Tuesday 16 October 2012

DDD North 2 Resources

At the end of my talk at DDD North 2 there was a massive amount of URLs for people to reference later. Here is a copy of all of those links

ASP.NET Resource

•Web session management security - http://www.isecpartners.com/files/web-session-management.pdf

•OWASP Top 10 by Troy Hunt - http://www.troyhunt.com/2011/12/free-ebook-owasp-top-10-for-net.html

•ASP.NET Security Guidance - http://wiki.asp.net/page.aspx/48/security-guidelines-and-recommendations/

•MSCASI tool - http://support.microsoft.com/kb/954476

•AntiXSS Toolkit - http://wpl.codeplex.com/

•ASP.NET Security Guidance - http://blogs.msdn.com/b/nunoc/archive/2006/03/04/543631.aspx

•Advice from SDL - http://blogs.msdn.com/b/sdl/archive/2008/05/15/giving-sql-injection-the-respect-it-deserves.aspx

•ASafaWeb - http://www.asafeweb.com

IIS Resources

•Security Guidance for IIS - http://technet.microsoft.com/en-us/library/dd450371.aspx

•IIS Lockdown tool - http://technet.microsoft.com/en-us/library/dd450372(v=ws.10).aspx

•URLScan – http://www.iis.net/learn/extensions/working-with-urlscan

•IIS Configuring security - http://learn.iis.net/page.aspx/88/configuring-security/

•IIS Security Tools - http://www.iis.net/community/Security

Additional Resources

I will upload a copy of the source files later as a separate post as worked through examples.

Tuesday 10 July 2012

Fixing an SCSM System.Security.Cryptography.CryptographicException

Whoa, that’s a long title!

This morning, I was asked to check our System Center Service Manager portal as it wouldn’t load at all. The error was the banal Internet Explorer cannot display the webpage.

There were a few issues that had to be sorted once I read through the event logs. I sorted them and thought, no problem, the portal should be running again and tried it. IE did its usual spinning circle thingy and I waited while it decided what it would do. Eventually when it did return it said the usual error .. Internet Explorer cannot display this webpage.

When I checked the event logs, I noticed that there was an ASP.NET error repeating itself .. (warning long error coming)

An unhandled exception occurred and the process was terminated.

Application ID: /LM/W3SVC/2/ROOT/CustomEndUser

Process ID: 6820

Exception: Microsoft.EnterpriseManagement.ConfigurationReaderException

Message: Feature of type 'Microsoft.EnterpriseManagement.ServiceDataLayer.ISecureStorageManagerFeature, Microsoft.EnterpriseManagement.DataAccessService.Core, Version=7.0.5000.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35' cannot be added to the container.

StackTrace:    at Microsoft.EnterpriseManagement.ConfigurationReaderHelper.ReadFeatures(XPathNavigator navi, IContainer container)
   at Microsoft.EnterpriseManagement.ConfigurationReaderHelper.Process()
   at Microsoft.EnterpriseManagement.ServiceDataLayer.DispatcherService.Initialize(InProcEnterpriseManagementConnectionSettings configuration)
   at Microsoft.EnterpriseManagement.ServiceDataLayer.DispatcherService.InitializeRunner(Object state)
   at System.Threading.ExecutionContext.runTryCode(Object userData)
   at System.Runtime.CompilerServices.RuntimeHelpers.ExecuteCodeWithGuaranteedCleanup(TryCode code, CleanupCode backoutCode, Object userData)
   at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state)
   at System.Threading.ThreadHelper.ThreadStart(Object obj)

InnerException: Microsoft.EnterpriseManagement.ComponentActivationException

Message: The constructor for the component threw an exception. Please see the inner exception for more details.

StackTrace:    at Microsoft.EnterpriseManagement.ComponentActivator.Activate[T](ActivationContext`1 context)
   at Microsoft.EnterpriseManagement.SingletonLifetimeManager`1.GetComponent[K]()
   at Microsoft.EnterpriseManagement.LifetimeManagerWrapper`2.GetComponent[K]()
   at Microsoft.EnterpriseManagement.FeatureContainer.GetFeatureInternal[T](Type type, String featureName)
   at Microsoft.EnterpriseManagement.FeatureContainer.AddFeatureInternal[T,V](ActivationContext`1 context, String featureName)

InnerException: System.Security.Cryptography.CryptographicException

Message: The profile for the user is a temporary profile.

