If you getting errors signing assemblies on Vista like below you might want to check some security permissions.

Cryptographic failure while signing assembly '....' Access is denied.

To remedy the problem I simply opened an Explorer window as an administrator and altered the ACLs on the necessary directory.  I granted my user Full Control on %ALLUSERSPROFILE%\Application Data\Microsoft\Crypto\RSA\MachineKeys.  Simply restart Visual Studio (if it was open) and you should be off and rolling.

In some circumstances, you may need to test .NET web services outside of the localhost, but via the browser. By default, this is disabled in the machine.config. If you were to attempt to browse to a service from a different PC or to access a service under a host name, you'd receive a message stating: "The test form is only available for requests from the local machine." To circumvent this issue, open up the web.config and add:

<configuration>
    <system.web>
        <webServices>
            <protocols>
                <add name="HttpGet"/>
                <add name="HttpPost"/>
            </protocols>
        </webServices>
    </system.web>
</configuration>

I dont know if this is related to Vista. I thought I'd post how I fixed it to save someone 2 hours of their lives. I just went into the Window Local Computer policies and disabled rollback and set Windows Installer to always run with Elevated permissions. Insecure I know, but if Microsoft cant write MSI correctly what chance do we have. Lifes too short.

Microsoft's been talking this one up for some time now, but XNA Game Studio Express, the so-called "YouTube for games," has finally hit the big 1.0 and is now available for would-be game designers everywhere to get their hands dirty with. The software is a trimmed down version of the company's full-fledged XNA game devleopment platform, based on Visual C# Express and able to run on a standard Windows PC (XP for now, Vista later). The YouTube analogy is, of course, a bit of an overstatement as you'll need some honest-to-goodness programming skills to actually create something resembling a game. While the core software is available as a free download, to get the most out of it you'll have to sign up for the XNA Creators Club, which will run you $49 for a four month subscription or $99 for an annual sub through Xbox Live Marketplace. In addition to letting you play user-created games on an Xbox 360, it'll also give you access to a library of game assests, as well as sample products, white papers, and technical support. If you need an added incentive, Microsoft's also announced the "Dream-Build-Play" game design competition, though the only details they're providing at the moment are that you can win "fantastic prizes" and "global envy."

Just flipping /3GB isn't enough for most programs. It has the effect on the kernel, true, but unless your process's executable has the Large Address Space Aware flag set, Windows won't actually give you the full 3GB space. Link your executable with /LARGEADDRESSAWARE or use EDITBIN.

By default .NET 1.1 processes dont have the Large Address Space Aware flag set so you must do this yourself. As you dont have linker options inside Visual Studio for C# projects I did this using a post build step, something like this:

call "$(DevEnvDir)..\Tools\VSVARS32.BAT"
editbin.exe /LARGEADDRESSAWARE "$(TargetPath)"

Now all that extra RAM is mine! muhahaaha.

[Update: and of course if you have signed your executable assembly, you will need to re-sign it with the sn.exe tool.]

If you receive "Cannot generate SSPI context" when trying to connect to SQL Server using Integrated Security grab yourself a coffee, find a comfy seat and prepare yourself for several hours of hardcore debugging.

First read thru this article: http://support.microsoft.com/?id=811889

If you not familar with Kerberos or NTLM you might just want to give up now!

The solution I'm about to supply is for one of many problems that may cause this error message. It might sound simple when I list it out but believe me this is the result of many hours wasted in front of my laptop.

Firstly my sql connections were working fine. Then after a reboot - nothing but "Cannot generate SSPI context" errors.

Nothing had changed. Honest.

After a lot of debugging I realised that when it worked i was connected (via VPN) to my office's domain. Therefore I could see and communicate with the DC. Something that is required for Kerberos.

After the reboot I did not reconnect to the VPN, therefore Kerberos was not used. I believe that cached credentials are no good.

Therefore NTLM was being used this time around. By why wasnt this working?

Again many hours passed before I realised that the NT LM Security Support Provider service was not running on my box.

Starting this and performing a reboot to pick up new token got my application working again.

Sigh. Now for some real work.

