|
>
 Thursday, April 24, 2008
 |
|
 |
|
|
|
|
|
I recently spent a painful 30-40 hours setting up VPCs according to the Tech Net lab "Step-By-Step Guide for AD FS in Windows Server 2008. The lab is located online here: http://technet2.microsoft.com/windowsserver2008/en/library/87e1a178-4d8a-4e89-98b0-d125f9c84c221033.mspx?mfr=true In fact, the process didn't have to be so painful except that there are just a few instructions that are less than clear, incomplete or incorrect. Of course, when things don't work as expected I automatically assume that I missed a step, executed a step incorrectly, or just plain didn't know something that the lab instructions assumed everyone knows. So, my natural instinct was to repeat the steps, which I did several times spending many hours since there are 4 VPCs and lengthy installation steps involved for each. As it turns out, just a few fixes to the lab instructions could have avoided all that. A document summarizing the issues can be downloaded from here, with additional screenshots beyond what is discuss below: http://www.dasblonde.net/downloads/ADFSServer2008LabErrata.pdf. I hope you find this helpful if you are trying to follow the lab. If you encounter different problems, please do let me know so I can post updates here. Step 1: Preinstallation Tasks - Section: Configure computer operating systems and network settings
- Before you get started, make sure to turn off the firewall settings on all VPCs. The firewall gets in the way of DNS resolution between machines which causes problems with adding computers/users to domains, problems browsing to sites later on in the lab, and similar problems with redirections that take place when you run the lab.
- During network setup, you don’t need to select server roles yet even though the chart lists them. Just set up the IP addresses at this time. The table listing is just a little misleading as it might lead you to think you need to set up the web server, federation server or domain controller at this point, but there are separate steps for this later.
- Set IP addresses according to the table for IPv4 and disable IPv6. If you don’t disable IPV6, the AD DS setup will try to enable dynamic DNS and then your static IPs will be blown away.
- Section: Install and configure AD DS
- The firewall on the adfsaccount machine must be off for this to work.
- After installing AD DS, check your network IP settings again just to make sure the DNS settings are as you set them in the previous step. I found that sometimes the preferred DNS settings were reset.
Step 2: Installing AD FS Role Services and Configuring Certificates - Section: Configure IIS to require SSL on both federation servers
- You can skip this step completely!!!! After you install AD FS there is a new web application directory created under /adfs. The /ls subdir is already set up to require SSL and Ignore certificates. The /fs subdir is already set up to require SSL and Accept certificates. You don’t need to do anything more here. In fact, if you execute this step and set up the default web site to Accept certificates you’ll be prompted to supply a client certificate when you browse to the claims-aware application later on. This will not only confuse you, but prevent you from browsing to the claims-aware application successfully.
- Section: Export the adfsresource server authentication certificate to a file
- There is no reason that you have to export the private key (.pfx) here. To establish trust only the public key cert (.cer) is required. Following the lab steps won’t hurt you here, but it is important to understand that exporting private keys is not traditionally recommended outside of the machine, domain or application that owns the key.
- This also implies that the next section could import a .cer instead of a .pfx, depending which route you take.
Step 3: Configuring the Web Server - Section: Configure IIS on the Web server
- After completing step #7 to require SSL for the default web site, skip step #8. Leave the setting as require SSL and Ignore client certificates. You don’t want to Accept client certificates, this causes the browser to prompt for a certificate when you browse to the claims-aware application.
- In fact, step #7 could be modified so that you don’t require SSL for the entire Default Web Site. Instead, you could just require SSL for the /claims-aware application directory which we will be browsing to.
- Section: Create and configure the claims-aware application
- These instructions are fine, but the files from the Appendix A are incorrect for IIS 7. See my notes on this later on.
Step 4: Configuring the Federation Servers - These steps are fine, but after you have completed these steps you’ll have to do a few more certificate installations to ensure self-signed certificates are trusted on appropriate machines. I have provided instructions on that below.
