1. m_safeCertContext is an invalid handle

I got this issue when trying to assign an X509SigningCredentials to the custom STSConfiguration.

this.SigningCredentials = new X509SigningCredentials(cert);


Make sure you don’t call cert.Reset() before passing the cert to the X509SigningCredentials constructor: Reset() releases the certificate’s native context handle, which is exactly the handle (m_safeCertContext) the error is complaining about.

2. Keyset does not exist


3. A potentially dangerous Request.Form value was detected from the client (wresult=”<trust:RequestSecuri…”).


Make sure you have this setting in your web.config (under system.web)

<httpRuntime requestValidationMode="2.0"/>


Generating Federation Metadata using WIF APIs

Just like in all service-oriented approaches, metadata is the key. For example, with web services you just have to build the service (using an ASMX file or WCF) and the WSDL file for your service is generated automatically, so client code can easily consume it. We expect the same thing with WIF; unfortunately, we cannot just build an STS and have it somehow expose its federation metadata.

Most of the samples in the WIF SDK and the Programming WIF book show you how to generate the metadata from a Visual Studio template. But there is almost no documentation on how to create the federation metadata manually (or dynamically), especially when you build a custom STS using MVC (hopefully we will have the template for MVC soon, but that still does not solve the dynamic issue).

WIF itself does provide APIs for this task. Below is some very simple code (I copied most of it from ); I just tried to put things together and see how to use the WIF metadata API. For a more complete sample, please see the link above.

// WIF 3.5 (Microsoft.IdentityModel) namespaces; the post does not say which WIF
// version it used, this is an assumption.
using System;
using System.IdentityModel.Tokens;
using System.IO;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.Xml;
using Microsoft.IdentityModel.Claims;
using Microsoft.IdentityModel.Protocols.WSFederation;
using Microsoft.IdentityModel.Protocols.WSFederation.Metadata;
using Microsoft.IdentityModel.SecurityTokenService;

class Program
{
    // Placeholder: the STS address from the original post did not survive; put your STS URL here
    const string _endpoint = "https://sts.example.com/";

    static void Main(string[] args)
    {
        string endpointId = _endpoint;
        EntityDescriptor entityDescriptor = new EntityDescriptor(
            new EntityId(endpointId));

        // Signature, I created a certificate using portecle and installed
        // it under TrustedPeople/CurrentUser
        X509Certificate2 cert = FindCertificate(
            StoreName.TrustedPeople, StoreLocation.CurrentUser, "CN=HoaSTSCert, C=US");

        entityDescriptor.SigningCredentials = new X509SigningCredentials(cert);

        SecurityTokenServiceDescriptor roleDescriptor = new SecurityTokenServiceDescriptor();

        // required protocols supported
        roleDescriptor.ProtocolsSupported.Add(new Uri(WSFederationMetadataConstants.Namespace));
        roleDescriptor.Contacts.Add(new ContactPerson(ContactType.Administrative));

        // This section is for key descriptor
        SecurityKeyIdentifierClause clause = new X509RawDataKeyIdentifierClause(cert);
        SecurityKeyIdentifier ski = new SecurityKeyIdentifier(clause);
        KeyDescriptor signingKey = new KeyDescriptor(ski);
        signingKey.Use = KeyType.Signing;
        // the key descriptor has to be attached to the role, otherwise relying parties
        // get no signing key from the metadata
        roleDescriptor.Keys.Add(signingKey);

        // This section is for endpoint
        string activeSTSUrl = _endpoint;
        EndpointAddress endpointAddress = new EndpointAddress(new Uri(activeSTSUrl));

        // Active endpoint
        roleDescriptor.SecurityTokenServiceEndpoints.Add(endpointAddress);
        // Passive endpoint
        roleDescriptor.PassiveRequestorEndpoints.Add(endpointAddress);

        roleDescriptor.ClaimTypesOffered.Add(new DisplayClaim(ClaimTypes.Role));
        roleDescriptor.ClaimTypesOffered.Add(new DisplayClaim(ClaimTypes.Name));

        // the role descriptor has to be attached to the entity descriptor
        entityDescriptor.RoleDescriptors.Add(roleDescriptor);

        // Serialize process...
        MetadataSerializer serializer = new MetadataSerializer();

        string fileName = @"FederationMetadata.xml";
        XmlWriterSettings settings = new XmlWriterSettings();
        settings.Indent = true;
        // settings must be handed to Create; setting them after the writer exists has no effect.
        // using disposes the writer so the file is flushed and closed.
        using (XmlWriter writer = XmlWriter.Create(fileName, settings))
        {
            serializer.WriteMetadata(writer, entityDescriptor);
        }

        Console.WriteLine(string.Format("Output: {0}",
            Path.Combine(Environment.CurrentDirectory, fileName)));
    }

    // Helper added here: the original called a certificate lookup helper whose name did not
    // survive in the post. This looks the certificate up by subject distinguished name.
    static X509Certificate2 FindCertificate(StoreName storeName, StoreLocation location, string subjectName)
    {
        X509Store store = new X509Store(storeName, location);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            // validOnly = false so a self-signed test certificate is found too
            X509Certificate2Collection found = store.Certificates.Find(
                X509FindType.FindBySubjectDistinguishedName, subjectName, false);
            if (found.Count == 0)
                throw new InvalidOperationException("Certificate not found: " + subjectName);
            return found[0];
        }
        finally
        {
            store.Close();
        }
    }
}
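The post leaves the “dynamic issue” open. The controller below is an added example, not code from the original post, showing how the same WIF metadata API can serve signed metadata on demand from an MVC-hosted STS: the endpoint URL is derived from the current request and the signing certificate is located by thumbprint. The controller name, the “Sts”/“Issue” action, the appSettings key and the WIF 3.5 namespaces are assumptions.

```csharp
using System;
using System.Configuration;
using System.IdentityModel.Tokens;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.Web.Mvc;
using System.Xml;
using Microsoft.IdentityModel.Claims;
using Microsoft.IdentityModel.Protocols.WSFederation;
using Microsoft.IdentityModel.Protocols.WSFederation.Metadata;
using Microsoft.IdentityModel.SecurityTokenService;

// Hypothetical controller: builds and signs the metadata per request instead of shipping a static file.
public class FederationMetadataController : Controller
{
    public ActionResult Index()
    {
        // "Issue" on "Sts" is an assumed STS action; the absolute URL comes from the current request.
        string stsUrl = Url.Action("Issue", "Sts", null, Request.Url.Scheme);
        // Thumbprint lookup (appSettings key is an assumption) cannot pick the wrong cert when
        // several certificates share a subject name.
        X509Certificate2 cert = FindByThumbprint(ConfigurationManager.AppSettings["StsSigningThumbprint"]);
        EntityDescriptor entity = new EntityDescriptor(new EntityId(stsUrl));
        entity.SigningCredentials = new X509SigningCredentials(cert); // the metadata document itself is signed
        SecurityTokenServiceDescriptor sts = new SecurityTokenServiceDescriptor();
        sts.ProtocolsSupported.Add(new Uri(WSFederationMetadataConstants.Namespace));
        KeyDescriptor key = new KeyDescriptor(new SecurityKeyIdentifier(new X509RawDataKeyIdentifierClause(cert)));
        key.Use = KeyType.Signing;
        sts.Keys.Add(key);
        EndpointAddress endpoint = new EndpointAddress(new Uri(stsUrl));
        sts.SecurityTokenServiceEndpoints.Add(endpoint); // active
        sts.PassiveRequestorEndpoints.Add(endpoint);     // passive
        sts.ClaimTypesOffered.Add(new DisplayClaim(ClaimTypes.Name));
        entity.RoleDescriptors.Add(sts);
        Response.ContentType = "application/xml";
        using (XmlWriter writer = XmlWriter.Create(Response.OutputStream, new XmlWriterSettings { Indent = true }))
        {
            new MetadataSerializer().WriteMetadata(writer, entity);
        }
        return new EmptyResult();
    }

    private static X509Certificate2 FindByThumbprint(string thumbprint)
    {
        X509Store store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        X509Certificate2Collection found = store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, false);
        store.Close();
        if (found.Count != 1) throw new InvalidOperationException("Signing certificate not found or ambiguous");
        return found[0];
    }
}
```

Relying parties trust whatever this document says, so the signature on it (entity.SigningCredentials) is what lets them reject metadata that was tampered with in transit.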

ASP.NET Error pages

It is interesting that my previous post talked about error pages in and yesterday I got this (see image below) when I tried to access the BlackBerry online shopping site.

It is good to know that this website is built using ASP.NET MVC, WCF and a Controller-Service-Repository pattern, so instead of being disappointed because the website crashed, I felt like it was built by some of my “friends” 🙂

PS: the good news is it was fixed right after that!

404 on MVC

If you are running IIS 7.x, there is a very simple solution to handle 404 (Page Not Found). I found this solution from

<!-- goes under system.webServer in web.config -->
<httpErrors errorMode="Custom" existingResponse="Replace">
  <remove statusCode="404" />
  <error statusCode="404" responseMode="ExecuteURL" path="/Error/PageNotFound" />
</httpErrors>
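The action behind /Error/PageNotFound has one job the config cannot do for it: with responseMode="ExecuteURL", IIS runs the action as a child request and the client receives whatever status that action sets, so a plain `return View()` turns a 404 into a 200 that hides broken links from monitoring and crawlers. The controller below is an added example, not from the original post; the class name is assumed from the path.

```csharp
using System.Web.Mvc;

// Assumed controller for the /Error/PageNotFound path in the httpErrors setting above.
public class ErrorController : Controller
{
    public ActionResult PageNotFound()
    {
        // Keep the real status code on the response that reaches the client.
        Response.StatusCode = 404;
        // Stop IIS from replacing this response with its own custom error page a second time.
        Response.TrySkipIisCustomErrors = true;
        return View();
    }
}
```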

Database diagram support objects cannot be installed…

This is the second time I ran into this issue and I think I should copy it here so that I don’t have to google it next time. The solution has been posted on

Below is the script from that post

EXEC sp_dbcmptlevel 'yourDB', '90';
use [yourDB]


Run Windows Explorer as Administrator

Have you ever been frustrated when you right-click the Windows Explorer icon, select “Run as Administrator”, and still get some kind of “Access Is Denied” message? The reason is that Windows Explorer still doesn’t run with Admin rights. Below is how to solve the problem according to

But I just want to put it here for my reference:
1. Run dcomcnfg.exe
2. Follow the screens below

This is particularly useful when you want to install assemblies into the GAC on production servers that don’t have the Windows SDK.