MSDN Webcast: Windows Communication Foundation Top to Bottom (Part 11 of 15) - Federated Security

This series is being presented by Michele Leroux Bustamante (Chief Architect, IDesign Inc, Microsoft Regional Director for San Diego, MVP XML Web Services) and author of Learning WCF (O'Reilly, 2007) and touches on the fundamentals and practical approaches of WCF development.

This session covered:

• Underlying claims-based support in WCF
• Reasons to move toward a claims-based security model
• Steps to adopting claims-based security
• How security token services (STS) supports federated security models
• The relationship to federated security and security tokens that carry claims

Key points from this session:

• Limitations of role-based security
• Insufficient
• Roles change
• Permissions granted to roles change
• Not all credentials can be mapped to roles
• Better to base authorisation on permissions, not roles
• Permissions should not change
• Establish permissions required for features
• Associate permission demands with features
• Can add new permissions for new features
• Not built in, nor is it always enough, nor are permissions guaranteed
• Benefits of claims-based security
• Richer than permissions
• Carry information about
• User identity
• Roles or permissions
• Other useful information about the user
• Guaranteed by their issuer
• If issuer is trusted, claims are trusted
• WCF identity model is claims-based
• Credentials sent as security tokens
• Security tokens are mapped to claims
• Claims are accessible through the ServiceSecurityContext for the request
• One or more claim sets may be granted
• Multiple security tokens
• Multiple authorisation policies
• Security tokens, claims, and claim sets
• Security tokens
• Are a serialized representation of a set of authentication credentials
• Usually binary or XML
• Usually signed to guarantee authenticity
• Serialized in security headers of a SOAP message, can be interoperable
• Claims
• Describes an individual right or action
• Identity claim
• Can represent a Windows or X.509 token, a username, or another type of identity
• Proof of Possession Claim
• Can represent additional information such as e-mail address, first and last name, birth date. etc
• Can be custom application claims
• Claim sets
• Collection of claims by a particular issuer
• System issuer for Windows and X.509
• ASP.NET issuer for membership provider
• CardSpace issuer for self-signed tokens
• Security token services (STS) or custom authorisation policies
• Claim sets get generated from security tokens
• Claims authentication and authorisation
• Security principle attached to the request is still role-based
• IPrincipal type created by role
• WCF 1.0 does not have built-in claims authentication
• Why use claims-based authorisation
• Useful for issued tokens
• SAML tokens carry claims
• Normalizing authentication of multiple credential types
• Delegation of authentication to STS
• Issuance of application claims for rich authorisation
• Federation scenarios with STS
• Can decouple authentication and authorisation from applications and services
• Better performance on Web and application servers
• Greater flexibility with authentication
• Ability to use claims-based authorisation checks or delegate checks to another service
• Security token services (STS)
• A.K.A. identity provider or token issuer
• SAML tokens contain a set of claims
• Granted by token issuer
• Signed by token issuer
• Session Summary
• Claims-based security is built into WCF
• Some work required to leverage
• Normalization claims can be performed with
• Custom IAuthorizationPolicy
• Delegated to STS using WSFederationHttpBinding
• Federated security model supports single sing-on and claims authorisation
• Custom STS, ADFS vNext, PingTrust

This webcast is available for download from here along with a copy of the Powerpoint deck. The next Webcast (session 12) is scheduled for 29th August 2007 and is titled "Reliable Messaging". A schedule on the complete series can be found here.

SQL Down Under Code Camp 2007 - Draft Timetable

Details of speakers and sessions for SQL Down Under Code Camp 2007 have been posted.

This year Greg Low suggested we do something different and set aside 1 session each day, made up of 3 x 15min slots, for new speakers. Well, we did and here is the list of people who put their hand up:

Slot 1 - Saturday 11:30-12:30

• Mahesh Krishnan - Reporting Services Tips andS Tricks
• Mai Low - Moving SQL Server System Databases
• Ducas Francis - Using Looping Containers in Integration Services

Slot 2 - Sunday 13:00-14:00

• Marc Ridey - Using SQL CE from SSMS
• Rob Sanders - Using SMO and Scripter to generate feature rich DDL scripts
• Chris Hewitt - ADO.NET Entity Framework

I will be presenting "SQL Server Compact Edition: A DBA's Primer" on Saturday @ 15:30 and Peter Ward is presenting a session titled "If only they taught SQL Server at Kindergarten" on Saturday @ 10:30. All he's told me is that he thought of the session over a few alcoholic drinks while listening to his favorite band Bon Jovi! Apparently they had a smash hit in the 90's with a chorus that went something like "The servers running slow, and your to blame. You give SQL Server a bad name". Sounds intriguing; yet disturbing. Think I'll give drinking with Peter a miss for a few years!