StackTrace:    at System.Security.Cryptography.Utils.CreateProvHandle(CspParameters parameters, Boolean randomKeyContainer)
   at System.Security.Cryptography.RSACryptoServiceProvider.ImportParameters(RSAParameters parameters)
   at System.Security.Cryptography.RSA.FromXmlString(String xmlString)
   at Microsoft.EnterpriseManagement.Security.AsymmetricKeyManager.Initialize(Byte[] publicKey)
   at Microsoft.EnterpriseManagement.Security.AsymmetricKeyManager..ctor(Byte[] key, Boolean self)
   at Microsoft.EnterpriseManagement.Security.SecureStorageManager.Initialize()
   at Microsoft.EnterpriseManagement.ServiceDataLayer.SecureStorageManagerFeatureImplementation..ctor()

Yeah its a lot!

The main thing that stood out amongst all this was the InnerException

InnerException: System.Security.Cryptography.CryptographicException

Message: The profile for the user is a temporary profile.

A quick check online about temporary profiles revealed how to check and find these profiles in the registry. Browsing to the following registry key, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList I could see that there were a couple of keys with the extension .bak. The keys are the SIDs for the user accounts. The application pool account was there and the normal account had a .bak extension. I deleted the existing one, and removed the .bak from the old key.

I recycled the application pool and the portal resumed working as normal.

One of those weird and wonderful errors that pop up to confuse you.

Tuesday 29 May 2012

DDDSW Roundup and Resources

On Saturday 26th I presented Defensive Programming 101 at DDD Southwest. As you may or may not be aware, the Developer Developer Developer or DDD brand of events are free one day events for the community by the community. Speakers submit their sessions and the attendees decide which ones they would like to see. The sessions with the most votes make it into the conference.

This was my fourth DDD event as I have been lucky enough to present at DDD Scotland twice and DDD North. This time at DDDSW, I got the pre-lunch slot, so to be fair to the attendees, I usually speed up a bit so that they can get out for lunch a wee bit earlier and skip the queues.

DDD Southwest was very well organised, with plenty of food, good facilities and good technical gear on site. This makes your job when you are presenting a lot easier. They even managed to sort out some amazing weather for the event and even so there was still in excess of 300 people at the event. My thanks again to the organisers, for minding us and making sure we had a great conference experience.

Thanks again to those who made it to my session and as promised, here is a list of the resources slide (which as always gets skipped at the end because there is way too many links on it)

Resources Slide 1

Resources Slide 2

As I said in my talk, many thanks to Troy Hunt for his kind permission on using some of the information on the ELMAH configuration errors which is detailed here

Monday 21 May 2012

Using the Azure CDN

A while back I toyed with the idea of moving all my blog assets (images, downloads, etc) over to a CDN just as a proof of concept and to show how it could be done and as a very handy way to get inspiration for a blog post. This evening I finally got around to it. And this post details how to do it.

So first a few basic things about the whole concept of a CDN.

What is a CDN?

A Content Delivery Network (CDN) according to Wikipedia is “a large distributed system of servers deployed in multiple data centres in the Internet. The goal of a CDN is to serve content to end users with high availability and high performance”. Its a large system of caching servers located around the world, speeding up the delivery of your content by reducing the distance between your users and your content and providing higher redundancy.

Why use a CDN?

One of the main reasons to use a CDN is more servers hosting your files, means higher availability meaning that if a node is down, the request will rollover to the nearest node after that.

Also it reduces the latency for your files when you have people accessing your site outside your hosting catchment for example, if your server is hosted in Dublin and a significant amount of your traffic comes from APAC. By using a CDN, your static resources that you have on your blog/site are cached in different locations around the world. When a user requests a file that is hosted on your CDN, the file is served where possible from the closest node in the CDN.

About the Azure CDN

The Windows Azure Content Delivery Network (CDN) caches Windows Azure blobs and the static content output of compute instances at strategically placed locations to provide maximum bandwidth for delivering content to users. You can enable CDN delivery for your content providers using the Windows Azure Platform Management Portal. CDN is an add-on feature to your subscription and has a separate billing plan.

