There is some buzz going on related to an Open Cloud Manifesto. Microsoft and Amazon are not (yet) active participants...(ahem) two of the major cloud computing players...and there is already a bit of skepticism brewing.

Who is driving this manifesto? Who are they trying to benefit if they aren't involving Microsoft and Amazon early on? Why is it a secret until published this coming Monday?

Without seeing it first-hand it is hard to comment in detail. However, my gut tells me that a group got together wanting to beat others to forming a cloud-focused organization supposedly for the community’s benefit. This group wants ownership of the process, like a new OASIS or WS-I, so they (big mistake) tried to come up with a plan before showing Amazon, Microsoft and perhaps others – expecting them to be bullied into signing, instead of coordinating their early participation. Perhaps they were afraid they could not “run the show” if they showed their cards too early? Who knows.

Clearly Amazon and Microsoft are in agreement that they will not sign this manifesto “as-is”. Where is Google in this?

I’m skeptical that there needs to be a manifesto in the first place. Bottom line is companies will innovate and expose APIs, services and hosting capabilities as they see fit to win customers. They will provide SLAs that are either acceptable or not. They will either succeed or not based on their ability to deliver on their promises for 24/7 monitoring, uptime, deployment and management capabilities, features, and fair billing practices. Do we need a manifesto to tell companies how to do business? Where was the manifesto for companies that how our web sites? Where were they when I hosted my site with a vendor that went out of business and lost my files? Could a manifesto have helped me choose a better host?

As I said, cloud computing vendors will succeed or fail based on the value of what they offer to "their community" and how well they follow through. Do all vendors need to be grouped into a limited set of cloud computing requirements that could stifle innovation for a specific user base? Do all vendors have to price the same way? Should all of their SLAs be identical? I think not. 

I think that what WOULD be helpful is community guidance on what are good practices for cloud computing. There is a summary of a Cloud Computing Bill of Rights (see link below) already available. The problem is it that it currently sounds like they are trying to dictate what an SLA must provide, and how pricing should work (among other things) and it sounds almost like it will be used as ammunition for punitive actions. That is just wrong. I'll say it again: cloud computing vendors will succeed or fail by their own hand. There doesn't need to be outside governance to force Amazon, Microsoft or others to produce a decent SLA, pricing policy, safe hosting environment or valuable feature set.

It would be better to guide the community on things that they should look for in an SLA to feel comfortable hosting applications with a cloud vendor. No different than what I am already doing having written my share of 60 page SLAs for applications in my charge. Of course cloud computing is supposed to (among other things) make hosting applications more accessible for small businesses that can't hire an IT staff to manage 24x7 operations, and that can't afford to provision enough machines for period peak loads. Businesses should not just host and forget, however...they must still monitor how the provider is doing. This is where some education comes in...for it can be more difficult to know what to look for in an SLA to trust hosing with another company, and it can be difficult to know how to monitor how the vendor is doing. What we do know is that a cloud computing vendor can probably do a better job with their dedicated resources for hosting, failover, load balancing, peak load provisioning, and so forth. We need great SLAs, competitive pricing models, and follow through. I seriously doubt a manifesto is necessary to achieve this.

I’m missing the value proposition of this manifesto so far. I will be interested to read what the initial manifesto looks like. The details aren't clear at all from the current buzz.

Some links:

• There is a WIKI here: http://wiki.cloudcommunity.org
• There is an early look at a Cloud Computing Bill of Rights here: http://wiki.cloudcommunity.org/wiki/Cloud_Computing_Bill_of_Rights
• There is a Google group here: http://groups.google.com/group/opencloud

I just returned from SD West, a conference a speak at each year in Santa Clara. Here I delivered several tutorials and sessions, many embracing new subject matter that excites me lately. The list of tutorials and sessions are below. I am a little behind schedule here as I am just now in the process of posting links to the code for each session. See links and comments below. Email me with any questions.