Running the AD FS Diagnostic Tool - When I was trouble-shooting my own lab issues, Joe Kaplan pointed me to the AD FS Diagnostic Tool which is blogged about here: http://blogs.technet.com/adfs/archive/2007/11/01/adfs-diagnostic-tool.aspx. This really helped me to verify certificates were trusted, and that my AD FS configuration was ok. Run this tool and follow the instructions on the blog post. Note the following:
- You will get warnings on the resource server related to E-mail claims, but those do not cause any concern, just ignore it.
- If you do get any errors, fix the problems indicated in the error. I only encountered one or two errors related to self-signed certificate trust, which I explain how to fix in the next section.
Additional Configuration for Self-Signed Certificates - Since you are using self-signed certs on all machines, it is best practice to install your public key certs into the Trusted Root Certification Authorities store on the machine that owns the cert, and on any machine that must trust the cert. Some of the lab steps address this, but there are a few missing steps and again this can confuse you if you aren’t familiar with certificate issues.
- The following instructions guide you first through exporting the certificates we need to work with. You may have already exported these certs in previous steps, and hopefully are using the same naming convention specified in the lab.
Exporting certificates, if you haven’t already: - Machine: adfsaccount
- The private key created for IIS is installed in the Local Machine/My store, called adfsaccount.adatum.com. Export the public key certificate (.cer) if you haven’t already and call it adfsaccount.cer.
- The private key created for the federation server to sign tokens is installed in the Local Machine/My store, called Federation Server adfsaccount. Export the public key certificate (.cer) if you haven’t already and call it adfsaccount_ts.cer.
- Machine: adfsresource
- The private key created for IIS is installed in the Local Machine/My store, called adfsresource.treyresearch.net. Export the public key certificate (.cer) if you haven’t already and call it adfsresource.cer.
- The private key created for the federation server to sign tokens is installed in the Local Machine/My store, called Federation Server adfsresource. Export the public key certificate (.cer) if you haven’t already and call it adfsresource_ts.cer.
- Machine: adfsweb
- The private key created for IIS is installed in the Local Machine/My store, called adfsweb.treyresearch.net. Export the public key certificate (.cer) if you haven’t already and call it adfsweb.cer.
Importing certificates, if you haven’t already: - Machine: adfsaccount
- Import both adfsaccount.cer and adfsaccount_ts.cer into the Local Machine/Trusted Root Certification Authorities store.
- Machine: adfsresource
- Import adfsresource.cer, adfsresource_ts.cer and adfsaccount.cer into the Local Machine/Trusted Root Certification Authorities store.
- Machine: adfsweb
- Import adfsweb.cer into the Local Machine/Trusted Root Certification Authorities store.
- Machine: adfsclient
- In Step 5 you will be asked to install certificates through the browser. This should work just fine for you, thus no need to manually install to the certificate store. In the event you have issues, or if your client is not Vista o XP, you may need to manually install the certificates to trust the downstream services.
- Import adfsaccount.cer, adfsresource.cer and adfsweb.cer into the Local Machine/Trusted Root Certification Authorities store. This tells IE that the web sites can be trusted even though the certificates are self-signed.
Step 5: Accessing the Sample Application from the Client Computer - This is the section where I began to have issues, which of course led me to retracing my steps several times unnecessarily as it turned out since the problems were related to a few missing or incorrect steps.
- DNS Resolution:
- The first problem I encountered was DNS resolution to adfsaccount. I consulted my friend Stephen Rose for this one, and we literally spend hours reviewing each VPC and its IP and DSN configuration, looking for issues. I learned a lot about DNS in the process (Stephen is the man) but we still ultimately had problems pinging one of the machines. As it turned out, the issue was the firewall was still on for one of the machines. Somehow we failed to see that.
- Make sure you can ping each machine from the adfsclient machine using not just IP address, but actual DNS – check your firewall settings first if you can’t, then check your IP/DNS settings on each machine to match Step 1:
- Ping adfsaccount.adatum.com
- Ping adfsresource.treyresearch.net
- Ping adfsweb.treyresearch.net
- If DNS is working, you shouldn’t have any issues with the steps in this section of the lab.
