Thank you to everyone who attended the webcast this morning on interop. I wanted to share with you some resources I have on interoperability, and some future plans happening at IASA.

First, resources:

• My latest article on The Server Side .NET summarizes my webcast demonstrations and more...plus links to the code: http://www.dasblonde.net/CategoryView.aspx?category=Interoperability#a96e93182-d627-4625-b671-9b024c9381d0
• Architcture podcast on WS*, see podcast 1-4 here: http://www.microsoft.com/architecture/default.aspx?pid=share.podcast&abver=FEEB2E89-4412-4C58-A7F8-9B2CA0E0BDAC
• WSE links that have code showing off customization of WSE for interop among other things:
• http://www.dasblonde.net/PermaLink.aspx?guid=b2518a69-c715-49e9-b2bc-e71415263032
• http://www.dasblonde.net/PermaLink.aspx?guid=e3db75c6-02c5-4b0d-a681-b733035f112f

IASA plans:

• Earlier this year I kicked off 3 interop events for IASA (International Association of Software Architects). They were user group driven events, where java and .NET communities (among others) united to enjoy some human interop as well as get some top notch interop experts to show their stuff. If your user groups want to do this locally, IASA can help. And don't worry, we are non-profit...and the events can be free if there is enough support of the community and sponsorship. All we need is to get the user group leads to buy in and say “we want an interop event too!!!“
• We are building knowledge communities (just now!) related to architecture, including interop...I have not had a chance to post much there yet (blogs links, articles) but we 'd love to get your feedback, and referrals if you run across something poingnant that should be referenced here...let me know and participate in the growth of the community resource!

More stuff...

• I found some very interesting things as I tested WSE 3.0 and Workshop 8.1 SP5 - keep an eye on this blog for more on that!
• WebLogic 9.0 is the go forward stack to use, since it supports more WS* and will have an integrated IDE summer-ish 2006...to replace Workshop today. Use Workshop if you need WS* today and can't take the time to be a plumber...if you can, use the WL 9.0 stack now (already released with better WS-Security among other standards support)
• We have another big interop event coming at SD West 2006, so you can expect some content out of that one in Q1 2006, including some of the original Apache Axis founding members helping us out!

Well folks, it's that time again...MSDN is pulling together a “best of” series for the webcasts presented this year. I'm presenting two of those web casts. The links below will take you to the master list of webcasts coming up...and remember they are free! From there you can find my two events and register.

In this webcast I'll be showing off the new globalization features. I was taped doing this presentation at Tech Ed this year, but the VS Beta was bombing on me, a few times, so we didn't have a good run at it...this time will be on the RTM and I can tell you it works just beautifully from my presentations last week at Dev Connections :)

Thanks to everyone who attended the SDSIC event last night hosted at WebSense. I had the honor of moderating the event as a favor to Brian Loesgen your usual moderator, and really enjoyed hearing from the panelists:

• Alex Shah, Team SOA (ashah@teamsoa.com) (slides)
• Tom Castiglia, Hershey Technologies (tom@hersheytech.com) (slides)
• David Pallmann, Neudesic (david.pallmann@neudesic.com) (slides)

Thank you also to the panelists for bringing their insight to the challenges with web services today, and how they worked around them. Quite enjoyable!

I for one had a great time yesterday at the launch. Bernard Wong invited Tim Huckaby and myself to help out presenting smart client and ASP.NET, respectively, while he demonstrated code from the Visual Studio 2005 launch event.

For all of you who attended, I offered some content that you might find relevant to ASP.NET and ClickOnce. All of my content references are in my most recent blog entries from DevConnections (see below) but the most relevant are these two:

• ASP.NET - http://www.dasblonde.net/#ab95d2c9b-05c9-4fde-8a47-d77526b457b4
• Smart Client - http://www.dasblonde.net/#aa0a9bfcc-b878-4a68-a50b-30b713c5e7a0

I also wanted to make sure you all know about the .NET course curriculum at UCSD Extension. You can get links to all the courses from our new community blog here: www.ucsdxcommunity.com We'll post special advanced classes here, and also link you to our new course blogs (this is new, not a lot of content yet). I am the advisor to the program (since 1993!) so if you have any special requests, ask away!

