Just thought I might share some useful dev tools I have either found or have had recommended to me.

The first is a must if you are doing any LINQ action in your code (…and most of us are in some degree these days).
Check out LINQPad. I am blown away how useful this tool has been. Think SQL Management Studio for LINQ!

Another great tool I have been using lately is Neudesic’s Azure Storage Explorer

Essential for generating and managing Azure table storage data during development.
Plays nicely with both developer storage and Azure storage accounts.

Released just last week, this codeplex project aims to make developing WP7 apps that talk to cloud storage easier to develop. Having been down that path over the last few days I was keen to test it out.

We get some nice new project templates:

But most importantly we get

• A “working” version of the OData client library (System.Data.Services.Client)
• A Windows Phone 7 Azure StorageClient library (WindowsPhoneCloud.StorageClient)

Just in time

I am finding that the development storage emulator has a few “undocumented features”. A few days ago, I was happily working through the Windows Azure Training Kit and things were going well. Today I was putting together a PoC using pieces learnt from the labs. I kept hitting a problem when trying to insert an entity into the newly created table storage (running on the local Storage Emulator). I was getting the generic error message when querying the collection:

“one of the request inputs is not valid”

var match = (from c in this.context.Clients

              where c.Name == name

              select c).FirstOrDefault();

Some things I tried that didn’t help:

• Restarting the Storage Emulator a few times.
• Restarting the machine (always worth a shot!)
• Deleting the entries in the TableContainer and TableRow tables in the development storage DB.
• Recreating the development storage DB using DSINIT /forceCreate.
• Running around the office naked.

After hunting around for quite some time (including running the lab code again and getting them same result) I tracked it down to the table storage schema not being created after issuing

CloudTableClient.CreateTablesFromModel(

   typeof(MyDataServiceContext),

   storageAccount.TableEndpoint.AbsoluteUri,

   storageAccount.Credentials);

Note: This worked happily when I was working through the labs a few days ago. Neither my code nor the lab code was working now.

Looking at the underlying DB (using SQLEXPRESS on my VM) I found no schema populated

After some frustrating searching, I came across this post that suggested an ugly work around > azure-table-storage-what-a-pain-in-the-ass. It suggests that on the local storage emulator you need to “convince” the table service provider that you know what you are doing by inserting some dummy entities. This only appears to be needed when you have no data in your tables. So I added the following code in my data source constructor so it gets called by my service before performing any CRUD operations. 

// [WORK AROUND] See http://deeperdesign.wordpress.com/2010/03/10/azure-table-storage-what-a-pain-in-the-ass/

//  Generate some inserts to populate empty table

var client = new Client("dummy", "dummy");

this.context.AddObject("Clients", client);

this.context.SaveChanges();

this.context.DeleteObject(client);

this.context.SaveChanges();

var post = new Post("dummy", "dummy");

this.context.AddObject("Posts", post);

this.context.SaveChanges();

this.context.DeleteObject(post);

this.context.SaveChanges();

Ugly but it jumps the hurdle and allows me to get back to building out the rest of the solution. Just remember to comment it back out after you verify the schema xml has been populated successfully and your CRUD operations are going through.

HTTP Error 401.1 - Unauthorized: Access is denied due to invalid credentials.

"If I had a dollar for every time I’ve seen this…”

And yet the solution appears to be different each time. Or at least to me when it comes to issues with integrated Windows Authentication and Kerberos. Today the solution lay in forcing IIS to use NTLM authentication as suggested by the following KB article

http://support.microsoft.com/kb/871179

To work around this behaviour if you have multiple application pools that run under different domain user accounts, you must force IIS to use NTLM as your authentication mechanism if you want to use Integrated Windows authentication only. To do this, follow these steps on the server that is running IIS:

1. Start a command prompt.
   
2. Locate and then change to the directory that contains the Adsutil.vbs file. By default, this directory is C:\Inetpub\Adminscripts.
   
