|BAM Alerts configuration bug - spaces in passwords||Wednesday 23rd March 2016|
I seem to have stumbled across a bug in the BizTalk 2013 R2 configuration application, which I'll share here in case somebody else encounters it.
When configuring the 'BAM Alerts' tab in the 'BizTalk Server Configuration' application, you are required to provide a service account for the 'BAM Alerts User'. If this user has a space in its password, you'll receive an error on applying the configuration:
ERROR: Failed to set up BAM database(s).
In traditional Microsoft fashion, this isn't very helpful. If you look at the log file that is created, you should see an exception logged along the lines of:
The alert infrastructure was not created.
Failed to install service. Cannot proceed because the created process returned with -1
[Info] BAMTools System.IO.FileNotFoundException: Could not load file or assembly 'file:///[your temp directory]/[last part of your password]' or one of its dependencies. The system cannot find the file specified.
The log suggests that the password is being split at the space and the fragment after it treated as an assembly path. Obviously, you might want to eradicate your log as it contains a partial password.
I haven't explored this in much detail and merely set a password without a space in it to work around the problem. I don't think there is any reason why you cannot then reset the password back to your original via the Windows Services control panel plugin.
|MVC5 Default values in a Dictionary||Monday 21st March 2016|
I encountered a strange bug where there was an unexpected value in a Dictionary object that was being bound from a form post. The dictionary had two null entries, keyed "controller" and "action". Switching my Dictionary to take strings as values too showed that they were being assigned the path routing information. And it didn't matter where I placed the dictionary (or what I called it) in the method signature.
This seems to be related to the passing in of path information by default; the cause was that the form didn't have any values to post in this scenario, so no mapping took place and the routing information was put in instead.
I believe in MVC6 you'll be able to use the [FromForm] attribute on your Action's parameters. In the meantime, you need to work around this by providing an empty placeholder entry in your form (e.g. @Html.Hidden("MyDictionary")).
Remember to sanitise your inputs.
|IIS Client Certificate mapping - Unauthorized||Wednesday 2nd March 2016|
I have wasted a couple of days trying to set up client-certificate mapping in IIS 8.5 to authenticate and ultimately authorise client connections. Whilst I thought I was doing everything correctly, I was receiving a 401.2 - Unauthorized error from IIS 8.5. Digging in a little further, the cause was a very generic 0x80070005, aka "Access is denied.".
For the uninformed, client certificate mapping is a method in IIS to associate a client-provided (not server) x509 certificate with a Windows user account. A certificate (either self-signed or signed by a certificate authority) is presented by the client connection, and the TLS handshake proves that the client holds the matching private key (which one hopes is in turn password protected and not the digital equivalent of a post-it note).
To set up Client Certificate Mapping you need to add the Windows Role: Web Server (IIS) / Security / IIS Client Certificate Mapping Authentication. NB: there is also 'Client Certificate Mapping Authentication'; this version plugs into certificates bound to AD accounts and works in a different fashion, and is not what I'm talking about here.
This authentication mechanism isn't enabled through the Authentication tab of your IIS site directly, but is instead helpfully buried in the config, so you have to add the details through the Configuration Editor icon in IIS. Now, the crucial thing here that had me wound up for days is that you must do this at the Site Root level and not on the (virtual) directory that you want to secure. Whilst there is nothing stopping you from configuring at the directory level, it simply won't work and you'll get a vague 'Access is denied' error. This was finally revealed to me thanks to an MSDN blog post by Saur212.
To add in the certificate mapping you need to navigate to system.webServer/security/authentication/iisClientCertificateMappingAuthentication in the IIS Configuration Editor (at the site level), set Enabled to true, oneToOneCertificateMappingsEnabled to true and then expand the mappings property.
You can then add as many mappings as you want, and despite the name, you can map multiple certificates to one login. What you need to enter is fairly self-explanatory apart from the certificate field itself. For this you need to enter the Base64 encoded version of the certificate without the BEGIN/END CERTIFICATE lines that traditionally wrap it. The dialogue seems to struggle with spaces too, so you'll need to unwrap the lines and clean out any spaces when you export your certificate.
For the directory you do want to secure, you need to set the SSL settings to Require Client Certificates (which means you need to Require SSL). Disable any other authentication mechanisms for that directory, especially Anonymous, and you should be good to go.
You can then utilise certificate authentication to authorise access to objects. For a standard web directory you can set file permissions on the file system to only allow the accounts you want to pass. Or if you're using ASP.NET etc., then you will have the authenticated user information passed into the application to use.
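The same site-level mapping, directory SSL settings and anonymous-off step, scripted with the WebAdministration module as an added example (not from the original post). It assumes placeholder values: a site called 'Default Web Site', a protected directory 'secure', the client certificate's public part exported to C:\certs\client.cer, and a local account CERTUSER.

```powershell
# Added example, not the post's own steps: scripted equivalent of the Configuration Editor
# walkthrough. Placeholders: site 'Default Web Site', directory 'secure', client cert file
# C:\certs\client.cer, local account CERTUSER. Run in an elevated PowerShell on the IIS host.
Import-Module WebAdministration

$site     = 'Default Web Site'
$dir      = 'secure'                 # the (virtual) directory to protect
$certPath = 'C:\certs\client.cer'    # the CLIENT certificate, public part only
$user     = "$env:COMPUTERNAME\CERTUSER"
$secure   = Read-Host -AsSecureString -Prompt "Password for $user"
$plain    = (New-Object System.Net.NetworkCredential('', $secure)).Password

# Mappings must live at the site level, not on the directory. Writing to APPHOST with
# -Location places them in applicationHost.config, where this (locked-by-default) section
# is permitted; a directory-level web.config is what yields the vague 'Access is denied'.
$appHost = 'MACHINE/WEBROOT/APPHOST'
$section = 'system.webServer/security/authentication/iisClientCertificateMappingAuthentication'

Set-WebConfigurationProperty -PSPath $appHost -Location $site -Filter $section -Name enabled -Value $true
Set-WebConfigurationProperty -PSPath $appHost -Location $site -Filter $section -Name oneToOneCertificateMappingsEnabled -Value $true

# The certificate field wants one unbroken Base64 string of the DER bytes, i.e. the PEM body
# with the BEGIN/END lines, line breaks and spaces removed. Re-encoding the DER directly
# avoids hand-cleaning an exported file.
$cert       = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $certPath
$certBase64 = [Convert]::ToBase64String($cert.GetRawCertData())

Add-WebConfigurationProperty -PSPath $appHost -Location $site -Filter "$section/oneToOneMappings" -Name '.' -Value @{
    enabled     = $true
    userName    = $user
    password    = $plain        # IIS stores this attribute encrypted in applicationHost.config
    certificate = $certBase64
}

# On the directory itself: require SSL plus a client certificate, and switch off anonymous
# authentication so that only a mapped certificate gets through.
Set-WebConfigurationProperty -PSPath $appHost -Location "$site/$dir" -Filter 'system.webServer/security/access' -Name sslFlags -Value 'Ssl,SslNegotiateCert,SslRequireCert'
Set-WebConfigurationProperty -PSPath $appHost -Location "$site/$dir" -Filter 'system.webServer/security/authentication/anonymousAuthentication' -Name enabled -Value $false

# Quick check: list the mappings now stored at the site level.
Get-WebConfiguration -PSPath $appHost -Location $site -Filter "$section/oneToOneMappings/add" |
    Select-Object userName, enabled
```

A mapping added the same way under `-Location "$site/$dir"` reproduces the 401.2 described above, which is a quick way to confirm the site-versus-directory distinction on your own box.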