Microsoft Technology Roadmap Tutorial

• I updated my "technology avalanche" tutorial to reflect today's long list of things we should care about including F#; parallel computing; technologies related to data access, windows, web, SOA and workflow; new security platforms; model-driven development with Oslo and cloud computing. Whew! I will post a separate blog entry dedicated to this session and all the resources you need to get set up to work with these technologies and reference it from here.
• Update: 04/17/09
• • Here is a link to the technology roadmap post: http://www.dasblonde.net/2009/04/17/MicrosoftTechnologyRoadmapLinksAndResources.aspx

Cloud Computing with the Azure Services Platform Tutorial

• Zoiner Tejada (a good friend and colleague) and myself presented a full day of cloud computing on Azure.
• Zoiner's code samples are here: http://www.dasblonde.net/downloads/CloudTutorialSamplesZoiner.zip
• My  code samples are here: http://www.dasblonde.net/downloads/CloudTutorialSamplesMLB.zip

A Lap Around Geneva Framework

• One of my favorite subjects - federated security!
• I wrote two MSDN articles on this subject which have links to the sample code as well:
  • http://msdn.microsoft.com/en-us/magazine/dd278426.aspx
  • http://msdn.microsoft.com/en-us/magazine/2009.01.genevests.aspx

Access Control Service: Federated Security in the Cloud

• Another favorite, all things federated!
• UPDATE: 05/21/09
  • Due to forthcoming changes in the ACS platform my article on the subject is delayed until later this year, so you should look to the SDK for now.

WS* or REST? Choosing the Right Approach for your WCF Services

• Many people in this session were new to WCF. All of my code samples for my book can be downloaded from here: http://www.thatindigogirl.com. Be sure to download the VS 2008 code.
• Here are my RESTful WCF samples: http://www.dasblonde.net/downloads/RESTfulWCF.zip

Architectural Scenarios for Workflow Services

• Get the code here: http://www.dasblonde.net/downloads/WorkflowServices.zip

As the press has been discussing these past days, Windows Azure had an outage on the weekend. I provided some comments to the press and was quoted here: http://www.crn.com/software/215900816

Only a few of my remarks made it into the article, so I thought I would provide here a complete picture of my comments on this issue. My message to the press, and to the community is that I don't think Microsoft should be judged harshly on this incident, but because they are Microsoft and people are watching...they probably need to kick it up a notch and act like they are already a production service - to inspire trust. It is that simple. They didn't do anything wrong, but people will take notice and therefore it is important. What is it they say? Dress for the job you want, not the job you have?

Here is my summary of the situation:

One question people might have is one of service levels and uptime guarantees. Right now, the Windows Azure platform is a CTP, not even a Beta product yet, so I don’t measure them against Salesforce.com or Amazon. I don't expect them to provide me with any service levels since there is not yet a service level agreement in place for services rendered. I do expect them to try not to have outages, and I do expect them to respond to outages quickly - and I think they are doing this. Last weekend's problem occurred from a routine update, recovery took longer than expected but they acted immediately.

I think the only mistake Microsoft made is not notifying the Azure account holders in advance that an update would be performed, in the event of something failing. This is an easy thing to do that will inspire confidence and trust.

Now, let’s put this into perspective. On the one hand, Microsoft is doing the community a great service by allowing access to Azure during this CTP phase of development. This also helps Microsoft immensely as the community will provide feedback on the platform which will influence the features and functionality of the final release. This is a really good thing. On the other hand, because they are live, CTP or not people will judge Microsoft now. I am hosting my own test projects with Azure, and I don’t like it when they are down, but I am a realist – I am using a CTP. I have no doubts about Microsoft’s ability to host a 24/7 operation and meet acceptable service levels when Azure is a production service. However, not everyone will see it this way.

This is a new space for Microsoft – hosting applications and services – and the community is watching closely. They may not be ready to produce an SLA, for this requires significant legal review as well, but they can at least give prior notice of downtime and the expected duration of that downtime. Or, if unexpected downtime occurs, immediately inform the community via emails to Azure account holders. Keeping people well informed of planned outages in the future would also be helpful. In a word – “communicate”. I expect that Microsoft will in future avoid downtime altogether by performing rolling updates of the system so that our hosted applications are not affected as machines are updated. My understanding is that their data centers are being set up to handle this when Azure goes live. In the meantime, one recommendation Microsoft provides is that we deploy multiple instances of each role (Web Role, Worker Role) so that there is redundancy and less risk of impact if there is another incident.

Microsoft will certainly be incorporating feedback from this incident and ongoing Azure CTP usage into their production release. To the community I say “it is a CTP, don’t worry, just give feedback on what you would have expected”. To Microsoft I say “try to put production-worthy notifications and rolling updates in place now to avoid negative opinions on the CTP basis”.