3. Type the following command, and then press ENTER:
   
   

   cscript adsutil.vbs set w3svc/NTAuthenticationProviders "NTLM"

   
   
4. To verify that the NtAuthenticationProviders metabase property is set to NTLM, type the following command, and then press ENTER:
   
   

   cscript adsutil.vbs get w3svc/NTAuthenticationProviders

   
   The following text should be returned:

   NTAuthenticationProviders       : (STRING) "NTLM"

On a recent project I needed to resolve the identity of clients calling an orchestration exposed as a WCF service. Clients would use a X.509 certificate to sign the message. Configuring the WCF service was easy enough but I was not getting the party resolution piece working correctly. The WCF adapter (I was using WCF-CustomIsolated) was not populating the context property (BTS.SignatureCertificate) that the party resolution component uses to lookup the party even though the client certificate was being validated. The WCF adapter was dumping the soap headers into the context. I was left either to parse the headers manually and find a way to grab details of the signing certificate or somehow get the WCF adapter to do this work for me (as it was already validating the client certificate and checking we had the corresponding public key in the certificate store). Fortunately, I found a way we can get the adapter to help out.

The solution was to create a WCF service behavior extension to intercept message processing by the adapter (note this takes place before the message is presented to the receive pipeline). The custom behavior looks for a client certificate and if found writes the thumbprint into a custom soap header. The WCF Adapter would then write my custom header into the message context and I could grab it in a custom pipeline component. I chose to write a component to execute before the OOTB party resolution component and populate the BTS.SignatureCertificate context property with the value of certificate thumbprint. I could of done this all in one component and performed custom party resolution but thought this might be a bit cleaner.

So looking at the WCF service behavior

   1:  using System;

   2:  using System.ServiceModel;

   3:  using System.ServiceModel.Dispatcher;

   4:  using System.ServiceModel.Channels;

   5:  using System.ServiceModel.Description;

   6:  using System.IdentityModel.Claims;

   7:  using System.ServiceModel.Configuration;

   8:   

   9:  namespace Breeze.WCF.ClientCertificateContext

  10:  {

  11:      public class MessageInspector : IDispatchMessageInspector, IServiceBehavior

  12:      {

  13:          #region IDispatchMessageInspector Members

  14:   

  15:          object IDispatchMessageInspector.AfterReceiveRequest(ref Message request, IClientChannel channel, InstanceContext instanceContext)

  16:          {

  17:              object correlationState = null;

  18:              string thumbprint = "";

  19:   

  20:              try

  21:              {

  22:                  // Gather thumbprint of signing certificate used by the client

  23:                  foreach (ClaimSet set in request.Properties.Security.ServiceSecurityContext.AuthorizationContext.ClaimSets)

  24:                  {

  25:                      foreach (Claim claim in set.FindClaims(ClaimTypes.Thumbprint, Rights.Identity))

  26:                      {

  27:                          thumbprint = BitConverter.ToString((byte[])claim.Resource);

  28:                          thumbprint = thumbprint.Replace("-", "");

  29:                      }

  30:                  }

  31:   

  32:                  // Write this away as a custom message header

  33:                  if (!String.IsNullOrEmpty(thumbprint))

  34:                  {

  35:                      MessageHeader header = MessageHeader.CreateHeader("ClientCertificate", "http://schemas.breeze.net/BizTalk/WCF-properties", thumbprint);

  36:                      request.Headers.Add(header);

  37:                  }

  38:   

  39:              }

  40:              catch (Exception ex)

  41:              {

  42:                  System.Diagnostics.EventLog.WriteEntry("WCF MessageInspector", String.Format("Exception caught: {0}", ex.ToString()));

  43:              }

  44:   

  45:              return correlationState;

  46:          }

  47:   

  48:          void IDispatchMessageInspector.BeforeSendReply(ref Message reply, object correlationState)

  49:          {

  50:          }

  51:   

  52:          #endregion

  53:   

  54:          #region IServiceBehavior Members

  55:   

  56:          public void AddBindingParameters(ServiceDescription serviceDescription, ServiceHostBase serviceHostBase, 

                                                System.Collections.ObjectModel.Collection<ServiceEndpoint> endpoints, BindingParameterCollection bindingParameters)

  57:          {

  58:              return;

  59:          }

  60:   

  61:          public void ApplyDispatchBehavior(ServiceDescription serviceDescription, ServiceHostBase serviceHostBase)

  62:          {

  63:              foreach (ChannelDispatcher channelDispatcher in serviceHostBase.ChannelDispatchers)

  64:              {

  65:                  foreach (EndpointDispatcher endpointDispatcher in channelDispatcher.Endpoints)

  66:                  {

  67:                      endpointDispatcher.DispatchRuntime.MessageInspectors.Add(this);