2007 PASS Community Summit

The 2007 PASS Community Summit is the worlds largest SQL event and is being held in Denver on 18th-21st September 2007.

Last year Peter Ward presented a session on SQL Server Automation & SQL SMO which attendees voted as one of the most informative sessions of the event. This year Peter has been invited back as a 'Spotlight Speaker' and will presenting Engineering 101 for the DBA which he's presented at various Australian SQL Server User Groups and SQL Server Open World in Denmark earlier this year. The list of speakers for the event is very impressive, perhaps daunting, but those of us that know Peter know that he'll knock 'em dead (again).

As usual, Peter is making the most of his trip to Denver and has decided to turn this into a SQL Server Road Trip. Peter and Jay Dee (his beautiful wife) have decided to drive from Los Angeles to Denver and along the way present a session on 'An Introduction to SQL Server 2008' (based on his popular AskaSQLGuru screencast series) at the SQL Server Society of Las Vegas on 10th September 2007 and the Utah Country SQL Server User Group on Friday 14th September 2007.

Have fun and don't forget the postcard :-D

MSDN Webcast: Windows Communication Foundation Top to Bottom (Part 10 of 15) - Security Fundamentals

This series is being presented by Michele Leroux Bustamante (Chief Architect, IDesign Inc, Microsoft Regional Director for San Diego, MVP XML Web Services) and author of Learning WCF (O'Reilly, 2007) and touches on the fundamentals and practical approaches of WCF development.

This session covered:

• Core security settings for WCF services
• Applying appropriate binding security configurations for common scenarios
• Authenticating with Windows, certificate, and username credentials
• Authorising against the Windows domain or custom credential stores

Key points from this session:

• Core security concepts
• Mutual Authentication - Means for sender and receiver to identify one another
• Authorisation - Determining what the authenticated party has rights to do
• Confidentiality (Encryption) - Ensuring only the intended recipient can view information
• Integrity (Digital Signatures) - Ensuring that messages are not altered by malicious parties
• Reliability - Preventing replay and DoS
• Transfer Security
• Transport security is on the wire
• SSL, TLS, IPSec
• Point-to-point
• Applies to entire message
• Message security can traverse network nodes
• WS*
• Secure to ultimate message receiver
• Secure message parts
• WCF security settings
• Security mode
• Transport, Message (default) or Mixed - configured via binding
• Internet - Should use message
• Intranet - Should use transport
• Protection level
• Levels:
• None, Sign, EncryptAndSign (Default for secure bindings)
• For transport protection, set binding properties
• For message security, set contract properties. 
• Also used to require a minimum level of protection for transport or message level  
• Client and service credentials
• Client
• Credential Options:
• Windows
• Username and password
• X.509 certificates
• SAML (including Windows CardSpace claims) or custom tokens
• Discussed in next webcast
• Selections vary for binding configurations
• Service
• Credential options:
• Windows
• X.509 certificates
• Where clients use Windows credentials, so does the service
• Where clients use third-party credentials, service must provide a certificate
• SSL or by associated service behavior
• Impersonation
• Service
• Can control impersonation level
• OperationBehaviorAttribute
• ImpersonationLevel:
• NotAllowed, Allowed, Required
• Can control for all service operations
• ServiceAuthorization behavior
• Client
• Can control impersonation level
• TokenImpersonationLevel
• None, Anonymous, Identification, Impersonation, Delegation
• Credential negotiation
• Service credentials can be negotiated
• Windows credentials rely on SPNego
• Third-party credentials rely on TLSNego
• Requires a service certificate
• Transport protection uses SSL
• Message level uses WS-Trust as tunnel
• Negotiation removes the need to provision certificates to clients ahead of time
• Is not interoperable
• Secure session
• Reduce the overhead of one-off key exchange and validation
• Secure Client Token (SCT) generated for authentication and message protection
• Enabled by default for most HTTP bindings
• Authentication and authorisation behaviors
• Can control authentication settings for each credential type
• ServiceCredentials behavior
• Can configure authorisation with behaviors
• ServiceAuthorization behavior
• PrinciplePermissionMode: None, useWindowsGroups, UseAspNetRols, Custom
• Controls the type of security principle
• WindowsPrincipal, RoleProviderPrincipal
• Used for role-based security checks
• Session Summary
• WCF provides granular control over security through bindings and behaviors
• WCF also supports rich federated and claims-based security models

