Workflow Services in .NET 4 allow you to do long running processes. But when you do that, there's an interesting question: when a workflow has been suspended, under which user is the workflow running when it is active again. To answer this question I created a simple workflow that writes the user in the current thread to a log. On the initial call, the user making the call was logged (in this case I used Windows Identity Foundation to authenticate, but this should be the same for all types of authentication). After a Delay of a minute that user was gone, and instead the user in the current thread was unauthenticated. This means that any code you call from the workflow can't rely on Thread.CurrentPrincipal to get the proper authorizations. You have to save the user, and somehow reinstate principal so it runs under the original context. Alternatively you can use some form of delegation.

Working with Windows Idnentity Foundation can be quite a minefield. Solve one issue, and the next creeps up. Because it's all these little tweaks to make it work, I often find myself thinking "How did I solve that last time?" One of those issues is the exception

Could not establish trust relationship for the SSL/TLS secure channel with authority 'somesite.runningunder.ssl'

There are two reasons why you can run into this exception, each discussed below.

The certificate isn't trusted and/or the URL doesn't correspond with the URL in the certificate. If this is the case, you get certificate warnings when you browse to the service WSDL with a browser. The best way to solve the former is to have your (development) environment work with certificates it trusts. This means setting up a Certificate Authority (Active Directory Certificate Services), placing the root CA certificate in the Trusted Root Certificates of the machine your clients (and services) run on, issuing the needed certificates from the CA, and placing these where they are needed. Alternatively, you can just add a single line of code to your client so it ignores certificate issues before you do any service call:

System.Net.ServicePointManager.ServerCertificateValidationCallback =
    ((sender, certificate, chain, sslPolicyErrors) => true);

WARNING! ONLY USE THE ABOVE CODE FOR DEVELOPMENT PURPOSES. IT IS NOT SECURE.

If after you've done the above you still get an exception, the above code is likely not even being hit. That means you (also) have the problem below.

You've setup identity trust in your client, and the certificate reference is incorrect. This often happens when you copied some configuration from somewhere, and forgot to change the corresponding certificate reference. The red stuff in the client configuration below (which is much longer in a real configuration) is the culprit. It should contain the encoded certificate.

<system.serviceModel>
  <client>
    <endpoint address="https://YourServer/Service1.svc"
              binding="customBinding"
              bindingConfiguration="CustomBinding_IService1"
              contract="ServiceReference1.IService1"
              name="Service1Binding">
      <identity>
        <certificate encodedValue="MIIF5jCCBM6gAwIBAgIKYSt2tQA..."/>
      </identity>
    </endpoint>
  </client>
</system.serviceModel>

To solve this, you need to get the base64 encoded certificate string, and paste it in place of what's in there now. To get it you can do the following:

1. Browse to the endpoint with your browser.
2. View the certificate information.
3. Save the certificate to file.
4. Open the certificate with notepad.
5. Copy the encoded value between the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- placeholders.
   

I've been working with WCF for quite a while, and every so often I run into this exception:

ArgumentException: The provided URI scheme 'https' is invalid; expected 'http'.Parameter name: via

The problem is obvious. You're trying to access a service under HTTPS, but it's being called with HTTP. Under most bindings you can solve this by adding somehting like this to the client binding configuration:

<binding name="MyBinding"> 
  <security mode="Transport"> 
    <transport clientCredentialType="None" /> 
    <message clientCredentialType="None"
             negotiateServiceCredential="false"
             establishSecurityContext="false" />
  </security> 
</binding>

When you use a (custom) ws2007FederationHttp binding, for instance when working with Windows Identity Foundation, the above won't work. In that case you need to look in the binding for the <httpTransport> element and replace it with <httpsTransport>.

It is typically a good idea to separate general authorizations of a user from application specific authorizations. This is why we invented Application Roles (Settings Administrator), which are separate from Organizational Roles (System Administrator).When using Application Roles, we can map these roles to Organizational Roles. In organizations using Active Directory, Organizational Roles are typically stored in AD. Application Roles can then be stored using Authorization Manager (AzMan) in XML or AD in Application Mode (separate from the organization AD).

Over the years I've built quite a few applications that use the above model, and it works well if you authorize with roles. But these days I do most of my work using things like Claims Based Authorization, so the question is "Does this translate to teh CBA world? And if so, how?". The answer is that yes, it does translate (very well actually), at least in Windows Identity Foundation.

