Microsoft will be presenting some very interesting stuff at the PDC this year. One of the much-anticipated Oslo-related messages came last week, ahead of the conference, with the public announcement of "Dublin", an Application Server and host for WF / WCF applications.  And get this: There will be CTP BITS available for .NET Framework 4.0 and Dublin at the PDC!

Essentially, Dublin offers significant feature additions to the WAS (Windows Process Activation Services - remember?) that ship with Server 2008 and Vista, and will include functionality that previously was only available in Microsoft's messaging platform, BizTalk Server. Undoubtedly this is great news for anyone who has been developing standalone non-HTTP WCF services and hosted WF workflows. Dublin will be a Windows 2008 Server Role and will support:

• Message-based correlation
• Message forwarding service
• Content-based message routing (CBR)
• Long-running transactions with compensation
• Scale-out of stateful workflow applications
• Persisting and rehydrating workflow state for high scalability
• Enhanced management and monitoring functions
• Tracking of workflow events
• Low-latency messaging
• Plus, it will support the “Oslo” modeling platform

With this feature set, Windows Server with Dublin and .NET 4.0 support a variety of Business Process and Messaging scenarios, such as highly asynchronous transaction processing, scalable messaging deployments, automation of long-running workflows, durable, as well as low-latency non-durable messaging, and coordination of processes across heterogeneous environments.

Anyone interested in the future direction of BizTalk and Oslo technologies will recognize a rather clear forking into Application Server services (Dublin) and Integration Services (BizTalk).  Let's have a look at what BizTalk offers today in addition to messaging and hosting services listed above:

• Accelerators such as HIPAA, HL7, SWIFT, EDI
• Host connectivity (HIS)
• Trading Partner Management
• RFID support
• BAM
• Mapping
• XLANG orchestration host
• Services Registry (to ship with BizTalk Server 2009)
• ESB services provided by the ESB Guidance

What about adapters?  Well, the new wave of Line-of-Business adapters is built on the WCF Adapter Framework and allows us the flexibility to use adapters anywhere, not exclusively in BizTalk. The BizTalk LOB Adapter Pack (currently packaged with BizTalk, but also available as a separate SKU) lets you connect to 3rd party business systems today from any custom-developed .NET application, SQL Server–based BI solution, or Office Business Application (OBA).  This likely means that they will work in Dublin / .NET 4.0 WCF, and is the reason I did not include it in the list of deltas.

Many have probably also heard Microsoft talk about the plan to eventually replace the XLANG orchestration engine with WF. With the announcement of Dublin, I believe a more accurate way to say this would be that Future BizTalk will sit on top of Dublin to provide integration services and accelerators, as well as offer backward compatibility with XLANG processes.  Similar to the way that MOSS sits atop of WSS.

BAM, in my opinion, is the interesting question and feature that has not found a clear "home" yet.  While Dublin offers tracking services, I have not seen a plan for the comprehensive (, well-designed and extremely useful) infrastructure that BizTalk BAM offers today for building reports, data structures and cubes, and process instrumentation. 

How did we get from Oslo to Dublin? 

To put all this into context -- Oslo is an initiative that spans multiple products and technologies. More and more we hear about the "Oslo Modeling Platform" and the "Oslo Repository" -- those are the key areas of development in this initiative.  And “Dublin” provides a runtime environment into which model-driven "Oslo" applications can be deployed.

Service Pack 2 is now available for Commerce Server 2007.  No features have been added, but a lot of product compatibility and some bug fixes:

The amazon.com web site has been unavailable since around 11:20 am PST with a "Http/1.1 Service Unavailable" message and nothing else.  It is possible to access the site through https://www.amazon.com, but not through http.  Were they hacked or attacked or sabotaged?  In this day and age of redundant hardware it is hard to believe that an Amazon would suffer such a massive failure.  

Interestingly, the stock price took an immediate hit as well with a 3.85% decline since the outage started. It will be very interesting to hear just how much revenue Amazon lost in that 1/2 hour.