[Update: 1 hour later!] I'm still having "issues". I'll post more if I figure this bugger out!

If anyone ever see strange dialogs (that look fairly unprofessional) appearing behind normal installation dialog during an install, here the explanation: your using Terminal Services. Atleast thats the best explaination I can find at the moment. Check out this thread for more details.

If you get warnings from IE about mixed security in your HTTPS pages, check this link below:

http://gemal.dk/blog/2005/01/27/iframe_without_src_attribute_on_https_in_internet_explorer/

I would have been stuck on this for hours! Thank god for blogging!

[edit: setting src = javascript:false; also works.]

For several days now I've been struggling with a problem involving Installshield 11.5 integration with Visual Studio 2005. I have been converting some C# projects over to .NET 2.0 and was also having to update their installers. I was using an evaluation copy of Installshield 11.5 which meant that every time you opened the solution it prompts to enter a serial number or continue the trial. I could live with that for 30 days whilst I tested it out. Things were going fine until one day every time dialog appeared Visual Studio would just hang.

To cut a long story short, it was not Macrovisions fault (no apologies though - you have plenty of other bugs to fix) at all, it appears that installing the latest security patch for Internet Explorer causes the problem. And from what I can tell its broken a lot of applications out there. The work around is to uninstall the patch (kb896688). You can do this via Add/Remove Programs in Control Panel (you might have to check Show Updates) or if you cant find it there manually by using the spuninst.exe found in the Windows directory under the folder with the patch name in it. ($NtUninstallKB899688$) for instance.

God damn - security. If its not hackers damaging boxes thru lack of security, its Microsoft breaking stuff by patching up the holes.

Now I need to update our automatic patching server to stop it spreading this diseased patch to every body here.

If you use Visual Studio 2005 Team Edition for Testers you will quickly come across this error message during load tests:

Could not Find Dependent Counter Needed to Apply Threshold Rule bug

To resolve this issue

Change the associated threshold rule to compare against a constant instead of another performance counter. This does not affect the results of the load test beyond failing to run the specified threshold rule and can be safely ignored.

Use the following procedure to change the counter:
1. Edit the load test and select Counter Sets/Load Test/Counter Categories/LoadTest:Request/Counters/Avg. Connection Wait Time/Threshold Rules.
2. Delete the Compare Counters Rule.
3. Right-click to add a Compare Constant rule.
4. In the rule, set Alert if Over to true, warning to .01 (10 ms) and critical threshold to .02 (20 ms).

By default, Microsoft Internet Information Services (IIS) 6.0 on Windows Server 2003 runs ASP.NET applications in application pools that use the NT AUTHORITY\Network Service account identity. This account is a least privileged machine account with limited permissions. An application that runs using this account has restricted access to the event log, registry, and file system. The account does have network credentials, which means you can use it to access network resources and remote databases by using Windows authentication. The network resources must be in the same domain as your Web server or in a trusted domain.

In some scenarios, using a custom domain service account is a better approach than using the Network Service account. You should use a custom domain service account if:

• You want to isolate multiple applications on a single server from one another.
• You need different access controls for each application on local and remote resources. For example, other applications cannot access your application's databases if access is restricted to your application's account.
• You want to use Windows auditing to track the activity of each application separately.
• You want to prevent any accidental or deliberate changes to the access controls or permissions associated with the general purpose Network Service account from affecting your application.

SQL Server

ASP.NET applications should use Windows authentication while connecting to a database. By using Windows authentication, you avoid storing database credentials in connection strings and you avoid passing passwords over the network to the database server.

With Windows authentication, your application's process account is used by default for authentication. To be able to access a database, your account requires:

• A SQL Server login on the database server.
• Permissions to the required objects (for example, stored procedures, views, or tables) in the required database.

Granting Access to a Local SQL Server

When the SQL Server is on the Web server, you must create a database login for the NT AUTHORITY\Network Service account.