<blatant_sales_pitch>

At IDesign we do architecture consulting, but we also do training. I teach the official IDesign Master Class at UCSD 2x per year (www.ucsdxcommunity.com/masterclass) and also do on site training, someone asked about this as well. See www.idesign.net for more information about those courses.

</blatant_sales_pitch>

I hope you enjoyed the day, please keep in touch!

I have a myriad of resources for this talk, once again a jammed talk with lots of vertical topics you want to dive into.

• The short list of performance tips are in the slides. I have uploaded them for those who don't have a copy:
• Data caching - see my blog entry for the data session
• IIS and ASP.NET - this article was written long ago, probably could use an update, but I think my buddy Rick Strahl did a great job document this for 2.0 already
• Asynchronous Handlers - my colleague Brian Noyes wrote this one for 1.1, plus Jeff Prosise and Fritz Onion wrote in-depth articles on the subject for 1.1 and 2.0 as well, these concepts still apply for 2.0, but I will update the web services sample I demonstrated for 2.0 and post it here
• Enterprise System Design
• See my security articles on the server side mentioned in this blog post
• I also wrote this article describing how to leverage Enterprise Services for a scalable Web application:
  http://msdn.microsoft.com/asp.net/community/authors/mlb/default.aspx?pull=/library/en-us/dnaspp/html/aspnetscal.asp. In the article post on MSDN, the SQL script is missing from the installation so, I reviewed the sample tonight, and decided to write up some instructions to help you run the code as well. Download this here:ASPNETScalability.zip
• Other resources:
• http://www.dotnetdashboard.net/sessions/handlers.aspx
• http://www.dotnetdashboard.net/sessions/soapext.aspx
• http://www.dotnetdashboard.net/resources/scalability.aspx

Please let me know if you can't find what you are looking for. Enjoy!

This talk was jammed with advice on building a professional ASP.NET app, and we covered a lot of ground in 1 hour...but I know you want more...so here it is, samples, references to articles...dig in!

• Main Sample - This code samples illustrates many of the points in this talk, but below I'm adding specific references for more details
• Master Pages Article - I wrote this MSDN article long ago, and they will post an update to it in the next week on the release bits...code samples on this site are up to date on RTM
• Dynamic Navigation - extra code sample
• Data Binding & Caching - my other blog entry with data samples
• Localization - my other blog entry with globalization references
• Security Articles
  • ASP.NET Security - This article will be updated on MSDN next week for release bits, until then my code samples are current on this blog
  • Sandboxing Components Part 1 - based on .NET 1.1 and Code Access Security
  • Sandboxing Components Part 2 - based on .NET 1.1 and Enterprise Services, also illustrated component distribution!
• Scalability and Consistency - MSDN article based on .NET 1.1, employing Enterprise Services and transactions

Here are the samples I used (or referred to) in this presentation, enjoy!

• ConfigurationUtility – illustrates how to encrypt a connection string, also shows complext data binding statements, early bound (not using Eva() evil)
• DataDemos – some simple demos of master-details and caching, not presented but consider it extra code!
• PhotoUploadApp – this is the application I demonstrated in the talk

Regarding the SQL cache dependency that didn’t quite work on stage…I forgot to “enable” it on the control, simple silly mistake…I cracked under pressure what can I say?!?

Let me know if you have any questions!

For my globalization talk, I illustrated how to architect Windows Forms and ASP.NET applications for localization, leveraging .NET resources where appropriate. Here are the samples:

• Globalized Windows Sample
• ClickOnce and Globalization
• ASP.NET Globalization

Don't forget to read the instructions for the Web application, it requires a database restore step. If you have any trouble, let me know!

