTypes.Dns.Equals(identity.IdentityClaim.ClaimType))
        {
            spn = String.Format(CultureInfo.InvariantCulture, "host/{0}", (string)identity.IdentityClaim.Resource);
            foundSpn = true;
        }
    }
    if (!foundSpn)
    {
        throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new MessageSecurityException(SR.GetString(SR.CannotDetermineSPNBasedOnAddress, target)));
    }
    return spn;
}

Next we see:

at System.ServiceModel.Diagnostics.SecurityTraceRecordHelper.TraceIdentityVerificationSuccess(EventTraceActivity eventTraceActivity, EndpointIdentity identity, Claim claim, Type identityVerifier)
at System.ServiceModel.Security.IdentityVerifier.DefaultIdentityVerifier.CheckAccess(EndpointIdentity identity, AuthorizationContext authContext)

We call the CheckAccess method to verify the claims received as part of the service identity, and to confirm that they are for the same identity we specified.

public override bool CheckAccess(EndpointIdentity identity, AuthorizationContext authContext)
{
    if (identity == null)
    {
        throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("identity");
    }
    if (authContext == null)
    {
        throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("authContext");
    }
    for (int i = 0; i < authContext.ClaimSets.Count; i++)
    {
        ClaimSet claimSet = authContext.ClaimSets[i];
        if (claimSet.ContainsClaim(identity.IdentityClaim))
        {
            SecurityTraceRecordHelper.TraceIdentityVerificationSuccess(identity, identity.IdentityClaim, base.GetType());
            return true;
        }
        string expectedSpn = null;
        if (ClaimTypes.Dns.Equals(identity.IdentityClaim.ClaimType))
        {
            expectedSpn = string.Format(CultureInfo.InvariantCulture, "host/{0}", new object[] { (string) identity.IdentityClaim.Resource });
            Claim claim = this.CheckDnsEquivalence(claimSet, expectedSpn);
            if (claim != null)
            {
                SecurityTraceRecordHelper.TraceIdentityVerificationSuccess(identity, claim, base.GetType());
                return true;
            }
        }
        SecurityIdentifier identitySid = null;
        if (ClaimTypes.Sid.Equals(identity.IdentityClaim.ClaimType))
        {
            identitySid = this.GetSecurityIdentifier(identity.IdentityClaim);
        }
        else if (ClaimTypes.Upn.Equals(identity.IdentityClaim.ClaimType))
        {
            identitySid = ((UpnEndpointIdentity) identity).GetUpnSid();
        }
        else if (ClaimTypes.Spn.Equals(identity.IdentityClaim.ClaimType))
        {
            identitySid = ((SpnEndpointIdentity) identity).GetSpnSid();
        }
        else if (ClaimTypes.Dns.Equals(identity.IdentityClaim.ClaimType))
        {
            identitySid = new SpnEndpointIdentity(expectedSpn).GetSpnSid();
        }
        if (identitySid != null)
        {
            Claim claim2 = this.CheckSidEquivalence(identitySid, claimSet);
            if (claim2 != null)
            {
                SecurityTraceRecordHelper.TraceIdentityVerificationSuccess(identity, claim2, base.GetType());
                return true;
            }
        }
    }
    SecurityTraceRecordHelper.TraceIdentityVerificationFailure(identity, authContext, base.GetType());
    return false;
}

Dumping objects:

Our identity object:

0:000> !do 0x27d97ec
Name:        System.ServiceModel.UpnEndpointIdentity
MethodTable: 51800748
EEClass:     51444ad8
Size:        32(0x20) bytes
File:        C:\windows\Microsoft.Net\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll
Fields:
      MT    Field   Offset                 Type VT     Attr    Value Name
4ffcb198  4002575        4 ...odel.Claims.Claim  0 instance 027d9930 identityClaim
4ffcb2b8  4002576        8 ...m.IdentityModel]]  0 instance 00000000 claimComparer
65dc15b8  400257d        c ...ecurityIdentifier  0 instance 00000000 upnSid
65dc6f18  400257e       18       System.Boolean  1 instance        0 hasUpnSidBeenComputed
65dc29b4  400257f       10 ...l.WindowsIdentity  0 instance 00000000 windowsIdentity
65dcb060  4002580       14        System.Object  0 instance 027d980c thisLock

0:000> !DumpObj /d 027d9930
Name:        System.IdentityModel.Claims.Claim
MethodTable: 4ffcb198
EEClass:     4ff64b38
Size:        24(0x18) bytes
File:        C:\windows\Microsoft.Net\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll
Fields:
      MT    Field   Offset                 Type VT     Attr    Value Name
65dcacc0  40007a9        4        System.String  0 instance 027d98b0 claimType
65dcb060  40007aa        8        System.Object  0 instance 02732d6c resource
65dcacc0  40007ab        c        System.String  0 instance 027d9818 right
4ffcb2b8  40007ac       10 ...m.IdentityModel]]  0 instance 027d9954 comparer
4ffcb198  40007a8       dc ...odel.Claims.Claim  0   static 0293d9b8 system

0:000> !DumpObj /d 027d98b0
Name:        System.String
MethodTable: 65dcacc0
EEClass:     659d486c
Size:        128(0x80) bytes
File:        C:\windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.dll
String:      http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn
Fields:
      MT    Field   Offset                 Type VT     Attr    Value Name
65dcc480  40000aa        4         System.Int32  1 instance       57 m_stringLength
65dcb6b8  40000ab        8          System.Char  1 instance       68 m_firstChar
65dcacc0  40000ac        c        System.String  0   shared   static Empty
    >> Domain:Value  008867e0:NotInit  <<

0:000> !DumpObj /d 02732d6c
Name:        System.String
MethodTable: 65dcacc0
EEClass:     659d486c
Size:        82(0x52) bytes
File:        C:\windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.dll
String:      saurabs@fareast.corp.microsoft.com
Fields:
      MT    Field   Offset                 Type VT     Attr    Value Name
65dcc480  40000aa        4         System.Int32  1 instance       34 m_stringLength
65dcb6b8  40000ab        8          System.Char  1 instance       73 m_firstChar
65dcacc0  40000ac        c        System.String  0   shared   static Empty

 

Authorization context received from the service:

0:000> !do 0x293db44
Name:        System.IdentityModel.SecurityUtils+SimpleAuthorizationContext
MethodTable: 4ffcbcb0
EEClass:     4ff6c610
Size:        20(0x14) bytes
File:        C:\windows\Microsoft.Net\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll
Fields:
      MT    Field   Offset                 Type VT     Attr    Value Name
4ffcb998  40011db        4 ....SecurityUniqueId  0 instance 00000000 id
4ffcbb90  40011dc        8 ...conditionalPolicy  0 instance 0293d8bc policy
659d86a4  40011dd        c ...bject, mscorlib]]  0 instance 0293db7c properties

0:000> !DumpObj /d 0293d8bc
Name:        System.IdentityModel.Policy.UnconditionalPolicy
MethodTable: 4ffcbb90
EEClass:     4ff6c574
Size:        40(0x28) bytes
File:        C:\windows\Microsoft.Net\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll
Fields:
      MT    Field   Offset                 Type VT     Attr    Value Name
4ffcb998  400088d        4 ....SecurityUniqueId  0 instance 00000000 id
4ffcbbec  400088e        8 ...l.Claims.ClaimSet  0 instance 0293d9e8 issuer
4ffcbbec  400088f        c ...l.Claims.ClaimSet  0 instance 0293d88c issuance
4ff5179c  4000890       10 ...m.IdentityModel]]  0 instance 00000000 issuances
65dc8bdc  4000891       1c      System.DateTime  1 instance 0293d8d8 expirationTime
65dc3968  4000892       14 ...incipal.IIdentity  0 instance 0293d7b8 primaryIdentity
65dc6f18  4000893       18       System.Boolean  1 instance        0 disposable
65dc6f18  4000894       19       System.Boolean  1 instance        0 disposed

0:000> !DumpObj /d 0293d7b8
Name:        System.Security.Principal.GenericIdentity
MethodTable: 65dc2d48
EEClass:     65adcafc
Size:        64(0x40) bytes
File:        C:\windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.dll
Fields:
      MT    Field   Offset                 Type VT     Attr    Value Name
659e0bf0  4001b15        4 ...Claim, mscorlib]]  0 instance 0293d7f8 m_instanceClaims
659e0c90  4001b16        8 ...lib]], mscorlib]]  0 instance 0293d810 m_externalClaims
65dcacc0  4001b17        c        System.String  0 instance 0293d43c m_nameType
65dcacc0  4001b18       10        System.String  0 instance 0293d548 m_roleType
65dcacc0  4001b19       14        System.String  0 instance 0293d428 m_version
65dc652c  4001b1a       18 ...ms.ClaimsIdentity  0 instance 00000000 m_actor
65dcacc0  4001b1b       1c        System.String  0 instance 00000000 m_authenticationType
65dcb060  4001b1c       20        System.Object  0 instance 00000000 m_bootstrapContext
65dcacc0  4001b1d       24        System.String  0 instance 00000000 m_label
65dcacc0  4001b1e       28        System.String  0 instance 00000000 m_serializedNameType
65dcacc0  4001b1f       2c        System.String  0 instance 00000000 m_serializedRoleType
65dcacc0  4001b20       30        System.String  0 instance 00000000 m_serializedClaims
65dcacc0  4001b2a       34        System.String  0 instance 02732d6c m_name
65dcacc0  4001b2b       38        System.String  0 instance 02621228 m_type

0:000> !DumpObj /d 02732d6c
Name:        System.String
MethodTable: 65dcacc0
EEClass:     659d486c
Size:        82(0x52) bytes
File:        C:\windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.dll
String:      saurabs@fareast.corp.microsoft.com
Fields:
      MT    Field   Offset                 Type VT     Attr    Value Name
65dcc480  40000aa        4         System.Int32  1 instance       34 m_stringLength
65dcb6b8  40000ab        8          System.Char  1 instance       73 m_firstChar
65dcacc0  40000ac        c        System.String  0   shared   static Empty
    >> Domain:Value  008867e0:NotInit  <<

We can see that the identity is the same in both (the UPN claim resource on our side and the primary identity name in the received authorization context), and eventually the identity verification succeeds.

Note:

This method is only called if we are on the Kerberos authentication scheme; otherwise we fall back to NTLM. The next case demonstrates that.

Scenario 2:

================

When the client does not specify any identity, although it is supposed to specify a UPN.

Stack:

at System.ServiceModel.Diagnostics.SecurityTraceRecordHelper.TraceIdentityDeterminationSuccess(EndpointAddress epr, EndpointIdentity identity, Type identityVerifier)
at System.ServiceModel.Security.IdentityVerifier.DefaultIdentityVerifier.TryGetIdentity(EndpointAddress reference, EndpointIdentity& identity)

<TraceRecord xmlns="http://schemas.microsoft.com/2004/10/E2ETraceEvent/TraceRecord" Severity="Information">
  <TraceIdentifier>http://msdn.microsoft.com/en-US/library/System.ServiceModel.Security.SecurityIdentityDeterminationSuccess.aspx</TraceIdentifier>
  <Description>Identity was determined for an EndpointReference.</Description>
  <AppDomain>ConsoleApplication1.vshost.exe</AppDomain>
  <ExtendedData xmlns="http://schemas.microsoft.com/2006/08/ServiceModel/ServiceIdentityDeterminationTraceRecord">
    <IdentityVerifierType>System.ServiceModel.Security.IdentityVerifier+DefaultIdentityVerifier</IdentityVerifierType>
    <Identity xmlns="http://schemas.xmlsoap.org/ws/2006/02/addressingidentity">
      <Dns>saurabh21.fareast.corp.microsoft.com</Dns>
    </Identity>
    <EndpointReference xmlns="http://www.w3.org/2005/08/addressing">
      <Address>net.tcp://saurabh21.fareast.corp.microsoft.com/TCP/Service1.svc</Address>
    </EndpointReference>
  </ExtendedData>
</TraceRecord>

We can see that here we end up setting a DNS identity, because of this code:

identity = reference.Identity;
if (identity == null)
{
    identity = this.TryCreateDnsIdentity(reference);
}

private EndpointIdentity TryCreateDnsIdentity(EndpointAddress reference)
{
    Uri uri = reference.Uri;
    if (!uri.IsAbsoluteUri)
    {
        return null;
    }
    return EndpointIdentity.CreateDnsIdentity(uri.DnsSafeHost);
}

So it reads the service URL and gets the DnsSafeHost value from there.

In my case the URI is net.tcp://saurabh21.fareast.corp.microsoft.com/TCP/Service1.svc, so "DnsSafeHost" is "saurabh21.fareast.corp.microsoft.com".

Since my service also happens to run on the same box, we are good to go in this case.
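The identity determination, SPN derivation and claim check walked through above (TryGetIdentity, GetSpnFromIdentity and the claim-equality part of CheckAccess), rebuilt on the public WCF API as an added example that is not the framework's own code, so the three scenarios in this post can be reproduced offline. The SID-equivalence branch of CheckAccess is left out because it needs a domain lookup, and the addresses, UPN and claim set are constructed from the sample values in this post.

```csharp
using System;
using System.Globalization;
using System.IdentityModel.Claims;
using System.ServiceModel;

// Added example, not WCF's own code: the client-side identity determination,
// SPN derivation and claim check from this post, rebuilt on the public API.
static class ServiceIdentityCheck
{
    // Mirrors DefaultIdentityVerifier.TryGetIdentity: take the identity from the
    // endpoint address, otherwise fall back to a DNS identity built from the URI host.
    public static EndpointIdentity DetermineExpectedIdentity(EndpointAddress reference)
    {
        if (reference == null) throw new ArgumentNullException("reference");
        if (reference.Identity != null) return reference.Identity;
        if (!reference.Uri.IsAbsoluteUri) return null;
        return EndpointIdentity.CreateDnsIdentity(reference.Uri.DnsSafeHost);
    }

    // Mirrors GetSpnFromIdentity: the target name the Kerberos ticket is requested for.
    // UPN and SPN identities are used verbatim; a DNS identity becomes host/<dns name>.
    public static string KerberosTargetName(EndpointIdentity identity)
    {
        if (identity == null) throw new ArgumentNullException("identity");
        string claimType = identity.IdentityClaim.ClaimType;
        string resource = (string)identity.IdentityClaim.Resource;
        if (ClaimTypes.Spn.Equals(claimType) || ClaimTypes.Upn.Equals(claimType))
            return resource;
        if (ClaimTypes.Dns.Equals(claimType))
            return string.Format(CultureInfo.InvariantCulture, "host/{0}", resource);
        throw new InvalidOperationException("Cannot determine an SPN for claim type " + claimType);
    }

    // The claim-equality part of DefaultIdentityVerifier.CheckAccess: the service is
    // accepted if the claims it presented contain the expected claim or, for a DNS
    // identity, an SPN claim equal to host/<dns name>. The SID-equivalence branch
    // is omitted here because it needs a domain lookup.
    public static bool PresentedClaimsMatch(EndpointIdentity expected, ClaimSet presented)
    {
        if (expected == null) throw new ArgumentNullException("expected");
        if (presented == null) throw new ArgumentNullException("presented");
        if (presented.ContainsClaim(expected.IdentityClaim)) return true;
        if (!ClaimTypes.Dns.Equals(expected.IdentityClaim.ClaimType)) return false;

        string expectedSpn = KerberosTargetName(expected);
        foreach (Claim spnClaim in presented.FindClaims(ClaimTypes.Spn, Rights.PossessProperty))
        {
            if (string.Equals(expectedSpn, (string)spnClaim.Resource, StringComparison.OrdinalIgnoreCase))
                return true;
        }
        return false;
    }

    static void Main()
    {
        // Constructed sample values taken from the scenarios in this post.
        var serviceUri = new Uri("net.tcp://saurabh21.fareast.corp.microsoft.com/TCP/Service1.svc");

        // Scenario 1: the endpoint address carries an explicit UPN identity.
        var withUpn = new EndpointAddress(serviceUri,
            EndpointIdentity.CreateUpnIdentity("saurabs@fareast.corp.microsoft.com"));
        EndpointIdentity expectedUpn = DetermineExpectedIdentity(withUpn);
        Console.WriteLine("Scenario 1 target name: " + KerberosTargetName(expectedUpn));

        // Scenario 2: no identity configured, so the DNS fallback uses the URI host.
        var withoutIdentity = new EndpointAddress(serviceUri);
        EndpointIdentity expectedDns = DetermineExpectedIdentity(withoutIdentity);
        Console.WriteLine("Scenario 2 target name: " + KerberosTargetName(expectedDns));

        // Constructed claims for a service running as that account on that box: the UPN
        // claim satisfies Scenario 1 directly, the host/ SPN claim satisfies Scenario 2.
        var presented = new DefaultClaimSet(
            Claim.CreateUpnClaim("saurabs@fareast.corp.microsoft.com"),
            Claim.CreateSpnClaim("host/saurabh21.fareast.corp.microsoft.com"));
        Console.WriteLine("Scenario 1 match: " + PresentedClaimsMatch(expectedUpn, presented));
        Console.WriteLine("Scenario 2 match: " + PresentedClaimsMatch(expectedDns, presented));

        // The host-header case from this post: the client expects host/xyz.com, which the
        // real service's claims do not carry, so the check fails and the mismatch is caught.
        var hostHeader = new EndpointAddress("net.tcp://xyz.com/TCP/Service1.svc");
        Console.WriteLine("xyz.com match: " + PresentedClaimsMatch(DetermineExpectedIdentity(hostHeader), presented));
    }
}
```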

 

BUT this is good to go only if we are OK with NTLM. Since we did not specify the correct UPN, we have fallen back to NTLM.

If I set an endpoint behavior at the client side with allowNtlm = false, the mutual authentication check will fail.

Then Case 2 fails, as expected, with this error:

The remote server did not satisfy the mutual authentication requirement.

Source code:

void ValidateMutualAuth(EndpointIdentity expectedIdentity, NegotiateStream negotiateStream,
    SecurityMessageProperty remoteSecurity, bool allowNtlm)
{
    if (negotiateStream.IsMutuallyAuthenticated)
    {
        if (expectedIdentity != null)
        {
            if (!parent.IdentityVerifier.CheckAccess(expectedIdentity,
                remoteSecurity.ServiceSecurityContext.AuthorizationContext))
            {
                string primaryIdentity = SecurityUtils.GetIdentityNamesFromContext(remoteSecurity.ServiceSecurityContext.AuthorizationContext);
                throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityNegotiationException(SR.GetString(
                    SR.RemoteIdentityFailedVerification, primaryIdentity)));
            }
        }
    }
    else if (!allowNtlm)
    {
        throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityNegotiationException(SR.GetString(
            SR.StreamMutualAuthNotSatisfied)));
    }
}

Even the NTLM check may fail if the host header and the DNS name are different.

If I host my service on a different box name, not on saurabh21.fareast.corp.microsoft.com, then the check will eventually fail, and this will eventually help us detect phishing sites.

Let's see how.

I configured my WCF service to run with XYZ.com as the host header, so the endpoint the client uses now becomes:

net.tcp://xyz.com/TCP/Service1.svc

Eventually the DNS value computed by the client (in case we don't add any UPN) will be XYZ.com.

In this case, when the client receives the Windows (Kerberos) credentials/claims for the service, it expects to see the DNS value XYZ.com, and we know this is invalid, so finally the negotiation is rejected with this error...

SCENARIO 3

==============

If we pass a blank or wrong UPN, why does it work?

It works because we fall back to NTLM. When falling back to NTLM, no matter what we specify it works, because we are no longer on the Kerberos layer.

To stop this behavior, we can set allowNtlm = false in the client endpoint behavior. Once that is done, a blank or wrong UPN no longer works:

<behaviors>
  <endpointBehaviors>
    <behavior name="my">
      <clientCredentials>
        <windows allowNtlm="false"/>
      </clientCredentials>
    </behavior>
  </endpointBehaviors>
</behaviors>

<client>
  <endpoint address="net.tcp://xyz.com/TCP/Service1.svc" binding="netTcpBinding" behaviorConfiguration="my"
      bindingConfiguration="net" contract="ServiceReference1.IService1"
      name="net">
    <identity>
      <userPrincipalName value="" />
    </identity>
  </endpoint>
</client>
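The same hardening done in code rather than config, as an added example that is not from the original post or from WCF: an explicit UPN identity for the service plus NTLM fallback disabled, so that a wrong or blank identity surfaces as a SecurityNegotiationException instead of silently succeeding over NTLM. IService1 is a placeholder stub standing in for the ServiceReference1.IService1 contract, the address and UPN are the sample values from this post, and the AllowNtlm property carries an Obsolete attribute in the .NET Framework reference source, hence the pragma.

```csharp
using System;
using System.Security.Principal;
using System.ServiceModel;
using System.ServiceModel.Security;

// Placeholder contract standing in for ServiceReference1.IService1 from this post.
[ServiceContract]
public interface IService1
{
    [OperationContract]
    string GetData(int value);
}

static class HardenedNetTcpClient
{
    // Builds the client the way the config above does, but in code: an explicit UPN
    // identity for the service and NTLM fallback disabled, so a wrong or blank identity
    // fails the negotiation instead of "working" because SPNEGO dropped to NTLM.
    public static ChannelFactory<IService1> CreateFactory(string address, string serviceUpn)
    {
        // Scenario 3 guard: a blank UPN only ever passed thanks to the NTLM fallback.
        if (string.IsNullOrEmpty(serviceUpn))
            throw new ArgumentException("A service UPN is required.", "serviceUpn");

        var binding = new NetTcpBinding(SecurityMode.Transport);
        binding.Security.Transport.ClientCredentialType = TcpClientCredentialType.Windows;

        var endpoint = new EndpointAddress(new Uri(address), EndpointIdentity.CreateUpnIdentity(serviceUpn));
        var factory = new ChannelFactory<IService1>(binding, endpoint);

#pragma warning disable 618 // AllowNtlm is marked obsolete; it is the same switch as allowNtlm="false" in config.
        factory.Credentials.Windows.AllowNtlm = false;
#pragma warning restore 618
        // Least privilege: the service may identify the caller but not impersonate it (also the default).
        factory.Credentials.Windows.AllowedImpersonationLevel = TokenImpersonationLevel.Identification;
        return factory;
    }

    // Returns the reply, or null when the mutual authentication check failed; that
    // failure is exactly what allowNtlm="false" is there to expose (the "did not
    // satisfy the mutual authentication requirement" error quoted in this post).
    public static string CallOrReportIdentityFailure(string address, string serviceUpn)
    {
        ChannelFactory<IService1> factory = CreateFactory(address, serviceUpn);
        IService1 channel = factory.CreateChannel();
        try
        {
            string reply = channel.GetData(1);
            ((ICommunicationObject)channel).Close();
            factory.Close();
            return reply;
        }
        catch (SecurityNegotiationException ex)
        {
            // Expected when the service does not run as serviceUpn, or when Kerberos
            // cannot be used and only the (now disabled) NTLM fallback would have passed.
            Console.Error.WriteLine("Service identity check failed for {0}: {1}", address, ex.Message);
            ((ICommunicationObject)channel).Abort();
            factory.Abort();
            return null;
        }
    }

    static void Main()
    {
        // Constructed sample values taken from the scenarios in this post.
        CallOrReportIdentityFailure("net.tcp://xyz.com/TCP/Service1.svc", "saurabs@fareast.corp.microsoft.com");
    }
}
```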

 

 

SPNEGO and KERBEROS

http://thekspace.com/home/component/content/article/54-kerberos-and-spnego.html

Important link:

http://msdn.microsoft.com/en-us/library/bb628618.aspx

Net.Tcp internally relies on the SPNEGO protocol, and we know for sure that falling back to NTLM will work until we explicitly set allowNtlm to false in the endpoint behavior.

==================================================

http://msdn.microsoft.com/en-us/library/dd357379.aspx

http://www.ietf.org/rfc/rfc4178.txt

Hope the content helps in understanding the <identity> in the WCF world.

Video – environmental sustainability

Here is the video of the presentation I gave on the topic of Environmental Sustainability. The idea in this presentation is to explain how a company can reach maturity levels for Green IT. I hope you enjoy the video: ...

Attaching to saving and saved events of a Work Item in a Custom Control


We have been asked lately whether it is possible to do something before or after the save operation of a work item inside a custom control. The answer is yes, you can do that.

When a change occurs in a work item, a lot of events are actually fired, like field change, revert, saving, saved, etc. All you need to do is subscribe to the work item change event and then apply appropriate filtering on the change type when the work item is bound to the form (the bind event of all controls on the form is called when a work item is bound to a form).

Please do not forget to unsubscribe during unbind. Also note that these are all read-only notifications, which means none of them can be cancelled.

Let's see some code:

bind: function (workItem) {
    this._base(workItem);
    // TFS.Core.delegate binds the handler to this custom control's context, so that
    // other methods of the control can be accessed inside the handler. Keep the bound
    // wrapper itself, because detachWorkItemChanged must be given the same function
    // reference that was attached.
    this._workItemChangeDelegate = TFS.Core.delegate(this, function (sender, args) {
        if (args.change === "saving") {
            // Do something before the work item is saved...
        } else if (args.change === "saved") {
            // Do something after the work item has been saved...
        }
    });
    workItem.attachWorkItemChanged(this._workItemChangeDelegate);
}

unbind: function (workItem) {
    this._base(workItem);
    workItem.detachWorkItemChanged(this._workItemChangeDelegate);
    delete this._workItemChangeDelegate;
}

 

And one last comment about "Save & Close". The above events are fired from the Object Model, but "Save & Close" happens at the UI level, which prevents custom controls from attaching to that event. Because we do not have any APIs for UI commands, it is not possible to intervene. Sorry for any inconvenience.

Hope this code piece helps, and let us know if you have any questions or feedback.

C# – Multilanguage applications, globalization and localization

Intermediate. At my conferences, and while browsing the forums on the internet, I continually come across a multitude of doubts and questions about how to build an application that supports multiple languages; there are certainly several ways to achieve it ...

SCVMM, Hyper-V Replica, UI and PowerShell


Before I get started on this – I do want to be upfront about the context for this post.  In my house I am currently running Hyper-V Server 2012 R2 with Hyper-V Replica enabled.  I am then managing my environment with System Center Virtual Machine Manager 2012 R2.

I am not (yet) using Hyper-V Recovery Manager (http://www.windowsazure.com/en-us/services/recovery-manager/).

Now, if you are unfamiliar with the story here.  Hyper-V Recovery Manager is our official solution for managing Hyper-V Replica with System Center.  This means that I am not doing things “by the book” right now (why?  Because there are only so many hours in the day and this is actually all stuff that I do in my spare time!).

So what is the experience if you are using Hyper-V Replica with System Center Virtual Machine Manager 2012 R2 without Hyper-V Recovery Manager?  In short, not bad.

SCVMM has no support for configuring or orchestrating Hyper-V Replica directly.  I am currently using Hyper-V manager to do that.  It does, however, detect that Hyper-V Replica has been configured and allows me to view the replication health in the SCVMM UI.  There is one annoyance I have found with this configuration:

[Screenshot: SCVMM console listing all of the virtual machines and their replicas]

This is a screenshot of my SCVMM console.  As you can see it has all of my virtual machines and all of their replicas.  I do not have it displayed here – but I can also add a column that shows the replication health.  Unfortunately, there is no way for me to tell which virtual machines are the primary virtual machines and which are the replicas.  Annoying. 

For the most part I can figure this out intuitively (the primary virtual machine is the one that is running!) But if I have a virtual machine that is turned off (like my TS Gateway in the above screenshot) I have not figured out how to tell the primary from the replica using the SCVMM UI.

PowerShell is much better though.

Here it is very easy to tell the virtual machines apart.  Let’s say I wanted to get the primary TS Gateway virtual machine – I would use this command:

$VM = Get-SCVirtualMachine "TS Gateway" | ?{$_.IsPrimaryVM}

Similarly, to get the replica virtual machine I would run:

$VM = Get-SCVirtualMachine "TS Gateway" | ?{$_.IsRecoveryVM}

Nice and simple.

Hopefully I will find the time to set up Hyper-V Recovery Manager soon (after updating my VPN server, setting up a new blog site, getting a new mail server up and running, getting the Windows Azure pack loaded…  This may take a while!)

Cheers,
Ben

Announcing Improved Access to Office with Window-Eyes

Today, Microsoft and GW Micro have announced a new offer for Office customers which provides the opportunity to download the screen reader Window-Eyes for free. Starting today, customers who have purchased and installed any version of Microsoft Office 2010 or later are eligible to download a free copy of Window-Eyes from GW Micro. To learn more about the details on this offer visit the Microsoft Office blog. To learn more about Window-Eyes and how to download the software as a part of this...

Demystifying Power BI Q&A - Introduction


By now, you’ve probably seen a demo of Power BI Q&A and may have played with one of our sample models. So at this point, you’re probably thinking one of two things: Either you’re amazed by how smart the system is and are convinced it can effortlessly answer nearly any question about any data; or you don’t believe such a thing is possible and are certain it only works in carefully designed toy models after an army of PhD linguists have hand-tuned the system for years.

The truth is somewhere in between.

First off, I must admit that I do have a team of natural language wizards at my disposal. However, their magic is reserved for building the core capabilities of the system, rather than optimizing for any specific model. What they’ve built is essentially a natural language understanding engine based on traditional search and pattern matching techniques, enhanced with:

  • Heuristic matching based on the structure of the model
  • General understanding of English syntax
  • Pre-built business intelligence commands, and
  • Customizable domain-specific knowledge of the
    specific kinds of language used in the target model.

These core capabilities can be applied to any data in a Power Pivot model. However, regardless of how much intelligence we build into it, there are clear limits to the abilities of any system to interpret both the data and the questions targeted at it. It can’t calculate “total sales by year” from a pile of customer invoice emails. And it won’t be able to tell you “why sales didn’t go up last year”, even if you kept meticulous records.

But rather than just talking about what it can’t do, let me tell you what it can do.

In this series of articles, I’ll be walking you through details of what you can expect Q&A to understand and some things you can do to both improve the answers and make a wider variety of questions work. In Part 1, I’ll describe what Q&A can do out of the box on raw data with little or no effort. In Part 2, I’ll teach you about basic model optimization beneficial both for building and consuming Power View reports as well as for Q&A. Finally, in Part 3, I’ll give you an early preview of the creation of phrasing rules, which are used to reduce ambiguity and introduce complex terms.

How to get a handle for a WPF window

Basic. WPF is a very robust part of the .NET Framework, but sometimes we need our application to interact with more native aspects of the operating system it runs on. In these cases we need the window's handle, which ...

What is the message loop, or WndProc?

Basic. Windows – and the other controls – work thanks to a message loop; everything we handle as events (mouse click, move, close, resize, maximize, etc.) is really controlled by a loop in which messages are sent ...

Como usar el WndProc en una Ventana WPF

Basic. WPF is a very robust part of the .NET Framework, but sometimes we need our application to interact with aspects more closely tied to the OS windowing system. In those cases we need to intercept messages in the WndProc. ...read more

Get security updates for January 2014


Demystifying Power BI Q&A - Part 1: Something for Nothing


Imagine you need to publish some data for your users to query and build reports against, but you’re up against a tight deadline or running late for a meeting or just plain feeling lazy. So instead of your normal careful scrubbing of the data, cleaning of the schema, and so on, you just quickly import your data into Power Pivot and upload the workbook into your Power BI site. Then almost as an afterthought, you enable it for Q&A. What happens?

Fortunately, Q&A has a set of core natural language understanding abilities which work across every Power Pivot model. First, it has context-dependent keyword search capabilities for both data and metadata. Second, it has a set of built-in knowledge for how to filter, sort, aggregate, group and display data. While Q&A will definitely work better against models that have been optimized for Power View and best against models annotated with phrasing rules, these two primary capabilities apply to all models. Note: In the examples below, I did one such optimization, namely setting the Default Fields on some tables to avoid showing too many columns by default.

Basic keyword search

Columns and Tables

With a raw data import, everything depends on the names of the tables and columns, so hopefully your source data had sensible naming conventions. Q&A detects obvious word breaks and plurals, to allow search terms such as “contact name” to match the column ContactName or “retail customer” to match the table retail_customers. It does not yet, however, try to guess the meaning behind abbreviated names like AvgNetPrft, or ones with non-obvious word breaks like pickuptime, or automatically search related terms such as matching “client” to a table named Customer.

Data Values

Q&A will match string data values it finds in the model. These searches are case insensitive, and will match either the exact word typed or the singular form of that word. For example, “London filo mix orders”, “London Filo Mix orders” and “london orders for filo mixes” will all find orders in London for the product named Filo Mix.

For date and year values, Q&A will make a best guess for which column to match against, based on the column data types.
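To make the name and value matching rules in the two sections above concrete, here is an added example that is not Power BI Q&A's own code (the post does not show its internals): it implements identifier tokenization on obvious word breaks, plural folding, and data-value lookup over a small constructed schema. The names taken from the post are ContactName, retail_customers, AvgNetPrft, pickuptime, Customer, London and Filo Mix; CompanyName, Orders, Employees, ProductName, Chai and Paris are invented for the demo. It also reproduces the two limits the post calls out: abbreviations and unbroken names do not match, and there is no synonym lookup.

```python
import re

# Constructed sample schema in the spirit of the post's sample model.
# ContactName, retail_customers, AvgNetPrft, pickuptime, Customer, London and
# Filo Mix come from the post; everything else here is made up for the demo.
SAMPLE_TABLES = ["retail_customers", "Orders", "Employees", "Customer"]
SAMPLE_COLUMNS = ["ContactName", "CompanyName", "AvgNetPrft", "pickuptime", "City"]
SAMPLE_VALUES = {
    "ProductName": ["Filo Mix", "Chai"],
    "City": ["London", "Paris"],
}


def tokenize_identifier(name):
    """Split an identifier on the 'obvious' word breaks the post mentions:
    CamelCase boundaries, underscores and spaces. A run of lowercase letters
    with no boundary (pickuptime) stays one token, exactly as in the post."""
    parts = re.findall(r"[A-Z]+(?=[A-Z][a-z])|[A-Z]?[a-z]+|[A-Z]+|\d+", name)
    return [p.lower() for p in parts]


def singular(word):
    """Crude English singularization, enough for table/column names and the
    product names in the post. A real system would use a proper stemmer."""
    if len(word) > 3 and word.endswith("ies"):
        return word[:-3] + "y"
    if len(word) > 3 and word.endswith(("xes", "ses", "ches", "shes")):
        return word[:-2]
    if len(word) > 2 and word.endswith("s") and not word.endswith("ss"):
        return word[:-1]
    return word


def match_name(term, names):
    """Return the table/column names whose token sequence equals the search
    term's, ignoring case and plurals. No abbreviation expansion and no
    synonym lookup, so 'average net profit' never hits AvgNetPrft and
    'client' never hits Customer."""
    want = [singular(t) for t in tokenize_identifier(term)]
    return [n for n in names if [singular(t) for t in tokenize_identifier(n)] == want]


def find_values(question, values_by_column):
    """Find string data values mentioned in a question. Each word of a value
    must equal the typed word (case-insensitive) or the singular form of the
    typed word, so 'filo mixes' finds 'Filo Mix'. Words are split on
    whitespace only; trailing punctuation would need stripping first."""
    words = question.split()
    hits = []
    for column, values in values_by_column.items():
        for value in values:
            vtoks = [w.lower() for w in value.split()]
            n = len(vtoks)
            for i in range(len(words) - n + 1):
                window = [w.lower() for w in words[i:i + n]]
                if all(w == v or singular(w) == v for w, v in zip(window, vtoks)):
                    hits.append((column, value))
                    break
    return hits


if __name__ == "__main__":
    print(match_name("contact name", SAMPLE_COLUMNS))        # ['ContactName']
    print(match_name("retail customer", SAMPLE_TABLES))      # ['retail_customers']
    print(match_name("average net profit", SAMPLE_COLUMNS))  # []
    print(match_name("pickup time", SAMPLE_COLUMNS))         # []
    print(match_name("client", SAMPLE_TABLES))               # []
    for q in ("London filo mix orders", "London Filo Mix orders",
              "london orders for filo mixes"):
        print(q, "->", find_values(q, SAMPLE_VALUES))
```

The three example questions from the post all resolve to the same pair of values, City = London and ProductName = Filo Mix, while the abbreviated, unbroken and synonym cases return nothing, which is the behaviour a raw import gets before any model optimization.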

Relationships

When multiple tables or columns are referenced in a query, Q&A utilizes the implicit relationships between a table and the columns it contains (in queries like “customers and their addresses”) and the explicit relationships defined in the model between tables (in queries like “list customers and their orders”).

Distantly related things can be used in a single query, so long as there exists a set of relationships between them.

Contextual ambiguity resolution

Q&A’s keyword search capabilities will attempt to use context to resolve ambiguity caused by duplicate column names or duplicate values. For example, “customers 2012 London phone number” will match “London” to customer city rather than employee city and “phone number” to customer phone number rather than employee phone number.

Commands

Sorting

Anything can be sorted by any related column:

And sorted in a chosen direction:

Equality Filters

Column values can be explicitly filtered:

Or compared to ranges:

Date range filters

Dates can be filtered exactly…

Or as ranges…

Or relative to today.

Aggregation and grouping

Aggregates can be requested for numeric columns.

These aggregates can be filtered…

And grouped.

Explicit visualization type requests

Selection of visualization type can be left to Q&A based on the columns selected and the categories of data specified or inferred in the model (in this case, geographical)…

Or the type can be named explicitly.

The Model

In case you’re interested in playing with this sample model yourself, it can be downloaded here.

Next Time: You get what you pay for

That’s quite a bit of “free” functionality for little to no work on your part, and for certain raw data imports, Q&A does a surprisingly good job of answering user questions. However, there are a number of ways this can go wrong. In Part 2, I’ll step you through the most common problems, and show how you can fix them and improve your Power View experience at the same time.

Until next time, remember: Time flies like an arrow but fruit flies like a banana.

Converting ink to shapes in Visio 2013


Touch devices like the Surface and large-scale devices like PPI displays are making Visio popular for sketching out ideas in front of an audience. If you are not as quick at dropping and connecting shapes with touch gestures, you might find yourself using the Ink tools to quickly draw something and then convert it to real Visio shapes later.

Here are some tips for converting Ink to Visio Shapes in Visio 2013. Here is an example of a rectangle that I have drawn on the page using the Pen Ink tool.

I now want to convert this ink to a more suitable, presentable shape from the stencil that I have open, which you can see to the left in the screenshot above.

I can delete the Ink and then drag a Square from the stencil and drop it in its place.  But I can also use the new Replace Shape feature.

After you draw something with the Ink tools, you will have the Pen or Highlighter tool selected.

The key here is to switch back to the Pointer tool. When in doubt, always switch back to the Pointer tool.

This will change the tools that are available in the Ribbon. This is because the Pen and Highlighter are basically edit tools for the selected Ink item on the page. Once you choose the Pointer tool you are out of edit mode for the Ink, and the Ribbon will update, enabling items such as Convert to Text and Convert to Shape.

Now that the Pointer tool is selected and the “mode” has changed, it is time to “replace” the Ink with any shape from the selected stencil. If you have an Ink shape selected, you will see that the Replace Shape feature is disabled.

It is disabled because the Ink is just a metafile embedded on the page, and Visio cannot do much with it. There is one step before you get access to the Replace Shape feature: choose Convert to Shape.

Once this step is complete you can choose any shape from the active stencil in the Replace Shape gallery.

The Ink will be replaced with the selected shape and will retain the size, position and formatting of the Ink shape that it replaced.

C# – Win32SessionChangesNotifier library for receiving session change notifications

Intermediate. Sometimes we need our software to audit certain events generated by the machine, for example when sessions are opened or closed. This matters, for instance, for kicking off heavy processes when the computer is not in use ...read more

Forms - Receiving notifications when there are session changes

Intermediate. Fortunately this is very easy to do if we use this library: Win32 Session Changes Notifier, which I created myself and which is available on GitHub. Recommended reading: C# – Win32SessionChangesNotifier library ...read more

DIGITAL MARKETING – January 2014 Readiness Update


Competency update: name and requirement changes

Digital marketing is a broad concept, and a potentially misleading term. In 2012, we modified the Digital Marketing competency to focus on our Bing Advertising partners. To complete the transition, in February 2014, the name will be changed to Digital Advertising, and requirements will be updated, to better reflect what Bing partners do.