To access a local SQL Server database using Network Service

1. Start SQL Server Enterprise Manager.
2. Expand the folders in the left panel and locate the Security folder for your local SQL Server.
3. Right-click Logins in the Security folder, and then click New Login.
4. In the SQL Server Login Properties - New Login dialog box, in the Name box, enter NT AUTHORITY\NETWORK SERVICE. Accept the defaults for the other settings, and then click OK.
5. Expand the Databases folders, and then expand the Pubs (or equivalent) database.
6. Right-click Users, and then click New Database User.
7. In the Database User Properties - New User dialog box, select the NT AUTHORITY\NETWORK SERVICE account.
8. In the Permit in Database Role list, select the db_datareader check box.
9. Click OK, and then close the SQL Server Enterprise Manager.

The Network Service account now has permission to read the data in the tables of the designated database.

In practice, your application's requirements may be more complex. For example, you might want to allow read access to certain tables and allow update access to others. The recommended approach to help mitigate the risk posed by SQL injection is to grant execute permissions to the Network Service account on a selected set of stored procedures and provide no direct table access.

Granting Access to a Remote SQL Server

If you are accessing a database on another server in the same domain (or in a trusted domain), the Network Service account's network credentials are used to authenticate to the database. The Network Service account's credentials are of the form DomainName\AspNetServer$, where DomainName is the domain of the ASP.NET server and AspNetServer is your Web server name.

For example, if your ASP.NET application runs on a server named SVR1 in the domain CONTOSO, the SQL Server sees a database access request from CONTOSO\SVR1$.

To access a remote SQL Server using Network Service

To grant access to a remote database server in the same domain or a trusted domain, follow the steps described earlier for a local database, except in step 4, use the DomainName\AspNetServer$ account to create the database login.

Note   In production environments, you should place the network service account into a Windows group and create a SQL Server login for the Windows group.

from MSDN

I've been getting quite a few errors from dasBlog recently with invalid viewstate. After chatting with Scott Hanselman about possible causes, we've narrowed it down to two possiblities:

1. someone is tampering with my site
2. IIS is recycling whilst a postback occurs

The IIS recylcing sounds more likely, although I'm actually hosting this site on Windows 2000 with IIS5 which I didnt think recycled ever 20 minutes like IIS6.

Anyhow to rule that out I've set a manual machineKey for my dasBlog application: here's an example:

<machineKey  
validationKey="21F090935F6E49C2C797F69BBAAD8402ABD2EE0B667A8B44EA7DD4374267A75D7
               AD972A119482D15A4127461DB1DC347C1A63AE5F1CCFAACFF1B72A7F0A281B"           
decryptionKey="ABAA84D7EC4BB56D75D217CECFFB9628809BDB8BF91CFCD64568A145BE59719F"
validation="SHA1"
decryption="AES"
/>

That way if IIS does cycle during a request we should also use the same keys instead of getting new AutoGenerated ones. The same principle applys if you are using a web farm. Different servers might serve the inital request from the postbacks.

BTW: if you need to generate those keys above, here's some code:

using System;
using System.Text;
using System.Security;
using System.Security.Cryptography;

class App {
  static void Main(string[] argv) {
    int len = 128;
    if (argv.Length > 0)
      len = int.Parse(argv[0]);
    byte[] buff = new byte[len/2];
    RNGCryptoServiceProvider rng = new 
                            RNGCryptoServiceProvider();
    rng.GetBytes(buff);
    StringBuilder sb = new StringBuilder(len);
    for (int i=0; i<buff.Length; i++)
      sb.Append(string.Format("{0:X2}", buff[i]));
    Console.WriteLine(sb);
  }
}

private AdomdConnectionException(SerializationInfo info, StreamingContext context) : base(info, context)
{
 this.exceptionCause = ConnectionExceptionCause.Unspecified;
 this.exceptionCause = (ConnectionExceptionCause) info.GetValue("ExceptionCauseProperty", typeof(AdomdErrorCollection));
}

Has anyone else seen this? Or have a workaround?

I've posted an article on an MSDN forum just in case someone from M$ spots it!

If you find this post via google hopefully someone has answer my questions.

DCOM, XP SP2, and Remote Debugging
(This guy deserves a medal - and his page should be ranked much higher in google)

• Added random wallpaper control, with links to my changer application plus the current wallpaper for the half hour.
• Added my streaming radio control - ported over to new dasBlog macros.