I recently presented at Dev Connections in Las Vegas - a few of my favorite WCF-related topics including routing, performance and scalability, and federated security of course! This post contains links to the latest code samples that I demonstrated in the session.

VWC303: Building a WCF Router for Your Applications

• I wrote a few articles for MSDN earlier this year that might be helpful:
• http://msdn.microsoft.com/en-us/magazine/cc500646.aspx
• http://msdn.microsoft.com/en-us/magazine/cc546553.aspx
• My latest routing code is here:
• http://www.dasblonde.net/downloads/routers.zip

VWC305: Practical Scenarios for Federated Security

• I wrote several articles describing my utilities for pre-Geneva federation with WCF:
• http://www.theserverside.net/tt/articles/showarticle.tss?id=ClaimsBasedSecurityModel
• http://www.theserverside.net/tt/articles/showarticle.tss?id=ClaimsBasedSecurityModel2
• I have two articles to be published in MSDN Magazine related to Geneva. See December and January issues. These are also posted online but I don't have a link yet.
• The code from my book includes my pre-Geneva federated security samples.
• http://www.thatindigogirl.com/LearningWCFReprintJuly2008.aspx (see \Security\ClaimsBased directory of samples)
• My Geneva samples are posted here:
• http://www.dasblonde.net/downloads/GenevaFrameworkWCFClaimsBasedSamples_CS.zip
• I will have more Geneva samples to post in a few weeks. I am working on updating my pre-Geneva claims-based samples to use Geneva Framework and in the process will provide updates to my utilities that will help you migrate to Geneva Framework more seamlessly. You can expect a blog post on this specifically.

VWC304: Load Balancing and Scaling Your WCF Services

• For my ASP.NET Pro column on WCF, I wrote two articles for the December and January issues - the first on load balancing and scalability issues, the second on dealing with SSL load balancing routers such as F5 / BigIP. You can view the most recent 3 issues at any time here:
• http://www.aspnetpro.com/PDF/asp_PDF_3Mags.asp
• Sample code from the talk includes the following:
• http://www.dasblonde.net/downloads/proxies.zip
• http://www.dasblonde.net/downloads/loadbalancing.zip

"Geneva" is the code name for Microsoft's claims-based access platform (CBA) which comprises three things:

• "Geneva" Framework, formerly known as code name "Zermatt"
• "Geneva" Server
• Windows CardSpace "Geneva", formerly known as CardSpace 2

Geneva Framework is a framework for building claim-based applications and services, simplifying how they work with claims at runtime to authorize access; is a framework for building custom security token services; and supplies functionality for issuing managed information cards (for CardSpace and other identity selectors) and functionality for building CardSpace-enabled ASP.NET applications.

Geneva Server is the next generation ADFS to support federation not only for web applications (passive federation), but also services (active federation). It is an enterprise worthy security token service that can handle federation and claims transformation.

CardSpace Geneva is the next generation of CardSpace.

I'll be writing about all of these technologies over the next while, starting with some upcoming articles in MSDN on Geneva Framework.

Here are the resources you might want to look at for my sessions from IASA/Architect Connections in San Francisco this week. Thanks so much for attending my sessions and for the great questions on my two favorite subjects (or, at least two of my top subjects...I suppose I have a handful of other favorites too!)

ARC15_Routing Patterns for Your SOA

• MSDN articles on routing:
  • http://msdn.microsoft.com/en-us/magazine/cc500646.aspx
  • http://msdn.microsoft.com/en-us/magazine/cc546553.aspx
• Routing samples (sometimes I add things beyond what was in the magazine so best to download this one):
  • http://www.dasblonde.net/downloads/routers.zip

IASA20_Federated Security Implementation Patterns

• Articles on claims-based security (pre-Zermatt)
  • http://www.theserverside.net/tt/articles/showarticle.tss?id=ClaimsBasedSecurityModel
  • http://www.theserverside.net/tt/articles/showarticle.tss?id=ClaimsBasedSecurityModel2
• Claims-based samples:
  • Download Zermatt and included sample code
    • http://connect.microsoft.com/site/sitehome.aspx?SiteID=642
  • Keep an eye on MSDN Magazine December for my article on building a claims-based security model with Zermatt and WCF and its associated samples
• Federation and SSO
  • See my posting on the TechNet lab for ADFS V1 here: http://www.dasblonde.net/default.aspx#a159ae45a-ce70-4da9-8a8a-01896764126e

If you have been wondering "where has Michele been?" for the past few months...I can tell you I have been VERY busy but not with the typical workload.

