May, 2011

  • Patterns for Great Architecture

    ApplicationPoolIdentity and IIS


    Ever faced the requirement of granting permissions on a resource (such as a folder) while your ASP.NET application’s pool runs under ApplicationPoolIdentity? A few points to understand:

    • There is no fixed account for this, so you will not find one among the built-in accounts when you try to set ACL permissions.
    • For each AppPool you have, a new account is created when the AppPool starts. The naming convention is “IIS APPPOOL\your_app_pool_name”, so if an application runs under “Classic .NET AppPool”, the local user account created is IIS APPPOOL\Classic .NET AppPool.
    • Just grant permissions to this account and you are set.
    • The benefit of this approach is that, without the trouble of creating any local user account on the system, you can configure your application to run under a distinct identity. Different applications can run side by side with no possibility of accessing each other’s data, and automatic provisioning also becomes easy.
    • Since this account does not actually exist on the system, there is less chance that you have given it any other rights, so an attack on the application is less likely to compromise the rest of your system.
    • But to make the best use of this feature, for such compartmented security requirements you need to run your application under a dedicated custom application pool.

    Rahul Gangwar
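    The grant described above, as an added PowerShell example that is not the author's code: it gives the pool's IIS APPPOOL\<name> account rights on one folder and refuses when the pool does not run as ApplicationPoolIdentity or is shared by more than one site or application. It assumes IIS 7.5 or later with the WebAdministration module; the pool and folder names at the bottom are placeholders.

```powershell
# Added example (not from the original post): grant an application pool's
# virtual account rights on one folder, refusing if the pool is not running
# as ApplicationPoolIdentity or is shared by more than one application.
# Assumes IIS 7.5+ with the WebAdministration module; the pool and folder
# names passed in are placeholders chosen by the caller.
Import-Module WebAdministration

function Grant-AppPoolFolderAccess {
    param(
        [Parameter(Mandatory = $true)] [string] $AppPoolName,
        [Parameter(Mandatory = $true)] [string] $FolderPath,
        [ValidateSet('Read', 'ReadAndExecute', 'Modify')] [string] $Rights = 'ReadAndExecute'
    )

    $pool = Get-Item "IIS:\AppPools\$AppPoolName" -ErrorAction Stop
    if ($pool.processModel.identityType -ne 'ApplicationPoolIdentity') {
        throw "Pool '$AppPoolName' runs as '$($pool.processModel.identityType)', not ApplicationPoolIdentity."
    }

    # A grant to IIS APPPOOL\<name> reaches every site and application in that
    # pool, so insist on the dedicated pool the post recommends.
    $users = @(Get-Website | Where-Object { $_.applicationPool -eq $AppPoolName }) +
             @(Get-WebApplication | Where-Object { $_.applicationPool -eq $AppPoolName })
    if ($users.Count -gt 1) {
        throw "Pool '$AppPoolName' is shared by $($users.Count) sites/applications; use a dedicated pool."
    }

    # The virtual account has no profile or password; it resolves to an
    # S-1-5-82-... SID derived from the pool name.
    $account = New-Object System.Security.Principal.NTAccount("IIS APPPOOL\$AppPoolName")
    $sid = $account.Translate([System.Security.Principal.SecurityIdentifier])

    $acl  = Get-Acl -Path $FolderPath
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $sid, $Rights, 'ContainerInherit, ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $FolderPath -AclObject $acl

    # Return the entries now present for the pool identity so the caller can verify them.
    (Get-Acl -Path $FolderPath).Access |
        Where-Object { $_.IdentityReference.Value -eq "IIS APPPOOL\$AppPoolName" }
}

# Placeholder values: a dedicated pool and the folder its site needs to write to.
Grant-AppPoolFolderAccess -AppPoolName 'MySitePool' -FolderPath 'D:\Sites\MySite\App_Data' -Rights 'Modify'
```

    Run it from an elevated PowerShell session on the IIS host; the returned access entries are the check that the grant landed on the pool identity and nothing broader.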

  • Patterns for Great Architecture

    ADFS 2.0; The Service is Unavailable Error


    Hi,

    I just came to understand that while using the step-by-step guides for ADFS 2.0 along with the virtual machines that are present at the Microsoft Connect website, you might receive "Service Unavailable" errors while trying to navigate to the ADFS asmx services or the FederationMetadata.xml file.

    The virtual machines at the Microsoft Connect location (below) have the token-signing and token-decrypting certificates on the ContosoDC server expired as of April 22 2011. Because of this, ADFS is not able to build the certificate chain for these operations, and as a result the metadata endpoints are not exposed: an end user trying to work through these labs simply doesn’t see the FederationMetadata.xml file.

    Temporary Resolution:

    While it will take time to get the VMs updated, you can work ahead by renewing the certificates manually. To do so, follow the steps below:

    1. Log in as Administrator on ContosoDC

    2. Open PowerShell in administrative mode and enter the command: "Add-PSSnapin Microsoft.Adfs.Powershell"

    3. Enter the following commands one by one. After hitting Enter, wait until the command prompt returns.

    # -Urgent rolls the certificate over immediately instead of after the usual promotion period
    Update-ADFSCertificate -CertificateType Token-Signing -Urgent:$true

    Update-ADFSCertificate -CertificateType Token-Decrypting -Urgent:$true

    VM Location: http://connect.microsoft.com/site642/Downloads/DownloadDetails.aspx?DownloadID=29506

    Rahul Gangwar