Many developers consider Web services the de facto solution in their everyday work. While Web services do work in many situations, there are alternatives that may be more appropriate depending on the project. Remoting is a good example, but deciding when to use remoting as opposed to a Web service can be difficult. Let's take a closer look at both technologies, focusing on when and where they may be used.

Remoting

The .NET Framework includes remoting in the CLR (Common Language Runtime). It provides classes to build distributed applications, as well as network services that send messages over channels.

Remoting allows you to utilize one of two channels, HTTP and TCP, and it replaces DCOM (Distributed Component Object Model). You may use remoting in any .NET application type, including console, Windows form, Window services, and so forth.

There are a variety of serialization formats available for use with remoting. By default, the HTTP channel utilizes SOAP (Simple Object Access Protocol) and TCP uses binary. These are only defaults; channels may use either serialization format.

Multiple options are available for implementing a remoting application. This includes the following:

• SingleCall: Each client request is serviced by a new object with the object disposed when the request has finished.
• Singleton: All incoming client requests are processed by a single server object.
• Client-activated object: This is the old stateful DCOM model, whereby the client receives a reference to the remote object and holds that reference (thus keeping the remote object alive) until it is finished with it.

The main aspect of remoting is that each endpoint in the process must utilize the .NET Framework. In turn, object types are easily passed between the endpoints since they are using the same environment. Each object has a lease time. Upon expiration, the object is disconnected from the .NET runtime remoting infrastructure. The passing of an object reference results in the same object being accessed using the reference thus the necessity of .NET on each end.

A remote object is implemented in a class derived from the System.MarshalByRefObject class. A client makes method calls via a proxy object, which invokes the necessary method on the remote object. Every public method defined in the remote object is available to the client. A good name for remoting is peer-to-peer. Let's take a quick look at Web services before contrasting the technology with remoting.

Web services

Web services are Microsoft's mantra these days. That said, Web services are much more flexible than their remoting counterpart. Web services give us a loosely coupled messaging architecture that scales across the Internet. This Web service architecture is standards-based, modular, and general purpose. All of the endpoints do not have to be using the same environment, so a .NET application can easily utilize a Web service developed with Java and vice versa. Standards are the backbone of Web services. This includes, but is not limited to, the following technologies:

• XML (Extensible Markup Language): A simple, very flexible text format derived from SGML. XML is playing an increasingly important role in the exchange of a wide variety of data on the Web and beyond.
• UDDI (Universal Description, Discovery and Integration): Defines a registry service for Web services and for other electronic and non-electronic services.
• WSDL (Web Services Description Language): An XML format for describing network services as a set of endpoints operating on messages containing either document-oriented or procedure-oriented information.
• XSD (XML Schema Definition): Provides a way to define the structure, content, and semantics of XML documents.

ASP.NET Web services rely upon SOAP to package and transport data over the HTTP protocol. You may utilize a variety of serialization formats to work with objects.

Choosing between Web services and remoting

When designing an application, performance is always a big factor. If you are working in a controlled environment, like a LAN or WAN, remoting is a good choice given its support of TCP (which is much faster than HTTP). This removes a wrapper like SOAP where data must be packaged for transfer and unpackaged on the other end. On the same note, remoting uses .NET on each end, so you may utilize inherent data types without problems.

In addition, while you can build stateful Web services, it is much easier to implement this feature utilizing remoting. This depends on application requirements. Basically, if you know each point or tier in the application will utilize .NET, thenremoting is a solid choice. On the other hand, an application tier could change in the future, so Web services provide more flexibility if that occurs. Web services are standards-compliant, so working with other systems are not (or should not be) a problem. However, they can be troublesome if you're working with wireless channels.

In the end, the ultimate decision rests in the hands of the application architect. However, some issues can make the decision much easier. For instance, if all of the application tiers are not using .NET, then remoting is not a viable choice. Remoting requires a tight coupling of application clients; therefore, its peer-to-peer nature may not be well-suited or desired for an application. It is much faster if the architecture is in place. Web services are more flexible, so any future changes in the application tiers may warrant its selection. They offer more hooks to build on down the road, which will come in handy if in the future you may need to do authentication or leverage any of the WSE (Web Services Enhancements) features.

