
More on Dublin and Windows Server.

Here are links to a couple of videos about Dublin.

Ron Jacobs has posted a video of a Dublin PDC Hands on Lab (HOL) on Endpoint TV here. This provides an introduction to deploying WCF and WF applications to Dublin, managing .NET workflows running on the server, and some of the configuration support. This is a good first intro, and of course there are many other features that I will cover in blog entries over the next few weeks.

Need more on Dublin? John Bristowe and the esteemed Canadian crew pulled some of the product team together (myself, Miguel Susffalich and John Taylor) for an impromptu interview here at PDC on what Dublin provides for developers and why you should be interested in its capabilities if you currently develop, or plan to develop, WCF and WF applications and put them into production within your company.

Posted by mfussell | 1 Comments

Back up for air at PDC2008 with Dublin

I haven't written in my blog for a long time, well over two years. Sometimes you just lose the momentum! Now I am at PDC, which is like a big school reunion, and better still I can talk about the product that I have been working on for the last two years, Dublin. Dublin is the set of server capabilities to make Windows a server for WCF and WF applications, and it is integrated into the Application Server role in Windows Server.

OK, so what does Dublin do for me? In the same way that the Visual Studio Expressions suite crossed the web designer to developer divide, by allowing these two roles to be closely integrated, Dublin crosses the developer to IT pro divide by enabling apps created by developers to be handed off to IT managers, who then have a common set of tools to manage these WCF and WF business apps. Dublin provides a configured hosting environment with databases for persistence state and tracking, enterprise services for reliability, scale-out and monitoring, along with a set of tools integrated into IIS Manager that enable you to manage your WCF and WF applications. I will post some screen shots and go more in depth into the feature set that Dublin provides over the next few days.

So if you are around at PDC, come and find me under the big Dublin balloon for some tech talk.

Posted by mfussell | 0 Comments

Car Anti-Innovation

Here is an interesting fact that I read in the latest edition of the BBC Wildlife magazine which I thought summed up the car industry's attitude to fuel.

"US cars average 20.8 mpg. The Model T Ford managed 25mpg, the Ford Explorer SUV does 16mpg".

That's nearly 100 years of innovation! But, I can remotely eject 15 cupholders and flip down 5 TV screens from my car key fob.

Posted by mfussell | 5 Comments

So you want to learn WSE 3.0? A short primer on how and where to start.

A question that I often get asked is - How do I get started learning about WSE 3.0 and what considerations need to be made when building secure Web services?

 

So I have put together some essential steps to help get you started on the road with WSE 3.0 along with some estimated times. I have also included some projects to spark ideas that you can build, because in the end that is the only true way to learn.

 

1) First go to the WSE Home Page here

*        Download the WSE 3.0 SDK and read the documentation introduction
*        Run each of the WSE Quickstart samples and look through the code
*        Work through the two detailed WSE 3.0 Hands on Labs (HOLs):
         *       Exploring Security
         *       Exploring Messaging

Total time - 2 days

2) Then go to the Patterns and Practices Home Page here

*        Read the Scenarios, Patterns, and Implementation Guidance for Web Services Enhancements (WSE) 3.0
*        Walk through the Web Service Security Guidance Quickstarts
*        Listen to the Web Casts for the Web Service Security on the same page

Total time - 3 days

3) Then return to the WSE Home Page and read the following articles

*        Read “What's New in Web Services Enhancements 3.0”
*        Read “Protect Your Web Services Through The Extensible Policy Framework In WSE 3.0”

Total time - 1 day

4) And if you still need more, listen to the Ron Jacobs ARCasts on WSE 3.0

*        http://channel9.msdn.com/Shows/ARCast_with_Ron_Jacobs

Total time - 1 day if you are insane, spread over 1 week for mortals

Need some ideas? Here are some projects to build with WSE 3.0

  1. Secure your existing Web services! Easy one this.
  2. Get a fingerprint reader and, using the fingerprint SDK, create your own custom fingerprint XML token type. Now you can authenticate to a Web service using your fingerprint, rather than having to use a password or a certificate.
  3. Using the examples in the messaging hands on lab (HOL) implement the SMTP protocol and use this to securely post messages to a Web service. The interesting aspect here is that this is a store and forward scenario which does not have to have a permanent connection. This is a classic case where message level security is a suitable technology choice.
  4. Integrate with AzMan and ADAM for application level authorization and authentication.
  5. Set up a web service at work called "15 minutes of Fame" with a spare big screen monitor in the hallway for all to see. Write a service to give everyone in your group 15 minutes of fame with timeslots that they can book, securely of course. If you use Kerberos or X509 certificates for security (use the former if you have Active Directory) offer a prize for anyone who can hack the site to change the message on the screen (no access to the box allowed of course). Sit back and relax knowing that your prize is safe.
Posted by mfussell | 2 Comments

MapCruncher - A seriously cool map mashup creation tool

I went to a talk today on the newly released MapCruncher tool and was awed by its capabilities and possibilities. In a nutshell this tool enables you to take any map (PDF, bitmap etc), load up MSN Virtual Earth and then plot points between the two. After a minimum of 5-10 points it can nearly perfectly superimpose the two on top of each other. You are then able to generate a bunch of JavaScript and HTML files which can be published to any web site. The end result is that in a matter of 30 minutes to an hour you are able to generate your own dynamic, interactive maps which are superimposed on the satellite images from Virtual Earth.

Now, if you really want to see the route of that bike trail you can trace it exactly over the satellite image. Or if you take a national park map you can see the exact route of the hiking trail into the mountains. It is simply phenomenal given the simplicity of its use.

The site has several examples, but my favorites were how the developers, who are avid fliers, took their own digital photos out of an airplane window and then published aerial versions than those that already existed for a city called Forks in Washington state. The other MS internal one superimposed floor plans for MS Campus buildings onto Virtual Earth. We were left to consider how this technology can easily enable companies to not only show you the store that your item is in, but exactly the shelf and location in the store. A dream if you have ever visited a Fry's superstore to try and hunt down some elusive piece of computer equipment.

I expect to see a large number of mashup sites now given the extreme simplicity of this tool. Now I just need to dig out some electronic maps and get to work!

Posted by mfussell | 8 Comments

WSE 3.0 in June 2006 MSDN Magazine

Great to see Aaron continuing to give WSE 3.0 love in his Service Station column. Now I just have to finish my "WCF for WSE Developers" article which keeps looking back at me half finished from my desk as a pile of scribbled notes. Currently I am attempting to churn out the security conceptual documentation for WCF along with Gudge and Jan, so you can blame/praise us for the final version. Suffice to say that there is plenty to explain given that security is a sprawling topic :-)
Posted by mfussell | 0 Comments

Biztalk WSE 3.0 Adapter Ships

Jesus Rodriguez with Two Connect has filled the last gaping need for WSE 3.0 by delivering a Biztalk 2006 adapter which you can get here. We did a webcast together with Jesus doing a bunch of great demos to show off its capabilities. You can watch the webcast here.

The feature that has saved me many times with customers is the ease with which you can configure the WSE 3.0 policy pipeline processing. For example, at the end of last week I faced a mail from a customer who wanted to do CertificateOverTransport secure communication between a WSE 3.0 client and a WCF service. Think a variant of UsernameOverCertificate. Although WCF has this feature built in through configuration, it is not one of the pre-defined standard policy assertions shipped with WSE 3.0. No matter, we pulled out the code for the custom policy assertion from the WSE 3.0 SDK, added an X509 certificate to the message, signed with it and it just worked. WSE 3.0 is great like that, easy to adapt with a simple API.

So what has this got to do with the Biztalk WSE 3.0 adapter? The reason why this adapter is significant is that Biztalk 2006 is the best product for business integration and orchestration and you can deploy web services today using Biztalk. If you do, this is the adapter to use to provide a smooth upgrade and interoperability to WCF later. Jesus shows how the WSE 3.0 adapter can be easily used with custom policy processing as one of his many examples and certainly could have done my customer case with this Biztalk adapter. I have spoken to several MS field personnel who desperately need the WSE 3.0 adapter with Biztalk 2006.

I should also point out that WSE 2.0 SP3 is supported as a runtime component on .NET 2.0, which means that the WSE 2.0 Biztalk adapter (which has just shipped a Service Pack SP1) can also be used with Biztalk 2006. However WSE 2.0 SP3 will not interoperate with WCF services, almost entirely due to the differences in the WS-Addressing specification between these products.

Jesus, the WSE 3.0 adapter is a superb piece of work. I recommend that you listen to the webcast here and download it here.

Posted by mfussell | 0 Comments

WCF Loves ATLAS and the Windows Live Development Center

Two great pieces of Web development were announced today. Steve posted his work on getting WCF and the ATLAS development environment aligned. The significance of this is that it shows the spectrum of capabilities of WCF from simple REST services, through AJAX support to the feature rich WS-* protocols. Expect WCF to be the fundamental plumbing in many MS products over the next few years.

The other announcement was the availability of Windows Live developer center. Now you can start to more easily build Web applications using Windows Live services.

 

Posted by mfussell | 0 Comments

WSE 3.0 - Kerberos, Secure Conversation and Stateful SCTs

I thought that I would publish some discussion threads on WSE issues that I have had recently that highlight some common questions. A recent discussion question was this:

Question: "I need advice with WSE 3.0 and implementing a web service that requires a Kerberos token. It seems that my simple web service and Windows client should be straight-forward but I’m not able to get past the error “Security requirements are not satisfied because the security header is not present in the incoming message.” System.Exception {System.InvalidOperationException}

Here is the client policy file. The server one is nearly identical:

<policies xmlns="http://schemas.microsoft.com/wse/2005/06/policy">
  <extensions>
    <extension name="kerberosSecurity" type="Microsoft.Web.Services3.Design.KerberosAssertion, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
    <extension name="requireActionHeader" type="Microsoft.Web.Services3.Design.RequireActionHeaderAssertion, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
    <extension name="kerberos" type="Microsoft.Web.Services3.Design.KerberosTokenProvider, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
  </extensions>
  <policy name="KerberosClient">
    <kerberosSecurity establishSecurityContext="true" renewExpiredSecurityContext="true" requireSignatureConfirmation="false" messageProtectionOrder="SignBeforeEncrypt" requireDerivedKeys="true" ttlInSeconds="300">
      <token>
        <kerberos targetPrincipal="host/MyServer" impersonationLevel="Impersonation" />
      </token>
      <protection>
        <request signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="false" />
        <response signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="false" />
        <fault signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="false" />
      </protection>
    </kerberosSecurity>
    <requireActionHeader />
  </policy>
</policies>"

Answer: It turns out that there are times when secure conversation and Kerberos can clash. When establishSecurityContext is set to true in the policy files (see above), WSE 3.0 tries to acquire a Security Context Token (SCT) from the service to establish a secure conversation. The Request Security Token (RST) message sent from the client to acquire the SCT using the policy above uses a KerberosToken to protect the message so that only the service can decrypt the message. By default, WSE 3.0 generates stateful SCTs (see Stateful Session section in this link), which means that the state of the SCT is carried with the SCT itself as a cookie value in the message. This state contains the server's KerberosToken inside of it, which you can see by looking for the <cookie> element in the SCT.

Since Kerberos Tokens can *only* ever be used once, using this stateful SCT doesn’t work. This is because every time the client makes a request to the service, it protects the message with that SCT, which carries the state with it. But because this state has a "use once" KerberosToken, the request fails at the server.

There are two options to work around this:
1) Don’t use SCTs at all and hence do not use Secure Conversation. You can do this by setting establishSecurityContext to false in the policy file at both the client and the service.
2) Use SCTs (i.e. establishSecurityContext set to true) but turn off stateful SCTs by setting statefulSecurityContextToken to false inside <microsoft.web.services3> of web.config, e.g.

      <tokenIssuer>
          <statefulSecurityContextToken enabled="false" />
      </tokenIssuer>
 
       This can also be done on the Message tab in the WSE Configuration Settings available from the VS2005 Solution Explorer context menu.

Option 1 has the disadvantage of not taking advantage of the performance improvement of using secure conversation when the number of messages is >2. However, you may only send a single message and therefore not require secure conversation, which is fine.

Option 2 is a better option as it still allows secure conversation (where messages are >2) and works because the SCT state is not carried with the message and is simply cached on the server side. The one difference is that you can no longer use secure conversation in web farms, but you can still use Kerberos on web farms at a slight performance decrease. If you really need the performance improvement in a web farm scenario using a Kerberos Token with secure conversation, then you need to maintain your own state on the server, i.e. implement your own SCT cache using something like a SQL database as described in Managing Security Context Tokens in a Web Farm.
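The clash described above can be caught before deployment by checking the policy file and web.config together. The following is an added example, not code from the original post or from WSE: the function names and sample web.config files are constructed for illustration, and it only treats an explicit establishSecurityContext="true" as establishing an SCT.

```python
import xml.etree.ElementTree as ET

POLICY_NS = "http://schemas.microsoft.com/wse/2005/06/policy"  # namespace from the policy file above

# Constructed sample: the client policy from the question, trimmed to the relevant parts.
POLICY = """<policies xmlns="http://schemas.microsoft.com/wse/2005/06/policy">
  <policy name="KerberosClient">
    <kerberosSecurity establishSecurityContext="true" requireDerivedKeys="true" ttlInSeconds="300">
      <token><kerberos targetPrincipal="host/MyServer" impersonationLevel="Impersonation" /></token>
    </kerberosSecurity>
  </policy>
</policies>"""

# Constructed sample web.config files: one without the setting, one with option 2 applied.
WEB_CONFIG_DEFAULT = "<configuration><microsoft.web.services3 /></configuration>"
WEB_CONFIG_FIXED = """<configuration>
  <microsoft.web.services3>
    <tokenIssuer>
      <statefulSecurityContextToken enabled="false" />
    </tokenIssuer>
  </microsoft.web.services3>
</configuration>"""


def kerberos_sct_policies(policy_xml):
    """Names of policies whose kerberosSecurity assertion sets establishSecurityContext="true"."""
    root = ET.fromstring(policy_xml)
    names = []
    for policy in root.iter(f"{{{POLICY_NS}}}policy"):
        for assertion in policy.iter(f"{{{POLICY_NS}}}kerberosSecurity"):
            if assertion.get("establishSecurityContext", "").strip().lower() == "true":
                names.append(policy.get("name"))
    return names


def stateful_sct_enabled(web_config_xml):
    """False only when <statefulSecurityContextToken enabled="false" /> is configured."""
    root = ET.fromstring(web_config_xml)
    for section in root.iter("microsoft.web.services3"):
        for issuer in section.iter("tokenIssuer"):
            node = issuer.find("statefulSecurityContextToken")
            if node is not None and node.get("enabled", "").strip().lower() == "false":
                return False
    return True  # the post states that stateful SCTs are the default


def check(policy_xml, web_config_xml):
    """Return one finding per policy that combines Kerberos, an SCT and stateful SCT state."""
    if not stateful_sct_enabled(web_config_xml):
        return []
    return [
        f"policy '{name}': kerberosSecurity establishes an SCT while stateful SCTs are on; "
        "set establishSecurityContext to false, or disable statefulSecurityContextToken"
        for name in kerberos_sct_policies(policy_xml)
    ]


if __name__ == "__main__":
    for label, cfg in (("default", WEB_CONFIG_DEFAULT), ("fixed", WEB_CONFIG_FIXED)):
        print(label, check(POLICY, cfg) or "ok")
```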

I will post more common discussion threads like this over the next few months. It is also worth sending questions to the Web Services Forum, which we monitor on a regular basis.

 

 

Posted by mfussell | 2 Comments

New WSE 3.0 Content

Plenty of content continues to get produced for WSE 3.0. Working with Ron Jacobs and Don Smith we produced some ARCasts on WSE and X509 certs that you can listen to here. All of Ron's ARCasts make for avid listening, especially in the car on the way to work (download and burn onto a CD). You can also find Kerberos versions published here, with username and password best practices usage coming soon.

Next month in the April 2006 MSDN magazine Aaron Skonnard has a great article on WSE 2.0 to WSE 3.0 migration. Combine this with the WSE 3.0 docs and this migration video sets you up well to understand how to migrate your code.

Posted by mfussell | 1 Comments

WSE 3.0 Webcasts and MSDN Articles

Don Smith has posted links to some WSE 3.0 webcasts based on the WS-Security patterns and practices work that I have helped him with. We already have done a webcast on WSE 3.0 and X509 certificates usage which you can watch here with more to follow in the next two weeks. Read Don's posting for the details.

Also, last month's and this month's MSDN magazine have plenty of WSE 3.0 content. There is Aaron's Service Station article, and Tomasz Janczuk, who is the developer lead for WSE 3.0, wrote a great article on the policy framework in WSE 3.0.

Tomasz and I also work together on WCF security (WSE is in fact owned by the WCF security feature team, so we ship multiple products) and what is interesting about this article is the description of the security header layouts in the message. When you start to use WSE and WCF as products you are in effect working with an API that enables you to generate messages that contain a <security> header element in a SOAP message according to the WS-Security (1.0 and 1.1), WS-Trust and WS-SecureConversation specifications. How these specifications are interpreted into messages on the wire is complex, especially to achieve interoperability across platforms. That is why the turnkey security scenarios introduced into WSE 3.0 and aligned with WCF simplify security by choosing preconfigured security header layouts in the SOAP message. These in turn come from reading the WS-SecurityPolicy spec to describe how the headers are built from assertions. In effect, reading this article gives you insight into not only the structure of WSE 3.0 messages but also WCF messages where the turnkey scenarios overlap between the products.

Posted by mfussell | 1 Comments

Web Service Security Patterns and Practices

The PAG guys (Jason Hogg, Don Smith) have been getting some great WSE 3.0 Security content together. I suggest that you download this and spend some time with it. It will all carry you through to WCF, so this is long term knowledge on message level security.

 

Posted by mfussell | 2 Comments

What next?

Now that I have shipped WSE 3.0, a year to the day that I started on the project, a number of people have asked me, "What's next to fill the empty WSE void?" Well, WSE has always been very closely aligned with the security team in Windows Communication Foundation (WCF aka Indigo), so that is the natural place for me. Effectively I now work on getting the security features done in WCF, but I will still be writing WSE articles. The one that I have planned is "WCF for WSE 3.0 Developers" to help with the mental mapping between the two products.
Posted by mfussell | 0 Comments

WSE 3.0 Docs now on MSDN

You can find them here. There is always more information that we would like to have in the documentation and so we are expecting to do a WSE 3.0 documentation refresh on MSDN at the start of December. Hence if you want the latest information it is usually best to look online.
Posted by mfussell | 0 Comments