Additional globalization resources:

• http://www.theserverside.net/articles/showarticle.tss?id=LocalizationPractices
• http://msdn.microsoft.com/asp.net/community/authors/mlb/default.aspx?pull=/library/en-us/dnvs05/html/asp2local.asp
• http://msdn.microsoft.com/asp.net/community/authors/mlb/default.aspx?pull=/library/en-us/dnaspp/html/aspnet-globalarchi.asp
• http://www.dotnetdashboard.net/sessions/globalization.aspx
• http://www.microsoft.com/globaldev

Cheers!

I delivered these two WCF/Indigo talks at DevConnections last week, and this post contains sample code demonstrated in both talks.

NOTE: I am building all sample code with November 2005 bits, so they will NOT work with PDC bits. I will update these samples for the very next public CTP so you can look for that.

• HelloIndigo – a simple WCF service, decoupled host
• ComplexTypes – serialization via DataContract
• ComplexTypesV2 – serialization of base types and interfaces
• CustomMessage – my WS-Transfer implementation is not compiling with the current build I have, so I will update this when the issue is resolved
• Messaging – illustrates sessions and instancing
• SimpleQueue – simple msmq example
• WindowsAuthentication – windows auth and security context information display
• SecureService – windows auth and username auth demo, with custom membership provider

I am also posting the slides from this talk. I took this talk over at the last minute for Clemens, and we didn’t have time to get the slides in for the printed books.

VID307DesigningServicesWithIndigo.zip (55.37 KB)

I also promised a tutorial, and my plan is to get permission from my publisher to post a few labs from each chapter in my book, including the security tutorial I showed in the security session. I will update this post to let you know where that will be found…stay tuned for a few more days.

For this half day smart client tutorial, I talked about UI design, globalization, deployment, versioning, security, offline data and download on demand using the System.Deployment APIs. The sample code uploaded here is drawn from my demos, and a few extras listed here:

UI Design

• GDI Watermark
• OpacityDemo 
• GDI+
• CustomBrowser
• SplashScreen

Thread Safety

• BackgroundWorker
• BackgroundWorker (VB)
• SafeControls

Globalization

• Globalized Windows App

ClickOnce

• Tutorial Demo - includes smart client that handles offline data, deployment on demand (for globalization), security elevation
• Offline/Online Smart Client

Also, we have number of other advanced samples on the IDesign site, don't forget to check out our downloads section of the site.

Thanks for attending the tutorial, and let me know if you have any questions about the code samples.

Cheers!

-Michele

Just a quick post to let you know about a new article I completed for TheServerSide.NET...enjoy:

http://www.theserverside.net/articles/showarticle.tss?id=InteropWSE

What a great conference! I talked to many attendees throughout the week in Las Vegas for Dev Connections...and was really pleased to hear about all the interesting enterprise systems (not just applications :)) that folks are buliding on .NET 2.0, and later technologies like WCF and WWF. Very cool.

Now, to business...if you attended any of my tutorial or 6 other talks...I will post a single entry PER TALK this weekend, with code. If you are looking for code I have already posted on this blog that is similar, search under the RSS for Speaking/Events. However, keep in mind, those samples will be pre-RTM for the 2.0 stuff. My posts this weekend will ALL be RTM content :)

First, I have a client to take care of today and tomorrow...so stay tuned after Sunday for the posts!

I hope you enjoyed your entire experience at Dev Connections...it has become one of my absolute favorite conferences to speak at, because of the overall quality of speakers that they have been able to get, and the organization of the entire event, not to mention the people that run it...so if you liked it, tell your friends to come to the Spring conference in Orlando, or come back next year to Vegas!

In my tutorial yesterday here at DevConnections I tossed the slides for the last half (those are for your reference) and basically spent the time demonstrating varioius aspects of ClickOnce: deployment, versioning, security, download on demand, globalization and offline data deployment. Whew, even without slides that was a lot to cover, and we opened many a can of worms that just leads to additional questions on the entire lifecycle of a smart client app deployed with ClickOnce.