- Requiring a Client Certificate:
- The second issue I encountered was the client certificate issue. When I browsed to the claims-aware application, IE kept prompting me for a certificate with an empty dialog since I had no certificates. I consulted my friend Joe Kaplan for this, thinking I was missing something in my configuration. We extensively reviewed my setup, and in the process stumbled on the IE settings for Accept certificates. He educated me that the adfs/ls and /adfs/fs directories were already set up properly when you install AD FS on the machines…so I rolled back the step that incorrectly configured each web site for the Accept setting.
- If you skipped the step to configure the web sites to require SSL and Accept certificates, you should be able to get through the steps in this section of the lab as well.
- Section: Configure browser settings to trust the adfsaccount federation server
- You should get a certificate error in this step, since the certificate is self-signed. When prompted you can to install the certificate as instructed for the adfsweb site in a later step.
- Sections: Access the claims-aware application from a Windows XP client/Vista client
- Either of these sections should behave similar though instructions to handle self-signed certificates are slightly different.
- You may be prompted more than once to install certificates, as you are redirected to the adfsresource and adfsaccount servers. Be prepared to install several certificates.
Appendix A: Creating the Sample Claims-Aware Application - The code for default.aspx and default.aspx.cs are fine in this section of the lab.
- The web.config does not work for IIS7, and this can really throw you for a loop because you’ll get a generic “Internal Server Error” at the client machine…with NO IDEA what is behind it. This happened to me and I assumed once again that I had missed a configuration step. Joe Kaplan and I spent a bunch of time trying to trouble shoot my configuration for AD FS on all machines, thinking that was the cause…and then he eluded it might be an IIS issue. It turns out that if you browse to the /claimapp from the web server machine you can see the full error. Thanks to my friend Richard Campbell for suggesting I try that one! Since I have custom errors turned off in the web.config, I should have been able to see the error remotely…but apparently something else (perhaps in IIS 7 defaults) is overriding that behavior. I’ll have to look into that separately.
- When I was able to see the full error, it pointed to a configuration issue in the web.config related to the HTTP module configuration for the Web Agent (screenshot below). A new section must be added to the web.config, inside the <configuration> element, as follows:
<system.webServer>
<modules>
<add name="Identity Federation Services Application Authentication Module"
type="System.Web.Security.SingleSignOn.WebSsoAuthenticationModule,
System.Web.Security.SingleSignOn, Version=1.0.0.0,
Culture=neutral, PublicKeyToken=31bf3856ad364e35, Custom=null"
preCondition="managedHandler" />
</modules>
<validation validateIntegratedModeConfiguration="false" />
</system.webServer>
I have to say, it was an interesting ride trying to get this lab set up, and as it turns out there aren't too many errors in the lab but the few missing and incorrect steps was enough to cost me 30 extra hours at least of preparation time. I hope you do not have the same problem with the tips I have provided here. I have to thank once again my friends Stephen, Joe and Richard for their respective roles in helping me work through the issues. Especially Joe who really went out of his way to help me review the AD FS setup, even though it turned out that the lab was not incorrect on that front...he gave me lots of great insight in the process, not to mention some cool tools that I could use to troubleshoot. You guys are the best!!!!
Supporting Resources:
- Joe Kaplan is one of the very few and strongest authorities on AD FS out there today, and he was a tremendous help to me as I got up to speed on the environment. His web site and forum are as follows:
- ADFS for Developers – a nice high level article from Keith Brown on ADFS (for 2003 server):
- Understanding WS-Federation – to understand the protocols beneath federation, this is helpful:
|
|
|
 |
|
 |
|
|
|
|
|
|
|
|
|
A few weeks ago I was presenting a code sample that I created last year and discovered a mysterious problem. First, let me explain the sample. It is a proxy wrapper for WCF clients that illustrates how to swallow timeout exceptions and recreate channels automatically when there is an exception that faults the channel. The idea is this: - When a channel with a transport session times out, does the user need to see an error? Not really. But, the exception won't show up until you try to call the service, so my wrapper catches communication exceptions and if they are not faults it creates a new channel and retries the same call to the service once more. The theory is, if it fails again, we probably have a bigger problem. Otherwise, we will have successfully allowed the client to continue working without seeing an error.