12:10 pm update: After a good 40 minutes, some of the farm servers came back up, but now everything went down hard again.  Some pages show a new error message:

Stock price  -4.11%.

12:30 pm update: Down for more than an hour. No explanation yet.  Somebody is sweating bullets...

12:40 pm update: Site seems to be back up again with the exception of some crucial pages like the shopping cart. The outage only affected the US site, none of the international domains.

Stock price - 4.40%.

Join my colleagues of the Magenic Technology Council (MTC) at the first annual Technology Summit in Chicago on June 20, 2008.  This geeky, two-track, day-long mini-conference is packed with great sessions and keynotes by Rocky Lhotka and Jay Schmelzer, Group Program Manager on the Microsoft Visual Studio team. In the Developer track, members of the MTC will present on code quality, the ASP.NET MVC framework, LINQ indexing techniques, WPF and Silverlight in UX design.  The Server track offers sessions on SharePoint branding, SQL Server 2005 health, TFS, and RFID with BizTalk 2006 R2.

It will be difficult to decide which track to attend. Make sure to bring a colleague!

This is a free event by invitation only. Contact your Magenic Account Executive, send email to sales@magenic.com, or contact me through this blog. 

More information and session abstracts.

Recently, while getting fired up for a family Rockband session, our XBox died. Red ring of death. Put down the guitar controller - the third one nonetheless - first one got its strum bar stuck, second one had a miscalibrated tilt sensor - and go through the routine... call, ship, wait. We'd only done it three times in the last two years, so yes, we know the routine.

Two weeks later (life without an XBox isn't all that bad, really - did you know there's a whole world outside the front door) the box shows up on our doorstep (...get the guitars ready). Together with a letter that said that we had tampered with our XBox and they won't fix it, so here, have your brick back. WTF?  Given that none of us have a need to, care to, or even know how to "tamper" with our XBox, the only explanation I can come up with is that this is a machine that had been previously opened by Microsoft's repair engineers. This cannot really be happening, right?

Several hours (days) on the phone with patient, but completely unempowered customer service personnel we know now that there allegedly is a broken seal behind the faceplate, as evidenced by some photograph - now attached to our file. So with the engineer's remote help (as we've never done it before) we take off the faceplate and have a look. Nothing. Not the minutest crack. WTF?  I guess this is how Microsoft's mitigates the rising cost of supporting their extension of warranty to 3 years. By refusing to fix them.

So as it stands right now we have a nice-looking brick, a useless (with or without the Xbox) HD DVD player, an extensive library of games, and a bunch of ugly plastic instruments sitting around our living room. Anyone interested? The PS 3 is starting to look really good....

UPDATE:  My well-connected colleague Chris Williams  set some things in motion and some well-meaning Microsoft folks made it happen. Customer Service reps suddenly became very helpful (it was like magic) and we were asked to send our box in again.  I'm happy to report that we have now received a replacement box and a month of XBox Live for "our troubles".   Thank you Chris, and especially Brian from Microsoft!  

Rock on!

I recently put together a glossary of common security-related terms to aid in discussions around "Single Sign-On" scenarios. I've experienced this a few times now -- a level-set on terminology is almost always needed to make security discussions productive from the start.  Oftentimes the terms are confused, misused, or ambiguously defined.  I have attempted to stay general with the definition of terminology, however, since I'm a Microsoft consultant the examples and products mentioned are Microsoft's.

User

A person using a system through a user interface (as opposed to a system).

Credentials

A set of claims used to prove the identity of an entity (typically a User). They contain an identifier for the client (a "user name") and a proof of the client's identity (a "password"). They may also include additional information, such as a third-party digital signature, indicating that the issuer certifies the claims in the credential.

Authentication

The process of identifying an individual based on evidence provided. Evidence may be presented in the form of credentials such as a username - password pair, pin numbers, access codes, or a hardware device such as a smart-card, or thumb-print reader.

