Troubleshooting!

1. m_safeCertContext is an invalid handle

I got this issue when trying to assign an X509SigningCredentials to the custom STSConfiguration.


this.SigningCredentials = new X509SigningCredentials(cert);

Solutions:

Make sure you don’t call cert.Reset() before passing the cert to the X509SigningCredentials constructor.

2. Keyset does not exist

Solutions:

http://stackoverflow.com/questions/602345/cryptographicexception-keyset-does-not-exist-but-only-through-wcf

http://msdn.microsoft.com/en-us/library/aa702621.aspx

3. A potentially dangerous Request.Form value was detected from the client (wresult=”<trust:RequestSecuri…”).

Solutions:

Make sure you have this setting in your web.config (under system.web):


<httpRuntime requestValidationMode="2.0"/>

http://social.msdn.microsoft.com/Forums/en-US/Geneva/thread/b6428ea6-e705-4c66-a6fe-8e9f51f73311

http://volkanuzun.com/blog/post/2010/10/14/A-potentially-dangerous-RequestForm-value-was-detected-from-the-client-(wresult3d3ctrustRequestSecuri).aspx

Run Windows Explorer as Administrator

Have you ever been frustrated when you right-click the Windows Explorer icon, select “Run as Administrator”, and still get some kind of “Access Is Denied” message? The reason is that Windows Explorer still doesn’t run with admin rights. Below is how to solve the problem, according to http://www.msfn.org/board/topic/144776-unable-to-open-an-elevated-windows-explorer-window/

But I just want to put it here for my reference.
1. Run dcomcnfg.exe
2. Follow the screens below

This is particularly useful when you want to install assemblies into the GAC on production servers that don’t have the Windows SDK.

Understand WCF claims-based Security (I)

A lot of information related to WCF claims-based security can be found on the web; below are some links:

Building a Claims-Based Security Model in WCF
Fundamentals of WCF Security

Understanding the WCF Identity Model is one of the keys to successfully building a custom security solution. This post is just my notes from trying to build a federated security system.

Accessing ClaimSets

We access the ClaimSets through the ServiceSecurityContext object:

foreach (ClaimSet cs in
   operationContext.ServiceSecurityContext.AuthorizationContext.ClaimSets)
{
   // do something
}

Service Authorization Manager

ServiceAuthorizationManager is part of the WCF Identity Model infrastructure; more detailed information can be found here. Below is how to plug in a custom service authorization manager, followed by what a simple one looks like.

<behaviors>
  <serviceBehaviors>
    <behavior name="ServiceBehavior">
      <serviceAuthorization principalPermissionMode="None"
        serviceAuthorizationManagerType=
          "ServiceAuthorizationManagers.AccessChecker,ServiceAuthorizationManagers" />
      <serviceMetadata httpGetEnabled="true"/>
    </behavior>
  </serviceBehaviors>
</behaviors>

AccessChecker implementation: CheckAccessCore is the core method. In this implementation it finds the “name” claim and uses a Roles provider to do the authorization.

using System;
using System.Collections.Generic;
using System.IdentityModel.Claims;
using System.ServiceModel;
using System.Web.Security;

public class AccessChecker : ServiceAuthorizationManager
{
   const string NAME_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name";
   // Maps an operation's action URI to the roles allowed to call it
   private Dictionary<string, string[]> _requirements = null;

   public AccessChecker()
   {
      // initializing... (load the action -> roles map, e.g. from configuration)
      _requirements = new Dictionary<string, string[]>();
   }

   protected override bool CheckAccessCore(OperationContext operationContext)
   {
      // The action header identifies which operation is being invoked
      string header =
         operationContext.RequestContext.RequestMessage.Headers.Action;
      string[] requiredRoles;
      if (header == null || !this._requirements.TryGetValue(header, out requiredRoles))
      {
         // No requirements registered for this action: deny
         return false;
      }

      foreach (ClaimSet cs in
         operationContext.ServiceSecurityContext.AuthorizationContext.ClaimSets)
      {
         foreach (Claim c in cs)
         {
            if (string.Compare(c.ClaimType, NAME_CLAIM, true) != 0)
               continue;
            foreach (string role in requiredRoles)
            {
               // c.Resource contains the user name
               if (Roles.Provider.IsUserInRole((string)c.Resource, role))
                  return true;
            }
         }
      }
      return false;
   }
}
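As an added example (not code from the original post), here is a variant of AccessChecker that ties the two sections above together: it walks the ClaimSets as shown earlier, but uses a name claim for the role lookup only after checking which ClaimSet issued it. It assumes WCF's built-in SAML token handling, where a token signed by the STS certificate gets an X509 issuer ClaimSet carrying that certificate's thumbprint, and STS_THUMBPRINT is a placeholder for that thumbprint.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Claims;
using System.ServiceModel;
using System.Web.Security;

// Added example, not from the original post: AccessChecker with an issuer check.
// A name claim drives the role lookup only when its ClaimSet was issued by the STS cert.
public class IssuerCheckedAccessChecker : ServiceAuthorizationManager
{
    const string NAME_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name";
    // Assumed value: hex thumbprint of the STS signing certificate (placeholder).
    const string STS_THUMBPRINT = "PLACEHOLDER-STS-SIGNING-CERT-THUMBPRINT";
    // Action URI -> roles allowed to call it; fill from config in a real service.
    private readonly Dictionary<string, string[]> _requirements =
        new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase);

    protected override bool CheckAccessCore(OperationContext operationContext)
    {
        string action = operationContext.RequestContext.RequestMessage.Headers.Action;
        string[] requiredRoles;
        if (action == null || !_requirements.TryGetValue(action, out requiredRoles))
            return false; // unknown action: deny by default
        foreach (ClaimSet cs in operationContext.ServiceSecurityContext.AuthorizationContext.ClaimSets)
        {
            if (!IssuedByTrustedSts(cs))
                continue; // e.g. Windows or anonymous claim sets: skip their name claims
            foreach (Claim c in cs.FindClaims(NAME_CLAIM, Rights.PossessProperty))
            {
                string user = c.Resource as string;
                if (string.IsNullOrEmpty(user)) continue;
                foreach (string role in requiredRoles)
                    if (Roles.Provider.IsUserInRole(user, role)) return true;
            }
        }
        return false;
    }

    // A token signed by the STS cert gets an X509 issuer ClaimSet whose thumbprint claim is a byte[].
    static bool IssuedByTrustedSts(ClaimSet cs)
    {
        if (cs.Issuer == null || ReferenceEquals(cs.Issuer, cs)) return false;
        foreach (Claim c in cs.Issuer.FindClaims(ClaimTypes.Thumbprint, Rights.PossessProperty))
        {
            byte[] hash = c.Resource as byte[];
            if (hash != null && BitConverter.ToString(hash).Replace("-", "")
                .Equals(STS_THUMBPRINT, StringComparison.OrdinalIgnoreCase)) return true;
        }
        return false;
    }
}
```

Register it through the same serviceAuthorization element shown above, replacing the AccessChecker type name.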