This webcast is available for download from here along with a copy of the Powerpoint deck. The next Webcast (session 11) is scheduled for 27th August 2007 and is titled "Federated Security". A schedule on the complete series can be found here.

MSDN Webcast: Windows Communication Foundation Top to Bottom (Part 09 of 15) - Concurrency, Throughput, and Throttling

This series is being presented by Michele Leroux Bustamante (Chief Architect, IDesign Inc, Microsoft Regional Director for San Diego, MVP XML Web Services) and author of Learning WCF (O'Reilly, 2007) and touches on the fundamentals and practical approaches of WCF development.

This session covered:

• Throttling and concurrency settings for WCF Services
• Protecting services and resources from concurrent access
• Controlling throughput for requests, service instances, and sessions
• Impact of instancing mode and sessions on load-balancing scenarios

Key points from this session:

• Currency modes
• WCF services protected from concurrent access by default
• ConcurrencyMode enumeration (ServiceBehaviorAttribute)
• Single
• Concurrent requests cannot be processed by the same service (default)
• Lock is acquired while a request is processed. Other threads are queued
• For PerCall services, a new service instance is allocated for each thread so concurrency is not an issue
• Single mode has no impact on throughput
• Concurrent calls can be processed
• For PerSession services, service instances are protected against multithreaded clients
• Single mode impacts throughput of single client
• Multiple clients can get through
• Concurrent calls can be processed
• For singleton services, service instances are protected against any concurrent calls
• Single mode impacts throughput of singleton
• Multiple threads and clients can not get through
• No concurrent calls can be processed
• Reentrant
• Useful when services issue callbacks to clients
• Services release the acquired lock upon exit to make the callback
• Another thread is able to acquire the lock
• Return from callback will queue
• PerCall
• In Single mode, deadlock guaranteed
• In Reentrant mode, no problem
• PerSession and Singletons
• PerSession services allow a multithreaded client to access the service instance
• Singleton services allow any threads to access the service instance
• Multiple
• Can increase throughput of
• PerSession services with multithreaded clients (avoid)
• Singleton services any number of clients
• No lock is acquired when requests are being processed
• Multiple threads access the service instance
• Shared resources must be protected
• Monitor, Mutex, Semaphore, ReadWriterLock and Interlocked
• Custom multithreading protection required
• Instance Throttling
• Several factors influence throughput
• Instancing mode
• Concurrency mode
• Throttling behavior
• ServiceThrottleBehavior
• MaxConcurrentCalls - Limits concurrent requests (Default 16)
• MaxConcurrentInstances - Limits number of service instances
• MaxConcurrentSessions - Limits active sessions (default 10)
• Load Balancing and Failover
• Sessions influence load balancing
• Without sessions, requests can be directed to any machine
• With transport session like TCP, require sticky IP
• With reliable and secure sessions, or application sessions, requires sticky sessions
• Failover not supported by default
• Summary
• Avoid reentrant and singleton concurrency modes where possible
• Design services for one-way callbacks
• Limit singletons to low throughput environments
• Consider throttling behavior carefully
• Leverage performance counters to measure overall throughput and tweak settings
• Do the math on expected concurrent requests and sessions
• Consider sessions and load balancing

This webcast is available for download from here along with a copy of the Powerpoint deck. The next Webcast (session 10 - Security Fundamentals) has already been delivered and I will blog about this shortly. A schedule on the complete series can be found here.