  68:                  }

  69:              }

  70:          }

  71:   

  72:          public void Validate(ServiceDescription serviceDescription, ServiceHostBase serviceHostBase)

  73:          {

  74:              return;

  75:          }

  76:   

  77:          #endregion

  78:      }

  79:   

  80:      public class MessageInspectorElement : BehaviorExtensionElement

  81:      {

  82:          public override Type BehaviorType

  83:          {

  84:              get { return typeof(MessageInspector); }

  85:          }

  86:   

  87:          protected override object CreateBehavior()

  88:          {

  89:              return new MessageInspector();

  90:          }

  91:      }

  92:   

  93:   

  94:  }

Tip: Don't forget to implement the BehaviorExtensionElement. You’ll need this to apply the service behavior via configuration (in the receive location) rather then having to do it programmatically. You will also need to sign, GAC and register the service behavior extension element in the machine.config (or service’s web.config in IIS)

With the WCF service behavior bits done, we need to add it to our receive location:

If you were to test the solution now, you’ll get the thumbprint of the client certificate written to your custom context property (http://schemas.breeze.net/BizTalk/WCF-properties#ClientCertificate) and will look something like this:

   1:  <ClientCertificate xmlns="http://schemas.breeze.net/BizTalk/WCF-properties">11C3E164C41ADC8DBA0EA6558784B9FAE19E398D</ClientCertificate>

I had thought I might be able to get away with writing this directly into the BTS.SignatureCertificate context property but the format is clearly different. The BTS.SignatureCertificate property needs just the certificate thumbprint string and obviously we have the xml wrapper. So we must create a simple pipeline component to sit somewhere before the party resolution component to grab the certificate thumbprint out of our custom context property and write it into the context property the party resolver component is looking for.

After deploying and setting the receive pipeline to use the custom one above, I got party resolution working like a bought one with the BTS.SigningCertificate, BTS.SourcePartyID and MessageTracking.PartyName context properties populated.

I guess I was a little surprised that all this was needed. WCF does a great job of abstracting out all the transport and security bits and moving them to configuration time (no additional code in our service or client). In the HTTP and SOAP adapter days, the MIME/SMIME pipeline component was used to decrypt and validate the signing certificate as well as populating the required context properties. Why doesn’t the WCF Adapter perform this part in the same way? I mean, its doing the decoding, decrypting and certificate validation. So why not the populating of these context properties? Perhaps there is secret squirrel checkbox somewhere I missed. Love to hear comments if anyone has done this differently?

[Updated: 19-10-2010]

Thanks to Thiago (see comments section) we have been able to simplify this further. The WCF adapter provides some “special” namespaces that allow us to instruct the adapter to write context properties in a more controlled way. Specifically we can instruct the adapter to write directly into defined property schema elements (e.g. OOTB BizTalk property schemas or deployed custom property schemas). This allows us to write the certificate thumbprint directly into the BTS.SigningCertificate context property and avoid the need for the custom pipeline component to move the value from the custom header property into the BTS.SigningCertificate property as described above.

To do this we simply change the IDispatchMessageInspector.AfterReceiveRequest to make use of these special namespaces.

                // Write this away as a custom message header

                if (!String.IsNullOrEmpty(thumbprint))

                {

                    // Write the thumbprint directly to the BTS.SigningCertificate context property

                    //  Thanks to Thiago http://connectedthoughts.wordpress.com

                    // Create a collection of context properties we want the adapter to write/promote for us                    

                    XmlQualifiedName clientCertificateProp = 

                        new XmlQualifiedName("SignatureCertificate", "http://schemas.microsoft.com/BizTalk/2003/system-properties"); //Maps to BTS.SignatureCertificate

                    List<KeyValuePair<XmlQualifiedName, object>> promoteProps = new List<KeyValuePair<XmlQualifiedName, object>>();

                    promoteProps.Add(new KeyValuePair<XmlQualifiedName, object>(clientCertificateProp, thumbprint));

                    // Add the property collection to the request

                    //  Use the http://..../Promote to have the adapter promote the context prop

                    //  or use  http:/...../WriteToContext to just have the property written but not promoted.

                    request.Properties.Add("http://schemas.microsoft.com/BizTalk/2006/01/Adapters/WCF-properties/Promote", promoteProps); 

                }

Now we can do away with the custom pipeline component bits and use the OOTB XMLReceive pipeline (as it contains the party resolver component already). The certificate thumbprint will be written directly into the BTS.SigningCertificate context property (and promoted) ready for the party resolver component to use.

