Posts Tagged ‘Windows Server 2008’

Security Exception when using AJAX Control Toolkit on Server 2008

October 2, 2009 Leave a comment

I am using the AJAX Control Toolkit for its tab UI and my compile and link cycles came and went without incident on my Vista development machine.  However when I deployed to our integrated unit test environment on Server 2008, I got the following error when accessing the page with tabs:

System.Security.SecurityException: Request for the permission of type ‘System.Web.AspNetHostingPermission, System, Version=, Culture=neutral, PublicKeyToken=b77a5c561934e089’ failed.  Here is a screen shot for reference.


I did a lot of checking and I found articles that involved accessing the AJAX Control Toolkit on a different machine, but that was not my issue.  After publishing via Visual Studio to our server, all dll’s were in their normal folders.

The solution was to change one of the defaults on the application pool for this website.  The value is under the Process Model section in Advanced Settings and is Load User Profile.  By default it is set to false which will emulate IIS6 behavior of not loading the user profile for the application pool identity.  Setting it to true solved the problem.


That was it. Make sure you recycle your application pool and restart your web site.


A Practical Architecture for WCF – Part 3

August 26, 2009 Leave a comment

This is the third article in our WCF practical architecture series.  Part 1 is here, and part 2 is here.

At a certian point, setting up a WCF environment moves you away from programming and more toward networking.  That is what this article is going to cover, how to setup a WCF client on IIS7 using the net.tcp protocol.  We will be crossing machine and domain boundaries and will be suggesting a starting point for a secure environment.

We are going to do  two things in this post

  1. Configure your local development machine to host a service in IIS7
  2. Configure a seperate server to host a service in IIS7 and to recieve what you push from your local development machine.

First, lets get service hosting done on your local machine so you have something to push to your application server.  Right click on your solution and then Add and then New Web Site.  Then select WCF Service as shown in the image below.  I choose the name CheeseListIISHostedServices.  It’s important now to pick the name you will be living with because I am recommending that this name not only be the name of your local environment, but the name of the new A record you will create to point to your application server.


Then in the AppCode folder delete the IService.cs and Service.cs files as you won’t need them because you have a seperate service layer.  Next, right click your site and click on Add new ASP.NET folder, then click on Bin.

Change the name of the Service.svc folder to the name of your service.  Since my service is called BrandServices, I renamed it to that.  Then you will want to go into the svc file and change the Service attribute.  Make sure that you include the namespace of your service too.  Look at the image below for how I named my Service attribute in the svc file. 


Notice in the image above that the location has been removed from the original Service.svc.  We will not need this as we are going to establish a reference to the project that contains the services.  To establish a reference, right click on the web site and then click on Add Reference.  Go to the projects tab and then click on the project that has your services.  In this instance for me it is CheeseListServices as shown in the image below.


When you click on ok, your Bin folder will get filled up with all of the referenced dll’s in your service project including your newley created services dll.  Then, after a few more configuration details, you’ll have something to push out to your real services environment.

The next step is to configure the web.config file.  The two things to remember about the web.config file supporting services.  First it functions as the config file for the modules from the site we are wrapping with services, so all of its settings should be there, and we also have the services section.  Let’s take a look at the system.serviceModel section in the web.config in the figure below to look at how to configure our service for net.tcp and to be discoverable.


You can copy and past what is here and change the names to fit your names.  In the bindings section we have a netTcp binding tag.  There is more here than is necessary, but this binding section will support transactions and a certian level of security.  So for now just to get this running, this can be copyed and pasted.

In the services section we have three services, but two of them are collapsed because we won’t need them now, but we will later.  In the service for Brand services we set our binding protocol to net.tcp and we also included a few endpoints.  The mex endpoint is used by the client to generate service metadata. 

Since we are not using http but net.tcp as the service protocol, we cannot put the mex endpoint address into a browser and read the file, but we will be using the WCF Test Client to make sure our setup is working.  Normally, I never use the WCF Test Client because I’ll always have a client around with some sort of functionality to get myself off of the ground.  But I didn’t want to make you wait until we got done with the client to see if you had set up your services correctly.  So we are using the client here.  This part of the series is pretty long as it is.

Finally in the config is the behavior section.  In the serviceBehaviors tag we have additional information for our service.  You can cut and paste here too making sure that you have your service name correct.