On May 26, 2008 my husband and I welcomed our first child, our son Juan Pablo...and things have been a little busy needless to say! He's a beauty! Here are a few pics to enjoy!

Of course I had all kinds of grand ideas about how I would fit in work, exercise, maybe pick up on the piano again, and brush up on my Spanish by reading some books. After all, I'm used to a heavy heavy workload, lack of sleep to meet deadlines, and so forth...well...am I ever eating my words to all those friends who said "you'll see...". Yep, babies keep you pretty busy...I am only just now able to get some work done, with the help of some day care assistance!!!! Whew!

Anyways, we absolutely adore our little man...couldn't be happier!

Here is my usual post-conference post with updated code samples related to the topics I presented on. I did 2 full day tutorials, and 4 sessions...enjoy!

Many of the demos come from my book, Learning WCF. Since there is setup required for most of the samples that illustrate security or rely on a database, it is best you download the entire package of samples and follow the setup instructions provided in the appendix. Here's the link: http://www.thatindigogirl.com/LearningWCFCode.aspx

TUTORIAL: Improve Your SOA: Designing a Secure, Reliable and Scalable System with WCF

• Samples from my book (see above) illustrate exception handling, MTOM, streaming, MSMQ, pub-sub, transactions, security for intranet/Internet/mutual certificate/claims-based/federated, multithreading, and throttling
• Get my latest routing samples here: http://www.dasblonde.net/downloads/Routers.zip
• Additional error handler code here: http://www.dasblonde.net/downloads/ErrorHandlers.zip
• I have additional samples related to proxies here, including a proxy wrapper to address timeouts and uncaught exceptions that fault the channel: http://www.dasblonde.net/downloads/Proxies.zip
• The chunking channel is in the SDK extensibility samples.

TUTORIAL: .NET Roadmap

• The following link has instructions for machine setup used for the demos, and numerous references to resources, and code samples demonstrated: http://www.dasblonde.net/downloads/TechnologyRoadmap0308.zip

SESSION: ADFS and ASP.NET: Supporting Single Sign-On in your Web Applications

• The code I demonstrated in this session is based on the Tech Net tutorial for setting up VPCs for WIndows Server 2008 and ADFS.here: http://technet2.microsoft.com/windowsserver2008/en/library/87e1a178-4d8a-4e89-98b0-d125f9c84c221033.mspx?mfr=true
• As it is published today, the lab has just a few issues that can get in the way of your success with the setup. The following blog post summarizes those issues if you have comments, but I also have a PDF that has a few screenshots here:  http://www.dasblonde.net/downloads/ADFSServer2008LabErrata.pdf

SESSION: Building a Router for your Applications

• I wrote two MSDN articles on this subject, the first is already published here: http://msdn2.microsoft.com/en-us/magazine/cc500646.aspx
• Get the routing samples for both parts here: http://www.dasblonde.net/downloads/Routers.zip
• The second part should be up within another month.

SESSION: Going Federated with WCF

• Most of the samples for this session come from my book code (see above). 
• An additional sample: http://www.dasblonde.net/downloads/SecurityTokenClaims.zip

SESSION: Load Balancing Considerations for WCF

• Samples for this instancing and throttling come from my book (see above).
• I have additional samples related to proxies here, including a proxy wrapper to address timeouts and uncaught exceptions that fault the channel: http://www.dasblonde.net/downloads/Proxies.zip

I recently spent a painful 30-40 hours setting up VPCs according to the Tech Net lab "Step-By-Step Guide for AD FS in Windows Server 2008. The lab is located online here: http://technet2.microsoft.com/windowsserver2008/en/library/87e1a178-4d8a-4e89-98b0-d125f9c84c221033.mspx?mfr=true

In fact, the process didn't have to be so painful except that there are just a few instructions that are less than clear, incomplete or incorrect. Of course, when things don't work as expected I automatically assume that I missed a step, executed a step incorrectly, or just plain didn't know something that the lab instructions assumed everyone knows. So, my natural instinct was to repeat the steps, which I did several times spending many hours since there are 4 VPCs and lengthy installation steps involved for each. As it turns out, just a few fixes to the lab instructions could have avoided all that.

