Trying to clone a repo using the GitHub for Mac client at work today was failing due to our proxy server. All my repos would show up, but they would fail when cloning, and trying to synchronize wouldn’t work either. I know I am sitting behind a HTTP proxy at work, but I assumed the GitHub client would just inherit the proxy settings already defined in the OSX preferences. Apparently not… so I hunted around the app to try and find dedicated proxy settings. Again, no luck here, but after looking around forums I discovered you could use the command line to set the proxy:

git config --global http.proxy http://proxy:port

I restarted the GitHub client, and now it would happily clone and sync my repos.

Read More

In this post I provided a description of the active federation authentication pattern and shared how to implement it with RIA Services. In this post I will show how to do the same but use a regular WCF service instead of a RIA Services DomainService. I am including the diagram from my last post, with some minimal modifications here.

I should clarify why I am putting the word active in quotation marks. The following will only make sense if you understand the difference between passive and active federation, which is outlined in the post linked above. In the passive federation case, the user never enters their credentials in the client app; they are redirected to the STS of the identity provider organization. This way the user is providing their credentials directly to the party they trust, and not to the app, which they may not trust. In the active federation case, they actually provide their credentials to the client app, and trust that the app will not be malicious, and will simply forward those credentials to the STS of the identity provider. The client app is responsible for creating a secure login UI, and also for securely transmitting the credentials to the STS. That is a lot of responsibility, and in traditional active federation scenarios, the client app uses strong encryption to guarantee the secure transfer of credentials. Still, lots of users may be reluctant to type in their credentials into a client app they don’t trust.

In this example I show how to do the active federation flow, and my client app does collect the credentials. I have hand-rolled my login UI, and cannot make any guarantees as to how secure it actually is. For the communication with the server, I simply use HTTPS, instead of more comprehensive message-level security. So my example reaps the convenience of the active flow (no need to redirect the user to a different page, login happens in-app), however may not provide the traditional security guarantees associated with it. Hence “active”. 

What I provide here may be perfectly secure for many scenarios but is up to you, the developer, to assess if this particular setup satisfies the requirements of your users and your organization. 

Now some specifics of the sample. It’s a simple app that can draw squares on the screen according to a Fibonacci tiling. There are two registered users: fabrikam\yavor and fabrikam\test and the password for both of them is 12345. Both can log into the app, however only the fabrikam\yavor user is in the role Calculators, meaning people who can carry out calculations on the service. This is enforced by the following attribute on the service’s GetSequence method.

[PrincipalPermission(SecurityAction.Demand, Authenticated = true, Role = "Calculators")]
public int[] GetSequence(int max)

The bottom line here is that even though we have a STS with external user authentication, we kept authorization local to our app (we use ASP.NET roles). That’s a choice you can make as a developer - you can also externalize the user roles (or claims) as part of the STS, or keep them local.

There are lots of extra details in the app, which you’ll see by exploring the source.

The code is available here. The solution should be fairly self-contained, so all you need to run it is Visual Studio 2010 and the Windows Identity Foundation Runtime. Here are some additional notes on the structure of the sample:

• First, please run the included SetupCertificates.cmd script inside the Scripts folder
• The solution will create two applications in your local IIS instance: FibonacciService and IdentityProviderAndSts. Make sure you launch Visual Studio as Administrator, so it has permission to create those. Also make sure you enable HTTPS so both of the applications in the IIS Manager

I want to credit the folks behind the Identity Developer Training Kit, from where I shamelessly stole some code.

Read More

UPDATE: Folks from the Windows Azure team have posted an improved solution for how to host NetTcp services in Azure by using a WebRole instead of a WorkerRole, which simplifies the setup quite a bit.

Silverlight 4 added support for WCF’s NetTcpBinding, which is a performant and scalable TCP-based binding. It is also a useful binding when used in Windows Azure because it is not affected by Azure’s random load-balancer when using multiple instances of the service and creates an effectively pinned duplex connection to the cloud. The only disadvantage of the NetTcp binding is that it Silverlight does not support TCP transport security, so all the traffic to the web service is unsecured and can be intercepted by malicious parties. That may or may not be acceptable for your application.