- When an uncaught exception from the service faults the channel, the client channel will also be faulted if the call is not one-way. The user should see the error message, even if it is an uncaught exception, but the next time they use the proxy they should get a new channel so they can continue to work. So, the proxy wrapper creates the channel again if the channel is faulted, before making the next call.
I explained this in my ASP.NET Pro article on the subject. The latest code for this is here: http://www.dasblonde.net/downloads/Proxies.zip Well, the problem that In encountered is that all of a sudden my logic for checking if the channel was faulted after a timeout, was failing!!!! It was strange - from one stack frame to another, the channel went from Faulted to Created. But none of my code affected that change! So, of course I thought that something had changed in .NET 3.5 related to channel factory caching that might have had a side-effect of my code...and I didn't have time to investigate further until today while I was talking with my colleague Brian Noyes about the subject. Long story short, he ran the code, reproduced the problem, and remembered that there were some strange behaviors with SUO files for a solution that could cause this. He deleted the SUO and then the sample worked like it originally did!!!!! I did the same, and found the same result. This is really messed up! Apparently this is a common problem, but I have never heard about it before. The real annoyance is the time I spent troubleshooting this before I talked to Brian, and the doubts it put in my mind about new features of WCF and possible regressions....and yet I was wrong...it was the stupid SUO file. What the? Holy? This is an unacceptable bug. Who knows what kind of misleading issues this could cause developers in their day-to-day work. Technorati Tags: WCF, VS 2008 |
|
|
|
|
|
|
Wednesday, April 09, 2008
Saturday, March 08, 2008
|
|
|
|
|
|
|
|
|
I just wrapped up a week at SD West in Santa Clara where I delivered 2 full day tutorials and 4 sessions. This post will lead you to all the sample code for those sessions, enjoy! Tutorial: .NET Technology Roadmap Tutorial: Building an Enterprise SOA with WCF - Most of the samples for this tutorial come from my book. Download those samples with instructions here: www.thatindigogirl.com. In addition I also demonstrated some newer samples including the following:
Entity Framework, AJAX and REST - A look at Project Astoria Exploring Windows CardSpace Federation with WCF Scalability and Throughput Considerations for WCF
|
|
|
|
|
|
|
Thursday, February 28, 2008
|
|
|
|
|
|
|
|
|
I'm in the middle of preparing for a session at SD West next week where I talk about the Microsoft Technology Roadmap - basically an avalanche of technologies in one day. Each time I present this I have to update my resources with newer tools, usually extensions to Visual Studio environment, so that attendees can be successful at running demos. Here is my latest list of "setup instructions" for the CTPs I use, with links to where the sites are located. I can't guarantee how long these will be the latest, but you should be OK for at least the next month! This section describes core machine setup for the operating system, .NET 3.0 and SQL Server. · Enable IIS · Enable MSMQ · Install .NET 3.0 http://www.microsoft.com/downloads/details.aspx?FamilyId=10CC340B-F857-4A14-83F5-25634C3BF043&displaylang=en · Windows SDK Update for Vista (really, for .NET 3.0) http://www.microsoft.com/downloads/details.aspx?familyid=4377f86d-c913-4b5c-b87e-ef72e5b4e065&displaylang=en · SQL Server 2000/2005 or SQL Express o Install any service packs This section describes core machine setup for the operating system, .NET 3.0 and SQL Server. · Enable IIS/WAS · Enable MSMQ · NOTE: .NET 3.0 is already installed · Windows SDK for Vista (really, for .NET 3.0) http://www.microsoft.com/downloads/details.aspx?familyid=4377f86d-c913-4b5c-b87e-ef72e5b4e065&displaylang=en · SQL Server 2000/2005 or SQL Express o Install any service packs This section lists tools to