Next, please check to see if your default web site has a net.tcp binding type.  To check it, click on the default web site and then right click and then click on Edit Bindings.  You should see net.tcp for port 808:*.  If you don’t, click on the add button and add it.  Later on in this post, we go into setting up bindings on IIS7 on Windows Server 2008.  Anyway, when you setup IIS7 on your workstation, all bindings should have been created by default.

Ok, we are getting really close to fireing up our service.  We just have to get the address of our service to feed to the WCF Test Client and then we are good to go.  Here is how to do that.  In IIS7, click on the website that is hosting your services and then in the center pane at the bottom click on Content View.  Then find the svc file for your service, click on it and then click on browse.  You should get something in your browser like the figure below.


If you got this, you are really in good shape, that means your site is setup correctly and you do not have any gross errors in your config file.  What you want is the address up close to the top right after svcutil.exe.  Copy and then pull up the WCF Test Client at C:\Program Files\Microsoft Visual Studio 9.0\Common7\IDE\WcfTestClient.exe.  When you get it up, click on File and then Add Service.  Past the address into the end point address edit box like the figure below. 


Then click on OK and after a bit you should see a dialog box appear with a progress bar saying “Adding”.  When finished you should see your service under My Service Projects along with the service method.  In the figure below, you can see my ListAll() method.  I clicked on the listAll() method and then got a ListAll panel on the right.  Then I clicked on the Start a new proxy checkbox near the Invoke button and then clicked on the Invoke button and got the result below (click through the security warning).


The results are the return of the BrandList object from the ListAll() service.  If you click on the XML tab on the bottom, you can see the Request and Response messages.  If you got this far, you are in really good shape.  If not, please post your questions and I’ll answer them asap.

The next part of this post explains how to create an application server using IIS7 and the net.tcp protocol in your enterprise.

Every enterprise has its own security requirements and what configuration is necessary to meet those requirements.  So, this article is not intended to be then end all and be all of security, however, for traffic within your LAN, it is my opinion that what we are talking about here will be reasonably secure.

Also, as pointed out earlier in this series, we’re not going into all the options available, but are pointing out one simple and practical approach.  Resources for a more detailed discussion of options are here.

Ok, now on to the client.  WCF services can either self host, or use IIS.  We are going to look at how to host WCF Services with IIS7.  We are also going to be using the net.tcp protocol to do it.  The reason to use net.tcp is that by doing so you can expose your services equally to a web site or to a windows forms application.  You can do it using http or https, but net.tcp is much faster, and although it is a little harder to configure, it is really worth it.

What we are doing here is to setup the service on its own machine and with its own domain.  First thing is to create the DNS domain internally.  The default domain on our network is and we also use equally.  The Windows domain name is  We also have a number of other domains as we host and do development for clients.  We created a new domain called and are using it for hosting services.  However the windows forms desktop client is on the domain.  Below is a screenshot of the domain after it was configured with the cheeselistiishostedservices A record.


The next step is to create the site on IIS7 that will do the hosting.  To that, first you have to add the IP address you want to use for the site into your NIC configuration.  I never use the default web site, and always add additional IP’s for each website I need.  The screen shot below shows the configuration of the NIC. 

To get there you go to Control Panel / Network Connections and click on the NIC you want to configure.  Then click on the properties button and then on the Internet Protocol Version 4 item.  Then click on the advanced button and on the top of the dialog box, you’ll see IP addresses.  Add the IP there.  Aftering adding the IP, make sure you can ping it from your workstation using the fully qualified domain name you setup in the DNS Manager.  In this case it is


Next, create the actual site.  My convention is to create a site name that is the same as the A record I created.  Under binding make sure you pick the new IP Address you created and leave the rest to default values.  We are going to go back and change a few things.

After creating the website, create an application pool where the Managed Pibeline Mode is Integrated.  Now comes the fun and controversial part.  I change the identity in the Process Model section from the NetworkService to something else.  That identity is a regular windows login for each application.  Users don’t know anything about it, it’s purpose is to be an administrative or application service account.  This account is used as the identity of the website as well as the login to the database.  We use an SSPI login to talk to the database so we don’t have to embed a login id and password into the web.config.

So, lets talk about this for a bit.  What I want to do as an architect is balance security with maintenance and prevent deployment errors.  So, I have at least three and sometimes 4 environments.  Each environment will have a complete set of machines; database, web and or services.

  1. Development
  2. Integrated Unit Test
  3. QA
  4. Production

For each application in each environment, I will create a windows login.  In each database I create a database role and then assign the application service account to that role.  Each environment has the same database role, but each environment will have a different application service account.  This makes it very easy to migrate database changes between environments; from dev to IUT to QA and then to production.  I don’t have to make any manual changes to any script because I am granting permissions on the role in the database. 

