ASP.NET Security Update Shipping Tuesday, Sept 28th

An hour ago Microsoft released an advance notification security bulletin announcing that we are releasing an out-of-band security update to address the ASP.NET Security Vulnerability that I’ve blogged about this past week.  The security update is fully tested, and is scheduled for release tomorrow – Tuesday September 28th – at approximately 10:00 AM PDT.  The advance notice bulletin is intended to ensure administrators know it is coming, and are better prepared to apply it once the update is available.

We’ll release the update tomorrow via the Microsoft Download Center (I’ll blog links to the individual downloads for each version of .NET).  We will then release the update via Windows Update and the Windows Server Update Service in a few days as we complete final distribution testing via these channels.

Applying the update addresses the ASP.NET Security vulnerability, and once the update is applied to your system the workarounds we have previously blogged about will no longer be required.  Until you have installed the update, though, please do make sure to continue using the workarounds.

You can learn more about tomorrow’s security update release from this Microsoft Security Response Center Blog Post as well as the official Advance Notification Bulletin.  We will also hold a special webcast for the bulletin release on Tuesday, September 28, 2010 at 1:00 PM PDT, where we will present information on the bulletin and take customer questions. If you are interested in attending the webcast, click here to sign up.

Thanks,

Scott

Limiting which user can access service using the Windows Identity Foundation

In my previous blog post I demonstrated how to secure a workflow service using the Windows Identity Foundation. With this in place we only allow users that are trusted by the STS Dominick Baier wrote. That is nice but in some cases we might not want all users to be able to perform all actions.

How can we check for individual users against a specific action?

Using an STS we don’t get the user credentials from the client application, but we do get a lot of information in the form of security tokens issued by the STS, by means of a SAML header. When we are using Windows Identity Foundation, the place to check whether a user may use a specific resource is a ClaimsAuthorizationManager. This ClaimsAuthorizationManager is very simple: it contains just a single method we need to override, CheckAccess(), which returns a boolean indicating whether the user is allowed.

The CheckAccess() function is passed an AuthorizationContext, which lets us determine the resource requested (the URL of the workflow service in this case) and details about the user. So suppose we only want to let users with the role “Managers” into our service; we would need the following code:

using System.Linq;
using Microsoft.IdentityModel.Claims;

public class MyServiceClaimsAuthorizationManager : ClaimsAuthorizationManager
{
    public override bool CheckAccess(AuthorizationContext context)
    {
        // Note: this default is fail-open. Any resource other than the one
        // checked below is allowed without looking at the user's claims.
        var result = true;

        var resource = context.Resource.First();
        if (resource.Value == "http://localhost:1533/Service1.xamlx")
        {
            // Look through the claims of every identity in the principal
            // for a role claim with the value "Managers".
            result = (from i in context.Principal.Identities
                      from c in i.Claims
                      where c.ClaimType == ClaimTypes.Role
                      select c).Any(r => r.Value == "Managers");
        }

        return result;
    }
}

The Resource property contains whatever we want to access and the Principal property contains the details about the user wanting access. In this case the Thinktecture STS provides us with the roles of the user.

We also need to register this in the web.config file using the <microsoft.identityModel><service> section. This can be done by adding the <claimsAuthorizationManager> element as follows:

<microsoft.identityModel>
  <service>
    <audienceUris>
      <add value="http://localhost:1533/Service1.xamlx" />
    </audienceUris>
    <issuerNameRegistry type="Microsoft.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
      <trustedIssuers>
        <add thumbprint="7974900A2BB2829BE987C17D2F4503F07C321032" name="http://sample.thinktecture.com/trust/stsdm" />
      </trustedIssuers>
    </issuerNameRegistry>
    <claimsAuthorizationManager type="MyService.MyServiceClaimsAuthorizationManager,MyService"/>
  </service>
</microsoft.identityModel>

With this in place the student can no longer send requests to the workflow service but the manager is free to do so.

Authorizing users based on our own data

So far we have been allowing a user in based on the role data for that user. That works fine, but suppose we want to use a very different criterion, for example the office location he or she is based in?

The STS is free to add extra claims as it sees fit, and we can use any claim we want to authorize users. The STS Dominick Baier wrote also contains a claim for the office the user is based in. Suppose we only want to allow users based in the Zoetermeer office to use our web service; we could change our ClaimsAuthorizationManager to the following:

using System.Linq;
using Microsoft.IdentityModel.Claims;
 
namespace MyService
{
    public class MyServiceClaimsAuthorizationManager : ClaimsAuthorizationManager
    {
        public override bool CheckAccess(AuthorizationContext context)
        {
            var result = true;
 
            var resource = context.Resource.First();
            if (resource.Value == "http://localhost:1533/Service1.xamlx")
            {
                result = (from i in context.Principal.Identities
                          from c in i.Claims
                          where c.ClaimType == "http://sample.thinktecture.com/claims/office"
                          select c).Any(r => r.Value == "Zoetermeer");
            }
 
            return result;
        }
    }
}

Using this query against the custom http://sample.thinktecture.com/claims/office claim we only allow users from the Zoetermeer office. Nice, as our service has nothing to do with managing user locations; all of that is done centrally by the STS.
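As an added example (not code from the original post), the role check and the office check above combined into one manager that denies by default, together with a small hypothetical harness that runs constructed principals through it. It assumes the WIF 3.5 Microsoft.IdentityModel.Claims types and the AuthorizationContext(principal, resource, action) constructor; the service URL and claim type are the ones used in the post.

```csharp
using System;
using System.Linq;
using Microsoft.IdentityModel.Claims;

namespace MyService
{
    // Deny-by-default variant: an unknown resource, or a principal missing
    // either the role claim or the office claim, is rejected.
    public class StrictClaimsAuthorizationManager : ClaimsAuthorizationManager
    {
        // Values taken from the post; adjust them to your own service and STS.
        public const string ServiceUrl = "http://localhost:1533/Service1.xamlx";
        public const string OfficeClaimType = "http://sample.thinktecture.com/claims/office";

        public override bool CheckAccess(AuthorizationContext context)
        {
            // Fail closed: no resource, or a resource we do not know, means no access.
            var resource = context.Resource.FirstOrDefault();
            if (resource == null || resource.Value != ServiceUrl)
            {
                return false;
            }

            // Flatten the claims of every identity the STS token produced.
            var claims = context.Principal.Identities.SelectMany(i => i.Claims).ToList();

            bool isManager = claims.Any(c => c.ClaimType == ClaimTypes.Role
                                          && c.Value == "Managers");
            bool inZoetermeer = claims.Any(c => c.ClaimType == OfficeClaimType
                                             && c.Value == "Zoetermeer");

            // Both conditions must hold; a missing claim never grants access.
            return isManager && inZoetermeer;
        }
    }

    // Hypothetical harness, not part of WIF: builds a principal from constructed
    // claims and runs it through the manager the way a unit test would.
    public static class AuthorizationDemo
    {
        public static bool Allowed(string role, string office)
        {
            var identity = new ClaimsIdentity(new[]
            {
                new Claim(ClaimTypes.Role, role),
                new Claim(StrictClaimsAuthorizationManager.OfficeClaimType, office)
            });
            var principal = new ClaimsPrincipal(identity);
            // Assumed WIF 3.5 constructor: principal, single resource, single action.
            var context = new AuthorizationContext(principal,
                StrictClaimsAuthorizationManager.ServiceUrl, "Invoke");
            return new StrictClaimsAuthorizationManager().CheckAccess(context);
        }

        public static void Main()
        {
            Console.WriteLine("Manager in Zoetermeer: " + Allowed("Managers", "Zoetermeer"));
            Console.WriteLine("Student in Zoetermeer: " + Allowed("Students", "Zoetermeer"));
            Console.WriteLine("Manager elsewhere:     " + Allowed("Managers", "Amsterdam"));
        }
    }
}
```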

Enjoy!

www.TheProblemSolver.nl

Wiki.WindowsWorkflowFoundation.eu

BizTalk 2010 Released

I noticed, with not too much fanfare, that BizTalk 2010 has finally been released, a few days earlier than expected. We were expecting the end of this month, but we got it on the 27th.

http://www.microsoft.com/biztalk/en/us/default.aspx

You can now download the Developer edition for free; there is no license required or cost involved in using the developer edition.

It works quite nicely with Visual Studio 2010, and comes complete with all the adapters required.

You can download the evaluation version here:
Evaluation Version

Or the Developer Version here: Developer Edition

You may not see it on MSDN as yet for

Jumping Rattlesnakes..

It’s been a very long time since I posted something here that is not technical, nothing to do with Azure/BizTalk/SOA/ESB, etc. However, I had a rather unusual adventure today that relates back to a long-ago post I did (one of my 5 “favorite posts” I’ve ever done, you can read it here), and as it was so unusual, I felt inspired to write about it.

For most people on the planet, I’ll bet if you were hiking and a rattlesnake dropped right in front of you, you’d probably say “What the .????”. I, on the other hand, can actually say “Oh no, not AGAIN!”.

I have now had 3 really-close incidents (in addition to numerous not-so-close encounters, but that’s not the topic here), and the pattern is always the same. It’s always near the end of a hike. The first time was a pretty grueling hike while I was “in training” for trekking in Thailand, there was one last year when I was backpacking with my daughter in the Cascades in Washington state (both of those were 10 mile-ish hikes before “The Incident”). The latest was earlier today. I was at the Olivenhain Water District recreation preserve near Elfin Forest, pretty close to home, and a place I like to go to get in a quick hike, or when I am “in training” for backpacking.

In case this is something you want to try for yourself, here’s how I do it:

  1. Hike fast and hard, get tired and hot. If you can get close to exhaustion, it really enhances the experience!
  2. Have a rattlesnake fall UNEXPECTEDLY out of a bush directly in front of you and within striking distance, close enough that you’re about to step on it (this is the hard part, but I seem to be able to do it!)
  3. Deeply rooted ancient species memory going back to Neanderthal days triggers an immediate adrenaline rush. Before my eyes fully realize what I am seeing and have time to tell my brain, I find myself already propelled backwards by reflex action, arcing through the air. Then comes the pain of landing in some contorted position. I figure the time to get airborne is only about 200 milliseconds

There were SOOOO many ironies around today:

  • There was a group of 5 people behind me, that had been out since 4:30am, who were looking for snakes, and had hiked 10 miles without seeing one
  • They had cameras (I didn’t, because this is such a “routine” hike for me). THANK YOU Tamara for these awesome pictures
  • Minutes before the snake “dropped”, I had been scanning side-to-side on the trail, looking for snakes, but had stopped and let my guard down. Not that it would have made much difference!
  • I had my Zune cranking with some heavy jazz-rock fusion, a highly-modulated continuous wall of sound playing on high-end ear buds through which I should NOT have been able to hear ANYTHING external. Somehow, that faded into the background and I heard a rattle, although I’m not 100% certain if it was real or imagined (everything happened VERY quickly)
  • Apparently my contorted arc through the air was an impressive/amusing thing to watch, unfortunately there is no video! I’d love to see what my body did. All I know is I hurt my arm a bit absorbing the impact of re-entry

From Tamara:

“My official title is "field herper."  Field herping is a hobby that involves viewing "herps" (reptiles and amphibians) in their native environment.  Some field herpers collect the herps as pets, but most (like me) just take photos.  And to prove that I’m not alone, I’m a member of the North American Field Herping Association (NAFHA).  NAFHA members document their herp finds and enter the information into a database.  Researchers and professional herpetologists can then request to use that information relating to certain species or geographic areas.  So our rattlesnake from today will end up as an entry in that database, in case anyone is ever interested. ”

[HERP stands for Herpetological Educational and Research Project ]

Given what seems to be my natural ability to have wildlife encounters (snakes, sharks, bears in remote regions, mountain goats, still looking for cougars/mountain lions), I will consider joining this group. It’s a cool idea, the public becomes the field eyes accumulating data that could not effectively be gathered otherwise.

And hey, if snakes keep seemingly dropping from the sky in front of me, seems to me I should mention it to someone

BizTalk Server 2010 RTM notes

I generally try not to blog about the same thing as countless others do, but being a BizTalk MVP I feel obliged to make some notes about the release of BizTalk Server 2010 as it really is big news.

BizTalk Server 2010 has actually been RTM for a while and available to Volume License customers for a short period of time already. It will become available for general purchase on October 1st – or so the official announcement on the BizTalk Team Blog says. That post does a good job of covering the news in the release, as does the microsoft.com New Features in BizTalk Server 2010 page. For an even more comprehensive write-up download the Microsoft BizTalk Server 2010 Technical Overview white paper.

There are also numerous other MS web pages that have been updated. I’ll try to highlight a few of the things I haven’t seen mentioned so far and provide links to the more important ones:

  • Editions
    • The Development Edition is now a FREE download and the page clearly states that it’s the one to use for development and testing environments, which is a relief since it’s a discussion I’ve been in more than once regarding the use of MSDN licenses.
    • The BizTalk Adapter Pack is no longer licensed separately. You need at least STD for this.
  • Pricing and Licensing Overview
    • BizTalk Server has gotten slightly more expensive for the production environments ($44k ENT, $10k STD).
    • Current limitations with STD are still there: Single Server, Two procs AND as it seems limited 64-bit support. The technet 64-bit Support pages seems to confirm that STD still has a 64-bit exception when compared to other versions.
    • The AppFabric Connect feature is an installation option. Since I see no real licensing info about it I’m assuming it’s not stand-alone. And since the prerequisite of the Adapter Pack that makes some of that magic happen is packaged with STD (and up), I can only assume at this point that using the mapper in production also requires at least STD. I would still argue that it could be well worth it to enable scenarios like this.
  • Pricing and Licensing FAQ
    • There is a running discussion on how long Microsoft can continue to license per socket instead of heading in a slightly different direction as the number of cores become more and more. Whenever (if ever) that happens. It’s not now. BizTalk continues to be licensed per proc.
    • The ISV Licensing (formerly Runtime Editions) is still there. This is not a really well known possibility, but essentially it allows you to package BizTalk as part of your product. The customer can’t use it with any products except your own. It’s hard to get a quote for this as it isn’t publicly listed anywhere, but it’s way cheaper than ordinary licenses. I have a quote, but I don’t want to put it out there. You could probably just call your local MS rep or Licensing partner to get your own.
  • System Requirements
    • You should not be fooled by the fact that it says minimum 2GB of RAM. If you install BizTalk on a 64-bit system you will want at least 4GB of RAM. And I’m saying that even though Windows Server 2008 (R2) says that its minimum system requirement is 512MB. I suppose no one reading would want to try that either.
  • BizTalk Developer Center
    • Has been updated with a lot of new content for BizTalk Server 2010 and October’s theme is the BizTalk Server 2010 Launch.
    • There’s also a BizTalk Server 2010 Training Kit available. It contains 6 labs for the Developer and 3 for the Admin that highlight new features. It’s great to see the Admin getting some much needed love on the training side. There are also 6 videos available, weighing in at an 823MB download.
    • A lot of other online content like the tutorial scenarios seems to have been getting an overhaul as well (as you would expect), showing off screenshots of the new mapper and other new features.
  • Microsoft BizTalk Server 2010 Help
    • Except for the updated online version there are numerous downloadable documents. The Installation and Upgrade guides as well as the CHM – which personally, I couldn’t do without.
  • MSDN Subscriptions
    • So far there is no availability through this channel. I would love to see an .iso for the Developer Edition as I’m not too fond of keeping extracted catalogs around, or self-executable zip files. Keep this feed in your feed reader to be notified when it arrives.
  • Upgrading from Beta
    • Although some people (like Brian Loesgen) seem to have been able to upgrade seamlessly from the beta, I couldn’t. I got an exception saying that the Enterprise version was installed and that I had to uninstall before installing. Fair enough. My Beta version does register as Enterprise in the Add/Remove programs dialog.
  • Errors and issues
  • Misc new features and updated tools

That ended up being quite a lengthy post. But then again I’m a superstar and that’s how I do it! I hope it helps.

How to use the new “FTPS adapter” with BizTalk 2010

First of all – there is no new FTPS adapter. The already existing FTP adapter has been extended to support FTPS, which is really all you need anyway. However, several publications from Microsoft state there is a new FTPS adapter, which might be somewhat confusing.

So what is FTPS?

Support for FTPS was added with IIS 7.5. It is FTP over SSL, similar to HTTPS, although it lacks some of the underlying infrastructure. When you visit an HTTPS site, you might be given various warnings if the certificate is not among your trusted ones. If you choose to ignore these warnings (and recommendations), you’re provided with the option of installing the public key in your certificate store. This logic is provided by your browser, and is a helpful way to manage your trusted sites.

The FTPS client (BizTalk in this case), however, requires the public key to be installed manually before it can use it. When you’ve installed it, it works like a charm.

Create a Certificate

First you’ll need a certificate with a private key. There are several ways to create a certificate, but for the purpose of this sample, I’ll create one using IIS 7.5 Manager.

Select the site root in the Connections pane on your left side. In the Action pane on your right, click the “Create Self-Signed Certificate”.

This will open a new dialog, where you can set a friendly name of your certificate:

When you’ve clicked Ok, you should be able to see the certificate in the list of Server Certificates. Select your newly created certificate and click “Export” in the Action pane. Set the path and password, and click Ok. This step will export the public key, which we’ll use later on.

Enable FTPS on your FTP site

As we now have a certificate created and registered on our server, we can proceed to enable our FTP site to use it. Select your FTP site, and double-click the “FTP SSL Settings” icon on your FTP Home page.

In the SSL Certificate dropdown list, select your certificate. You can choose either to Allow or to Require SSL connections. In this case I’ve chosen to “Require SSL Connections”. Click “Apply” in the Action pane, before you continue.

While in the FTP Home page, you might want to look over the “FTP Authentication” and “FTP Authorization Rules” as well.

Install the Public Key

Your FTP server is now ready to accept incoming SSL connections, and we can proceed with setting up the client (BizTalk). But first we need to install the public key which you exported earlier. In my case, I’m logged in as Administrator, which happens to be the same account I use for my host instance. Hopefully this is not the case for you, in which case you’ll need to log off and log in as the account you’re running the host instance with.

Logged in as the host instance account, browse to the folder where you exported the certificate to. Double click the certificate, and proceed with default values.

(PS there is probably a better way to do this, without having to log on as the service account. If you know how, please let me know) 

When you’re done installing the certificate, log off again, and log back on as your regular user.

Extract the Thumbprint

Open the Certificate Manager (Start->Run->certmgr.exe), browse to the Trusted Root Certificate Authorities\Certificates folder, and double-click the certificate. Select the “Details” tab on top. Scroll down to the Thumbprint field, select it, and copy the value.

Configure Your BizTalk Port

I assume you are familiar with the normal FTP transport settings, so when you’re done configuring the server, port, username and password, paste the thumbprint in the “Client Certificate Hash” property. Set the “Use SSL” property to “true”. Start the port. You are done!
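As an added example (not from the original post), the "Install the Public Key" and "Extract the Thumbprint" steps above done in code instead of through the GUI: the exported certificate file is added to the Trusted Root Certification Authorities store of the account running the program, and the SHA-1 thumbprint for the “Client Certificate Hash” property is returned. The file path and password are assumptions; like the GUI steps in the post, it has to run under the host instance account.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;

public static class FtpsCertInstaller
{
    // Imports the certificate file into the current user's Trusted Root store
    // and returns its thumbprint. Pass the export password for a .pfx; a plain
    // .cer (public key only) needs no password.
    public static string InstallAndGetThumbprint(string certPath, string password)
    {
        var certificate = password == null
            ? new X509Certificate2(certPath)
            : new X509Certificate2(certPath, password);

        // Same store the post opens in certmgr.exe: Trusted Root Certification
        // Authorities of the account running this program.
        var store = new X509Store(StoreName.Root, StoreLocation.CurrentUser);
        store.Open(OpenFlags.ReadWrite);
        try
        {
            // Adding a certificate that is already present is harmless.
            store.Add(certificate);
        }
        finally
        {
            store.Close();
        }

        // Upper-case hex, no spaces: ready to paste into the port property.
        return certificate.Thumbprint;
    }

    public static void Main(string[] args)
    {
        // Assumed arguments: path to the exported file and, optionally, its password.
        string path = args.Length > 0 ? args[0] : @"C:\certs\ftps-server.pfx";
        string password = args.Length > 1 ? args[1] : null;
        Console.WriteLine("Thumbprint: " + InstallAndGetThumbprint(path, password));
    }
}
```

Running it with runas /user:&lt;host instance account&gt; avoids logging on interactively as the service account, which is the part of the post's procedure the author wanted a better way for.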

HTH