Canberra Windows User Group - Times are Changing

UPDATE: I need to clarify that Dave is not leaving the community altogether; he's just stepping down as Lead of the Canberra Windows User Group but will continue to help out across all Canberra UG's as needed. Check out Dave's blog for more clarification of his new role.

It's a sad day for the Canberra user group community with David Mackie resigning as the leader of the Canberra Windows (Infrastructure) User Group. Just want to say thanks Dave for all the hard work and effort you've put in over the years and wish you well for the future. Don't be a stranger!

Now for the good news. Athena Pawlowski (Branch Manager, dotNET Solutions) has taken over the reins and will be running the user group from now on. Athena currently runs the Canberra .NET Users Group and although she's got some big shoes to fill, there's no doubt the user group will continue to thrive. Here's a peak at some of the great presentations already lined up for the rest of the year:

Sept - Scott Deakon from Microsoft on 'How Hot Fixes and Service Packs get delivered'
Oct - Jeff Alexander from Microsoft on 'Deploying High Performance and Scalable Networking with Windows Server 2008'
Nov - Rocky Heckman from Microsoft on Security - yet to be finalised
Dec - Peter Ward (SQL MVP) from WARDY IT Solutions on Engineering 101 for the SQL DBA

Time & Location: 2nd Tuesday each month
Lunch Time
King O'Malley's Irish Pub
131 City Walk, Canberra City
12:30 - 1:30 — Finger food and presentation

Evening
Microsoft Canberra Office
Level 2, 44 Sydney Avenue, Barton
17:30 — Pizza and networking
18:00 - 19:30 — Presentations

Look forward to seeing you all there.

Cheers
Jeff

MSDN Webcast: Windows Communication Foundation (Level 200)

Well, it's 4:40am Saturday morning and I'm sitting here waiting for the Webcast to start and I can't help but wonder whether I'm completely insane (Laura thinks so) as I don't get enough sleep as it is or whether WCF is such an important step forward for Service-Oriented Architecture (SOA) development that it's all worth the pain.  I'll let you know tomorrow once reality sets in :-)

This morning's webcast is being delivered by Glen Gordon, Developer Evangelist (Love that title and want to steal it!), Microsoft Corporation.  Originally from New York, Glen Gordon earned a degree in applied psychology from Georgia Institute of Technology, where he studied the learning process and how humans interact with computers. Glen has more than 13 years of experience as a software trainer and presenter, and he knows how to design for scalability, usability, and supportability. His current passion is mobile applications. Glen lives near Atlanta with his wife and three children, and his hobbies include playing the piano and improve comedy.

In this webcast we will work with the DinnerNow application to build and consume services created with Windows Communication Foundation (WCF). We will get the chance to build both services and clients while learning about the security and manageability features of Windows Communication Foundation and see how the Windows Communication Foundation provides a single, unified communications API by also building a Plain Old XML (POX) service that returns data for HTTP Get requests.

Yay, it's starting.....

Agenda

• What is WCF
• How does it work
• How do I use it?
• How do I deploy it?
• A demo
• What else should I know?

Ok, the Webcast is over and I'm looking back on what I've blogged about and all I see is the Agenda.  No I didn't fall asleep; I just didn't see anything that was really worth blogging about (or at least stuff I hadn't already blogged about).  Yes we saw how to implement a very basic WCF Service to return a Menu for the DinnerNow application and Glen provided a good introduction to WCF, we didn't however look into any "security and manageability features of WCF".  About the best thing I got from this Webcast was how to use the Microsoft Service Configuration Editor to help with creating and configuring WCF Configuration Bindings (which I will blog about later once I'm a little more awake) and where to find WCF Virtual Labs.

All-in-all, Glen's presentation skills where A+ and what he did cover he did so well. IMOA this Webcast should have been a Level 100 and not a 200 as advertised.  I'm off to bed to try and get some shut-eye before bubs wakes up......

MSDN Webcast: Windows Communication Foundation Top to Bottom (Part 08 of 15) - Instancing Modes

This series is being presented by Michele Leroux Bustamante (Chief Architect, IDesign Inc, Microsoft Regional Director for San Diego, MVP XML Web Services) and author of Learning WCF (O'Reilly, 2007) and touches on the fundamentals and practical approaches of WCF development.