During the course of trying to optimize an application I'm writing I kept seeing the stored procedure "sp_reset_connection" being executed. Yet the application never calls it!

Here's the explanation after some googling:

Data access API's layers like ODBC, OLE-DB and SqlClient call the (internal) stored procedure sp_reset_connection when re-using a connection from a connection pool. It does this to reset the state of the connection before it gets re-used, however nowhere is documented what things get reset. This article tries to document the parts of the connection that get reset.

sp_reset_connection resets the following aspects of a connection:

• It resets all error states and numbers (like @@error)
• It stops all EC's (execution contexts) that are child threads of a parent EC executing a parallel query
• It will wait for any outstanding I/O operations that is outstanding
• It will free any held buffers on the server by the connection
• It will unlock any buffer resources that are used by the connection
• It will release all memory allocated owned by the connection
• It will clear any work or temporary tables that are created by the connection
• It will kill all global cursors owned by the connection
• It will close any open SQL-XML handles that are open
• It will delete any open SQL-XML related work tables
• It will close all system tables
• It will close all user tables
• It will drop all temporary objects
• It will abort open transactions
• It will defect from a distributed transaction when enlisted
• It will decrement the reference count for users in current database; which release shared database lock
• It will free acquired locks
• It will releases any handles that may have been acquired
• It will reset all SET options to the default values
• It will reset the @@rowcount value
• It will reset the @@identity value
• It will reset any session level trace options using dbcc traceon()

 sp_reset_connection will NOT reset:

• Security context, which is why connection pooling matches connections based on the exact connection string
• If you entered an application role using sp_setapprole, since application roles can not be reverted

Arrgggg... I just realised I've written my first blog on SQL Server!!!! Hell may now freeze over...

Just completed an upgrade to DasBlog 1.8. Went pretty smooth. Found a few bugs with Firefox

More cookie issues with ASP.NET forms authentication that I expect to run into during QA testing with some of our more security conscious customers (e.g. using SSL). Thanks again Scott for sharing this stuff. Now if I only had time to test my code...

We use Forms Authenication in .NET 1.1 (using cookies) and as Scott warns there are some gottas with ASP.NET 2.0 if you dont recompile. Basically to allow support for cookie-less forms authenication you might find that you application goes stuck in an infinte redirect loop when users sign out. To prevent this, add the following to your web.config:

 <forms cookieless="UseCookies" name=".AUTH" protection="All" timeout="60" path="/"/>

Maybe I'm being thick. Or perhaps its the speed I'm having to code at. But I think I've found a bug in Reporting Services.

Basically we have implemented custom security so that our logins to the Report Server are using details in a custom database. They are not Windows usernames/passwords. However when we use the web service api (ListSubscriptions) to return user's subscriptions we get nothing? After digging further with my best friend Reflector I found the following code in M$'s assemblies:

public ArrayList ListSubscriptions(string user, string report)
{
      ArrayList list1 = new ArrayList();
      string text1 = "select
             S.[SubscriptionID],
             S.[Report_OID],
             S.[Locale],
             S.[InactiveFlags],
             S.[DeliveryExtension],
             S.[ExtensionSettings],
             SUSER_SNAME(Modified.[Sid]), 
             Modified.[UserName],
             S.[ModifiedDate],
             S.[Description],
             S.[LastStatus],
             S.[EventType],
             S.[MatchData],
             S.[Parameters],
             S.[DataSettings],
             A.[TotalNotifications],
             A.[TotalSuccesses],
             A.[TotalFailures],
             SUSER_SNAME(Owner.[Sid]),
             Owner.[UserName],
             CAT.[Path],
             S.[LastRunTime],
             CAT.[Type],
             SD.NtSecDescPrimary
            from
             [Subscriptions] S inner join [Catalog] CAT on S.[Report_OID] = CAT.[ItemID]
             inner join [Users] Owner on S.OwnerID = Owner.UserID
             inner join [Users] Modified on S.ModifiedByID = Modified.UserID
             left outer join [SecData] SD on CAT.[PolicyID] = SD.[PolicyID] AND SD.AuthType = @AuthType
             left outer join [ActiveSubscriptions] A with (NOLOCK) on S.[SubscriptionID] = A.[SubscriptionID]";