Multi-factor authentication implies use of more than one distinct method of authenticating a user. Often, two-factor authentication is based on “something the user knows” as well as “something the user has”, such as password plus a cryptographic device.

Individuals who have not (yet) authenticated with a system are commonly referred to as anonymous users.

Authorization

Authorization is the process of granting the identified individual or system access to resources. An ACL (Access Control List) on a file folder is an example of an authorization mechanism. Authorization always typically happens after the user has been authenticated, however, it should include rights granted to or denied from anonymous users.

In application-terms, authorization is often referred to as role-based security.

Role = container for permissions (for example, a “Contributor” has rights to read, write and delete a record in a table)
Group = container for user accounts (for example, “Human Resources Group” contains all users in the HR department)
Authorization best practice = Associate Groups with Roles.

Resource Access Pattern

An application that accesses secured external resources, such as databases, a file shares, external web services or software systems, typically uses one of two high-level patterns to present security claims:

Delegation

The process of propagating a security identity from a caller to the resource. Delegation requires access to the user's full set of credentials (Impersonation). If the destination system does not accept the same type of credentials as the authenticating system, a Single Sign-On (SSO) intermediary can be used (see below).  Delegation requires the user to have permissions to access the destination system.

Trusted Subsystem

This is a process where a trusted business identity (a "service account") is used to access a resource on behalf of the client. In this model, the user does not need to have direct permissions to the destination system, and no SSO solutions are required. 

An example of a Trusted Subsystem is an ASP.NET / IIS web application running on Windows Server 2003, that will use the configured Application Pool Identity account to access a SQL Server database, if Impersonation is disabled (default) in the web.config, and the connection string specifies SSPI (Windows) authentication. This is the most commonly used scenario for database access.

To switch to a Delegation model, turn on Impersonation in the web.config. In this case the user identity will be passed to the database. If, however, IIS is set to allow Anonymous, that user identity will be the Anonymous user account configured on the web application. So take care with Impersonation!

Single Sign-On

Since it is not always possible to have one central credential store that is used by all enterprise systems, Single Sign-On (SSO) is used to work around the need for a user to remember multiple different credentials in order to authenticate with different systems. SSO enables the user to authenticate once and gain access to multiple systems in real-time. Portals, mash-ups and messaging systems are often the brokers for SSO solutions. All participating systems typically retain their credential stores.

Different methods for SSO exist, some require modification of source systems, others don’t. Enterprise SSO solutions involve a credential mapping process and secure storage of user’s credentials for participating systems as it relates to a central logon. Participating systems do not require modifications in order to support Ent SSO. This is sometimes referred to as “assembled identity”. Alternatively, real-time SSO can be achieved with Identity Federation solutions.

It makes sense that Enterprise Single Sign-On solutions would be part of messaging platforms (BizTalk Server 2006) and portal systems (SharePoint Server 2007), but I still have a hard time understanding why Microsoft does not offer a standalone EntSSO solution. Both products above started with the same EntSSO code-base, which have since branched and are independent.

Federated Identity

The term Federated Identity refers to infrastructure that does not attempt to unify credential stores (usually across organizational boundaries), nor does it attempt to provide central credential mapping services. Federation of authentication and authorization is achieved through contracted mutual trust. It is easiest to explain Identity Federation in an example:

Brian, an employee of Contoso Ltd. wants to purchase goods at a Fabrikam’s shop service. The employee privacy policy of Contoso Ltd. does not permit that PII (personal identifiable information) from employees is exposed to an outside partner such as the other company. It also would be an administrative burden to make all identities of authorized employees from Contoso available to the shop and to keep that list up to date. Additionally, the employee’s identity inside Contoso will probably be meaningless to the Fabrikam shop, because the shop is in another trust domain.