Then in any web environment where I am using SSPI logins, the identity in the application pool is what is used to login into SQL Server.  Sometimes when moving scripts around, it is possible and likely that you will at one time or another, you will point to a database in the wrong environment.  However having a different application service account for each environment will cause an exception to be thrown and you’ll know immediately that the name of the server is wrong.

The reason you need to care about the database login for the service is that we are wrapping an existing website’s dll’s and they need a way to login to the database.  You could if you wanted create a different application service account to be used by services from the one used by the website.  It does not matter as long as that user gets added to the appropriate database role in the right database and it is the same as the identity in the application pool.

It may seem like a lot of work to create so many users and to do this extra configuration, but you will be glad you did the moment your development process comes under stress.  Its much better to see an immediate error telling you that you tried to get into the wrong database, than to realize that you have been pointing to the wrong database and now your data is screwed up, not to say what will happen with your credibility with the users having to re-enter data and trying to remember what they did.

So, right click on the new application pool and then click on advanced settings and change the name of the Identity to your application service account as shown in the image below.


After changing your site’s identity, you need to add a binding to support net.tcp.  So, right click on the website that you are going to use to host the service and click on Edit Bindings.  Then click on the Add button, and like the image below shows, select net.tcp from the dropdown and enter a port number followed by an asterick.  I choose 808:*.  then click ok.


Now the website is setup with its own application pool and custom binding and is ready to be published to.  So, lets put our programmer’s hat back on and open Visual Studio.  We want to change the base address and point to the website we just set up, so change it from localhost.  In my case the new address is net.tcp://  Once you are done with the configuration changes, then go ahead and publish to your new server.  You can test it just like you did when you were getting services to run for the first time on your local machine.

Ok, that is it for this part.  There was a lot here, and I know this piece stayed pretty high level.  Remember there are WCF Learning Resources here on the Computer Mutt.  Also, if you have any questions, post them and I’ll answer them ASAP.  Next up we will create a web and windows forms client.  After that we will dive into transactions and then to exception handling.

A Practical Architecture for WCF – Part 1

August 20, 2009 Leave a comment

This is the first in a series of articles designed to provide an example of a practical architecture for WCF in its support of a services oriented architecture.

We are going to look at how you could take an existing web site and wrap its functionality in services to be consumed by either a web site or a windows forms application.  We will show you how to configure your network and servers to offer these services across domains and machine boundaries.  We’ll also take a look at how to structure data contracts to provide robust objects and lists of objects across the wire with exception reporting.  Finally we’ll look at how to configure support for distributed transactions and some suggestions for structuring projects to make testing and deployment easier.

There are a few references that I recommend using as you are learning WCF and they are posted here on the Computer Mutt.  Those resources will address a wider range of WCF concepts much more in-depth than I will here as this article is focused on providing an approach to a particular problem, and not structured to review all options that are available.  Michelle Leroux’s introduction in the chapter on working with WCF in Visual Studio 2008 which covers SOA and WCF is total gold, and every time I re-read it I get something out of it.

Ok, let’s take the first step look at what we have and what we want to wind up with.  We are starting out with a current web site that site is a very simple ASP.NET 3.5 public web application in production that provides a list of cheese brands and cheese types that are made without animal rennet.   It has discreet layers consisting of a data layer, business layer and presentation layer in the form of web pages.  The data layer talks to Microsoft SQL Server 2008 and runs on IIS7 on Windows Server 2008.  Everything is 64 bit and everything is on a single box.  Basically it is simple running website and thus a good candidate for a first step.

Here is a network diagram showing the current architecture of the website we are going to transform:

Current Architecture

The diagram below is what the architecture will look like after we transform it.  The differences are that major components are separated by machine boundaries.  The database has its own box, services has its own box, and the web site has its own box.  On the services box we also have the original business and data layers along with IIS.  

Once we transform our original website and began offering services, we are simply serving content to presentation layers both inside and outside of your network allowing you to use either browsers or Windows Forms applications.  In the case of a browser, the user points to a URL to get content, in your Windows Forms application, you can configure an endpoint to point to, either way, desktop configuration and support can be much simpler as a result.

Configuring the environment for services behind the firewall is simpler than offering them over the network, and the scope of this series is for services on the inside of the firewall.  In a subsequent article, I’ll walk you through the steps necessary to offer secure services over the internet.