Nice work Thiago.

Hold the phone!. Didn't I just pull that folder up in Explorer

Ah…good old File System Redirector. Turns out that on x64 machine’s this folder is located here

C:\Windows\SysNative\AppFabric

We can browse to this location when adding references to the Windows Server AppFabric assemblies to our VS 2010 projects.

All is well again in the universe

Of course the official site can be found here > http://australia.msteched.com/

I have been avoiding this for sometime now. That is, adding new activity items to the current BAM deployment in production. Production has been running for months now and in this high volume system we partition the BAM activities every week and archive each month (giving the client a rolling month worth of activity data). I was concerned that during the update of the BAM definition this data was going to be blown away (an experience that has caused much embarrassment in the past).

So the procedure I used this time did the trick…well almost

• Took a “backup” of the current BAM definition using BM.exe
  
  

  bm.exe get-config -FileName:MyConfig.xml

  
  
• Added the new activity items using Excel and edited the views
• Exported the new BAM definition to xml
• Removed the existing views using BM.exe
  
  

  bm.exe remove-view -Name:MyView

  
  
• Deployed the new definition using BM.exe and the update-all command – FAILED
  
  

  bm.exe update-all -DefinitionFile:MyNewDef.xml

   
  The error message in the command window was:

All queries combined using a UNION, INTERSECT or EXCEPT operator must have an 
equal number of expressions in their target lists.

 
Upon investigation, I found that the partition tables did not get updated with the new activity items. As the view spans both the current activity tables and all the partition tables the view creation failed. Interestingly, the BAM Archive tables did get updated.


• “Upgraded” the partition tables using the script from this blog post
  
  I did need to make a slight change to avoid some errors that cropped up with partition tables already archived and as such no longer present in the BAMPrimaryImport database (although the original script works).
  
  I changed the CURSOR definition to filter out those tables already archived:
  
  

  DECLARE partition_cursor CURSOR LOCAL FOR
     SELECT InstancesTable
     FROM [dbo].[bam_Metadata_Partitions]
     WHERE ActivityName = @activityName       
          AND ArchivedTime Is Null   -- Added additional filter
     ORDER BY CreationTime ASC
  

• Deployed the new definition again using BM.exe and the update-all command – SUCCEEDED
• Re-applied security to the Views using BM.exe
  
  

  bm.exe add-account -AccountName:TheStig -View:MyView

  
  

Unfortunately all my BAM Alerts got blown away . Makes sense as the alerts reference the view that was removed. Luckily taking the backup in step one allowed me to pull out the original alert definition and paste them into my new definition file. I re-deployed that using the update-all command and alerts are back to normal.

I did come across this KB 969558 article for BTS 2006 R2 that appeared to address the partition tables issue. It looks as though this did not make it into BTS 2009.

Just lost a couple of hours I will never get back…

I am in the process of upgrading one of our RFID applications to 2010 beta. The upgrade went through without a hitch and I found myself the proud owner (or at least caretaker) of a brand-spanking new BizTalk RFID Server 2010.

(No visible differences to BizTalk RFID Server 2009 – except for the icon)

I then proceeded to upgrade my Visual Studio 2008 projects to VS 2010. WOW!!! Build succeeded first time…I am on a roll baby!

So I imported my Process into RFID Manager and fired her up…

The WCF service was not responding. So I open up IIS Manager (my VM is Windows Server 2008 so I’m running IIS 7) and try to browse to the hosting.svc under my RFID process VD and I get a http 401.3 error. Where do I start to hunt this down. I have installed .NET Framework 4.0, VS 2010, BizTalk RFID Server 2010 (plus Silverlight 4, Windows Azure platform AppFabric 1.0, … ).

So I check:

• Application pool identities are correct – Tick
• Application pool framework version – v4.0 Classic mode
• Authentication set to Anonymous – Tick
• Anonymous user set to application pool identity - Tick
• NTFS permissions on the VD - Tick
• Test Pass-through authentication – Green Lights
• IISRESET (last desperate attempts of a beaten Sco)

Still no go. I get on the “bat-phone” to Ninja Mick and explain what's happening. He just laughs…”What! Another 401 error. That’s about the sixth this week”. He points me off to a KB article about disabling the loopback check (I am using host headers on my RFID Services site). Still no go but it hinted at the problem…host headers.