This session covered:

• Instancing modes available for WCF services
• State-unaware services
• Requirements and considerations for session-full services
• Appropriate use of singleton services
• Impact of instancing modes on exception handling, resource allocation, and overall scalability

Key points from this session:

• Instancing (InstanceContextMode) mode controls the lifetime of the service instance
• PerCall Mode
• A new service object is created for each call
• Increases overall throughput
• State not maintained between calls
• Less memory consumption
• Concurrency not an issue
• Sessions
• Four Types
• Transport such as TCP or Named Pipe
• Reliable
• Secure
• Application (subject of this discussion)
• PerSession Mode
• A new service object created for each client/proxy
• Less throughput, greater memory consumption
• State maintained
• Concurrency issues for multithreaded clients
• Session lifetime defaults to 10 minutes
• Controlled by receiveTimeout setting on each binding
• Can explicitly control lifetime via OperationContract attribute
• IsInitiating
• IsTerminating
• Single Mode
• Single service object is created for all calls from all clients
• Least throughput
• Potentially greater memory consumption
• State maintained by service instance
• Concurrency issues
• Summary
• Prefer PerCall services where possible
• For scalability and throughput
• Use PerSession services only when necessary
• Beware the overhead of sessions and potential for timeout
• Avoid singletons almost always
• Could be useful on client machines for shared functionality

The eighth webcast is available for download from here along with a copy of the Powerpoint deck. The next Webcast (session 9) is scheduled for 15th August 2007 and is titled "Concurrency, Throughput, and Throttling". A schedule on the complete series can be found here.

MSDN Webcast: Windows Communication Foundation Top to Bottom (Part 07 of 15) - Messaging Patterns

This series is being presented by Michele Leroux Bustamante (Chief Architect, IDesign Inc, Microsoft Regional Director for San Diego, MVP XML Web Services) and author of Learning WCF (O'Reilly, 2007) and touches on the fundamentals and practical approaches of WCF development.

This session covered:

• Messaging patterns and related considerations for WCF
• Request/reply, one-way and duplex calls
• Publish and subscribe
• Handling large messages

Key points from this session:

• Request/Reply Operations
• Request/Reply operations are the default behaviors for all service operations
• WSDL shows <input> and <output> methods for each operation of the service
• Message can contain parameter or return data, an empty <body> element (VOID), or a SOAP fault on return
• One-Way Operations
• Set IsOneWay attribute to true and use VOID or SUB as method type
• WSDL only shows <input> method
• No response sent and no exceptions reported
• This does not mean that the exception won't tear down the server channel and cause problems for the client
• If clients want message arrival guarantee they should use
• Client should use Reliable messaging for transient reliability
• MSMQ
• One-way operations are useful for callbacks using Duplex Operations
• Duplex Operations
• Operations may be request/reply or one-way
• WSDL shows <output> message only for callback contract operations
• Good for Publish/Subscribe scenarios
• Bindings have message size quotas - Default 64k
• Can increase to support larger payloads
• Can address overhead issues with
• Message Transmission Optimization Mechanism (MTOM)
• Interoperable standard that reduces the overhead of binary data
• Removes bloat and processing overheads of base64 encoded data
• Improves overall message transfer performance
• Entire message is still loaded into memory
• SOAP messages sent as MIME
• Streaming
• Reduces memory usage for data transfers
• WCF will close the stream after the final read
• For services returning streams
• For clients sending streams
• You must close the stream after the final read
• For clients reading a returned stream
• For services reading an incoming stream
• Chunking messages into smaller parts

The seventh webcast is available for download from here along with a copy of the Powerpoint deck. Session 8 (Instancing Modes) has already been delivered and I will blog about it tomorrow. The next Webcast (session 9) is scheduled for 15th August 2007 and is titled "Concurrency, Throughput, and Throttling". A schedule on the complete series can be found here.

"How Do I?"; Videos for Devices

Another thing I've been ploughing through in my spare time is the "How Do I?" Videos for Devices series.

This series has been designed for novice to professional developers in an effort to get them developing with the .NET Compact Framework. Each video runs for about 10 to 30 minutes, includes step-by-step instructions, and has complete working sample code available for download in both C# and Visual Basic .NET.