We are going to use Visual Studio 2008 with .NET 3.5 along with WCF Services Templates to code services.  Development is on a Vista machine.  An aside on Vista first.  I’ve heard how Vista sucked and to avoid it, however when I switched to developing and supporting ASP.NET apps on Windows Server 2008 & IIS7, I found that using Vista simplified development. 

First, Vista uses IIS7 (which is the version on Server 2008) and it understands the web.config files generated by Visual Studio 2008.  I can also configure those web.config files once in one place in the file, unlike developing on XP where you have to configure the same thing in several places in the file.  Yes, UAC blows, but you can turn it off and I have had no problems using it.  I’m not advocating that you switch from XP if you want to develop services to run on Windows Server 2008, I’m just passing along that I found with Vista I created a less error prone development environment.

One last word on environment.  While you will be able to do everything in this series of articles on one machine, it will work out better for you in the long run if you have an Active Directory environment with at least three dedicated boxes; Web, Services, Database.  If you have limited equipment, consider creating seperate environments using Hyper-V.  Go to my recent post for help on creating and cloning Hyper-V environments. 

I really want to emphasize that it is in your interest to invest the sweat in creating seperate environments to run the examples in this series.  The reason is that a lot happens by default when you run everything on a single box and you’ll never realize it until you begin to move things around, and by then you’ll have to spend an undetermined amount of time to backtrack to uncover your mistakes.  Also, nobody is really going to be running this stuff on a single machine in a production environment anyway, so you might as well get used to it right off of the bat.  If you understand what the network requires to support WCF you’ll be more valuable to your company and customers.  

Before finishing this introduction, some thoughts on the Web Client Software Factory (WCSF).  This tool will allow you to code WCF services using a visual designer in Visual Studio.   One of its strengths is that it forces a particular format on project directory structure which can be advantagous since everyone on the team will be forced to structure their work the same way.   I began working in WCF using this tool, and I have to say it was a very confusing time for me as took a lot of effort to understand where the tool left off and WCF began; it was unnecessairly complex.

Furtheremore, once you start a project in the tool and need to make changes, you must go back and make them through the designer.  There are some other very severe side effects to.  One is that the tool will create directory and filenames that will break Visual Studio and this goes double if you are using Team Foundation Server.  Having outlined some of my concerns, you have to that creating such a tool is a huge accomplishment, and although this tool is just in its beginning stages, over time I am certian refinements will be introduced smoothing out some of its early difficulties.

In my mind it is best to start out simply and do everything manually so you get a clear understanding of what you need to do to support WCF services.

Next up – A Practical Architecture for WCF – Part 2 which will demonstrate the creation of services.

Cloning Virtual Machines using Hyper-V Without the Pain

April 20, 2009 5 comments

This post will explain how to create and then clone virtual machines using Microsoft’s Hyper-V virtual machines.  There are a few speed bumps you may encounter along the way that are helpful to know of in advance, and we’ll cover an approach to get over them.

I have been a long time user of VMWare for creating virtual machines, but, I ran into problems with hosting Microsoft’s ISA Server inside of a VMWare virtual machine.  With the release of Windows Server 2008 and Hyper-V the story is different now.  Microsoft supports ISA Server and their beta ISA Server product called TMG (Threat Management Gateway) in a virtual machine environment.  See: and and finally Jim Harrison’s presentation on virtualizing ISA at  Now it is possible to model an entire network along with ISA Server inside virtual machines.  Additionally, the cloning of virtual machines, although a manual process, is sustainable.

That is the good news, however there are two gotcha’s:

  • SID creation
  • Mouse not captured in Remote Desktop Session

Let’s look at solving SID creation problems first, since that is the last thing I worked with and is freshest in my mind.  If you are running stand alone machines, and are cloning from a parent virtual machine or vhd file, all of your vm’s will have the same SID.  This is not a problem for you.  If, however, you need to clone vm’s and then join a domain, you will have problems if you do not create a unique SID for each VM. 

One way to do this is to use Microsoft’s sysprep tool, the other is to use a tool called NewSID located here, which the rest of this post will cover.  There are some problems that the SYSPREP tool has as is reflected in this Microsoft Knowledgebase post:

I choose NewSID because it only does two things; generates a new SID and renames the machine.  And, that is all I need.  If you have other requirements, SYSPREP is the way to go.