One thing that really hit home is the “rights” users have to install applications. There are a variety of answers to that question, some of which were only vaguely answered in our discussion, and one item I wanted to follow up on...which I did with my colleague Brian Noyes.

Q. Who can install a click once application?

Any user can click a link to a ClickOnce application and install the application. If the appilcation requires greater trust than the zone they are installed from will grant (Intranet, Internet, My Computer) they will be prompted to approve the installation.

HA! That's that part I wasn't expecting (thanks Brian)...because I thought that ClickOnce was secure by default, meaning...users can't just click “ok“ to accept the download and elevation of application privileges...apparently I'm wrong...and I could swear I remembered speaking to someone “who knew“ about this in the past...but my memory may fail me...too much stuff in there I guess.

Q. What's the prompt for?

The download prompt is for one thing only: do you want to elevate security of this application you are downloading, beyond the security settings for its zone?

Are you sure? Are you REALLY sure?

And away we go, the app gets all the security it needs to run...that is, if there is sufficient permissions to complete the installation...

Q. Are users ALWAYS prompted to elevate security?

They are prompted every time the application is updated if it requires additional permissions beyond what the zone allowed.

UNLESS...the certificate is installed in the trusted publishers section of the certificate store, and if the issuer of the certificate is installed in the trusted roots section. Administrators can push the certs out to machines within the domain so that users are not prompted to elevate security for trusted publishers.

For non-trusted publishers, users will continue to be asked...WHAT??!? Yep, users by default have the right to “decide“ if they want to trust an application...and yes, it could be an application that when run deletes that special project they have been slaving over...or some other malicious behavior... and all because they were asked a question to which they responded...

duh...ok!

Q. Can administrators protect users from downloading untrusted applications?

Yes. If the prompting behavior is turned off, only applications that are trusted (cert has been installed) will be allowed to elevate security. Other apps can only run within the confines of the zone they belong to. So, if you install the application with an MSI, you get My Computer zone, and that grants full trust by default. Internet or Intranet downloads are granted less.

To turn off prompting behavior, set up the registry key:

To make life difficult for users? no

To make life difficult for Mort? no

To make it difficult to accidentally trust a malicious third party and give them full access to the machine? yes, absolutely

So, administrators get your SMS push ready and get that registry setting up and running...pronto! Unless you don't concern yourself with the users ability to install apps to the corporate domain.

Conclusions:

• by default anyone can install an application and elevate trust unless admins turn off the prompting features
• applications that have publisher certificates installed are trusted to elevate security
• application installations over the Web or via MSI still may need administrative if the bootstrapper calls for adding components to the GAC, or downloading SQL Server Express which requires an admin as well...so ClickOnce is not necessarily removing the pain of installing complex applications...but it sure makes it easy for apps that don't require admin installation privileges
• in any case, once installed updates that don't bootstrap additional functionality that requires admin installation rights...can be easily handled by any user

Hope this is helpful to those that were new to ClickOnce...since we really couldn't get through all the nit picky details in my talk.

Please visit my collegue Brian's talk tomorrow for more:

Wed 2:00-3:15pm - VSM351: Secure Smart Client ClickOnce Deployments

Unless you want to come to my talk on Indigo/WCF security:

Wed 2:00-3:15pm - VID304: Indigo and Security: Experience the Magic

See you around!

I decided to get BlogJet working for my Dev Connections posts…in honor of the Smart Client tutorial I’m giving Monday afternoon. In fact, if you are wondering why I (once again) went dark on posting to the blog for a while, well, I ended up getting an extra WCF slot at the conference, along with my 5 other talks (now 6!) and tutorial…so it has been busy busy busy as usual…getting ready to head to Vegas…after all, I have to try and enjoy some time at the black jack table too!

Speaking of black jack…maybe you saw in my latest post I lost bad in the Microsoft After Dark game…but it was for a good cause…I’ll do much better in Vegas I think, I’m more careful with my own money!