Azure CDN nodes are located worldwide and you can get a list of them here

Setting up on the Azure CDN

This is one of the easiest things to do with Azure. As in absurdly easy. You will need an Azure account and you can sign up for a 90 day free trial at the Windows Azure Portal. You will need a credit card when you sign up to verify but you will not be charged and if you go over your free limit, it will just stop however you can allow it to run and charge to credit card if you so wish.

Once you have your account, sign into the management portal.

Now create a new storage account. This is where you will serve your static resources from. You do not need a hosted account to serve the files.

Type in the name and select the region for the storage and then once done wait for the storage to provision

Once the storage is ready, click on the CDN folder on the left of the management panel. You will see your newly created storage account. Click on the New Endpoint from the top menu and select the defaults.

The CDN endpoint will provision and you will eventually get a URL like XXXXXXX.vo.msecnd.net which is fine but most people want to have their own domain or subdomain on the CDN and this is very easy to do.

Click on the CDN endpoint and select Custom Domain from the top menu. You can insert the address that you want the CDN to resolve to. For example the one for this blog is assets.certsandprogs.com.

A verification CNAME will be created which points to verify.azure.com and you will need to create this CNAME in your domain management of your provider.

Once you have done this, go have a cup of tea or coffee because you will need the new CNAME to propagate and this could take a bit of time depending on your provider. For example, with GoDaddy, it took about 5 minutes but on a previous test, it took two hours on a different provider.

You can click validate to check and once its working you will see Allowed in the custom domain line.

The final thing you need to do now, is create a CNAME that points to your Azure CDN endpoint address. Once all this is done you will be able to use your brand new shiny CDN.

Getting files into the CDN for non programmers.

There are plenty of tutorials on how to get your data into blob storage so you can use your search engine of choice to find these. However, for the non programmers among you (why are you reading this blog?), there are a couple of programmes you can use to get your data into blob storage and onto your newly provisioned CDN

Azure Storage Explorer on Codeplex allows you to see your blob storage in a logical view as well as creating containers and upload objects to your containers.

So that’s about it, a fairly painless way to migrate to the cloud without needing any code.

All the images that in this post are being served from the CDN and I will migrating all the scripts used in the blog over to the CDN over the coming weeks. If I manage to create a nice little migration tool, I will share it on this blog.

Thursday 3 May 2012

Windows 8 Developer Day

Today I presented on the new features in Visual Studio 11 as part of the Windows 8 Developer Day in Oslo

The resources slide is replicated here

If you managed to make it here then the QR code worked!

Sunday 25 March 2012

The best of VS11 (Talk from Dev11 Launch)–Demos

Continuing on from my previous post on the best bits of Visual Studio 11, these are the demos that I showed as part of that talk.

Testing integration

As part of the new test runners integration, this demo shows how to run different testing frameworks easily within the same project. To show the testing frameworks in  Unit Test Manager windows, you will need to install the xUnit.net test runner and the nUnit test adapter via the Extension Manager or from the Visual Studio Gallery. br />Once these are installed when you build the application you will see the 3 different unit testing frameworks appearing in the Unit Test Manager pane.
Download the demo project.

OAuth and OpenID providers

One of the new features that appeared with WebMatrix 2 Beta Refresh  (now with added Unicorn sauce) and Web Pages 2 Beta are the OpenID and OAuth providers which allow you to build applications that support these systems such as Facebook, Twitter and Google logins.
Currently these are only available in ASP.NET WebPages but as part of the whole one ASP.NET concept these features will be released for ASP.NET MVC and WebForms later.
This project comes from the WebMatrix starter site. It shows how to use the Google, Twitter and Facebook logins.

Using Google OpenID

Google OpenID is one of the simplest providers to implement. In the _AppStart.cshtml file add the following after the WebSecurity.InitializeDatabaseConnection

In the Account/login.cshtml you can modify the social login section to look like
<section class="social" id="socialLoginForm">
<form method="post">
<h2>Use another service to log in.</h2>
<legend>Log in using another service</legend>
<input type="submit" name="provider" id="google" value="Google" title="Log in your Google account" />

Using Yahoo for OpenID is the same procedure

Using Twitter OAuth

Twitter OAuth requires you to create a Twitter application first because the Oauth provider requires a consumerKey and consumerSecret tokens.