Ok, gotcha one. You will need to check for a specific registry entry in your seed virtual machine that will throw NewSID into an infinate loop which will cause it to run out of resources and crash.  You need to see if you have the following registry key.  If you don’t then you can go to the next step.  The key to check for is HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Wow6432Node.  The following blog post alerted me to the problem:  After deleting the key in my seed vm, I had no further problems.

The second gotcha involves the creation of a VM using remote desktop; basically, you can’t do it, and in my mind is one of the most lame and frustrating things about Hyper-V.  It is simple to create virtual machines using remote desktop with VMWare’s product and I don’t know how Microsoft could have let this out the door without remote desktop support, but they did.

So, you need to be physically in front of your host machine to install Microsoft’s Virtual Machine Integration Services to be able to use a mouse when working with virtual machines remotely.  After you create your virtual machine and login, it’s a single mouse click to install these services, but you have to be physically at the console. 

Now that the gotcha’s are out of the way here are the steps we will follow in creating a virtual machine in Hyper-V that is clonable.

  1. Create and configure seed vm.
  2. Copy the virtual hard disk or vhd file.
  3. Tweak child.

Before you can use Hyper-V you’ll need to create the Hyper-V role.  And, before you create the role, it is important that you have enough physical NIC cards to support it.  At least two are preferable.  One for remote access, the other to use for the creation of virtual networks.  When I created my Hyper-V role, I chose External for the network on my second NIC card which is used for by the virtual machines. 

When you create your first vm, my advice is to select the defaults and let the Hyper-V manager put things where it wants to so you can learn where things go.

Before we continue – I am only explaining how to create vm’s with default values just to get you started.  After creating your vm and working with it a bit, you’ll need to decide if the file structure is right for you along with naming conventions.  I am just interested in providing a very basic orientation to this process to get you up in the air to circle the field a few times and then land. 

The first thing to do is to create your virtual hard disk or the vhd file.  This file is what will be cloned later.  For now, create a new vhd with all defaults intact.  To create the vhd file, click on the new link in the action pane on the right hand side at the top. After creating the vhd, then click new again to create a vm that will use the virtual hard disk you just created.  Again, use the defaults until you get to connections.  Choose the network you created when you created the Hyper-V role.  The image below shows where the action menu is to complete these tasks.


After creating the vhd and vm, then click on it in the virtual machines pane in the top center.  On the right you’ll see where you can change settings and start and connect.   At this point you’ll want to install an OS on your new vm.  Put your distrubution CD into the sever and click on start and follow the prompts to install your OS.  There are other locations you can use for installing the OS such as a network install point.


After you get the OS installed, login to the machine and install the Virtual Machine Integration Service.  To do that, click on the Action menu and select Insert Integration Services Setup Disk.  It’s a virtual (what else!) CD that starts up automatically.  Again follow the prompts and select defaults.  You’ll need to restart the machine after tArehe install.  At that point you can leave the console and the vm can be used via remote desktop.


This is the point where you tweak your vm until it is ready to distrubute.  One of the items I strongly recommend you add is the NewSID program along with the registry change outlined earlier in the post.  Also, one of the things I do with my seed vm is to never run it for general use, but only use it for creating clones and running them.

At this point we are ready to clone the vm.  Go to the folder that houses your single vhd file and copy it and then give it a meaningful name.  I usually give it the same name as the netbios name of the vm and the physical vm name, something like vm-mmant<n> where <n> is the last octet of the ip address in the subnet I use for my vm’s.


After the copy, create a new virtual machine and give it the same name you used for your vhd.  Select the defaults until you get to the networking section and select your virtual network.  In the next section, select the “Use an existing virtual hard disk.”  It will give it the name of your machine and if your vhd is named the same you have one less step to take and everything ties together.  Finish creating the vm and when you are done, click on start in its management section and wait a few seconds until it starts.  Then click on connect and login.  When the vm comes up, you can click on the Action menu and select the Ctrl-Alt-Delete option and then login.


The first thing to do is to change the IP address.  Then fire up NewSID and select a new SID and then select a new netbios name for the vm and click ok.  In a few minutes NewSID will finish and will reboot the box.  When it comes back it will have its new SID, IP address and netbios name.  The following images below display the steps in using NewSID to generate a new SID.






When the vm comes back and you login and are happy with the way everything is set up, I recommend that you create a snapshot before adding new roles and features.  You can than go back to any snapshot if something gets messed up.  Also, when you are done with the vm, you can go back to the original snapshot and use the vm for something else.

I hope that you found this post useful.  If you have any questions or suggestions to make any of this more clear, please post and I’ll do my best to answer your questions.

%d bloggers like this: