Written by stevey on September 8th, 2011
From a somewhat obscure blog here http://msdn.microsoft.com/en-us/library/aa717039.aspx, I found the source code and compiled it myself. As it turned out, it is included in the huge WCF and WF Samples download at http://www.microsoft.com/download/en/confirmation.aspx?id=21459. When it was unzipped, there were over 1200 files extracted! After that, I went into the folder W:\Development\Downloads\Microsoft\WF_WCF_Samples\WCF\Setup\FindPrivateKey\CS, opened FindPrivateKey.sln and compiled it.
Then I went into the bin folder and ran it like this:
DirectoryWhereFileIsLocated>FindPrivateKey My LocalMachine -t "af 50 4e f4 3b 57 ea f0 26 a8 b0 35 bf a7 0a a7 87 ef 10 5b" -a
And it returned:
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\3f67f438e6678b37604ae90622d1a568_3b18c4e6-fe0f-4826-b709-bc8b80bca037
Explanation of the switches:
-t: find the certificate by thumbprint
-a: output the absolute file name of the private key
Get examples of how to use FindPrivateKey from here http://msdn.microsoft.com/en-us/library/ms732026.aspx#1
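The same lookup, plus the ACL check FindPrivateKey is normally used for, as an added PowerShell example that is not the sample's code. It assumes an elevated prompt and a CAPI/CSP key in the LocalMachine store, which is the case shown above.

```powershell
# Added example, not the FindPrivateKey sample: resolve a certificate's private key
# file from its thumbprint and show the ACL on it. Assumes an elevated prompt and a
# CAPI/CSP key in the LocalMachine store (the case FindPrivateKey handles too).
param(
    [Parameter(Mandatory = $true)]
    [string]$Thumbprint,            # as copied from the MMC, spaces allowed
    [string]$StoreName = 'My'       # "My" is the Personal store
)

# The MMC shows "af 50 4e ..." but the store holds "AF504E..."; normalise before comparing.
$tp = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
if ($tp.Length -ne 40) { throw "Expected 40 hex digits (SHA-1 thumbprint), got '$tp'" }

$cert = Get-ChildItem "Cert:\LocalMachine\$StoreName" | Where-Object { $_.Thumbprint -eq $tp }
if (-not $cert) { throw "No certificate with thumbprint $tp in LocalMachine\$StoreName" }
if (-not $cert.HasPrivateKey) { throw "Certificate $tp has no private key in this store" }

# PrivateKey is populated only for CAPI keys; CNG keys live in a different folder and
# FindPrivateKey (which uses the same CspKeyContainerInfo) cannot locate them either.
$csp = $cert.PrivateKey
if (-not $csp) { throw "Private key is not a CAPI/CSP key or is not readable by this account" }
$info = $csp.CspKeyContainerInfo
if (-not $info.MachineKeyStore) { throw "Key is in a user profile store, not MachineKeys" }

# CommonApplicationData resolves to "All Users\Application Data" on Windows 2003 and
# to ProgramData on Vista and later, so the same path works on both.
$machineKeys = Join-Path ([Environment]::GetFolderPath('CommonApplicationData')) `
                         'Microsoft\Crypto\RSA\MachineKeys'
$keyFile = Join-Path $machineKeys $info.UniqueKeyContainerName
if (-not (Test-Path $keyFile)) { throw "Key container file not found: $keyFile" }

"Subject    : $($cert.Subject)"
"Key file   : $keyFile"
"Allowed to :"
# The service identity (e.g. NETWORK SERVICE for IIS6) must appear here with Read,
# otherwise WCF fails at startup when it tries to open the key.
(Get-Acl $keyFile).Access |
    Where-Object { $_.AccessControlType -eq 'Allow' } |
    ForEach-Object { '  {0,-45} {1}' -f $_.IdentityReference, $_.FileSystemRights }
```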
Written by stevey on September 6th, 2011
The last post was about how to request and install a server-side certificate in preparation for authenticating a WCF service client using a client certificate. Once the server-side certificate is in place, it's time to get the client certificate in order. Here are the steps I took a few days ago for requesting, issuing and installing a client certificate on a Windows 2003 Server machine:
- Went to http://localhost:8080/CertSrv -> Request a certificate -> Browser certificate
- Submitted the request by following the on-screen instructions (entered Name, E-mail, Company, Department and chose key strength 2048)
- Went into the CA (Start -> Administrative Tools -> Certificate Authority -> Pending Requests folder)
- All Tasks -> Issue, and issued the client (browser) certificate.
- Went into the Issued Certificates folder and double clicked on the certificate request item -> Details -> Copy to File; the "Welcome to the Certificate Export Wizard" pop-up appeared; Next, and chose the "Base-64 encoded X.509 (.CER)" option, same as for the server-side cert created previously; Next
- Copied to c:\ClientCert.cer, Next, and "Completing the Certificate Export Wizard" showed "File Name, Export Keys (No), Include all certificates in the certification path (No), File format (Base64-encoded X.509)"; Finish
- Went to c:\ClientCert.cer and double clicked to open the certificate -> Install Certificate -> Next -> "Automatically select the certificate store..." -> Next -> Finish
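A quick readiness check for the installed client certificate, as an added PowerShell example that is not part of the post: it confirms the private key paired up, that the EKU allows client authentication and that the certificate chains to a trusted root, which is what IIS needs once "Accept client certificates" is turned on. It assumes the certificate landed in CurrentUser\My (what "Automatically select the certificate store" does for a key pair the browser generated) and that the stand-alone CA's root is in the trusted root store of this machine.

```powershell
# Added example, not part of the original post: verify a client certificate in
# CurrentUser\My is usable for client-certificate authentication. The subject
# filter is whatever Name was typed into the CertSrv request form.
param(
    [Parameter(Mandatory = $true)]
    [string]$SubjectContains
)

$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth
$ekuType = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]

$certs = Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.Subject -like "*$SubjectContains*" }
if (-not $certs) { throw "No certificate matching '$SubjectContains' in CurrentUser\My" }

foreach ($cert in $certs) {
    $problems = @()

    # 1. The issued cert must have paired with the key the browser generated at request
    #    time; if the request was made from another machine or profile, this is $false.
    if (-not $cert.HasPrivateKey) { $problems += 'no private key (request made elsewhere?)' }

    # 2. If an EKU extension is present it must list Client Authentication; a missing
    #    EKU extension means "any purpose" and is accepted as well.
    $eku = $cert.Extensions | Where-Object { $_ -is $ekuType }
    if ($eku -and -not ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $clientAuthOid })) {
        $problems += 'EKU present but lacks Client Authentication'
    }

    # 3. It must chain to a trusted root. The stand-alone CA from the earlier post
    #    publishes no reachable CRL, so revocation is skipped here and checked separately.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    if (-not $chain.Build($cert)) {
        $problems += (($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; ')
    }

    # 4. Validity window, in case the CA clock or the 2-year dev cert has drifted.
    $now = Get-Date
    if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) { $problems += 'outside validity period' }

    $status = if ($problems) { $problems -join ', ' } else { 'OK' }
    "{0}`n  issuer: {1}`n  status: {2}" -f $cert.Subject, $cert.Issuer, $status
}
```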
Written by stevey on September 6th, 2011
To use client certificates for authentication, you first need to install a server-side certificate. These are the steps I took to request, issue and install a server-side certificate for certificate authentication with Microsoft Certificate Services and IIS6 in a Windows 2003 environment:
- IIS6 -> Web Sites -> Default Web Site (at this point, verify that CertSrv is shown as a virtual directory under this site) -> right click on the Default Web Site node and selected Properties -> Directory Security -> Server Certificate.
- If there is no certificate already installed on the server, click on Create New Certificate; as I already had certificates installed on my local machine, the only options at this point were "Renew the current certificate", "Remove the current certificate", "Replace the current certificate", "Export the current certificate to a .pfx file", and "Copy or Move the current certificate to a remote server site".
- For this project, I chose "Renew the current certificate", and clicked Next
- Chose "Prepare the request now, but send it later" (the default option) and clicked Next.
- Certificate request file name: left it at the default, c:\certreq.txt
- Opened the c:\certreq.txt file and copied the content to the clipboard. The content is a big chunk of base64 mumbo-jumbo like this: "-----BEGIN NEW CERTIFICATE REQUEST-----MIIDTDCCArUCAQAwcTELMAkGA1UEBhMCVVMxEDAOBgNVBAgTB0Zsb3JpZGExDjAMBgNVBAcTBVRhbXBhMRcwFQYDVQQKEw5CaXNrIEVkdWNhdGlvbjEQMA4GA1UECxMH… -----END NEW CERTIFICATE REQUEST-----"
- Now I went to http://localhost:8080/CertSrv and a page titled Microsoft Certificate Services came up (I had trouble opening this page from http://localhost/CertSrv initially, but then realized my default website is not on http://localhost; rather, my default website is configured to run on port 8080 instead of the default 80).
- Clicked on Request a certificate and selected "submit an advanced certificate request" on the next page
- There are two options on the next page: "Create and submit a request to this CA." and "Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file."; selected the second one.
- Pasted the content from the clipboard into the "Base-64-encoded certificate request (CMC or PKCS #10 or PKCS #7)" textarea (or I could have used the "Browse for a file to insert" feature), then clicked Submit
- If submitted successfully, the next screen said: "Your certificate request has been received. However, you must wait for an administrator to issue the certificate you requested. Please return to this web site in a day or two to retrieve your certificate."
- Now I went to the CA MMC (Start -> Administrative Tools -> Certificate Authority) and I saw the request sitting under the "Pending Requests" folder. I right clicked on the request and issued it (All Tasks -> Issue), and the request moved to the "Issued Certificates" folder
- The next step was to copy the certificate to a .cer file. To do that, double clicked on the issued certificate to view it, clicked on the Details tab and Copy to File. On "Export File Format" selected "Base-64 encoded X.509 (.CER)" and saved to "c:\ServerCertificate.cer"
- Now I went into IIS6 -> Default Web Site -> Properties -> Directory Security -> Server Certificate -> Next -> selected "Process the pending request and install the certificate" and opened the "c:\ServerCertificate.cer" file from the "Process a Pending Request" screen
- The next screen asked about the SSL port; left it at the default, 444, and clicked Next, Next and Finish.
To verify that the server-side certificate was installed successfully, I went back to IIS6, picked a virtual directory, for example "WcfSecure", opened the Properties window -> Directory Security -> Edit (under Secure Communications), checked "Require secure channel (SSL)" and, for client certificates, selected "Accept client certificates" for now. Then I browsed to a .svc file without https, such as http://localhost:8080/WcfSecured/Demo.svc; at this point I got a browser error message asking me to add https to the address, so I changed it to https://localhost:8080/WcfSecured/Demo.svc (it can also be a demo.aspx or demo.ashx page), and as expected, the page now showed correctly. That confirmed that the server-side certificate had been installed correctly. Next is to request and issue a client certificate so we can authenticate the WCF service client.
Written by stevey on August 31st, 2011
I am on a project that requires me to use client certificates to authenticate web users who make requests to my WCF service hosted in an SSL-secured website. During the development phase, I just want to be able to test out the proof of concept, so I need to be able to request client certificates myself and grant them using a localhost Certificate Authority (CA). The first step is to install Microsoft Certificate Services on my local machine, a Windows 2003 Server. Here are the steps I went through to get this done:
- Went to Start -> Control Panel -> Add/Remove Programs -> Add/Remove Windows Components
- Checked "Certificate Services" and clicked Next
- CA Type: there were only two options enabled, "Stand-alone root CA" and "Stand-alone subordinate CA". The two Enterprise-level CA options were grayed out, probably because my machine is not an actual Domain Controller. I left the default option "Stand-alone root CA" alone and clicked Next
- CA Identity: I entered my machine name in the "Common name for this CA" box, and moved on.
- The next screen is "Certificate Database Settings"; just leave everything as it is (Certificate database: c:\windows\system32\CertLog, Certificate database log: the same, Shared folder: C:\CAConfig) and click Next
- At this point, I was prompted with a Windows message, "To complete the installation, Certificate Services must temporarily stop the Internet Information Services. Do you want to stop the service now?"; answered Yes
- Well, then I ran into the screen that asked for the Windows Service Pack 2 CD; changed the location to c:\I386 and it went through.
- Another message box about enabling ASP on IIS popped up; clicked Yes, and the installation completed successfully.
- To verify the CA is installed correctly, go to Start -> Administrative Tools -> Certificate Authority and the CA MMC should come up showing the local machine as root and four folders named "Revoked Certificates", "Issued Certificates", "Pending Requests" and "Failed Requests". In the next post, I will cover the steps I went through to submit certificate requests, which will show up under the "Pending Requests" folder here.
Reference: http://www.ehow.com/how_5143670_install-microsoft-certificate-services.html
Written by stevey on August 7th, 2011
Creating a self-signed certificate on Windows 7/IIS7 was quite a different experience and it took me more time to set it up and get it working correctly (in retrospect, it should have been easier, as most things can be configured with the GUI tool). Anyway, I don't want to repeat the pain and relearn how this is done, so let me summarize the steps here to share with others and to help me find it more easily on a rainy day:
- Open IIS7 (if IIS7 is not available from Administrative Tools, go to Control Panel -> Programs -> Turn Windows Features On or Off).
- Click on the machine node, then double click on "Server Certificates" in the IIS pane
- Select "Create Self-Signed Certificate" from the "Actions" pane and give it a friendly name, such as "WcfSecure" in this case.
- Once the server certificate is created, view the certificate details and write down the Thumbprint, something like ae 8f b2 b4 b0 b6 07 16 8e 73 51 35 38 cd 6b bb 7e 1f 12 d5; remove the spaces so it becomes ae8fb2b4b0b607168e73513538cd6bbb7e1f12d5 and copy it to Notepad for later use.
- Next, bound the certificate to the port: used the VS2010 Create GUID tool to generate a GUID and ran this from the VS2010 Command Prompt (must run as admin):
netsh http add sslcert ipport=0.0.0.0:8080 certhash=ae8fb2b4b0b607168e73513538cd6bbb7e1f12d5 appid={0270078A-39C3-47E8-845C-07D904672C71}
- Created a website to use the certificate so that the WCF service can be hosted in https mode; to do that, click on the Sites node and right click -> Add Web Site -> named it "WcfDemo" and assigned it to port 444 (443 and 442 had already been taken)
- Assigned the certificate to the new website by choosing binding type "https" and picking the certificate from the SSL certificate drop-down; the certificate is at the machine (server) level, so there can be multiple certificates, and multiple sites can use the same certificate.
- Refer to the MSDN article at http://msdn.microsoft.com/library/ff406125.aspx for more in-depth detail.
It is important to note that in IIS7, whenever a new website is created, it automatically creates a new application pool named the same as the website; in this case, WcfDemo is the new app pool. It also defaults to .Net Framework version 2.0, so be careful to manually change it to the version that your WCF app is using; in my case, I changed it to .Net 4.0. Pay attention to Identity: by default, the identity is ApplicationPoolIdentity; the other options under the Built-in account dropdown are LocalService, LocalSystem and NetworkService; you can also choose Custom account and use a Windows user account as the application pool identity. If a SQL Express database is used for storing Membership users and the security mode is set to Integrated Security=true, then the application pool identity must use LocalSystem, or an "An unsecured or incorrectly secured fault was received from the other party. See the inner FaultException for the fault code and detail." error will be thrown when the WCF client calls the WCF service on this website.
If, however, the SQL database uses "SQL Server Authentication" mode and a predefined username and password are passed in the SQL connection string, then you can leave the default ApplicationPoolIdentity alone.
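The netsh binding step from the list above, scripted so the thumbprint is read from the store instead of being de-spaced by hand, and read back afterwards to confirm HTTP.SYS registered the same hash. This is an added PowerShell example, not code from the MSDN article; it assumes an elevated prompt, and the friendly name and port are the values used in this post.

```powershell
# Added example, not from the MSDN article: bind a certificate to ip:port with netsh.
# The store already holds the thumbprint as upper-case hex without spaces, which is
# exactly the certhash= format netsh expects. Assumes an elevated prompt.
param(
    [string]$FriendlyName = 'WcfSecure',
    [string]$IpPort = '0.0.0.0:8080'
)

$certs = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.FriendlyName -eq $FriendlyName })
if ($certs.Count -ne 1) {
    throw "Expected exactly one certificate named '$FriendlyName' in LocalMachine\My, found $($certs.Count)"
}
$cert = $certs[0]
if (-not $cert.HasPrivateKey) { throw "Certificate '$FriendlyName' has no private key; HTTP.SYS cannot use it" }
$certhash = $cert.Thumbprint

# appid is any GUID that identifies the owning application; VS2010's Create GUID tool
# and [guid]::NewGuid() produce equivalent values.
$appid = '{' + [guid]::NewGuid().ToString().ToUpper() + '}'

# Refuse to double-bind: netsh fails with a cryptic error code if ipport is already taken.
$current = netsh http show sslcert ipport=$IpPort
if ($current -match 'Certificate Hash') {
    Write-Warning "$IpPort already has a binding; remove it with: netsh http delete sslcert ipport=$IpPort"
    $current | Where-Object { $_ -match 'Certificate Hash|Application ID' }
    return
}

netsh http add sslcert ipport=$IpPort certhash=$certhash appid="$appid"
if ($LASTEXITCODE -ne 0) { throw "netsh http add sslcert failed with exit code $LASTEXITCODE" }

# Read the binding back and confirm HTTP.SYS stored the same hash the store has.
$bound = netsh http show sslcert ipport=$IpPort
$line = [string]($bound | Where-Object { $_ -match 'Certificate Hash' } | Select-Object -First 1)
if ($line -match '([0-9a-fA-F]{40})' -and $matches[1].ToUpper() -eq $certhash) {
    "Bound $certhash to $IpPort with appid $appid"
} else {
    throw "Binding on $IpPort does not show the expected hash: $line"
}
```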
Written by stevey on July 12th, 2011
During the development of a WCF app, I needed to issue a self-signed certificate to my local Windows 2003 server in order to test out ways to secure WCF server-client communication. For IIS6 this was a bit trickier than for IIS7: I needed to download the IIS6 Resource Kit and then run selfssl.exe to create the certificate, whereas IIS7 can do it right in its GUI. Here are the detailed steps that I went through to create an SSL-enabled hosting environment (via certificate) on my local development machine (credit to this very useful posting here):
- Downloaded the IIS6 Resource Kit from here http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=17275 and installed it.
- Start -> All Programs -> IIS Resources -> SelfSSL
- This launched into a command line:
C:\Program Files\IIS Resources\SelfSSL>selfssl /N:CN=localhost:8088 /K:1024 /V:365 /S:437690215 /T
Explanations:
- localhost:8088 - this is where the https site is to be hosted; as port 80 was already taken by another web host, I used 8088 for the new site;
- /K: is the key size - 2048 is recommended (but 1024 worked for my case);
- /V: days of validity - 365 is recommended (I actually used 730, or 2 years, for development convenience)
- /S: the numeric identifier of your web site in IIS (437690215 is the site id for Wcfhost; the default website is usually 1; found under the root of the website properties)
- /T makes the certificate trusted
- Answered "Y" at the next prompt.
- The message: "The self signed certificate was successfully assigned to site 437690215"
Go back to IIS6 and now there is a certificate under Directory Security.
For creating a self-signed certificate in IIS7, follow this article at MSDN: http://msdn.microsoft.com/library/ff406125.aspx
Written by stevey on June 28th, 2011
When I tried to send email from my main site hosted at Winhost.com, I got this permission error: "Request for the permission of type 'System.Net.Mail.SmtpPermission, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089' failed." The Winhost support forum has responded to this problem and suggested adding <trust level="Full" /> under <system.web> in web.config. I did that and the problem went away.
Thanks to the folks at the Winhost support forum, I was also able to call the Winhost SMTP server, using the network credentials given to my hosting account, directly from my local development machine and send email out over port 587. This sample code at the Winhost KB was the right place to get started with Winhost SMTP mail: http://support.winhost.com/KB/a650/how-to-send-email-in-aspnet.aspx.
Written by stevey on June 23rd, 2011
Having finally gotten fed up with the slowness of WP hosting at GoDaddy, I decided to move my WP blog there to Winhost. Yes, GoDaddy has many features that are powerful and convenient, but that was exactly my problem with them: there are too many flashy features that crowd the site and slow down the UI experience. It was easier to install WordPress and/or other open source apps on GoDaddy, as they are collected in one place and a few button clicks were all it needed. But once my blog was set up, browsing to it was a pain and it sometimes even showed a timeout error.
Winhost is a million miles apart from GoDaddy's flashy world. It is simple, clean and down to earth, and the price is right too. Although at the beginning I felt frustrated by the lack of custom tools, I then figured out that everything I needed can be found in the forum and/or KB. I first relocated my main site, yangsoft.com, which is in ASP.Net 4.0, and the site is already loading 10 times faster. I have been using WordPress for my blogs since early 2010 and liked it a lot, so I wanted to transfer the old blogs from GoDaddy to Winhost. The way to do it seemed to be backing up the MySQL db from GoDaddy, downloading it to a local drive, then using MySQL Workbench to open the .sql file and execute it against the newly created MySQL db on the Winhost server. It seemed to be working, but when I browsed to blog.yangsoft.com at Winhost, the links in the right sidebar always wanted to point back to my old site at GoDaddy. If I cannot fix this in the next day or so, I will just resort to the old-fashioned way: copy and paste.
At this point, I installed WordPress from scratch to yangsoft.com/blog and the installation process was very smooth and clean. I just followed the instructions given on the Winhost forum at http://forum.winhost.com/showthread.php?t=5198
Written by stevey on June 17th, 2011
I had a .Net project that was initially written in C# .Net 2.0, then upgraded to 3.5, and recently to 4.0. So naturally the project has both a LINQ to SQL class (dbml) and an Entity Framework data model class (edmx).
Then this error occurred when I was compiling an ASP.Net page that referenced an EF method call from the data layer: "Error 36 The type 'System.Data.Objects.DataClasses.EntityObject' is defined in an assembly that is not referenced. You must add a reference to assembly 'System.Data.Entity, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089'...."
This message actually turned out to be related to something else: System.Data.DataSetExtensions. After I removed the v2.0 reference to this assembly and replaced it with the v4.0 version, I got a different error: "The type or namespace name 'TypedTableBase' does not exist in the namespace 'System.Data' (are you missing an assembly reference?) c:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\Temporary ASP.NET...". I finally tracked down the culprit: there were a few auto-generated dataset classes that had been added when I created some SQL Server Reporting Services reports in the solution while I was still on .Net 2.0. To prove it, I temporarily excluded all those Reporting Services related files from the web project that references the data layer, and then all the compile errors were cleared.
Written by stevey on June 9th, 2011
Today, I read an outstanding article by Gail Shaw at simple-talk.com about the best way to identify the stored proc or T-SQL query that is the culprit behind a slow-performing website. The basic technique, as suggested by the author, is to use the SQL Profiler GUI to create the trace definition, focusing on the TextData, CPU, Writes, Reads and Duration data columns; run Profiler for a short period and stop, then save the trace definition file. The author strongly recommends not running Profiler for too long, as it competes for server resources and can sometimes bring the server to a halt.
After the trace is run, the results are exported to a table, and by querying that table sorted by CpuImpact, IOImpact and TimeImpact, we can easily identify the stored proc that costs the most. It was a great piece of writing, very clean and with a truckload of useful information. Click here to access part I of the article…