So, if you are coming to Dev Connections (I don’t see why you wouldn’t, it is now the biggest and best independently run Microsoft technologies conference out there!!!) here’s what I’ll be doing…come by and say hello…maybe give me some blackjack tips!

Here are my sessions at the conference…whew…this one is going to be busy busy busy…

Monday, November 7th

VPR203: Return of the Smart Client – What the heck do I do now? (1:00 PM - 4:00 PM)
Before the Web took over, developers spent their time designing, developing and building deployment strategies for rich client applications. End-users expected that rich user interface where tab-order and keyboard-only access was perfectly tuned, and perfectly tailored controls delivered functionality and ease-of-use. At first, the masses cringed at the less functional Web experience – and then ASP.NET came along making it incredibly easy to deliver a fairly rich experience, deployed to any Internet-connected PC. Now, we face a new paradigm shift. Users want it all: rich, user-friendly interfaces; no-touch deployment; automatic updates; offline work capabilities with applications that can later connect to central data stores. The Smart Client experience promises to deliver all of these requirements and more – but, we are entering a new phase where developers have to re-acquaint with best practices for rich client user interface design, and deployment and update strategies. They also have to learn how to handle the complexity introduced by supporting offline functionality, and hosting services for connected synchronization.  This session will review the concepts every developer should know to handle the return to the new thick smart client.

Tuesday, November 8th – MICROSOFT DAY!!!

Wednesday, November 9th

VPO357: Best Practice Approaches to .NET 2.0 Localization Architecture
When the .NET Framework was released, a new paradigm for localization architecture was born – simplifying some of the tedium of loading and managing resource lifetime, and selecting the best match for the user’s selected culture at runtime. Through IDE integration, robust assembly deployment and versioning features, and built-in support from localization class libraries, both Windows and Web applications were more easily localized. Built on this strong foundation, new localization features have been introduced with .NET 2.0 to bringing strongly typed resources, tighter IDE integration, and a much better localization story for ASP.NET applications. In this session you will be provided with a step by step, best practices approach to localizing your applications. You’ll learn how to control culture selection, how to work with XML resources and satellite assemblies, and see demonstrations of best practice deployment models.

VID304: Indigo and Security: Experience the Magic
The Indigo platform will unify our programming model for how components communicate: be they distributed or not, accessible beyond firewalls, or available through interoperable interfaces. Transport level and SOAP message security features, like other aspects of Indigo, can be enabled through XML configuration or programmatically through the Indigo API layer. In this session, you’ll learn the difference between single hop and message level security; how to apply security through endpoint binding configuration and behaviors; and see first hand how quickly you can secure your messaging layer. More importantly, you’ll see demonstrations that illustrate the amount of security goo that is encapsulated in the Indigo plumbing, in particular the elegance of its Web services security implementation which shields you from the XML that handles policy exchange, message authentication, integrity, confidentiality, and key exchange.

APF301: Performance Tuning and Monitoring your ASP.NET Applications
Sometimes the smallest details can make all the difference. This statement is true also of ASP.NET application performance. This session will provide you with a checklist designed to help you squeeze every dime of performance from your applications. You’ll learn techniques for reducing pressure on the garbage collector, best practices for state management, and how to reduce page load footprint. In addition, you’ll learn how to employ output and data caching mechanisms, leverage database caching, trigger batch site compilation, and avoid common pitfalls. Lastly, you’ll see how to leverage performance counters to baseline site performance and monitor statistics to meet service level agreements.

Thursday, November 10th

VID307: Designing Services with Indigo (Windows Communications Framework)
Services are the natural evolution of distributed components and RPC, providing greater possibilities for reuse and distribution from earlier component-oriented approaches. The Windows Communications Framework (WCF) introduces interesting possibilities for enterprise system design, specifically with regards to service design. Services are not RPC or Remote objects however they do solve the same problems. With WCF a service design approach applies to accessing functionality near or far, and satisfies the same implementation goals of Enterprise Services, Remoting and Web Services all in one. In this session you’ll see several examples of exchange patterns and transfer modes and see how to apply WCF principles to system design. You’ll learn how various WCF contracts and configurations can be applied to specific exchange patterns, how application-level messaging improves upon the parameter list approach, and see how common enterprise system design practices can now be more easily approached with the progressive service design and distribution support of the WCF.