The solution is to have WS-Trust exchanging existing security tokens into different ones that are understood by the other party:

The employee’s shopping application sends a SecurityTokenRequest message to Consoto’s Security Token Service (STS), requesting a SAML token that will be accepted at Fabrikam (Step 1): “I am employee Brian from our IT department and I have to invoke the Fabrikam shop web service at this and that address.” The claim “I am employee Brian” is proved, for instance by signing that request message with the employee’s private key or by attaching a valid Kerberos token from Contoso to the message. After internal checks (such as “Is our employee Brian authorized to buy at Fabrikam’s shop of behalf of Contoso?”), the STS from Contoso sends back a security token to Brian (Step 2). That security token may include two things: It must include (a) a security token that Brian can attach to the web services invocation and it may include (b) a proof token for Brian with which he can prove that he possesses the security token. The security token may state that “The entity possessing this or that cryptographic key is an employee of Contoso and may purchase goods on our behalf”. This security token is attached to the shop message (Step 3). ‘Attached’ means that the shopping request is signed with the token. The shop’s web service cannot interpret the semantics of the token, and asks the Fabrikam’s STS to validate the token (step 4). The STS from Fabrikam may return a new security token containing information like: “The owner of this or that cryptographic key is employee of one of our gold customers” (Step 5). After checking that the message from step 3 is signed with the specified cryptographic key and that the security token from step 5 contains a claim that access is granted, the shop request is executed and the results are sent back to the customer (Step 6).

Standard protocols, such as WS-Trust, WS-Federation and SAML tokens are in development supporting the process of identity federation across different software vendors. Microsoft’s Active Directory Federation Services provide the infrastructure to supply STS services, as well as standard protocol and token support. 

Applications and services need to explicitly support a Federated Identity model, i.e., require modifications to authentication and authorization modules.A framework for this is in the works from Micrsooft that enables integration of claims-based identity and authentication into .NET applications. It's code-named Zermatt and available as a Beta download.

Identity Selector

Identity Selectors are client applications that enable users to provide their digital identity to online services in a secure and trusted way. They shortcut Federated Identity scenarios by giving the User control over which identity to present.

Windows CardSpace (previously code-named InfoCard) is an example of an Identity Selector. It is what is known as an identity selector:  when a user needs to authenticate to a web site or a web service, CardSpace pops up a special security-hardened UI with a set of “information cards” for the user to choose from.

Each card has some identity data associated with it – though this is not actually stored in the card – that has either been given to the user by an identity provider such as their bank, employer or government or created by the user themselves. The CardSpace architecture – consisting of subjects, identity providers and relying parties – is called “The Identity Metasystem”, a shared vision across the industry as to how we can solve some of the fundamental identity challenges on the Internet today.

An application or service must be capable to explicitly support Information Card sign-in.

Identity Lifecycle Management

Identity Lifecycle Management is the process of managing and automating the process of managing accounts and user identities throughout its appropriate life-time. The goals of such an infrastructure are to

• improve productivity of repetitive tasks
• reduce the security risk of failing to complete these tasks (such as de-provisioning of employee accounts when they leave)
• provide audit trails on identity change events
• reduce TCO associated with managing and integrating identity information across the enterprise.

Services provided by Identity Lifecycle Management tools should include at a minimum:

• Provisioning and de-provisioning of accounts across systems and platforms in heterogeneous security environments.
• Ongoing synchronization of identity information across various directory and non-directory identity stores (such as HR systems).
• Password synchronization and re-set, allowing the user or IT representatives to centrally manage all passwords across multiple systems.

Microsoft Identity Integration Server (MIIS) is a centralized service that stores and integrates identity information for organizations with multiple directories. The goal of MIIS 2003 is to provide organizations with a unified view of all known identity information about users, applications, and network resources.

Adding references to WCF services is trivially easy with Visual Studio 2008, but if you're still working with 2005 there are a few things that need to be considered when referencing WCF services instead of using Add Web Reference. 