      InstrumentedSqlCommand command1 = Storage.NewSqlCommand(text1, CommandType.Text, base.Connection, base.Transaction, base.SqlCommandTimeout);
      command1.Parameters.Add("@AuthType", WebConfigUtil.AuthenticationType);
      if ((user != null) && (user != ""))
      {
            this.AddClause(ref text1, ref flag1, "Owner.[Sid] = @UserSid");
            command1.Parameters.Add("@UserSid", Native.NameToSid(user));
      }

  <removed code>
}

Now the interesting bit is:

            this.AddClause(ref text1, ref flag1, "Owner.[Sid] = @UserSid");
            command1.Parameters.Add("@UserSid", Native.NameToSid(user));

Why are they trying to lookup a SID for my custom username? Of course this fails, which results in a WHERE clause that fails to grabs our subscriptions.

Has anyone else found this? Am I completely wrong?

BTW: I'm using Reporting Services SP 2.

The following information is provided for informational purposes only. Neither my employer or I provide this information as a means to exceed you licence limit for InstallshieldX. Dont be a moron.

How to Disable InstallshieldX licence checks when opening VS.NET solutions

On to business:

1. Fire up regedit
2. navigate to HKLM\Software\Installshield\10.0\Professional
3. Change string key 'VSDotNet11SCKey' to point to a non-existant file. E.g. change existing value by adding a '2' to the end of the filename. Here's my settings: C:\Program Files\Microsoft Visual Studio .NET 2003\Common7\IDE\devenv.exe /command "View.ShowWebBrowser file://C:\PROGRA~1\INSTAL~2\Program\0409\GETSTA~1.HTM2"
4. restart VS.NET

job done.

In one of my current projects some strange errors have been tracked down to cookies, more specifically their implementation in ASP.NET. Here's is a handy guide found by a colleugue:

golden rules of the cookie: http://www.codeproject.com/aspnet/aspnetcookies.asp

thread discussing similar issues: http://www.dotnet247.com/247reference/msgs/57/289969.aspx

Scott's 10 Utilities in 10 Minutes Golktalk is now available. Podcast the whole lot.

The Bungie.net site is the online companion to the wildly successful Halo 2 video game for Xbox, released in November 2004 by Microsoft. The site also acts as the community hub for all things related to Bungie games. Built with the Microsoft .NET Framework, Bungie.net serves up more than 4 million pages per day, accumulating 300 gigabytes of online game statistics per month from more than 1 million games played daily. Deemed "Most Innovative Design" by IGN Entertainment in 2004, the site provides innovative ways for users to view game statistics and details as well as interact with each other through forums and team Web pages. The release of the Bungie.net site represented a milestone in online console game play. This case study provides insight into this accomplishment.

 Bungie.net Technical Case Study

New on MSDN TV:

Using the New Visual Studio 2005 Report Controls

Report Authoring Tips and Tricks

Developing a Model for Report Builder and End-user Report Authoring

Making more of the code I'm writing this week redudant. Sigh...

Finally figured out why UltraEdit sometimes screws up xml files when edited. It’s not a bug.

They are writing an industry standard Byte Order Mark (BOM) header to Unicode files.

These screw up some Microsoft XML parsers including .NET and IE6. They don’t follow the industry standard!

Open the Advanced - Configuration - General dialog and scroll to section Load/Save/Conversions.

Set Automatically convert to DOS format, if necessary.
Enable Auto detect UTF-8 files.
Activate Save file as input format.

Turn off Write UTF-8 BOM header to ALL UTF-8 files when saved.

Turn off Write UTF-8 BOM on new files created within this program

Because you want all files as UTF-8 files, go to section Editing.
Enable Always create new files as UNICODE.

Change your settings now and save hours of wasted time.

Narrowing down the development/system tools that you must try from the Ultimate List to just 10 - Scott Hanselman's TechEd Groktalk

One of my favourite blogs has just released an updated list of must have developer tools. Best start downloading!