ADX352: Beyond Drag & Drop Data Access: How to Decouple ASP.NET 2.0 Data Binding from Presentation
You can build data-centric Web sites in fewer steps than ever before with ASP.NET 2.0, but as always this can lead to poor design practices. This session first shows you how to leverage Server Explorer to quickly build prototypes of your data-bound Web pages, and subsequently shows you how to shuffle generated code into appropriate layers to promote decoupling and reusability, distribution and scalability, and reduction of maintenance overhead. You will see examples that employ the richness of the new GridView and DetailsView controls; learn best practices for employing data source controls to support decoupled two-way data-binding; learn how to employ data caching for performance; and techniques for storing and encrypting connection strings – all while maintaining a level of re-use and maintainability.

AGN351: 10 Essentials for a Professional ASP.NET 2.0 Application
Every ASP.NET application should be designed with a few essential requirements in mind. With the release of ASP.NET 2.0, developers need an updated checklist for constructing applications that follow some simple best practices. In this session, you'll be provided with 10 essential guidelines for  developing professional ASP.NET 2.0 applications, including best practices for page layout and design, navigation, error handling, caching, state management, authentication and authorization, configuration and encryption, component design and deployment, component security and sandboxing, and more. At the end of this session, you'll have access to samples that demonstrate each of these guidelines, with some reusable application templates to help you build secure, maintainable and professional ASP.NET 2.0 applications.

Feel free to ask questions about what I’m covering in more detail…or tell me what you are hoping to get out of any of these sessions you are attending…see you in Vegas babies!

I had the distinct honor to sit at the blackjack tables at Microsoft Studios in Redmond…just a few weeks ago. This event – called “Microsoft After Dark” – is in honor of the upcoming launch this week in San Fransisco. Basically, we chatted a bit about the products tied to the launch, and I was commissioned to “ask the tough questions” that our clients have been wondering about…so the heat was on, hot studio lights, hot topics, and hot competition at the tables…WHEW!

Of course, I should have known I was doomed when I opened the game saying something along the lines of “I’m going to crush you all…”. THAT was a mistake…because with $100,000 to play with (about 1000x more than I would ever consider bringing to the blackjack table) I figured…why not take some big risks…

The real problems started once I decided to up my bet to $50,000, and I had a PERFECT hand for double-down…argghh…and the dealer didn’t bust!!! I lost almost everything right there…oh well…ahem…letting…the VPs win was probably strategically smart given I was kind of pointed with my questions…and you know they had great answers for all of them :)

I’m afraid to watch this…so let me know what you think of it…

Speaking of Vegas…Dev Connections is coming…next week…and many of us are going to blog about our talks and sessions…plus…I’ll definitely try my hand at blackjack with my buddy Kimberly Tripp…join us :)

There have been a few more updates to our architecture podcast (I mentioned if first here: http://www.dasblonde.net/PermaLink.aspx?guid=9a692932-8a4c-47b1-b780-7db4bd1cb83b)...

We have one more round of comments for the 4th podcast to go live...and I think that will wrap up the podcast on WS*...but there will be more podcast in store. Check out the latest here:

http://www.microsoft.com/architecture/default.aspx?pid=share.podcast&abver=FEEB2E89-4412-4C58-A7F8-9B2CA0E0BDAC

What did you think about this discussion, and its flow. It was kind of interesting, we each recorded our comments over the phone, separately, in response to one another...I thought it was an effective way to get collect our opinions, and it didn't take much time to do (important when you are travelling, busy, deadlines, etc).

I can't wait to see the next set of topics and speakers...