This is a great little series and the idea of restricting each session to a maximum of 30 minutes means that it is easily slip one of them in during your lunch break or while you’re waiting for all those annoying TV shows to finish (such as Australian Idol!). You can also download sessions in various Audio formats so you can listen to them on the bus instead of ears-dropping on the local gossip. Hmm, maybe I'll just watch the videos :-)

Check them out.......

MSDN Webcast: Windows Communication Foundation (Level 200)

There is a Webcast scheduled for Friday, August 17, 2007 @ 12pm US & Canada Pacific Time (5am Saturday 18th August for us Aussie's) that shouldn't be missed by those serious about developing with WCF.

According to the event overview, "you will work with the DinnerNow application to build and consume services created with Windows Communication Foundation (WCF). You will get the chance to build both services and clients while learning about the security and manageability features of Windows Communication Foundation. In addition, you will see how the Windows Communication Foundation provides a single, unified communications API by also building a Plain Old XML (POX) service that returns data for HTTP Get requests."

The DinnerNow application demonstrates how to develop a connected application using several new Microsoft technologies such as IIS7, ASP.NET Ajax Extensions, Linq, Windows Communication Foundation, Windows Workflow Foundation, Windows Presentation Foundation, Windows Powershell, and the .NET Compact Framework. This is a great reference application which will provide you with an excellent grounding in WCF development and I highly recommend that you make an effort to participate in this Webcast. I'll definitely be getting up early for this one!

WiX: Installing a Windows NT User-Defined Service for Windows NT Applications

A person by the name of Dan asked if I knew how to use WiX to install a Windows NT User-Defined Service using the INSTSRV.EXE and SRVANY.EXE files supplied with the Windows NT Resource Kit. 

I didn't, but after reading Microsoft Knowledge based article 137890 I put together this little sample that seems to work just fine.  Hope it works for you too Dan.  Enjoy :-)

You can download this sample from here. 

<?xml version="1.0" encoding="UTF-8"?>

<Wix xmlns="http://schemas.microsoft.com/wix/2006/wi"

     xmlns:util="http://schemas.microsoft.com/wix/UtilExtension">

  <!--This WiX package was created based on the MS knowledge base article "How To Create a User-Defined Service"

    http://support.microsoft.com/kb/137890

  -->

 

  <Product Id="a619b377-59a6-4a91-b32f-82eb3c71374e"

           Name="MyNotePadService" Language="1033" Version="1.0.0.0"

           Manufacturer="MyCompanyName"

           UpgradeCode="6d7aa4d3-1148-4af0-b2a9-7f36d47f4998">

    <Package InstallerVersion="200" Compressed="yes" />

 

    <Media Id="1" Cabinet="SRVANY.cab" EmbedCab="yes" />

 

    <!-- This should reflect the path where Instsrv.exe and Srvany.exe are installed-->

    <Property Id="RESKIT"

              Value="C:\Program Files\Windows Resource Kits\Tools\" />

    <!-- This should reflect the path of the application you want to run as a service -->

    <Property Id="TARGETDIR"

              Value="C:\Windows\System32\" />

    <!-- This should reflect the name you want to give the Service-->

    <Property Id="SERVICENAME" Value="Notepad" />

 

    <!-- Replace Notepad.exe with the name of the application you want to run as a service-->

    <Directory Id="TARGETDIR" Name="SourceDir">

      <Component Id="C_Registry"

                 Guid="{2B4934D1-9AAE-4f68-888C-CEC4EA7B42EA}">

        <RegistryKey Root="HKLM"

                  Key="SYSTEM\CurrentControlSet\Services\[SERVICENAME]\Parameters"

                  Action="create" />

        <RegistryValue Root="HKLM"

                  Key="SYSTEM\CurrentControlSet\Services\[SERVICENAME]\Parameters"

                  Action="write" Name="Application"

                  Type="string"

                  Value="[TARGETDIR]Notepad.exe"/>

      </Component>

    </Directory>

 

    <!-- Command line to install the service-->

    <CustomAction Id="CmdLine1"

                  Property="CmdLine1_PROP"

                  Value="[SystemFolder]cmd.exe" />

    <CustomAction Id="CmdLine2"

                  Property="CmdLine1_PROP"

                  ExeCommand