Back into RFID Manager and look at the Advanced Server Properties

Even though these settings are technically correct and BizTalk RFID Server creates the provider and process services without error, I needed to set the Host IP address to the host header name I am using. This appears to have changed between either BizTalk RFID Server 2009 > 2010 or a change to IIS, Windows Update, .NET 4.0 … your guess is as good as mine?

After setting this to the host header name all worked fine and I’m back to sending my tag read events into BizTalk RFID Server 2010

During the CTP(s) one way we could provide client credentials to authenticate with the Service Bus was to use username and password. We were writing code that looked something like this:

// create the credentials object for the endpoint
TransportClientEndpointBehavior userNamePasswordServiceBusCredential = new TransportClientEndpointBehavior();
userNamePasswordServiceBusCredential.CredentialType = TransportClientCredentialType.UserNamePassword;
userNamePasswordServiceBusCredential.Credentials.UserName.UserName = this.solution;
userNamePasswordServiceBusCredential.Credentials.UserName.Password = this.password;

The UserNamePassword credential type is no longer supported in the v1.0 release. The types of supported client credential types are now:

• Saml: this option specifies that the client credential is provided in the Security Assertion Markup Language (SAML) format, over the Secure Sockets Layer protocol. This option requires that you write your own SSL credential server.
• SharedSecret: This option specifies that the client credential is provided as a self-issued shared secret that is registered with AppFabric Access Control through the AppFabric portal. This option requires no additional settings on the Credentials property.
• SimpleWebToken: This option specifies that the client credential is provided as a self-issued shared secret that is registered with AppFabric Access Control through the AppFabric portal, and presented in the emerging industry-standard format called simple Web token (SWT). Similar to the shared secret option, this option requires no additional settings on the Credentials property.
• Unauthenticated: This option specifies that there is no client credential provided. This option avoids acquiring and sending a token. It is used by clients that are not required to authenticate, based on the policy of their service binding. Note that this setting might leave data nonsecure if not used together with another security measure.

[See Choosing Authentication for an AppFabric Service Bus Application for more details]

So where we used to use UserNamePassword, the corresponding credential type is now SharedSecret (although you should check out the other authentication options as well). Here is what your code now looks like:

// create the credentials object for the endpoint
TransportClientEndpointBehavior sharedSecretServiceBusCredential = new TransportClientEndpointBehavior();
sharedSecretServiceBusCredential.CredentialType = TransportClientCredentialType.SharedSecret;
sharedSecretServiceBusCredential.Credentials.SharedSecret.IssuerName = this.issuer;
sharedSecretServiceBusCredential.Credentials.SharedSecret.IssuerSecret = this.secret;

Default issuer name and secret are generated for you when you activate your AppFabric account. Create additional ones using the Windows Azure platform AppFabric Access Control Management Tool (Acm.exe) that is installed as part of the SDK.

I am getting a few reports that after a recent windows update (or installing .NET Framework 4.0) the ESSO service fails to restart. Microsoft have released a hotfix to address this (http://support.microsoft.com/kb/2252691)

Microsoft Reports:

This issue occurs after installing .NET Framework 4.0. The registration of the assembly used by ENTSSO to access SQL Server does not specify the correct version of the .NET Framework. When .NET Framework 4.0 is installed, the assembly will try to use the newer framework and then fail to load

To resolve this manually:

32-bit Server

1.       Open a command window
2.       Go to C:\Windows\Microsoft.NET\Framework\v2.0.50727
3.       Type: regasm “C:\Program Files\Common Files\Enterprise Single Sign-On\ssosql.dll”

64-bit Server

1.       Open a command window
2.       Go to C:\Windows\Microsoft.NET\Framework64\v2.0.50727
3.       Type each of the following and hit ENTER:

32bit:  regasm “C:\Program Files\Common Files\Enterprise Single Sign-On\win32\ssosql.dll”
64bit:  regasm “C:\Program Files\Common Files\Enterprise Single Sign-On\ssosql.dll”

Note On a 64-bit server, regasm will need to be run for both the 32-bit and 64-bit versions of ssosql.dll.

Hope this helps