Monthly Archives: February 2006

Debugging tools in production: You’ve got your web service all protected with WSE, so why can just anyone browse to the asmx?

I had an email today from someone asking this question. They have a web service and a client app that use WSE2 to encrypt, sign and otherwise secure their data.

However, they were able to browse to the asmx file in a web browser over the web, open an operation, and look at the raw XML data. No authentication, no encryption, no signing. I could see it, too!

What a nightmare after all of the work to secure this data.

The reason for this problem was another case of debugging tools getting deployed to the production web server, something I tend to rant about occasionally.

In order to browse from their development machine to the web service on a remote web server, they had added

<webServices>
  <protocols>
    <add name="HttpGet" />
    <add name="HttpPost" />
  </protocols>
</webServices>

and left them in the web.config when it was deployed to the server. Those two protocols let any browser invoke the service's methods with a plain GET or POST, outside the SOAP messages that WSE signs and encrypts, so all of that security never comes into play for those requests.

I was able to guess this pretty quickly since I once learned this the hard way, too. Sadly most of our best lessons are the ones that leave bruises. 🙂

For some more web.config tricks to hide your web service from public view, as well as the WSDL, see this MSDN doc on configuring web services for deployment.
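As an added example (not code from the original post), here is a small Python check that a deployment script could run over a web.config before it ships, flagging the debugging protocols above and a still-published WSDL. The two embedded configs are constructed samples; the protocol names are the real ASP.NET `<webServices>` protocol names.

```python
import xml.etree.ElementTree as ET

# Protocols that let any browser call an .asmx method with a plain GET or POST,
# bypassing WSE, which only protects the SOAP messages.
RISKY_PROTOCOLS = ("HttpGet", "HttpPost")
# Protocol that serves the .asmx help page and the ?WSDL contract.
DOC_PROTOCOL = "Documentation"

def audit_protocols(web_config_xml):
    """Return findings for every <webServices><protocols> block in a web.config."""
    # <add> enables a protocol, <remove> disables one, <clear/> drops everything inherited from machine.config.
    findings = []
    root = ET.fromstring(web_config_xml)
    for web_services in root.iter("webServices"):
        for protocols in web_services.findall("protocols"):
            enabled, removed, cleared = set(), set(), False
            for child in protocols:
                name = child.get("name")
                if child.tag == "clear":
                    enabled, removed, cleared = set(), set(), True
                elif child.tag == "add":
                    enabled.add(name)
                    removed.discard(name)
                elif child.tag == "remove":
                    removed.add(name)
                    enabled.discard(name)
            for proto in RISKY_PROTOCOLS:
                if proto in enabled:
                    findings.append(f"{proto} enabled: methods callable from a browser, outside WSE")
            # Documentation is on by default, so it stays public unless removed or cleared.
            if DOC_PROTOCOL in enabled or (DOC_PROTOCOL not in removed and not cleared):
                findings.append("Documentation enabled: help page and ?WSDL are public")
    return findings

# Constructed sample: the debugging entries from the post, left in the deployed web.config.
DEBUG_CONFIG = """<configuration><system.web><webServices><protocols>
  <add name="HttpGet" />
  <add name="HttpPost" />
</protocols></webServices></system.web></configuration>"""

# Constructed sample: the production version, leaving only SOAP reachable.
HARDENED_CONFIG = """<configuration><system.web><webServices><protocols>
  <remove name="HttpGet" />
  <remove name="HttpPost" />
  <remove name="Documentation" />
</protocols></webServices></system.web></configuration>"""

if __name__ == "__main__":
    for label, cfg in (("debug", DEBUG_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_protocols(cfg) or ["no findings"])
```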

Don’t Forget: www.acehaid.org

ClickOnce and Forms Authentication – you’ve got to be kidding me!

What do you think is going to be the most likely need for ClickOnce?

Deploying apps to anyone in the world? Not for me, I write custom apps for my client.

Deploying apps on the intranet? Sure, but we have had a very simple hack for that for a long time.

C’mon, think smart client….

Yep – deploying apps to users on the go over the web.

I need ClickOnce to work for mobile workers who need to be able to install and update their company’s custom software.

And what's the best way to do this? You would think it was Forms Authentication. That's what I want to use. Not all of these people have Windows accounts or will be using VPN. But they do have logins to get to the company portal, fill out their timesheets online, etc. Additionally, we are already using web services as the back end to their smart-client applications so that they can do their work over HTTP.

But guess what (sure, I have had two years to discover this, but I am just coming up for air on this one now): Forms Authentication is not supported for ClickOnce. See this MSDN document.

Their suggestion? Just let anyone in the whole world download your client's application and then use web-service-based authentication (which I just happen to already have built into this smart client app) to make sure they can't use it.

No no no no no. I do not think this would make my client very happy at all.

So I am struggling with hacking this together. The forms authentication works just great for accessing the installation page, but setup.exe and myapp.application are not protected by forms authentication. Anyone can browse right to them.

Next step is to map those files to the ASP.NET ISAPI extension for this web app so that they pass through forms authentication too, which for some reason I can't get to work yet.

I’m sure there have already been many discussions and rants about this problem but I have been focused on other things and am pretty late to the game.

Web deployment has become my A#1 pet peeve with .NET. I have been trying to use it since it was called zero touch deployment. ClickOnce is supposed to be my savior and I have ported my client's app to VS2005 just for ClickOnce. I won't give up, but I might have to rant and rave every so often as I get this to work for me.

Fun with .NET 1.1 and .NET 2.0 side by side on web server

I put .NET 2.0 on my client's web server the other day. Both 2.0 and 1.1 ASP.NET apps continued to run just fine.

Last night I was mucking with some of the mappings in .NET 2.0 and they weren't taking effect. So I did an iisreset. Here's where that led me (to the best of my recollection):

  • 1.1 apps: Server Unavailable, 2.0 apps okay
  • run aspnet_regiis -i for 1.1
  • 2.0 apps: Server Unavailable, 1.1 apps okay
  • iisreset
  • 1.1 apps: Server Unavailable, 2.0 apps okay
  • aspnet_regiis -i for 1.1
  • 1.1 apps okay, 2.0 apps okay
  • close the MMC for IIS
  • 1.1 apps okay, 2.0 apps: Server Unavailable
  • aaargh!! That shouldn't have happened.
  • aspnet_regiis -i for 2.0
  • 1.1 apps: Server Unavailable, 2.0 apps okay
  • aspnet_regiis -i for 1.1
  • both okay
  • don't touch a damned thing
  • slept with my fingers crossed
  • this morning: both still okay, but I realize that ClickOnce deployment on the 2.0 site is broken.

Most of the above problems could have probably been avoided if I used some of the other available parameters for aspnet_regiis, such as -sn for fixing the mappings on just one application.

Update: though using -sn was a good thing, the root of the problem (thanks to some reminders in the comments) was that I had neglected to create a separate application pool for the .NET 2.0 websites. They were running in the same process as the ASP.NET 1.1 sites, and a single IIS worker process can only load one version of the CLR, so each side kept knocking the other out. So far, everyone has been behaving properly.

Windows Live Local (aka Virtual Earth) wins PC Mag Editors' Choice

Congratulations to the Windows Live Local team on being selected for an Editors' Choice Award by PC Magazine!!

I had to laugh when I saw the screen shot in the PC Mag article. One of the tags is for Ft. Greene Park in Brooklyn. In a former life (my 20s) I lived half a block from that park.

(add’l plug for the WLL team: Want to join this “winning team”? They are hiring!!)

Ken Levy goes to Windows Live

Now here’s a guy about whom I can literally say “I knew him when.”

I knew Ken Levy when he was a wee lad (a teen) who had written the most popular add-in for professional FoxPro developers everywhere – GenScrnX!

This was so long ago that rather than an email, Ken used an ID of 76350,2610. Yep, CompuServe.

Ken, along with YAG, has been doing great things at Microsoft for a whole lotta years now. But now Ken is straying from the fold and got lured over to Windows Live.

It's the Patrick and Duane Show!! Security MiniCode Camp in Waltham in March

These guys are NOT to be missed if you are able to get to Waltham, MA on March 25th. It's a "mini-code camp": a one-day, one-track event.

Patrick Hynds and Duane LaFlotte are two guys you want on YOUR side when it comes to hacking. Had Duane found a different mentor in his youth, he'd be the guy downloading all of your credit card companies' most secure data! Phew, we lucked out.

Not only do they know amazing things about security, but they are one hell of an entertaining duo!

One word of advice though. If Patrick offers to drive you around Boston, do NOT, I repeat, do NOT sit in the back seat! 🙂