Head over to the Twitter developers site and create a new app. If you are developing on localhost, Twitter may not accept this as a valid domain name so you can use the loopback address instead for the WebSite field in the new application creation.

Once you have your Twitter application setup just take note of the Consumer Key and Consumer Secret values.

Back to _AppStart.cshtml add the following
consumerKey: "",
consumerSecret: "");

Insert you own consumerKey and Secret and then add the new input in your socialLoginForm and viola Twitter login integration!

Download the sample

Maps Helper

The final demo of the day is using the new Maps feature. This one also comes with WebMatrix 2 Beta Refresh but you can use it in MVC or WebForms right now. You need the new v2 of Microsoft.Web.Helpers assembly. You can get this assembly from the Bakery starter site in WebMatrix 2 Beta or from conveniently from here

To add a Google map to your website is as simple as the following lines of code.
<section id="map">
<div style="margin-bottom: 5px; font-weight: bold;">UiS Stavanger</div>
@Maps.GetGoogleHtml("Kjell Arholmsgt. 41, 4036 Stavanger", zoom: 15)

The map types that are supported right now are Google, Bing, Yahoo and MapQuest.

Download the sample.

Some handy information

You can get more on the new features of Web Pages 2 Beta here. Some of the new features that are in Web Pages now, will appear in the other parts of ASP.NET in line with the one ASP.NET vision.

Thursday 22 March 2012

Visual Studio 2010 & VS11 Side by Side on Windows 8 Consumer Preview

As part of my talks on VS11, I wanted to show some of the new templates that are shipped out of the box in Dev11 (VS11). As I detailed in my previous post, the new templates are only available when you are running on Windows 8.

This posed a bit of a dilemma because I was also doing a session on building a hybrid Windows Azure application. The Azure tooling story for VS11 is that it will be included at a later date but it didn’t ship with the beta. For the moment, Azure development is done in VS2010.

So I decided to bite the bullet and install a new copy of Windows 8 Consumer preview and see what happens when I install VS2010 and VS11 side by side. It was a lot less painful then I thought. Your mileage may vary depending on your installation.

The order of installation was

  1. Visual Studio 2010
  2. Visual Studio 2010 Service Pack 1
  3. Visual Studio 11 Beta
  4. Some Windows configuration voodoo
  5. Windows Azure SDK 1.6

I installed Visual Studio 2010 first and then updated to SP1. This also allows me to demo round tripping quite easily. After that, it was over to VS11 Beta and install that. VS11 Beta did its install thing quickly and I was good to go from a basic install standpoint. Both IDEs started as expected and no issues. Didn’t get any errors or collisions so I was happy at this point.


Now we get to the tricky side of the install. If you are used to working with the Azure SDK, you normally fire up the Web Platform Installer to install it. But Windows 8 doesn’t ship with .NET 3.5 activated. The install will fail even if you select to install .NET 3.5 for Windows 8. Of course, the error was a bit cryptic as they usually are so I tried configuring some stuff and manually enabling .NET 3.5 etc. Finally after some swearing and muttering I decided to read the manual! This limitation is detailed on the install notes.


So I followed the details on installing the Azure tooling on the Windows Azure development site.


I configured the features as detailed in the install notes and added some of the additional ones that I use such as IIS6 compatibility. I also installed SQL Server 2008 R2 Express edition without the tools as I already have SQL Server 2012 running on the default instance with full tooling support.

Once I had configured it, I installed the Azure tooling in the following order

  1. WindowsAzureEmulator-x64.exe
  2. WindowsAzureSDK-x64.exe
  3. WindowsAzureLibsForNet-x64.msi
  4. WindowsAzureTools.VS100.exe

WorksOnMyMachineAzureProjectThe installation went smoothly and I opened up VS2010 and viola there was the Azure tooling and I could work away. The experience was ok, once I read the manual (honestly who reads the manual!).

As with all beta software there are a full caveats and not everything will be compatible with your installation such as installing the async CTP for VS2010. This has caused a few issues for people so be careful.