A document summarizing the issues can be downloaded from here, with additional screenshots beyond what is discuss below: http://www.dasblonde.net/downloads/ADFSServer2008LabErrata.pdf.

I hope you find this helpful if you are trying to follow the lab. If you encounter different problems, please do let me know so I can post updates here.

Step 1: Preinstallation Tasks

• Section: Configure computer operating systems and network settings
  • Before you get started, make sure to turn off the firewall settings on all VPCs. The firewall gets in the way of DNS resolution between machines which causes problems with adding computers/users to domains, problems browsing to sites later on in the lab, and similar problems with redirections that take place when you run the lab.
  • During network setup, you don’t need to select server roles yet even though the chart lists them. Just set up the IP addresses at this time. The table listing is just a little misleading as it might lead you to think you need to set up the web server, federation server or domain controller at this point, but there are separate steps for this later.
  • Set IP addresses according to the table for IPv4 and disable IPv6. If you don’t disable IPV6, the AD DS setup will try to enable dynamic DNS and then your static IPs will be blown away.
• Section: Install and configure AD DS
  • The firewall on the adfsaccount machine must be off for this to work.
  • After installing AD DS, check your network IP settings again just to make sure the DNS settings are as you set them in the previous step. I found that sometimes the preferred DNS settings were reset.

Step 2: Installing AD FS Role Services and Configuring Certificates

• Section: Configure IIS to require SSL on both federation servers
  • You can skip this step completely!!!! After you install AD FS there is a new web application directory created under /adfs. The /ls subdir is already set up to require SSL and Ignore certificates. The /fs subdir is already set up to require SSL and Accept certificates. You don’t need to do anything more here. In fact, if you execute this step and set up the default web site to Accept certificates you’ll be prompted to supply a client certificate when you browse to the claims-aware application later on. This will not only confuse you, but prevent you from browsing to the claims-aware application successfully.
• Section: Export the adfsresource server authentication certificate to a file
  • There is no reason that you have to export the private key (.pfx) here. To establish trust only the public key cert (.cer) is required. Following the lab steps won’t hurt you here, but it is important to understand that exporting private keys is not traditionally recommended outside of the machine, domain or application that owns the key.
  • This also implies that the next section could import a .cer instead of a .pfx, depending which route you take.

Step 3: Configuring the Web Server

• Section: Configure IIS on the Web server
  • After completing step #7 to require SSL for the default web site, skip step #8. Leave the setting as require SSL and Ignore client certificates. You don’t want to Accept client certificates, this causes the browser to prompt for a certificate when you browse to the claims-aware application.
  • In fact, step #7 could be modified so that you don’t require SSL for the entire Default Web Site. Instead, you could just require SSL for the /claims-aware application directory which we will be browsing to.
• Section: Create and configure the claims-aware application
  • These instructions are fine, but the files from the Appendix A are incorrect for IIS 7. See my notes on this later on.

Step 4: Configuring the Federation Servers

• These steps are fine, but after you have completed these steps you’ll have to do a few more certificate installations to ensure self-signed certificates are trusted on appropriate machines. I have provided instructions on that below.

Running the AD FS Diagnostic Tool

• When I was trouble-shooting my own lab issues, Joe Kaplan pointed me to the AD FS Diagnostic Tool which is blogged about here: http://blogs.technet.com/adfs/archive/2007/11/01/adfs-diagnostic-tool.aspx. This really helped me to verify certificates were trusted, and that my AD FS configuration was ok. Run this tool and follow the instructions on the blog post. Note the following:
• You will get warnings on the resource server related to E-mail claims, but those do not cause any concern, just ignore it.
• If you do get any errors, fix the problems indicated in the error. I only encountered one or two errors related to self-signed certificate trust, which I explain how to fix in the next section.

Additional Configuration for Self-Signed Certificates

• Since you are using self-signed certs on all machines, it is best practice to install your public key certs into the Trusted Root Certification Authorities store on the machine that owns the cert, and on any machine that must trust the cert. Some of the lab steps address this, but there are a few missing steps and again this can confuse you if you aren’t familiar with certificate issues.
• The following instructions guide you first through exporting the certificates we need to work with. You may have already exported these certs in previous steps, and hopefully are using the same naming convention specified in the lab.

