
Posts

Showing posts from 2011

MVC 3 and Azure ACS - Protect parts of the site

If you have worked with ADFS 2.0 or another claims-based security model, Azure's Access Control Service (ACS) should not seem all that new to you. It is basically Azure's hosted Security Token Service (STS). Recently I have been building an MVC 3 application and did not want it to be forms-authentication protected. My personal opinion is that no one wants to create one-off logins on the web anymore. To solve this I decided to use MVC 3 with ACS. Adding ACS to your MVC 3 project is not very hard and is explained in a few blogs on the net (here is a good one). You basically just use Visual Studio's "Add STS" function like you would for any other STS. When you add the STS to your project it updates your web.config with the information it needs for federation to work. By default it protects your entire website: every request from an unauthenticated user is redirected to the STS, so you cannot even hit the login page without signing in. But what if I want unauthenticated people to read parts of my website, like the homepage? Well this is what I had to figure…
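As an added example (not the post's own configuration, which is cut off above), this is the shape of a web.config that lets anonymous users reach the homepage while the rest of the site still federates through ACS. The "Add STS" wizard emits a root-level deny for anonymous users (the "?" wildcard), which is what locks down every URL; replacing that with allow-all at the root and moving the deny into a location element for a hypothetical Admin area means only requests under /Admin produce the 401 that the WS-Federation module turns into a redirect to ACS. The Admin path is an assumption, and the wizard-generated httpModules and microsoft.identityModel sections are left as generated and omitted here:

```xml
<?xml version="1.0"?>
<configuration>
  <!-- Added example, not the post's config. Everything the "Add STS" wizard
       generated (federation httpModules, microsoft.identityModel section)
       stays as it was and is omitted here. -->
  <system.web>
    <!-- WIF handles sign-in; ASP.NET's own auth is switched off -->
    <authentication mode="None" />

    <!-- Root rule: anyone may browse. The wizard writes <deny users="?"/>
         here, which is why the whole site demands a sign-in. -->
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>

  <!-- Hypothetical protected area: /Admin and everything beneath it.
       "?" is the anonymous-user wildcard. UrlAuthorizationModule answers 401
       for these requests and WSFederationAuthenticationModule converts that
       401 into the passive redirect to ACS. -->
  <location path="Admin">
    <system.web>
      <authorization>
        <deny users="?" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

The location element works because ASP.NET evaluates the more specific path first, so the root allow never masks the inner deny. In MVC the same effect is usually achieved per controller or action with the [Authorize] attribute, which also returns a 401 that WIF redirects; whichever you use, check it by requesting a protected URL in a fresh browser session and confirming you are bounced to the ACS sign-in page while the homepage loads without one.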

Windows Phone and HTTPS service calls

If you have been working with Windows Phone and trying to make HTTPS calls to other services there are a couple of things you will want to know. Since these calls happen over a TLS connection there are a few nuances you have to be aware of. Windows Phone is pretty touchy about HTTPS certificates. Normally on a web page you can just create a self-signed cert and either bypass the cert trust warning or install the cert into the machine's trusted CA list. Windows Phone does not have this flexibility. During development or test you are probably using a self-signed cert. If your Windows Phone app calls an HTTPS service that uses a self-signed cert you will get an error saying "service not found" or "remote server returned an error: not found." The underlying cause is a certificate validation failure: the cert is not in the phone's trusted certificate store, and the platform surfaces that as a generic not-found error rather than a certificate error. To solve this the emulator or device needs to install the certificate. To do this just navigate to the .cer file in …

Understanding Azure Marketplace event flow

While working with the sample projects in the Azure SDK I wanted to make sure I understood how the Marketplace event flow happens. The tutorial in the Azure SDK 1.4 helps you connect an application so it can handle subscription events from the Marketplace, but a lot of code is generated for you. Once I got it working I still did not really understand the event flow from the Marketplace to my application. The solution? Spend some time digging through all the code and application flow and create a nice little Visio diagram to help visualize it. Below is the diagram I created. Hopefully, if you have used the tutorial, this will help you understand how the components you created and configured actually get wired together.

Azure Access Control - ACS50000: There was an error issuing a token.

I have been playing with the Azure Access Control solution and how to put an application into the Azure Marketplace SaaS offering. The first issue I ran into was getting ACS to work. I had developed a solution with Microsoft's Active Directory Federation Services 2.0 before, so the concept was familiar to me. Even though the topic was familiar, federation errors are often still a pain to resolve. The first thing you have to do is understand whether the error is coming from the provider or the client. In this case, even though ACS is displaying the error, the error is actually coming from the client (the relying party website) as it is rejecting the token. It can be rejecting the token for a few reasons.

1) The certificate thumbprint the website validates against does not match. Check the site's web.config trusted issuers section and make sure the thumbprint matches what ACS has:

<issuerNameRegistry type="Microsoft.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, Microsoft.IdentityModel, Ver…
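Added example (not the post's own web.config, whose fragment is cut off above): the complete trustedIssuers block the thumbprint check refers to, alongside the audienceUris entry that is the other common reason a relying party throws a token away. The ACS namespace name, the relying party URL and the all-zero thumbprint are placeholders; the real thumbprint is the SHA-1 thumbprint of the token signing certificate shown on the ACS portal's Certificates and Keys page, 40 hex characters with no spaces:

```xml
<!-- Added example for the WIF 3.5 <microsoft.identityModel> section.
     Hypothetical values: the ACS namespace "mynamespace", the relying party
     address, and the thumbprint (replace the zeros with the real one). -->
<microsoft.identityModel>
  <service>
    <!-- Must match the realm/relying party address registered in ACS exactly,
         including scheme, host, port and trailing slash. A mismatch here is
         rejected by the site as an audience URI validation failure. -->
    <audienceUris>
      <add value="https://localhost:44300/MyApp/" />
    </audienceUris>

    <!-- The site trusts only tokens signed by a certificate whose thumbprint
         appears here. "name" becomes the issuer value on incoming claims. -->
    <issuerNameRegistry type="Microsoft.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
      <trustedIssuers>
        <add thumbprint="0000000000000000000000000000000000000000"
             name="https://mynamespace.accesscontrol.windows.net/" />
      </trustedIssuers>
    </issuerNameRegistry>
  </service>
</microsoft.identityModel>
```

Two practical checks: compare the thumbprint character by character rather than by eye, because a thumbprint copied out of the Windows certificate dialog frequently carries a hidden leading non-printing character or embedded spaces that make an otherwise identical string fail to match; and when ACS rotates its signing certificate the site keeps rejecting tokens until this thumbprint is updated, so rotation is a change-management event for every relying party, not just for ACS.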

Security Config in IIS Express

I have gotten tired of always having to look this up or remember where it is. That means it is time to post it to my blog so I can find it easier and hopefully others can too. If you are having issues with IIS Express authentication errors (like the 401.2 Unauthorized error I always get) here is some help. I can never remember what the last setting was I had IIS Express set to for authentication. To switch IIS Express between Windows auth and anonymous auth you want to work with the applicationhost.config file. It can be found here: …Documents\IISExpress\config. You want to change the settings in the following area of the config file:

<authentication>
  <anonymousAuthentication enabled="true" userName="" />
  <basicAuthentication enabled="false" />
  <clientCertificateMappingAuthentication enabled="false" />
  <digestAuthentication enabled="false" />
  <iisClientCertificateMappingAuthentication enabled="false"></iisCli…
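Added example (not the post's own file, which is cut off above): rather than flipping the global defaults and forgetting which way they were left, the same settings can be scoped to one site with a location element placed inside the configuration root of applicationhost.config. The site name MySite is an assumption; it must match the name attribute of the site's entry in the sites section of the same file:

```xml
<!-- Added example for applicationhost.config. Put this inside <configuration>,
     after the global <location path=""> block. "MySite" is a hypothetical
     site name taken from <sites><site name="MySite" ...>. -->
<location path="MySite">
  <system.webServer>
    <security>
      <authentication>
        <!-- Anonymous off and Windows auth on for this site only, so a
             site whose web.config contains <deny users="?"/> gets a real
             identity instead of a 401.2. -->
        <anonymousAuthentication enabled="false" />
        <windowsAuthentication enabled="true">
          <providers>
            <add value="Negotiate" />
            <add value="NTLM" />
          </providers>
        </windowsAuthentication>
      </authentication>
    </security>
  </system.webServer>
</location>
```

The reason this has to live in applicationhost.config rather than the site's own web.config is that the anonymousAuthentication and windowsAuthentication sections are declared there with overrideModeDefault="Deny", so a site cannot enable them for itself. A 401.2 typically means the site denies anonymous access but IIS Express has no authentication scheme enabled that could supply an identity; after editing, stop and restart IIS Express, since it reads the file on start-up.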

Sharepoint 2010, ADFS 2.0 and Roles

I actually copied this article from here. I have been working with ADFS a lot and know that before long this will come in handy so I wanted to save it on my blog.

February 6th, 2010 by Fredrik Lindström in ADFS, Windows Server 2008 R2

I've been tinkering quite a bit with Sharepoint 2010 and ADFS 2.0 lately and figured that this was worth sharing. I followed the steps outlined in Travis Nielsen's blog post to configure a federated identity provider in Sharepoint 2010 and configured ADFS 2.0 in my own way since our setup involves quite a few partner organizations. One thing that is not mentioned in the step by step guide is how to configure Sharepoint to accept role claims and assign access rights based on those claims. The following Powershell snippet will do the trick:

$issuer = Get-SPTrustedIdentityTokenIssuer
$issuer.ClaimTypes.Add("http://schemas.microsoft.com/ws/2008/06/identity/claims/role")
$map = New-SPClaimTypeMapping "http://schemas.microsoft.com/ws/2008/06/identity/claims/role" -Inco…