install to set up your Visual Studio 2005 environment. For .NET 3.0 and 3.5 development, Visual Studio 2005 is sorely out of date on tools, so anything you install from this list below is likely not to work with newer code samples. You have been warned. · Visual Studio 2005 Extensions for WCF and WPF – November 2006 http://www.microsoft.com/downloads/details.aspx?FamilyId=F54F5537-CC86-4BF5-AE44-F5A1E805680D&displaylang=en · Visual Studio 2005 Extensions for WF – November 2006 http://www.microsoft.com/downloads/details.aspx?familyid=5D61409E-1FA3-48CF-8023-E8F38E709BA6&displaylang=en · Visual Studio 2005 LINQ CTP - May 2006 http://www.microsoft.com/downloads/details.aspx?familyid=1e902c21-340c-4d13-9f04-70eb5e3dceea&displaylang=en · Visual Studio 2005 ADO.NET vNext CTP – May 2006 http://www.microsoft.com/downloads/details.aspx?FamilyId=B68F6F53-EC87-4122-B1C8-EE24A043BF72&displaylang=en · Visual Studio 2005 Entity Data Model Designer Prototype CTP – May 2006 http://www.microsoft.com/downloads/details.aspx?FamilyID=74bda7b2-9ca9-4eea-a33f-31942ddc9dbe&displaylang=en This section lists tools to install to set up your Visual Studio 2008 environment. Many tools have been installed, but there are also many extensions for ASP.NET, AJAX, Silverlight and ADO.NET 3.5 features in this list. · NOTE: Tools for WCF, WPF, WF, AJAX and LINQ are built-in · Run this so that older projects will bind to older version of AJAX libraries http://download.microsoft.com/download/7/9/2/79268325-1006-4566-bd26-5581b8971f36/DisableAjaxPolicy.EXE · AJAX Control Toolkit for .NET 3.5 (includes the rich code sample for AJAX) http://www.codeplex.com/AtlasControlToolkit/Release/ProjectReleases.aspx?ReleaseId=4941 · ASP.NET 3.5 Extensions Preview – December 2007 CTP http://www.microsoft.com/downloads/details.aspx?familyid=A9C6BC06-B894-4B11-8300-35BD2F8FC908&displaylang=en · ADO.NET Entity Framework Beta 3 http://www.microsoft.com/downloads/details.aspx?familyid=15DB9989-1621-444D-9B18-D1A04A21B519&displaylang=en · Entity Framework Tools Beta 3 http://www.microsoft.com/downloads/details.aspx?FamilyId=D8AE4404-8E05-41FC-94C8-C73D9E238F82&displaylang=en · Silverlight 1.1 Alpha Refresh – September 2007 http://msdn2.microsoft.com/en-us/silverlight/bb419317.aspx · Silverlight 1.1 Tools Alpha for VS 2008 – November 2007 http://www.microsoft.com/downloads/details.aspx?familyid=25144c27-6514-4ad4-8bcb-e2e051416e03&displaylang=en · Expression Blend 2 Preview – December 2007 · http://www.microsoft.com/downloads/details.aspx?familyid=65177E23-C116-475A-9057-5A5071A379F6&displaylang=en · ASP.NET 3.5 Extensions Preview – ADO.NET Data Services Silverlight Add-On - December 2007 http://www.microsoft.com/downloads/details.aspx?FamilyID=fd9c2a29-7383-4b2e-9ec9-0c6120718d4f&displaylang=en Technorati Tags: Visual Studio, CTP, Setup |
|
|
|
|
|
|
Wednesday, November 14, 2007
|
|
|
|
|
|
|
|
|
Thanks to all that attended the full-day tutorial at Dev Connections last Monday - Improve Your SOA: Designing a Secure, Reliable and Scalable System. It was certainly an avalanche of rich topics related to SOA and WCF. At last I have compiled the long list of resources from the day, including references to some getting started resources for those new to WCF. Getting Started Demos Code from the book is organized by subject matter. I specifically illustrates samples from these subdirectories: \Exceptions, \Security, \Security\ClaimsBased, \Instancing, \Concurrency, \Bindings, \QueuedMessages, \Transactions, \ReliableSessions. If there are other resources you are looking for specifically, please drop me an email and I'll add to this post. Thanks! Technorati Tags: Dev Connections, WCF, SOA |
|
|
|
|
|
|
Monday, November 12, 2007
|
|
|
|
|
|
|
|
|
