3 minutes read

Creating Authority-Signed and Self-Signed Certificates in .NET

Whenever I get some free time I like to tackle certain projects that have piqued my interest. Oftentimes I don’t get to complete these projects, or they take months to complete. In this case I’ve spent the last few months trying to get these samples to work. Hopefully you’ll find them useful. In the world of security, and more specifically in .NET, there aren’t a whole lot of options for creating certificates for development. Sure, you could use makecert.exe, or if you’re truly masochistic you could spin up a CA, but both are a pain to use and aren’t…

42 minutes read

Windows Azure Pack Authentication Part 3 – Using a Third Party IdP

In the previous installments of this series we looked at how Windows Azure Pack authenticates users and how it’s configured out of the box for federation. This time around we’re going to look at how you can configure federation with a third party IdP. Microsoft designed Windows Azure Pack the right way. It supports federation with industry protocols out of the box. You can’t say that for many services, and you certainly can’t say that those services support it natively for all versions – more often than not you have to pay extra for it. Windows Azure Pack supports federation,…

20 minutes read

Windows Azure Pack Authentication Part 2

Last time we looked at how Windows Azure Pack authenticates users in the Admin Portal. In this post we are going to look at how authentication works in the Tenant Portal. Authentication in the Tenant Portal works exactly the same way authentication in the Admin Portal works. Detailed and informative explanation, right? Actually, with any luck you’ve read, and more importantly were able to decipher, my (probably overly complicated) explanations in the last post. The reason is that we’re going to go a bit deeper into how authentication is configured. If that’s actually the case then…

31 minutes read

Tamper-Evident Configuration Files in ASP.NET

A couple of weeks ago someone sent a message to one of our internal mailing lists. His message was pretty straightforward: how do you prevent modifications of a configuration file for an application [while the user has administrative rights on the machine]? There were a couple of responses including mine, which was to cryptographically sign the configuration file with an asymmetric key. For a primer on digital signing, take a look here. Asymmetric signing is one possible way of signing a file. By signing it this way the configuration file could be signed by an administrator before deploying the application, and all…

4 minutes read

Making the X509Store more Friendly

When you need to grab a certificate out of a Windows Certificate Store, you can use a class called X509Store. It’s very simple to use:

    X509Store store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
    store.Open(OpenFlags.ReadOnly);
    X509Certificate2Collection myCerts = store.Certificates.Find(X509FindType.FindByThumbprint, "…", false);
    store.Close();

However, I don’t like this open/close mechanism. It reminds me too much of Dispose(), except I can’t use a using statement. There are lots of arguments around whether a using statement is a good way of doing things and I’m in the camp of yes, it is. When they are used properly they make code a lot more logical. It creates…

6 minutes read

Claims Transformation and Custom Attribute Stores in Active Directory Federation Services 2

Active Directory Federation Services 2 has an amazing amount of power when it comes to claims transformation. To understand how it works, let’s take a look at a set of claims rules and the flow of data from ADFS to the Relying Party: We can have multiple rules to transform claims, and each one takes precedence via an Order: In the case above, Transform Rule 2 transformed the claims that Rule 1 requested from the attribute store, which in this case was Active Directory. This becomes extremely useful because there are times when some of the data you need to…

2 minutes read

Certificates and ADFS 2.0

One of the problems with pushing all this data back and forth between Token Services and clients and Relying Parties is that some of this information really needs to be encrypted. If someone can eavesdrop on your communications and catch your token authorization they could easily impersonate you. We don’t want that. As such, we use certificates in ADFS for EVERYTHING. The problem with doing things this way is that certificates are a pain in the neck. With ADFS we need at least three certificates for each server: Service Communication certificate: This certificate is used for SSL communications for web services…

2 minutes read

Working with Certificates in Code

Just a quick little collection of useful code snippets when dealing with certificates. Some of these don’t really need to be in their own methods but it helps for clarification.

Namespaces for Everything

    using System.Security.Cryptography.X509Certificates;
    using System.Security;

Save Certificate to Store

    // Nothing fancy here. Just a helper method to parse strings.
    private StoreName parseStoreName(string name)
    {
        return (StoreName)Enum.Parse(typeof(StoreName), name);
    }

    // Same here
    private StoreLocation parseStoreLocation(string location)
    {
        return (StoreLocation)Enum.Parse(typeof(StoreLocation), location);
    }

    private void saveCertToStore(X509Certificate2 x509Certificate2, StoreName storeName, StoreLocation storeLocation)
    {
        X509Store store = new X509Store(storeName, storeLocation);
        store.Open(OpenFlags.ReadWrite);
        store.Add(x509Certificate2);
        store.Close();
    }

Create Certificate from byte[] array

    private X509Certificate2 CreateCertificateFromByteArray(byte[]…