Exporting certificates, if you haven’t already:

• Machine: adfsaccount
  • The private key created for IIS is installed in the Local Machine/My store, called adfsaccount.adatum.com. Export the public key certificate (.cer) if you haven’t already and call it adfsaccount.cer.
  • The private key created for the federation server to sign tokens is installed in the Local Machine/My store, called Federation Server adfsaccount. Export the public key certificate (.cer) if you haven’t already and call it adfsaccount_ts.cer.
• Machine: adfsresource
  • The private key created for IIS is installed in the Local Machine/My store, called adfsresource.treyresearch.net. Export the public key certificate (.cer) if you haven’t already and call it adfsresource.cer.
  • The private key created for the federation server to sign tokens is installed in the Local Machine/My store, called Federation Server adfsresource. Export the public key certificate (.cer) if you haven’t already and call it adfsresource_ts.cer.
• Machine: adfsweb
  • The private key created for IIS is installed in the Local Machine/My store, called adfsweb.treyresearch.net. Export the public key certificate (.cer) if you haven’t already and call it adfsweb.cer.

Importing certificates, if you haven’t already:

• Machine: adfsaccount
  • Import both adfsaccount.cer and adfsaccount_ts.cer into the Local Machine/Trusted Root Certification Authorities store.
• Machine: adfsresource
  • Import adfsresource.cer, adfsresource_ts.cer and adfsaccount.cer into the Local Machine/Trusted Root Certification Authorities store.
• Machine: adfsweb
  • Import adfsweb.cer into the Local Machine/Trusted Root Certification Authorities store.
• Machine: adfsclient
  • In Step 5 you will be asked to install certificates through the browser. This should work just fine for you, thus no need to manually install to the certificate store. In the event you have issues, or if your client is not Vista o XP, you may need to manually install the certificates to trust the downstream services.
  • Import adfsaccount.cer, adfsresource.cer and adfsweb.cer into the Local Machine/Trusted Root Certification Authorities store. This tells IE that the web sites can be trusted even though the certificates are self-signed.

Step 5: Accessing the Sample Application from the Client Computer

• This is the section where I began to have issues, which of course led me to retracing my steps several times unnecessarily as it turned out since the problems were related to a few missing or incorrect steps.
• DNS Resolution:
  • The first problem I encountered was DNS resolution to adfsaccount. I consulted my friend Stephen Rose for this one, and we literally spend hours reviewing each VPC and its IP and DSN configuration, looking for issues. I learned a lot about DNS in the process (Stephen is the man) but we still ultimately had problems pinging one of the machines. As it turned out, the issue was the firewall was still on for one of the machines. Somehow we failed to see that.
  • Make sure you can ping each machine from the adfsclient machine using not just IP address, but actual DNS – check your firewall settings first if you can’t, then check your IP/DNS settings on each machine to match Step 1:
    • Ping adfsaccount.adatum.com
    • Ping adfsresource.treyresearch.net
    • Ping adfsweb.treyresearch.net
  • If DNS is working, you shouldn’t have any issues with the steps in this section of the lab.
• Requiring a Client Certificate:
  • The second issue I encountered was the client certificate issue. When I browsed to the claims-aware application, IE kept prompting me for a certificate with an empty dialog since I had no certificates. I consulted my friend Joe Kaplan for this, thinking I was missing something in my configuration. We extensively reviewed my setup, and in the process stumbled on the IE settings for Accept certificates. He educated me that the adfs/ls and /adfs/fs directories were already set up properly when you install AD FS on the machines…so I rolled back the step that incorrectly configured each web site for the Accept setting.
  • If you skipped the step to configure the web sites to require SSL and Accept certificates, you should be able to get through the steps in this section of the lab as well.
• Section: Configure browser settings to trust the adfsaccount federation server
  • You should get a certificate error in this step, since the certificate is self-signed. When prompted you can to install the certificate as instructed for the adfsweb site in a later step.
• Sections: Access the claims-aware application from a Windows XP client/Vista client
  • Either of these sections should behave similar though instructions to handle self-signed certificates are slightly different.
  • You may be prompted more than once to install certificates, as you are redirected to the adfsresource and adfsaccount servers. Be prepared to install several certificates.