Tuesday 20 March 2012

The best of VS11 (Talk from Dev11 Launch)

This evening I have just finished a talk on the best bits of the new VS11 beta entitled turned your Web Development up to 11 (thanks to Glenn Henriksen for the inspiration). Coincidently Scott Hanselman, also published a post today while I was speaking with some of the stuff that I was talking about.

Anyways, here is a quick recap of the session for those that missed it.

The new IDE

The new VS11 IDE has a slimmer new design with Metro styling all the way through it. It has a faster startup time in its Beta version as compared to its older brother VS2010 when both are in their out of the box just installed configuration. I currently have VS2010 SP1 and VS11 Beta running on Windows 8 Consumer Preview side by side without any problems. It makes it very easy to show the new project round tripping feature (discussed later) and removing some of the pressure of trying to run Windows 8 with your existing development environment tools.

New Templates

There are new templates available when running on Windows 8 which are not included in VS11 when running it on Windows 7. And this is because they are Metro specific. These include the new Metro style applications in C# and in JavaScript.


Search overhaul

One of the one of the biggest overhauls in VS11 is the search and specifically the new Quick Launch. In my talk, I asked how you would change the references for intellisense for JavaScript (which leads into another feature in VS11 .. again which I will say later!). In VS11 it meant, playing hide and seek with the menus and trying to figure out where in the extensive options pane this setting lived. In VS11 it’s a quick case of using the shortcut Ctrl + Q and typing javascript  which will show the different options including changing the references for JavaScript.


You can also use this Quick Launch function to learn keyboard shortcuts as it shows you in the results the shortcut along with the description of the item where applicable.


This search overhaul has continued into the Solution Explorer where you can type some text and get any files or classes containing that text. You can even use regular expressions in this search.


Search has been improved in the Add References dialog as well


In the code view, find now works as expected. In VS2010, pressing Ctrl + F would bring up the Find and Replace dialog box which really didn’t make sense. Now it brings up the Find dialog and you can search across different scopes and again you can use regular expressions if you so wish

The new preview window

Ever get tired of opening files to just see what’s inside of them and those files hanging around cluttering up your tabs because you forgot to close them when you were finished looking in the file? Well that’s all changed now in VS11 with the new preview window. This window opens when you click on a file allowing to preview its contents without actually opening it. But wait there’s more! If you decide that you actually like what you see. And they have finally added the Close All Documents button!!! Before you had Close Document, Close all documents but this. Now you have that final part of the triad, Close All Documents. It’s the tiny things that make a difference

Preview CloseAll

Templates are now extensions

How often do templates that ship with Visual Studio get updated or refreshed. The answer is simple, when the next version of Visual Studio ships. Now they are extensions or VISXs meaning that templates can be updated and added out of band. Now for those of you thinking ahead you can see why this would be one of the excellent little things hidden inside of VS11

Project Round Tripping

One of the biggest problems when a new version of Visual Studio comes along be it in Beta or in its RTM edition is that it has updated the solution file making it impossible for you to work with it in the previous versions. This breaking of solutions meant that all developers had to upgrade at the same time or projects had to be built in only one version of Visual Studio meaning you kept previous versions installed so you could open them. Also if you had clients that you were developing for, who weren’t upgrading that project stayed in the old version.

Of course there were hacks such as two SLN files but this led to developer frustration when someone added a new project to the solution but didn’t upgrade both SLN files. Well this is no more. With the new Project Round Tripping feature in VS11, you can use *nearly all* of your existing VS2010 SP1 projects in VS11 without having to upgrade or break your SLN file. Not all projects are compatible though and there is an article on MSDN detailing which projects will work and which won’t work.

This feature works with Visual Studio 2010 and SP1 and you can’t use it with Visual Studio versions older than 2010. Additionally if you use any feature that is specific to the new version of Visual Studio such as changing the framework version to 4.5 then the project cannot be opened again in VS2010.

Page Inspector

Quite simply, if you use FireBug, you will love this. If haven’t used FireBug before prepare to be amazed. This is honestly one of the best new features for Web Developers in VS11.

Page Inspector allows you to view your page in a number of different ways such as Files Mode which shows you which files in your solution make up this page. Extremely handy if you are brand new to a well established project that combines multiple files into one view.


You also have inspect mode which shows what control or place in your file generated that piece of HTML. Genius! Forget adding silly text or test calls to find where in the code is generating the output, just hover over the piece in the HTML view that you are curious about and Page Inspector will show you the rest.


You can also play with the source and Page Inspector will see that it has changed and update accordingly once you refresh. It will also prompt you that it has changed.


This feature gives you the tools to expertly find where and what is happening in the HTML of your application with more power in actually finding it than FireBug has. Don’t get me wrong, I love FireBug but it doesn’t have the ability to show where in the files is generating the HTML that you are looking at. I also see Page Inspector as a great training tool for anyone trying to learn a new aspect of ASP.NET from junior developers all the way up the food chain.

New HTML editor features

Some of the irritations that you ignored when you started development but grew as you became more and more proficient have been fixed. Such as smart indent. This is where you type a tag and press return and in VS2010 it would start at the same position as the tag rather than tabbing in. Now it does.

Another frustration was when you changed a tag, you had to go find the corresponding closing tag and change that. Now it does.

For those of your who used ReSharper or CodeRush or another IDE extension, you probably wont remember a time where you couldn’t generate a method stub of a control from the Code View. Now you can.


The new Smart Task feature for controls gives you access to the same functionally that you had on a control when in Design view but from the Code view.


And finally the improved Intellisense reduces options and it shows you the bits as you type.

It’s the little things that just make life a bit easier for developers.

New CSS editor features

Do know what the shortcut command CTRL + K, C means? Its means to comment out the piece of code you have highlighted or the line you are on. You know where it never worked. In the CSS editor.. well it does now. It may not sound like a big thing, but when you expect that shortcut chord to work across the editor uniformly and it doesn’t in one spot it because an annoyance.

The new color picker is a simple yet very effective addition to the editor. Before if you didn’t know a hex value for a colour (yes I spell it the British English way!), you had to use something like Paint.NET to find the colour code. Now its built into the editor and it appears when you type color: in the CSS editor.

The Testing Framework

Unit testing is now a complete first class citizen in VS11. There has been a massive amount of investment in this area and Peter Provost has a great series of articles on his blog about this.

This is just a quick overview of some of the features that I like.

VS11 now has a test runner framework which allows test runner extensions to be installed into VS11 so that your unit tests will appear in the Unit Test Explorer window and all run as part of the series of tests regardless of the testing framework you use. So if you use MSTest, Nunit and xUnit.NET in the same solution, no problem. Just download the test runners for Nunit and xUnit and install them and off you go they will appear in the Unit Test explorer. And what is the most important information you want to see about your unit tests? It’s the one that fail and these come up first on the Unit Test explorer window.


Also you can set your unit tests to run automatically on build!


The Code Demos

I finished off with some code demos which I will do in the follow up post to this. I did this like a sprinting lap around VS11 and I hope people got a decent glimpse of the real new goodies in VS11.

If you haven’t already downloaded the beta, you can do get it from here

Monday 16 January 2012

Request for speakers NNUG Online

Last year I ran a series of online Live Meetings under the brand NNUG Online. NNUG Online was an idea I had on trying to get around the issue of how to get more international speakers to the local Norwegian .NET User Groups. One of the benefits of MVP program is a Live Meeting account so I used that to host these meetings and from there, the issue was to find speakers.

Through the magic of twitter and some networking connections made at the MVP Summit & previous Norwegian Developer Conferences, I was able to line up some excellent speakers and its started with K Scott Allen. Over the year we had Jon Skeet, Scott Hanselman, Scott Guthrie, Hadi Hariri, Jon Galloway and Einar Ingebrightsen.

This year I would like to continue on with NNUG Online as I think it has brought something extra to the Norwegian developer community.

So if you are interested in speaking at one of these meetings please just drop me a line. The meetings range from 60 to 120 minutes including questions. They can be on any topic in programming provided that they can be included in .NET so for example things like Open Source, GIT and such are fine. It is done through Live Meetings so you will need that client on your machine. It is normally scheduled for 20h00 CET (which is 12h00 PST in Seattle for example and 15h00 EST in New York) at the end of the month, though we are quite flexible.

If you are interested in doing a session, please email stavanger@nnug.no with overview of your talk, estimated running time and dates that you can do it.