The following step-by-step is meant to help particularly those who have not developed WCF services but just need to consume them.  It applies to both, VS 2005 and VS 2008.

Prerequisite installs for Visual Studio 2005

If you are in a library, console, or Windows forms project, you should be seeing an Add Service Reference item in your project's context menu. If you don't see this, you are missing some prerequisites. Download and install the following packages:

1. .NET Framework 3.0 Redistributable
   These are the libraries that contain the WCF namespaces, such as System.ServiceModel and System.Runtime.Serialization. This package also contains WF and WPF runtime libraries.
2. Visual Studio 2005 "Orcas" Extensions
   The WCF and WPF (Windows Presentation Foundation) extensions that enable IDE integration into Visual Studio 2005.
3. .NET Framework 3.0 SP1
   

You should not have to install the Windows SDK (it's a huge download) to enable IDE integration, even if the Extensions install complains that it's not present. Ignore this message if you are only interested in consuming WCF services.

VS 2005 web site projects

In Visual Studio 2005, you will not see an Add Service Reference command in web site projects, even after installing above prerequisites.  Apparently this was an oversight and didn't quite make it into the Extensions CTP release, because VS 2008 has this option.  To work around this you have two options:

• Create a class library project, add it to your solution, and create your service references there. You will need to transfer generated app.config sections to your web.config (see below). 
• Generate your proxy classes and configurations using svcutil.exe utility, and include the generated files in the web site project.

Adding the Service Reference

1. Test the service from your web browser. Navigate to the .svc file. If everything checks out, copy the URL from the Address bar.
2. Right-click on the project in the Solution Explorer window and choose Add Service Reference. In VS 2005, you'll see the following dialog.
   
3. Enter (paste) the URL to your service's .svc file. (.svc?wsdl works as well)
4. Give the service a short but descriptive name. This will become a part of your proxy class' namespace (more about that later).

In VS 2008, you see more a bit more information about the service, plus you get a lot more control over generated data types through the Advanced options dialog:
        

This will generate several files. What files are generated differs between VS 2005 and VS 2008, and between non-web and web projects in VS 2008. Essentially you will come out of this operation with a proxy class and some configuration values.

The client proxy class

When you expand the tree under the service reference, you'll find a .cs file (VS 2005) that contains your proxy class. Note that it adopted the root namespace of the project it was generated in. I mention this because this is an important difference from how .asmx references were created, and also from how svcutil.exe creates your proxy.

To instantiate the proxy class, use the following naming pattern:

ProjectRootNamespace.ServiceReferenceName.ServiceNameClient myServiceClient =
               new ProjectRootNamespace.ServiceReferenceName.ServiceNameClient("EndpointConfigurationName");

Notice the class name ends in Client.  Where do you get the EndpointConfigurationName from?  Glad you asked. Read on...

Configuration considerations

Besides generating a proxy class, Visual Studio's also writes a section into your .config file when you Add a Service Reference. This section is bounded by

<system.serviceModel>  </system.serviceModel>

tags. If you generated the proxy in a class library project, you will have to copy this section to the executing assembly project's .config file. 

One of the nice advantages of using a service reference over a web reference is that you have complete control over the channel stack, security, protocols, etc. through configuration. The generated configuration mimics the service's configuration on the server. The things to understand are:

• Endpoints, in the <client> node, consist of an Address, a Binding and a Contract.  A service can expose multiple endpoints, but since you are pointing your reference tool at a specific endpoint, and not the service directly, you will only ever get one from the tool. The endpoint has a name, which you need when instantiating a the client proxy (so EndpointConfigurationName above would be replaced with MyWCFServiceBasicHttp in this example).
• The Binding defined in the <bindings> node defines the communication patterns. It is referenced by the endpoint with the bindingConfiguration attribute.
• The Contract defined by a fully qualified interface name. Notice that the namespace is NOT the namespace defined in the service, but the one your proxy class resides in. This may be confusing especially if you also developed the service.  If you instantiate your proxy class with above example, you don't need to care about the interface .