I just returned from another fantastic Dev Connections conference in Las Vegas. For the four sessions I delivered, this post lists the code samples and resources I referenced. If you are looking for something specific and can't find it here, shoot me an email. Tutorial resources will be posted separately. Enjoy! Introduction to C# 3.0 Exploring Windows CardSpace ASP.NET and WCF: Meet Your New Web Service Architectural Considerations for ASP.NET Applications - GalleryDemo20 - This sample illustrates different globalization techniques including the use of generated resources for page content, the use of resources to select localized images and dynamically loaded user controls, the use of localized database tables, and caching based on theme, culture and query string params
- CustomResourceProviders - This sample illustrates the use of custom localization expressions and custom resource providers. The code is based on this article: http://msdn2.microsoft.com/en-us/library/aa905797.aspx and updated for VS 2008.
- Extending the Visual Studio IDE for localization - I wrote a follow on article on this for MSDN, it has not yet been published, hopefully soon (backlog) but I will post the code here in an update to this post, after a quick review later this week.
- Distributed Boundaries - This sample was based on the ConnectionOrientedBindings lab from Chapter 3 of my book Learning WCF. All the code for my book is here: http://www.thatindigogirl.com/LearningWCFCode.aspx. This particular sample shows how to use a WCF service behind your ASP.NET applications to introduce a security boundary between NETWORK SERVICE and access to data and other resources. I talked about this in two articles for the server side, long ago:
- TransactionsOverHttp - This shows how to flow transactions over WCF web services, but I have many more examples of WCF transactions here: http://www.thatindigogirl.com/LearningWCFCode.aspx
- MessagingIntermediaryVia - Illustrates a pass-through router over HTTP where even reliable messaging headers can pass through both directions.
- MessagingIntermediaryDuplex - Illustrates a duplex router that supports reliable messaging headers two-way out of band over named pipes.
|
|
|
|
|
|
|
Monday, October 22, 2007
Sunday, September 16, 2007
|
|
|
|
|
|
|
|
|
I have working with, writing about and presenting on CardSpace for over 2.5 years now...and in the process refining how I describe to people the benefits of information cards for improving security for end-users. In particular, end-users that are not like us developers...every day people that don't know how to choose which sites are unsafe, which links to click in email, and so on. Consider the following malicious PayPal email: 
You can see that the "Click here to verify your information" link is not really sending you to the PayPal site. I see this because I hover over the link to verify the destination...but most non-developers won't know to do this. For those unsuspecting users the story might play like this: - They go to the destination site, which might look just like the PayPal site.
- They try to log in, it fails repeatedly. In the meantime, they enter every combination of username and password they use in various sites...perhaps including their online banking site.
- The malicious site collects these combinations of username and password.
- The user gives up logging in.
- The malicious sites now tries to log in to the real PayPal account, or worse, to some of the major well-known online banking sites.
- If they are lucky, and the user is unlucky, one of those username and password combinations will work at the online banking site, and they can write themselves a check, or otherwise play havoc on the user's bank account.
It is that easy to lift a username and password combination. So, how do information cards issued by CardSpace (or, any other identity selector) help? Let's assume that the user has associated a personal card with their PayPal account...if PayPal supported information cards. The same scenario might go like this: - The user get's the evil email. They click the link and head to the malicious site that looks just like PayPal.
- If the site doesn't support information cards, the user will be suspicious because they always log in with a card.
- If the site shows support for information cards, the user may fall for it and click on the "log in with personal card" link which takes them to CardSpace.
