Tuesday, September 30, 2008

How to quickly get the thumbprint of a cert without removing the spaces?

In PowerShell, you can list the thumbprints of certs with this command:

Get-ChildItem -path cert:\localmachine\my

localmachine can be replaced with currentuser.
This command also lists the subject clearly, so you can use winhttpcertcfg.exe easily.


To see the details of a cert, use this command:

Get-ChildItem -path cert:\currentuser\my\EEBAC2D21C1E5B2E22070CC9547CB806EE98B9A8 | format-list -property *

How to debug cert-related errors?

* After changing the server cert, make sure it is the one selected in the HTTPS binding in IIS.

* Check cert permission using winhttpcertcfg.exe or the UI in mmc. For example, my portal's app pool uses the Network Service account. To set up an SSL channel with the web service server, I need to give the "Network Service" account permission to both the server authentication cert and the client authentication cert on the portal server. It is easy for me to forget to grant permission after updating a cert.

* Carefully check whether all certs in the chain exist. Note: I came across a situation where the cert status showed normal but one intermediate cert was actually missing. Furthermore, I got the server authentication cert and the client auth cert from the same site, so they have the same chain. When one intermediate cert is missing, the server auth cert works fine but the client auth cert does not. So anything can happen.

* Check whether the correct thumbprint is used in the WCF web.config.

* If any built-in accounts (e.g. NetworkService, LocalSystem) are used, make sure the required cert is installed in LocalMachine and that web.config searches for the cert in LocalMachine.
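The checks in the list above, as an added PowerShell example (not code from the original post): it finds one cert by thumbprint (spaces as copied from MMC are fine), reports expiry, private key and enhanced key usage, and builds the chain so a missing intermediate shows up as a chain status. It assumes the caller supplies the thumbprint and store location.

```powershell
# Added example, not code from the original post: run the cert checks above against one cert.
# Assumes the caller supplies the thumbprint (spaces allowed) and the store location.
param(
    [Parameter(Mandatory = $true)][string]$Thumbprint,
    [ValidateSet('LocalMachine', 'CurrentUser')][string]$StoreLocation = 'LocalMachine'
)

# MMC shows the thumbprint with spaces; WCF's FindByThumbprint and cert:\ paths need it without.
$tp = ($Thumbprint -replace '\s', '').ToUpperInvariant()

$cert = Get-ChildItem -Path "cert:\$StoreLocation\My" | Where-Object { $_.Thumbprint -eq $tp }
if (-not $cert) {
    Write-Host "No cert $tp in cert:\$StoreLocation\My."
    Write-Host "Built-in accounts such as Network Service only look in LocalMachine, so a CurrentUser cert is invisible to them."
    return
}

Write-Host "Subject : $($cert.Subject)"
Write-Host "Expires : $($cert.NotAfter)  (expired: $($cert.NotAfter -lt (Get-Date)))"
Write-Host "Has key : $($cert.HasPrivateKey)"

# Enhanced key usage tells you whether this is a Server Authentication or a Client Authentication cert.
$eku = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
if ($eku) {
    foreach ($oid in $eku.EnhancedKeyUsages) { Write-Host "EKU     : $($oid.FriendlyName) ($($oid.Value))" }
}

# Build the chain the way Windows does. A missing intermediate shows up here as PartialChain,
# even when the MMC status column still says the cert is OK. Revocation is skipped to stay offline.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$valid = $chain.Build($cert)
Write-Host "Chain OK: $valid"
foreach ($status in $chain.ChainStatus) {
    Write-Host "  status : $($status.Status) - $($status.StatusInformation.Trim())"
}
foreach ($element in $chain.ChainElements) {
    Write-Host "  link   : $($element.Certificate.Subject)"
}
```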

How to configure certs for my portal which uses WCF services?

The portal server needs:

1. A client authentication cert: needed for the portal to resolve the web reference of the WCF service, to send requests to the web service server, and to set up the SSL channel.

2. A server authentication cert: needed for the portal to set up the SSL channel (encryption) with the web service server.

Note: the server authentication cert is not used for client authentication. In other words, in the web service's web.config, the section should use the portal server's client authentication cert. In the portal's web.config, the section should also use the portal server's client authentication cert.

Note: both the client auth cert and the server auth cert are required for SSL channel setup.

How to disable SSL so that I can use svcutil to generate a proxy for a WCF service?

Two steps:
1. Disable SSL for this web service in IIS.
2. Set clientCredentialType="None" in web.config.

Cannot find the X.509 certificate using the following search criteria: StoreName 'My', StoreLocation 'LocalMachine', FindType 'FindBySubjectName'

I tried to hook up my portal with a WCF service but got this error: Cannot find the X.509 certificate using the following search criteria: StoreName 'My', StoreLocation CurrentUser, FindType 'FindBySubjectName', FindValue.

The app pool of this portal uses the NetworkService account. The cert is in the CurrentUser store. Why can the portal server not find this cert?

It is because NetworkService does not search for certs in the CurrentUser store. CurrentUser is only my logon account. Since the portal can run without a user logged on, or with multiple users logged on, NetworkService may not know which "CurrentUser" account's store to search.

Two solutions:

(1) Use a cert in LocalMachine; then NetworkService is able to find it.

(2) Using my own logon account instead of a built-in account for the app pool also resolved the problem.

Possible solution:
You may use the NetworkService account but create a CurrentUser cert store for NetworkService. To do this, in MMC, create a cert store for the WWW service. Then NetworkService may treat this store as its "CurrentUser" store and search for certs in it. I have not tried this.

On 2/26/2009, I encountered the same issue. I did not find anything wrong after doing all the verification. The cert is not expired, the permission is correct, the cert chain is normal, etc. Finally, I had to delete and reinstall the cert. Then it worked. This means the cert store can cheat somehow.

How to check the permission of a certificate?

When I hooked up my portal with the WCF service, I got "Cannot find the X.509 certificate using the following search criteria: StoreName 'My', StoreLocation 'CurrentUser', FindType 'FindByThumbprint', FindValue 'b55d97f9f04d6115d138416b65f9b4100884339f'. "

I suspect maybe I have not granted permission on the client certificate to the right account(s).

To check which accounts have been granted access to a cert, use:
winhttpcertcfg.exe -l -c Current_User\my -s "Issued to"

I used the commands below to grant permission to the IIS-related accounts:
winhttpcertcfg.exe -g -c Current_User\my -s "Issued to" -a "ASPNET"
winhttpcertcfg.exe -g -c Current_User\my -s "Issued to" -a "IIS_WPG"

A lesson: "Issued to" (which is actually the subject) matches the first cert whose subject contains the search keyword. If you have two certs sharing the same "Issued to", you have no way to use winhttpcertcfg to check the permission of the second cert.
So when you apply for a cert, pay attention to giving it a distinctive subject.

Granting these permissions did not resolve the issue described at the beginning of this article. I need to investigate further.
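An added PowerShell example (not from the original post) that does the same check as winhttpcertcfg -l but selects the cert by thumbprint, so two certs with the same "Issued to" cannot be confused: it locates the CAPI key container file behind the cert and lists the accounts in its ACL. It assumes an RSA CSP key, which is what winhttpcertcfg.exe manages; CNG keys are reported as unsupported.

```powershell
# Added example, not code from the original post: list which accounts can read a cert's private key.
# Assumes a CAPI (RSA CSP) key; the thumbprint is supplied by the caller (spaces allowed).
param(
    [Parameter(Mandatory = $true)][string]$Thumbprint,
    [ValidateSet('LocalMachine', 'CurrentUser')][string]$StoreLocation = 'LocalMachine'
)

$tp = ($Thumbprint -replace '\s', '').ToUpperInvariant()
$cert = Get-ChildItem -Path "cert:\$StoreLocation\My" | Where-Object { $_.Thumbprint -eq $tp }
if (-not $cert) { throw "No cert with thumbprint $tp in cert:\$StoreLocation\My" }
if (-not $cert.HasPrivateKey) { throw "Cert '$($cert.Subject)' has no private key; there is nothing to grant." }

# PrivateKey is only populated for CSP keys; CNG keys return null (or throw on some frameworks).
try { $csp = $cert.PrivateKey } catch { $csp = $null }
if (-not ($csp -is [System.Security.Cryptography.RSACryptoServiceProvider])) {
    throw "Private key is not an RSA CSP key; this example only handles CAPI keys."
}
$container = $csp.CspKeyContainerInfo.UniqueKeyContainerName

# CAPI key files live under ProgramData for machine keys and under the user's AppData for user keys.
if ($StoreLocation -eq 'LocalMachine') {
    $keyFile = Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$container"
} else {
    $keyFile = Get-ChildItem -Path (Join-Path $env:APPDATA 'Microsoft\Crypto\RSA') -Recurse -Filter $container |
        Select-Object -First 1 -ExpandProperty FullName
}
if (-not $keyFile -or -not (Test-Path $keyFile)) { throw "Key container file not found for $container" }

Write-Host "Subject  : $($cert.Subject)"
Write-Host "Key file : $keyFile"
Write-Host "Access   :"
# Each ACE here is an account winhttpcertcfg -g would have added (or the defaults Windows set).
(Get-Acl -Path $keyFile).Access |
    Sort-Object IdentityReference |
    ForEach-Object {
        Write-Host ("  {0,-40} {1,-6} {2}" -f $_.IdentityReference, $_.AccessControlType, $_.FileSystemRights)
    }
```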

Monday, September 29, 2008

Why is context.User.Identity.Name null or empty?

Problem:
I set my portal to use Windows auth but context.User.Identity.Name is always null or empty. I checked the IIS log and found my alias has been correctly used.

Solution: adding the section below resolved the problem.


Saturday, September 27, 2008

How to use DataTable and DataView

DataView cannot exist without a DataTable (or a Linq query).

Here is how to create a DataTable programmatically:
1. Define the table schema by adding columns;

2. Add rows. To add rows to a DataTable, you must first use the NewRow method to return a new DataRow object. The NewRow method returns a row with the schema of the DataTable.

Why did I get a NullReferenceException when using DataView.AddNew()?

Code:
DataView dv = new DataView();      // parameterless constructor: no Table is set
DataRowView drv = dv.AddNew();     // throws NullReferenceException

Reason:
If you create a DataView using the constructor that does not take any arguments, you will not be able to use the DataView until you have set the Table property.
http://msdn.microsoft.com/en-us/library/hy5b8exc(VS.71).aspx

Friday, September 26, 2008

What is the difference between RegisterClientScriptBlock and RegisterStartupScript?

The RegisterClientScriptBlock method inserts the client-side script immediately below the opening tag of the Page object’s [form runat=”server”] element. The code cannot access any of the form’s elements because, at that time, the elements haven’t been instantiated yet. This explains why hdnView variable had a null value in my case. The RegisterStartupScript method inserts the specified client-side script just before the closing tag of the Page object’s [form runat=”server”] element. The code can access any of the form’s elements because, at that time, the elements have been instantiated. The choice of which method to use really depends on the “order” in which you want your script to be run by the browser when rendering the page.

(http://treasure4developer.wordpress.com/2008/02/05/difference-between-registerclientscriptblock-and-registerstartupscript/)

RegisterClientScriptBlock is meant for functions that should
be "available" to the page. For this they are rendered at the start
of the HTML file.

RegisterStartupScript is meant for commands that should execute on
page load (at the client), so the page needs to be available for the
script. This script is rendered at the end of the HTML file.

(http://bytes.com/forum/thread278475.html)

What is the order of content page_load and master page_load?

This is the sequence of events that get fired when a content page is
merged with a master:

Master page controls Init event
Content controls Init event

Master page Init event
Content page Init event

Content page Load event
Master page Load event

Content page PreRender event
Master page PreRender event

Master page controls PreRender event
Content controls PreRender event


From http://www.velocityreviews.com/forums/t123348-master-pages-pageload-is-backwards.html

Thursday, September 25, 2008

Why are my controls displayed but disabled?

This took me a lot of time to figure out and is a big lesson for me.

The reason is that I set z-index=-1 for the div containing these controls.

I think any layer with z-index<0 is not editable.

Setting z-index=0 or removing z-index setting (0 by default) resolved the issue.

Wednesday, September 24, 2008

How to copy all files and sub-folders from one folder to another?

xcopy /E/I/V bin\_PublishedWebsites\PartnerPortal %sitedir%

How to delete all files and sub-folders in a folder?

rd /s/q c:\temp

What is the reason for the certificate error in the IE address bar?

Reason: there is a problem with the server cert.

For example, if the server SSL cert was issued for mymachine.mydomain.com and you access the site using http://mymachine/myservice.svc, then the cert's "issued to" does not match the host name. In this case, using http://mymachine.mydomain.com/myservice.svc resolves the cert issue.

Another possibility is that the root of the server cert is not installed on the client machine. Check your Trusted Root and Intermediate stores to see whether you need to install them.
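An added PowerShell example (not from the original post) that reproduces the browser's check from the command line: it opens a TLS connection to the host name you would type in the address bar, captures the validation result instead of failing, and reports separately the two causes described above (name mismatch, and an untrusted or missing root/intermediate). The host name and port are supplied by the caller.

```powershell
# Added example, not code from the original post: explain an HTTPS cert error without a browser.
# Assumes the caller supplies the host name exactly as typed in the address bar.
param(
    [Parameter(Mandatory = $true)][string]$HostName,   # e.g. mymachine or mymachine.mydomain.com
    [int]$Port = 443
)

# Record the validation result rather than letting SslStream throw, so it can be explained below.
$state = @{ Errors = $null }
$callback = { param($sender, $cert, $chain, $sslErrors) $state.Errors = $sslErrors; return $true }.GetNewClosure()

$tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
try {
    $ssl.AuthenticateAsClient($HostName)   # the cert is validated against exactly this name
    $remote = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
} finally {
    $ssl.Dispose()
    $tcp.Close()
}

Write-Host "Issued to : $($remote.Subject)"
Write-Host "Issued by : $($remote.Issuer)"
Write-Host "Valid to  : $($remote.NotAfter)"
$san = $remote.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # Subject Alternative Name
if ($san) { Write-Host "SAN       : $($san.Format($false))" }
Write-Host "Errors    : $($state.Errors)"   # None | RemoteCertificateNameMismatch | RemoteCertificateChainErrors

$nameMismatch = [int]($state.Errors -band [System.Net.Security.SslPolicyErrors]::RemoteCertificateNameMismatch) -ne 0
$chainErrors  = [int]($state.Errors -band [System.Net.Security.SslPolicyErrors]::RemoteCertificateChainErrors) -ne 0

if ($nameMismatch) {
    Write-Host "Name mismatch: browse with the name the cert was issued to (see Subject/SAN), not '$HostName'."
}
if ($chainErrors) {
    # Rebuild the chain locally to see which link is untrusted or missing on this client.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    [void]$chain.Build($remote)
    foreach ($s in $chain.ChainStatus) { Write-Host "Chain: $($s.Status) - $($s.StatusInformation.Trim())" }
    Write-Host "Check the Trusted Root and Intermediate stores on this client for the issuer(s) above."
}
```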

Where is bcz defined in CoreXT?

C:\enlistments\maa2\tools\build\aliases\aliases.pub

This file also defines the shortcuts below:

.. cd .. && cd $*
... cd ..\.. && cd $*
.... cd ..\..\.. && cd $*

This file defines team-wide aliases.

developer\build\aliases.pub defines personal aliases.

IIS KBs

IIS KBs - October 2007 (More IIS 7 Status Code)
942067 Error message when you try to run a Web application that is hosted on a server that is running IIS 7.0: "HTTP Error 403.7 - Forbidden"
942057 Error message when you visit a Web site that is hosted on IIS 7.0: "HTTP Error 502.2 – Bad Gateway"
942032 Error message when users visit a Web site that is hosted on a server that is running Internet Information Services 7.0: "HTTP Error 404.3 - Not Found"
942036 Error message when you visit a Web site that is hosted on IIS 7.0: "HTTP Error 403.2 - Forbidden"
942053 Error message when you visit a Web site that is hosted on IIS 7.0: "HTTP Error 404.5 – URL Sequence Denied"
942065 Error message when you visit a Web site that is hosted on IIS 7.0: "HTTP Error 403.1 - Forbidden"
942061 Error message when you visit a Web site that is hosted on IIS 7.0: "HTTP Error 403.16 - Forbidden"
942077 Error message when you visit a Web site that is hosted on a server that is running Internet Information Services 7.0: "HTTP Error 404.10 - REQUEST_HEADER_TOO_LONG"
942076 Error message when you visit a Web site that is hosted on IIS 7.0: "HTTP Error 404.11 – URL_DOUBLE_ESCAPED"
942038 Error message when you try to visit a Web page that is hosted on Internet Information Services 7.0: "HTTP Error 403.17 (Forbidden) - The client certificate has expired"
942040 Error message when you try to visit a Web page that is hosted on IIS 7.0: "HTTP Error 404.2 – Not Found"
942050 Error message when you visit a Web site that is hosted on a server that is running Internet Information Services 7.0: "HTTP Error 406 - Not Acceptable"
942055 Error message when you visit a Web site that is hosted on IIS 7.0: "HTTP Error 500.19 – Internal Server Error"
942059 Error message when you visit a Web site that is hosted on IIS 7.0: "HTTP Error 502.1 – Bad Gateway"
942063 Error message when you visit a Web site that is hosted on IIS 7.0: "HTTP Error 403.13 - Forbidden"
942074 Error message when you visit a Web site that is hosted on a server that is running Internet Information Services 7.0: "HTTP Error 404.13 - CONTENT_LENGTH_TOO_LARGE"
942079 Error message when you visit a Web site that is hosted on IIS 7.0: "HTTP Error 401.4 – Authorization failed by filter"
942078 Error message when you visit a Web site that is hosted on a computer that is running IIS 7.0: "HTTP Error 401.5 – Authorization failed by ISAPI/CGI application"
942051 Error message when a user visits a Web site that is hosted on a server that is running Internet Information Services 7.0: "HTTP Error 405.0 - Method not allowed"
942071 Error message when you visit a Web site that is hosted on a server that is running IIS 7.0: "HTTP Error 404.15 – Not Found"
942034 You are not prompted to select a client certificate from the local certificate store in IIS 7.0
943240 FIX: Error message when IIS 6.0 receives the entity body for an HTTP POST request while an application pool is recycled: "The underlying connection was closed"

From http://msmvps.com/blogs/bernard/archive/2007/11/14/iis-kbs-october-2007-more-iis-7-status-code.aspx

NotSupportedException: The SSL settings for the service 'None' does not match those of the IIS 'Ssl, SslNegotiateCert, SslRequireCert, Ssl128'.

Problem:
I deployed a WCF service in IIS7. This WCF requires client cert. When I browsed the SVC using IE, I got error page: NotSupportedException: The SSL settings for the service 'None' does not match those of the IIS 'Ssl, SslNegotiateCert, SslRequireCert, Ssl128'.

Reason:
I should select "Require client certificate" in IIS7 to match the WCF configuration. "Ignore" or "Accept" client certificate does not work.

WCF service on IIS7, Windows 2k8 server: HTTP Error 404.3 - Not Found

How to debug:
1. Read the error messages: "It is possible that a handler mapping is missing", "The feature you are trying to use may not be installed".

2. Check the handler mappings in IIS7 to see whether there is an svc type. I did not find svc.

3. Start optionalfeatures.exe to see whether WCF activation is enabled.

4. Enable WCF activation; then you can see svc appear in the handler mappings.

5. The 404.3 error goes away.

Monday, September 22, 2008

Friday, September 19, 2008

What does ".Buttons a.Enabled" in CSS mean?

.Buttons a.Enabled
{
background-image: url("./images/NavigationButtonEnabled.png");
}

Explanation: a LinkButton is rendered as a link (an a element). So ".Buttons a.Enabled" means any descendant link (a LinkButton, in this example) with the Enabled class inside the div whose class is Buttons.

System.Resources.MissingManifestResourceException was unhandled by user code

Problem:
My localization of a web app throws exception:"Could not find any resources appropriate for the specified culture or the neutral culture. Make sure "MyResource.resources" was correctly embedded or linked into assembly "WebApplication1" at compile time, or that all the satellite assemblies required are loadable and fully signed.".

Solution:
You cannot use the VS 2005 way in VS 2008.

In VS2005, you can use:
Assembly asm = Assembly.Load(assemblyName);
ResourceManager rm = new ResourceManager(baseName, asm);

In VS2008, you have to include the web application name in the base name:
ResourceManager rm = new ResourceManager(".", Assembly.GetExecutingAssembly(), null);

Furthermore, I found I cannot put the resource files in App_GlobalResources directory. It may be possible but it is not straightforward at least. I have to create a new resource file under the project root directory.

Wednesday, September 17, 2008

How to open a link in a new window when clicking a button by using javascript?

OnClientClick="Javascript:window.open('Privacy.aspx','mywindow', 'width=500,height=600');return false;"

CS0433: The type 'CLASS' exists in both 'dll1' and 'dll2'

Problem:
I used VS2008 to create a web app and deployed it to Windows Server 2k8.
For WLID, I copied expirecookie.aspx from the sample to my wlid directory.
Note: this expirecookie.aspx does not have a code-behind file. Instead, it has an inline script.
Then when I tried to access https://mysite.com/mysite/wlid/expirecookie.aspx, it threw the error message in the subject.

Reason:
Either .NET 3.5 or the project created in VS2008 does not support an aspx file with an inline script. After I added a new aspx with a code-behind file in VS2008, the error went away.

Tuesday, September 16, 2008

How to check how much battery is left in a laptop?

Use Windows Mobility Center.
Shortcut: Windows+X

How to get more diagnostic info when building a project using CoreXT + msbuild?

set msbuild_verbosity=diag

msbuild_verbosity modes: QUIET, MINIMAL, NORMAL, DETAILED, DIAGNOSTIC. Default=NORMAL

Saturday, September 13, 2008

Why can't I sign out of WLID on Vista, IIS7?

Reason: expirecookies.aspx was not created for sign-out.

You should be able to browse https://mysite.com/wlid/expirecookies.aspx to verify whether this page is ready or not.

This problem has nothing to do with the OS, although it is known that RPS has been fully tested on Windows Server 2k3 and Windows Server 2k8.

Friday, September 12, 2008

How to cobrand WLID sign in page?

Assuming the RPS 6.0 HTTP module is used, here are the steps.

Steps:
1. Add string IDs in Login UI section in MSM;
2. Add localized strings for each ID and each locale in Localization section in MSM;
3. Set propbag to load these cobranding strings:

LiveIdentity LiveID = HttpContext.Current.User.Identity as LiveIdentity;
Microsoft.Passport.RPS.RPSPropBag authPropBag = LiveID.CreateNewRPSPropBag();
authPropBag["WLContext"] = "mytitle$mysubtitle$myimage$myupselltext1$myupselltext2$myupselllearnmorelink";
WLIDSignInOutLiteral.Text = LiveID.GetTextTag("mysite", "nexus.passport-int.com/public/partner/rpsnetwork4.xml", authPropBag);

How to make the return url take effect when using the RPS 6.0 HTTP module

Problem:
Environment: IIS7, vista, RPS 6.0.5135.0

Repro:
1) Install rps;
2) Configure RPS http module according to RPS beta doc;
3) Register my site in MSM, providing return url as “….\landing.aspx”;
4) Configure rpsserver.xml, specifying the same return url in the site node;
5) Open ie and go to the un-authed page default.aspx;
6) Click sign in button;
7) On the signin page, you can see the return url embedded in the request url is “…\default.aspx” instead of “landing.aspx”.
8) After signin, it directs to default.aspx instead of landing.aspx.

I also tried this:
1) Open IE and go to landing.aspx;
2) Click sign in button;
3) On the signin page, you can see the return url embedded in the request url is “…\landing.aspx”;
4) After sign in, it directs to landing.aspx.

According to the above repro, it seems WLID always uses the incoming url to construct the return url and ignores any configured return url in my case.

I have downloaded the site xml and verified that the return url is landing.aspx.

How can I make the return url take effect?


Solution:
Use PropBag when setting WLIDSignInOutLiteral.Text. The PropBag will load the configuration of this site node in rpsserver.xml. So if you set return url correctly in rpsserver.xml for this site, then it takes effect.

Microsoft.Passport.RPS.RPSPropBag authPropBag = LiveID.CreateNewRPSPropBag();
WLIDSignInOutLiteral.Text = LiveID.GetTextTag("Sitename", "nexus.passport-int.com/public/partner/rpsnetwork4.xml", authPropBag);

Thursday, September 11, 2008

Why does Windows Live signup not work on my site?

Problem:
I used Windows Live signup by:
(1) checking the "Windows Live enabled" checkbox in MSM (this makes the sign-in page use the Windows Live theme);
(2) filling in the "Windows Live upsell URL" textbox with "https://signup.live.com/signup.aspx" (this makes the signup page use the Windows Live theme).

However, when I click the signup button on the signin page, I get an error image:

Note: my return url is not in live.com domain.

Answer:
This is an answer I got from an expert.

The return URL can only be to a URL with the following domains.

PROD
live.com,microsoft.com,msn.com,live.jp,windowslive.jp,msn.co.jp

INT
live-int.com,microsoft-int.com,msn-int.com,live-int.jp,windowslive-int.jp,msn-int.co.jp,live.com,microsoft.com,msn.com,live.jp,windowslive.jp,msn.co.jp

You realize that the signup page you are using is designed for Windows Live and not partners outside of Windows Live such as MSDN and Microsoft.com.

However, we heard from other experts that Windows Live signup can be used by sites outside live.com. So I still need to follow up.

What do the parameters mean in WLID url?

ru - return url

regru - return url after WLID registration. If there is no regru, then ru is used after registration.

wreply - the url overriding the default return url

wa - ?

wasignin=1.0 This parameter triggers RPS to look for RPS Compact ticket and process it if one is present

What is the shortcut of turning on/off features on Vista?

optionalfeatures.exe

Wednesday, September 10, 2008

Why does Windows authentication not prompt a credential dialog?

Problem: I created a website (which has only a default.htm for testing purposes) and enabled Windows authentication by:
(1) Enabling Windows authentication in IIS;
(2) Disabling anonymous access in IIS;
However, no credential dialog pops up when I visit default.htm.

Solution: here is how to debug.
Windows Integrated Authentication will be silently submitted by Internet Explorer if the web server challenges the user.

Looking at your web logs (C:\inetpub\logs\LogFiles\W3SVC1) for the website, you should see one or two 401s before a 200 response containing the username - this means it is working.

If you do not, and only ever see blank-username 200s, authentication isn't configured correctly yet.

If you desire a prompt, disable IE's Automatic Logon settings in Internet Options -> Security tab -> Custom level.
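The log check described above, as an added PowerShell example (not from the original post): it parses the W3C fields header of an IIS log and reports, per client address, whether the 401 challenge(s) were followed by a 200 carrying a user name, or whether only anonymous 200s were seen. The log lines embedded below are constructed for the example; point $LogPath at the real C:\inetpub\logs\LogFiles\W3SVC1 files instead.

```powershell
# Added example, not code from the original post: verify Integrated auth from IIS W3C logs.
# The sample log is constructed; replace it with Get-Content on the real log files.
$sample = @'
#Software: Microsoft Internet Information Services 7.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2008-09-10 10:00:01 10.0.0.5 GET /default.htm - 80 - 10.0.0.20 Mozilla/4.0 401 2 5 0
2008-09-10 10:00:01 10.0.0.5 GET /default.htm - 80 - 10.0.0.20 Mozilla/4.0 401 1 0 0
2008-09-10 10:00:02 10.0.0.5 GET /default.htm - 80 CONTOSO\alice 10.0.0.20 Mozilla/4.0 200 0 0 15
2008-09-10 10:01:00 10.0.0.5 GET /default.htm - 80 - 10.0.0.21 Mozilla/4.0 200 0 0 3
'@

function Read-IisLog {
    # Turns W3C log lines into objects whose property names come from the #Fields header.
    param([string[]]$Lines)
    $fields = @()
    foreach ($line in $Lines) {
        if ($line -like '#Fields:*') { $fields = $line.Substring(8).Trim() -split ' '; continue }
        if ($line.StartsWith('#') -or -not $line.Trim()) { continue }
        $values = $line -split ' '
        $row = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $values[$i] }
        New-Object PSObject -Property $row
    }
}

# $LogPath = 'C:\inetpub\logs\LogFiles\W3SVC1\*.log'; $rows = Read-IisLog -Lines (Get-Content $LogPath)
$rows = Read-IisLog -Lines ($sample -split "`r?`n")

# A working Integrated auth exchange per client is one or two 401s, then a 200 with cs-username set.
foreach ($group in $rows | Group-Object -Property 'c-ip') {
    $seq = $group.Group | ForEach-Object { "$($_.'sc-status').$($_.'sc-substatus')" }
    $sawChallenge = [bool]($group.Group | Where-Object { $_.'sc-status' -eq '401' })
    $sawUser      = [bool]($group.Group | Where-Object { $_.'sc-status' -eq '200' -and $_.'cs-username' -ne '-' })
    $verdict = if ($sawChallenge -and $sawUser) { 'authenticated' } else { 'anonymous only: auth not configured' }
    Write-Host ("{0,-12} {1,-28} {2}" -f $group.Name, ($seq -join ' -> '), $verdict)
}
```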

WLID sign up button does not work in WLID sign in page

Problem:
I registered my site at http://msm.live.com. On the WLID sign-in page, the sign-in button works fine but the sign-up button directs to a page containing the error message.

Solution:

In msm.live.com, edit the upsell textbox with https://signup.live-int.com/signup.aspx

How to tackle the issue that using the hosts file prevents internet access?

Problem: if I disable "automatically detect proxy" in IE so that the hosts file takes effect, internet access stops working. How can I enable both at the same time?

Solution: install ISA firewall client.

Tuesday, September 9, 2008

What is the location of AppCmd.exe?

%systemroot%\system32\inetsrv\

Explain the certificate formats

Personal Information Exchange (PKCS #12)

The Personal Information Exchange format (PFX, also called PKCS #12) enables the transfer of certificates and their corresponding private keys from one computer to another or from a computer to removable media.

Because exporting a private key might expose it to unintended parties, the PKCS #12 format is the only format supported in this version of Windows for exporting a certificate and its associated private key.

Cryptographic Message Syntax Standard (PKCS #7)

The PKCS #7 format enables the transfer of a certificate and all the certificates in its certification path from one computer to another, or from a computer to removable media.

DER Encoded Binary X.509

DER (Distinguished Encoding Rules) for ASN.1, as defined in ITU-T Recommendation X.509, might be used by certification authorities that are not on computers running Windows Server 2003, so it is supported for interoperability. DER certificate files use the .cer extension.


Base64 Encoded X.509

This is an encoding method developed for use with Secure/Multipurpose Internet Mail Extensions (S/MIME), which is a popular, standard method for transferring binary attachments over the Internet.

Because all MIME-compliant clients can decode Base64 files, this format might be used by certification authorities that are not on computers running Windows Server 2003, so it is supported for interoperability. Base64 certificate files use the .cer extension.


IIS7 document

What are the differences between a CEK cert and an SSL cert?

(1) A CEK (cookie encryption key) cert can be obtained from locally hosted Microsoft Certificate Services, included in Windows Server 2k3, or from Microsoft internal cert application sites.

An SSL cert must be obtained from a public certificate authority, such as VeriSign.

(2) The CEK cert name does not need to match the site, while the SSL cert name must match.

Monday, September 8, 2008

How to open a txt file with notepad from a PowerShell script?

function hosts
{
[System.Diagnostics.Process]::Start('notepad.exe', 'C:\Windows\System32\drivers\etc\hosts');
}

No alias needed.

Sunday, September 7, 2008

How to edit the profile for PowerShell?

1. Create a new profile:
new-item -type file -force $profile

2. Edit it:
notepad $profile