I put together a sample on how to host a NetTcp service in Azure and consume it using a Silverlight client. The first thing to keep in mind here, is that Silverlight has some networking restrictions for security reasons. One of this restrictions is that if you want to speak TCP to a server, the server has to expose a policy file over port 80 explicitly listing the ports that it allows TCP for. Moreover, the ports have to be in the range 4502-4530. In other words if my Silverlight app wants to talk to net.tcp://contoso.cloudapp.net:4502, then I need to expose a policy file at http://contoso.cloudapp.net:80. 

Another interesting concern here is that hosting WCF NetTcp services is only allowed in Azure Worker Roles. This is because the Azure Web Role (which is basically an IIS instance) does not have WCF non-HTTP activation enabled.

My sample actually shows two separate approaches on how to implement this. If you already have an external web server where you host static HTML content as well as your Silverlight XAP file, the sample shows an approach using a single Worker Role.

Now if you don’t have an existing webpage, you are probably already considering a Web Role, where you can host the static HTML files and Silverlight XAP file. In that case we can make our life easier by reusing that WebRole to host the clientaccesspolicy.xml file as well. This diagram shows that approach: Web Role + Worker Role.

To run the sample, you need to install the following:

• Visual Studio 2010
• Windows Azure SDK v1.4
• Windows Azure Tools for Microsoft Visual Studio 2010 Platform v1.4

Keep in mind that when you run the sample locally in the development fabric, it will not run correctly, because the the emulator cannot use port 80. Since the policy file has to be hosted on port 80, calls from Silverlight to the service will fail. This gets resolved when you publish the sample to the cloud.

You can get the sample code here. 

Read More

UPDATE: A coworker here at Microsoft has brought up some interesting thoughts regarding this approach, and I’ve added a brief discussion below the second diagram.

Recently I decided to experiment with RIA Services in federated authentication scenarios. For those of you that aren’t familiar with federation, let’s consider the following scenario: my company Contoso builds an expense reporting application that I host in the cloud. One day I get Fabrikam to sign up as a client, and now I have to onboard all Fabrikam employees onto my system. It is true that I could create a login for every employee, but that is impractical because Fabrikam employees have to remember that extra login, and also I would need to keep my list of logins in sync when employees join or leave Fabrikam.

The solution for this is federated authentication, where my app can use a third-party (Fabrikam’s) authentication provider (also known as a Security Token Service or STS) to authenticate users. I won’t try to explain federation from scratch, because Microsoft’s patterns & practices has a great write-up. You can squint and ignore some of the claims stuff as it’s not super relevant to what I’m describing here.

To build an app with federated auth using RIA Services, most folks resort to passive federation, which you might be familiar with from using things like your LiveID login. The passive approach is browser-friendly and uses a combination of cookies, URIs and redirects to log you in to the site you’re trying to access.  The downside in the case of Silverlight is that you cannot complete the login inside your app: you have to navigate away from the Silverlight control, type in your credentials into a HTML (or ASPX) page, and then be bounced back by your browser to reload the control. Another downside is that you need to host a HTML page for the user to type in their credentials, in addition to the Silverlight app and the web services, which might not be desirable.

The following diagram has a more detailed explanation of the exact flow that happens during the passive scenario:

From what I’ve seen, most folks use this passive pattern with RIA today. Eugenio Pace’s blog has a few great write-ups and demos that you can try out. Some are a bit dated, but you should be able to find your way around.

What I wanted to try out was the active federation case, in which the Silverlight app talks dirctly to the identity provider. This has the benefit of having the user type their credentials directly into the Silverlight app, without having to leave the page, which results in a more polished and faster user experience. Eventually, as the crypto support in Silverlight improves, it may end up being a more secure solution as well, if we are able to encrypt and sign the tokens that are being exchanged. The following diagram demonstrates the slightly different message flow in the active case. Note that the app itself is doing most of the work, not the browser.

Some interesting considerations emerged in conversation with Robert O'Brien, an architect here at Microsoft. Please consider these before building your own app:

• One of the things we gain in this approach over a passive federation approach is the ability to log the user in from inside our UI. That provides for a better user experience, but it also puts the burden on our app to expose a credentials UI and pass the token over to the service. Potentially this could be a security risk for our app. Some folks believe that this goes against the spirit of federated authentication since it takes control away from the identity provider.
• The implementation shown here relies on WS-Trust as the protocol for the token. Unfortunately in today’s federated web, it seems like only ADFS and maybe OpenID servers honor that protocol. If you are trying to use WS-Trust and use Facebook/Yahoo/Google (either directly or through Azure’s Access Control Service) as the identity provider, you will find that WS-Trust is probably not supported. So outside the enterprise environment, this approach might not work.