Again, remember to copy these sections into the executing assembly's .config file!

Updating a service reference

If the service implementation changes without data- or service contract (method signature) changes, you don't need to do anything at the client. If the contract or address has changed, however, you need to re-generate your proxy and may need to update your configuration. This can also be done through the IDE. 

• Right-click on the reference in Solution Explorer and choose Update Service Reference.
  This will also replace the .config section, regardless of server config changes or not. If you made config changes in your client config, be aware that you may end up with double entries with names such as MyWCFServiceBasicHttp1 (to use the example above). You should clean those up, or you will end up with a holy mess after a while.

If your service moved, or you want to test, say, the staging or production service, the procedure differs between VS2005 and 2008:

• VS2005:  Open the  .map file under the service reference. It looks something like this:
  
  Edit the ServiceReferenceUri only, and save the .map file, and Update Service Reference as before.  You will see the EndPoint Address change automatically as the service is contacted, a new proxy is generated and the .config file is updated.
• VS2008:  Right-click the reference in Solution Explorer and choose Configure Service Reference.  You will see the Service Reference Settings dialog (see above). Change the Address value, click OK, and everything that needs to happen happens.

Remember again, to copy the config section into your executing assembly if you are operating in a class library.

Using svcutil.exe

You can do all the above and more using the command line tool, svcutil.exe.  In VS2005, this may be your best option if you want to establish service references in a web site project.

Note that the tool resides in different locations for the different VS versions:

• VS2005: C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\
• VS2008: C:\Program Files\Microsoft SDKs\Windows\v6.0A\Bin\

Open a command prompt, navigate to your project directory, and use this simple command line to generate a proxy and config:

"C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\svcutil.exe" http://localhost:4068/MyWCFService/Service.svc /out:MyWCFService.cs

This is the basic command line, you may want to investigate into other options for lots more control. For more information see http://msdn2.microsoft.com/en-us/library/aa347733.aspx.

Configurations will be written into an output.config file. CAUTION: If you use the /config switch, do not directly reference your application configuration file, as it will be overwritten. If you had other config sections, you have just lost them. The VS IDE is much smarter about diffing the .config files first.

Notice that the namespace of the generated proxy class is based on the service's namespace if you don't specify it explicitly through the commandline.

Include the proxy class in your project (in a web project, in your app_code folder), and copy the config sections into the executing assembly config ... done!

Here's an easily misinterpreted error when consuming a WCF service that's hosted in IIS (vs. a self-hosted service):

The content type text/html;charset=iso-8859-1 of the response message does not match the content type of the binding (text/xml; charset=utf-8). If using a custom encoder, be sure that the IsContentTypeSupported method is implemented properly.

This typically happens with a mis-configured service. Anything that will result in a configuration or compile error will be returned as a 500 error by IIS. This error renders as HTML, and thus is the wrong encoding and not recognized by the client channel stack. Any exceptions thrown once the service code executes will result in a properly formed FaultException, which traverses the channel stack just fine and can be handled by client code.

To resolve this error, double-check the service's configuration file and make sure the service compiles. Test by bringing it up in a browser that has "Show friendly HTTP error messages" disabled.

This is great news! 

There is a lot of very good documentation available on planning for capacity and availability planning for SharePoint Server. But Microsoft has not been idle.  They have been working on a set of tools and models for SharePoint Capacity Planning, now in Beta. The tool can be downloaded from the Microsoft Connect site if you are a program participant.  It allows you to explore the necessary infrastructure and hardware requirements based on projected usage.

This tool uses the System Center Capacity Planner 2007 (SCCP) as an engine to provide for data collection, visualization, simulation and report writing. The tool can be used in pre-sales and feasibility study of a deployment project to give you a rough estimate of hardware requirements.

Apply for participation in this program here: https://connect.microsoft.com/programdetails.aspx?ProgramDetailsID=1602