- CardSpace will ask you to confirm the site by reviewing its privacy statement and site identity. This should trigger an indication to the user that this is not the site they think it is, since they would normally only get this the first time they hit the site. If they have logged in to PayPal before with a card, they wouldn't see this screen:
- Assuming this isn't enough to tip off the user, and they continue, the next strange behavior will be that they are asked to select a card to send to the site...but there will not be any list of cards already used at this site.
They should have seen at least one personal card present as shown here: 
- Assuming this is still not enough to tip off the user, and they decide to select a card to send...the destination site will receive a security token with the requested claims which may include any personal information that you can enter into a personal card such as name, address, phone number, date of birth, and your card's private personal identifier (PPID). BUT, if the site requests more claims than PayPal, there are still more indicators of the malicious site. The first is that you'll be informed that the site is requesting new claims:
- This should really stop the user in their tracks, but they can preview the data requested and decide if they are comfortable sharing this data as shown here:
- If the malicious site wants any data I never share with PayPal, the user would probably stop here. But, let's say they continue and add the data, or, let's say they already had entered the data for this card so it wasn't necessary to provide it here. For example, I might create a personal card with my home and business details in full...but that doesn't mean I send all those claims to every site. Perhaps only to my online banking site because they require an address and phone number to help prove who I am sending the card. So, if the card already has all the details, the user is still warned that new claims were requested and should be approved:
- The user can (and should) preview the requested data. In fact I think that CardSpace should force the user to preview it the first time. Furthermore the new data requested should be called out in red here...so it is obvious.
- Now, the user is ultimately responsible for approving sending the information to the malicious site after all of these indicators that something is amiss. But, let's say that they proceed and send the information. What happens then?
- The site get's a signed security token with your name, address, phone number, date of birth details. Nothing so risky as a SSN or passport number.
- The same token carries the card PPID, however this PPID will not be the same PPID as that used for PayPal because every site gets its own PPID for the card.
So, what can the malicious site do with all this information? Can they log in to PayPal now? - No, because they don't have the PPID and presumably PayPal has associated their own PPID with the account, not the same as the one the malicious site received.
What else can go wrong? A malicious party could somehow get their hands on the PPID information. This wouldn't be so easy, since the security token issued by CardSpace is always encrypted when sent...but once it arrives to PayPal site it is open and available for view, and someone could look over your shoulder as you view your card to send to PayPal and see the PPID for PayPal right there. If this happens, there is another security measure available. Each personal card has a private key associated with it - called a master key. That master key is used to sign the security token sent to the site. Only your exact card installed in CardSpace can sign the token with this private key. Thus, if the site associates the PPID + hash of the master key cert with your account, only tokens signed with the correct private key carrying the correct PPID will be authenticated. A malicious party cannot get the master key unless they export your cards from the machine, and import to their machine. Hopefully the user has a password on their laptop. Hopefully if they export cards and import to another machine, they do it safely and destroy the copy they put temporarily on the USB drive to transfer the cards. Still, this is MUCH MORE SECURE than the username and password we use today...because now a malicious party has to get physical access to a user's machine or USB drive with exported cards...and figure out the password protection in the latter case since exported cards are encrypted. Hopefully this helps explain how CardSpace and personal cards HELP sites to protect users...better than username and password to today.
|
|
|
|
|
|
|
|
|
ON THIS PAGE
|
|
|
|
SEARCH
|
|
|
|
CATEGORIES
|
|
|
|
ARCHIVES
|
| | Sun | Mon | Tue | Wed | Thu | Fri | Sat | | 30 | 31 | 1 | 2 | 3 | 4 | 5 | | 6 | 7 | 8 | 9 | 10 | 11 | 12 | | 13 | 14 | 15 | 16 | 17 | 18 | 19 | | 20 | 21 | 22 | 23 | 24 | 25 | 26 | | 27 | 28 | 29 | 30 | 1 | 2 | 3 | | 4 | 5 | 6 | 7 | 8 | 9 | 10 |
|
|
BLOGROLL
|
|
|
|
|
 |
|