In the CBA world an application receives a token with claims about the user. Like with roles, this should typically be claims not specific to the application, unless the only source for the claim information lies within (or is only accessible to) the STS. This serves two purposes:

1. The token is generally usable across applications, so the STS can deal with this more easily.
2. Tokens are not stuffed with a lot of claims.

The latter is actually more important than you might think. Adding more claims means a bigger token, and there comes a point where the token is so large that for instance ASP.NET rejects the request, because it is bigger than the accepted request size (which you should only increase if really necessary).

Now, one of the great things about CBA is that it enables me to create business logic which checks the authorization based on meaningful values, rather than a role. On top of that, I wouldn't want to have a hybrid security system for the claims stuff and the application specific stuff. Fortunately, In Windows Identity Foundation I can add claims to a claims identity, and these claims then behave the same as the claims acquired from the STS token. The only difference is that the issuer is set to LOCAL AUTHORITY, rather than the STS, which means these claims are really only usable locally in my app (or service). The code to add a local claim is easy:

IClaimsPrincipal claimsPrincipal = Page.User as IClaimsPrincipal;
IClaimsIdentity claimsIdentity = (IClaimsIdentity)claimsPrincipal.Identity;
claimsIdentity.Claims.Add(new Claim("http://MyApp/SomeAppClaim", "SomeValue"));

You can execute code like this when a session starts, and add all application specific claims for the user (identified by an STS claim) to the claims identity. The local claims then get the same lifetime as the claims originally from the token, so you only have to add them once. This way adding application specific claims is still separated from the functional code. Which was the benefit to start with.

Although the above code will definitly work, there is another option when using WCF, known as Claims Transformation. With Claims Transformation you can define policies that define ClaimSets to add to a user's token. This model is much more flexible, as explained in the MSDN article Service Station: Authorization in WCF-Based Services (jumps straight to the Claims Tranformation section). That article is from the pre-WIF era, but you can do similar stuff with teh ClaimsAuthorizationManager in Microsoft.IdentityModel.

Op het SDN Event van 13 december heb ik twee presentaties gegeven. Hieronder kun je de aantekeningen downloaden die ik gemaakt heb op de tablet (voor wie er niet bij was: ik heb in plaats van slides mijn sessie gedaan met behulp van tekenen in OneNote).

• ASP.NET_Aanpassen (1.05 MB)
• Wegwijs_in_Moderne_Beveiligingstechnieken (2.06 MB)

De demo's bij ASP.NET Aanpassen volgen op korte termijn (vermoedelijk komend weekend... leuk speelgoed voor de kerst).

At my company we we're looking at creating a generic STS that does not require Active Directory Federation Services 2.0, and we were also thinking about putting it up on CodePlex. Dominick Baier from Thinktecture beat us to it with StarterSTS. He's also posted some webcasts on how to use it. Good stuff, so instead rolling our own, we'll be using/extending this one.

Windows Identity Foundation introduces a new ClaimTypes class. It contains predefined claim type URIs for claims defined by OASIS and Microsoft. In the WIF SDK project templates for a custom STS this ClaimTypes class is mixed with the one already in System.IdentityModel.Claims, which is rather confusing. So, what's the difference?

Functionally: None. All claim type URIs in Microsoft.IdentityModel.Claims.ClaimTypes are identical to corresponding types in System.IdentityModel.Claims.ClaimTypes. That said, Microsoft.IdentityModel.Claims.ClaimTypes adds a few new claim types.

Technically: Claim types in System.IdentityModel.Claims.ClaimTypes are defined as static read only string properties, whereas in Microsoft.IdentityModel.Claims.ClaimTypes the claim types are string constants.

My advice: for clarity always use Microsoft.IdentityModel.Claims.ClaimTypes.

Windows Identity Foundation, formerly known as "Geneva", has shipped. I've been talking about Geneva/WIF on several occasions and I absolutely love it. It opens the door for a whole new realm of authentication/authorization scenario's. SharePoint 2010 will be the first Microsoft Product to support it, apart from the new Active Directory Federation Services 2.0, which was part of the development effort and was formerly known as "Geneva" Server. Be sure to check it out!