Now some specifics of the sample. It’s a simple master/detail application that allows you to display and edit data. There are two registered users fabrikam\yavor and fabrikam\test and the password for both of them is 12345. If you don’t log in and try to display the data, you will get an error because of the EnableClientAccess attribute.

[RequiresAuthentication]
[EnableClientAccess()]
public class CustomersService : LinqToEntitiesDomainService<AdventureWorksLT2008R2Entities>;

All authenticated users can view the data, but only users in the Editor role can make changes to it. Only the user fabrikam\yavor is in that role.

[RequiresRole("Editors")]
public void UpdateCustomer(Customer currentCustomer)

The bottom line here is that even though we have a STS with external user authentication, we kept authorization local to our app (we use ASP.NET roles). That’s a choice you can make as a developer - you can also externalize the user roles (or claims) as part of the STS, or keep them local.

There are lots of extra details in the app, which you’ll see by exploring the source.

The code is available here. Note that you need the following installed on your machine for it to work:

• Visual Studio 2010
• SQL Server 2008 R2 Express
• SQL Server 2008 R2 Management Studio Express 
• WCF RIA Services V1 SP1/SP2
• Windows Identity Foundation Runtime
• The AdventureWorks LT 2008R2 database for SQL Server Express 2008 R2

Here are some additional notes on the structure of the sample:

• First, please run the included SetupCertificates.cmd script inside the Scripts folder
• The solution will create two applications in your local IIS instance: AddressBookFederatedAuth and IdentityProviderAndSts. Make sure you launch Visual Studio as Administrator, so it has permission to create those. Also make sure you enable HTTPS so both of the applications in the IIS Manager
• Change the Application pool under which those applications are running to use the Network Service account. 
• Use SQL Server Management Studio, make sure Network Service is added as a login to your SQL instance. When you add the account, make sure you give him some sane Server Roles (for example sysadmin). Let me know in the comments if you find any of these steps difficult and I can provide more detailed instructions.

I want to credit Eugenio Pace, Kyle McClellan, and the folks behind the Identity Developer Training Kit, from where I shamelessly stole some code.

Read More

Recently we were contacted by a customer who was building a Release version of their assembly in Visual Studio and encountered the following error:

You could get the same error if you attempt to run the sgen.exe tool on the built assembly:

~~~ Microsoft ® Xml Serialization support utility [Microsoft ® .NET Framework, Version 4.0.30319.1] Copyright © Microsoft Corporation. All rights reserved. Error: Unable to load one or more of the requested types. Retrieve the LoaderExceptions property for more information.

Read More

As you know one of the new features in RIA Services V1 SP1 is support for T4 templates. The T4 template is a design-time artifact that can modify the way RIA Services client-side code generation happens. For more information on T4 templates, check out Jeff Handley’s blog post on the subject.

Recently I was experimenting with RIA Services and I discovered that the IntelliSense comments for my entities were very sparse on the client. For example my Customer entity has a CompanyName property and the IntelliSense comment for that was:

Gets or sets the "CompanyName" value.

It was clear that this comment was being generated automatically, which was quite annoying because I had used my entity model on the server to carefully create useful comments for each property.

I hear EF is actually smart enough that it supports defining these comments in the database itself, and they will get copied over when you create the model, but I haven’t tried it myself.

So I set out to write a T4 template to take those comments from the server types generated by EF and copy them over to my Silverlight project.

The first step was to tell Visual Studio to scrape all the types in my server project and generate a XML file containing their comments, by going to the Build tab of project properties and checking this box: 

This file is usually used for IntelliSense, but you can open it up and the schema is pretty self-explanatory. Because code comments don’t get compiled into assemblies, this is the only way I know to tell VS to export the comments from my entities.

The next step was to write a simple T4 template using RIA Services extensibility. What this does is that as it is about to generate a type on the client (which happens when you build), it will look up that type name and all its properties in the above XML file, and copy the comments over to the generated file.

~~~ csharp [DomainServiceClientCodeGenerator(typeof(CommentsClientCodeGenerator), “C#”)] public class CommentsClientCodeGenerator : CSharpClientCodeGenerator { private XElement comments;

Read More