Appendix A: Creating the Sample Claims-Aware Application

• The code for default.aspx and default.aspx.cs are fine in this section of the lab.
• The web.config does not work for IIS7, and this can really throw you for a loop because you’ll get a generic “Internal Server Error” at the client machine…with NO IDEA what is behind it. This happened to me and I assumed once again that I had missed a configuration step. Joe Kaplan and I spent a bunch of time trying to trouble shoot my configuration for AD FS on all machines, thinking that was the cause…and then he eluded it might be an IIS issue. It turns out that if you browse to the /claimapp from the web server machine you can see the full error. Thanks to my friend Richard Campbell for suggesting I try that one! Since I have custom errors turned off in the web.config, I should have been able to see the error remotely…but apparently something else (perhaps in IIS 7 defaults) is overriding that behavior. I’ll have to look into that separately.
• When I was able to see the full error, it pointed to a configuration issue in the web.config related to the HTTP module configuration for the Web Agent (screenshot below). A new section must be added to the web.config, inside the <configuration> element, as follows:

<system.webServer>
  <modules>
    <add name="Identity Federation Services Application Authentication Module" 
type="System.Web.Security.SingleSignOn.WebSsoAuthenticationModule, 
System.Web.Security.SingleSignOn, Version=1.0.0.0, 
Culture=neutral, PublicKeyToken=31bf3856ad364e35, Custom=null" 
preCondition="managedHandler" />
  </modules>
  <validation validateIntegratedModeConfiguration="false" />
</system.webServer> 

I have to say, it was an interesting ride trying to get this lab set up, and as it turns out there aren't too many errors in the lab but the few missing and incorrect steps was enough to cost me 30 extra hours at least of preparation time. I hope you do not have the same problem with the tips I have provided here. I have to thank once again my friends Stephen, Joe and Richard for their respective roles in helping me work through the issues. Especially Joe who really went out of his way to help me review the AD FS setup, even though it turned out that the lab was not incorrect on that front...he gave me lots of great insight in the process, not to mention some cool tools that I could use to troubleshoot. You guys are the best!!!!

Supporting Resources:

• Joe Kaplan is one of the very few and strongest authorities on AD FS out there today, and he was a tremendous help to me as I got up to speed on the environment. His web site and forum are as follows:
  • http://www.joekaplan.net
  • http://directoryprogramming.net
• ADFS for Developers – a nice high level article from Keith Brown on ADFS (for 2003 server):
  • http://msdn2.microsoft.com/en-us/magazine/cc163520.aspx
• Understanding WS-Federation – to understand the protocols beneath federation, this is helpful:
  • http://msdn2.microsoft.com/en-us/library/bb498017.aspx

A few weeks ago I was presenting a code sample that I created last year and discovered a mysterious problem.

First, let me explain the sample. It is a proxy wrapper for WCF clients that illustrates how to swallow timeout exceptions and recreate channels automatically when there is an exception that faults the channel. The idea is this:

• When a channel with a transport session times out, does the user need to see an error? Not really. But, the exception won't show up until you try to call the service, so my wrapper catches communication exceptions and if they are not faults it creates a new channel and retries the same call to the service once more. The theory is, if it fails again, we probably have a bigger problem. Otherwise, we will have successfully allowed the client to continue working without seeing an error.
• When an uncaught exception from the service faults the channel, the client channel will also be faulted if the call is not one-way. The user should see the error message, even if it is an uncaught exception, but the next time they use the proxy they should get a new channel so they can continue to work. So, the proxy wrapper creates the channel again if the channel is faulted, before making the next call.

I explained this in my ASP.NET Pro article on the subject. The latest code for this is here: http://www.dasblonde.net/downloads/Proxies.zip

Well, the problem that In encountered is that all of a sudden my logic for checking if the channel was faulted after a timeout, was failing!!!! It was strange - from one stack frame to another, the channel went from Faulted to Created. But none of my code affected that change! So, of course I thought that something had changed in .NET 3.5 related to channel factory caching that might have had a side-effect of my code...and I didn't have time to investigate further until today while I was talking with my colleague Brian Noyes about the subject.

Long story short, he ran the code, reproduced the problem, and remembered that there were some strange behaviors with SUO files for a solution that could cause this. He deleted the SUO and then the sample worked like it originally did!!!!! I did the same, and found the same result.

This is really messed up! Apparently this is a common problem, but I have never heard about it before. The real annoyance is the time I spent troubleshooting this before I talked to Brian, and the doubts it put in my mind about new features of WCF and possible regressions....and yet I was wrong...it was the stupid SUO file. What the? Holy? This is an unacceptable bug. Who knows what kind of misleading issues this could cause developers in their day-to-day work.