As part of the review process at Waterstons we have to set objectives to try and achieve throughout the coming year. I want to orientate mine around stuff I didn't know but wanted to know - here is my list:-

We are currently working with a client who requires two BizTalk web services to talk to each other, however because they are in different locations there is no common account we can use to secure the communication. Below shows an example of the setup:

BizTalk Server 1:

This orchestration has an input port (which accepts an xml file) – this message is then passed to a request reply port (which will call a webservice hosted on BizTalk server 2). The response is then passed to the output port (which is saved to an xml file).

BizTalk server 2:

This orchestration is a simple webservice which accepts a message, does something with the contents and returns the new message.

This posting assume you have two orchestrations already talking to each other using wcf without any authentication

Ok that’s the scenario defined – lets get onto the more interesting part!

Configuring BizTalk server 1 (The WCF consumer):

Since we are going to be securing the webservice with certificates lets start by generating the client certificate. Run the following code on the server which will be connecting to the webservice (BizTalk server 1 in my case) in a command prompt:

makecert -r -pe -n "CN=ClientCertName" -b 01/01/2005 -e 01/01/2100 -sky exchange -ss my

To view the certificate type mmc into command prompt, then go to file add/remove snap in, and select Certificates. You should be given an option to select select who you will be managing the certificates for – select “My user account”

Now if you look in the Personal folder you should see your certificate. We will need to install this same certificate in a few other places so right click on it and select export. Ensure you include the private key (you actually don't need the private key on the BizTalk server hosting the webservice, but for this demo I have included it).

Now we need to install this certificate in two different locations. On BizTalk server 1 we need to install it under the user account running the host instance. To do this open up a command prompt and type:

runas /user:DOMAINNAME\USERNAME mmc

then type the password for the user. In the management console again select the certificate add in. You can then import the certificate by right clicking on personal and selecting import.

Now we can configure this server to use the certificate you have added. Go into the send port you have generated and ensure you used the type wcf-wshttp – then click configure. For the address modify the url to use Https, then go to the security tab. Here you want to change the security mode to Transport with transport client type: certificate. Then in the client certificate panel click browse. Here you should be able to select the certificate you have just generated.

That’s the first server configured.

Configuring Server 2 (The WCF Provider):

On the second server go to the receive location and select your WCF port. Click configure and go to Security. Set the security mode to Transport, and the client credential type to Certificate.

Now we need to configure IIS to host the ssl web service.

Firstly we will need to get another certificate to allow ssl to occur – so right click on the web site and go to properties, then Directory Security and click server certificate. Click the “Create a new certificate” and next followed by “Prepare the request now, but send it later” (You may be able to click send the request immediately to an online certification authority depending on your setup) Fill in all the details ensuring the field named “Common Name” is the dns name used to connect to this machine from Server 1. This will generate a text file which you can then give to a certificate authority to get a valid ssl certificate (this will have to be a certificate authority trusted by Server one – so possible a public authority like VeriSign).

Once you have your certificate you should be able to add it by re-running the above wizard.

Now what we need to do is install the client certificate generated on server 1 – ensure this is installed into the Local Computer certificate store so IIS can access it. Remember for security this certificate should not really include the private key.

After you have added your certificate click the edit button shown below

Then select the following “Require Secure Channel”, “Require Client Certificates” and “Enable Certificate Trust List”, then click New...

This Wizard will allow you to specify the client certificates which can be used to access the webservice. Click Add from store then select the client certificate installed above. Click next, give it a friendly name, next and Finish. Then select the certificate list:

You will probably have to restart IIS now before this works correctly (and I had to restart IIS every time I changed the certificate trust list).

And thats it! Transport security with client certificates DONE.

Here are some error messages you might get and how to fix them:

The adapter failed to transmit message going to send port "SendPort1" with URL "https://ServerName/TestWebserviceCommunication/TestWebserviceCommunication_ProcessMessage_SendAndRecieve.svc". It will be retransmitted after the retry interval specified for this Send Port. Details:"System.InvalidOperationException: Cannot find the X.509 certificate using the following search criteria: StoreName 'My', StoreLocation 'CurrentUser', FindType 'FindByThumbprint', FindValue '23D68B9999C21FC93702D259736DD0CC1C752B61'.
   at System.ServiceModel.Security.SecurityUtils.GetCertificateFromStoreCore(StoreName storeName, StoreLocation storeLocation, X509FindType findType, Object findValue, EndpointAddress target, Boolean throwIfMultipleOrNoMatch)
   at System.ServiceModel.Security.SecurityUtils.GetCertificateFromStore(StoreName storeName, StoreLocation storeLocation, X509FindType findType, Object findValue, EndpointAddress target)
   at System.ServiceModel.Security.X509CertificateInitiatorClientCredential.SetCertificate(StoreLocation storeLocation, StoreName storeName, X509FindType findType, Object findValue)
   at Microsoft.BizTalk.Adapter.Wcf.Runtime.WcfClient`2.ApplyClientCertificate(ClientCredentials clientCredentials)
   at Microsoft.BizTalk.Adapter.Wcf.Runtime.WcfClient`2.CreateChannelFactory[TChannel](IBaseMessage bizTalkMessage)
   at Microsoft.BizTalk.Adapter.Wcf.Runtime.WcfClient`2.InitializeValues(IBaseMessage message)
   at Microsoft.BizTalk.Adapter.Wcf.Runtime.WcfClient`2..ctor(IBaseMessage message, WcfTransmitter`2 transmitter)
   at Microsoft.BizTalk.Adapter.Wcf.Runtime.WcfTransmitter`2.GetClientFromCache(String spid, IBaseMessage message)
   at Microsoft.BizTalk.Adapter.Wcf.Runtime.WcfAsyncBatch`2.BatchWorker(List`1 messages)".

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

This error is because your client certificate is stored in your cert store, but not the cert store used by the biztalk host instance. Look at the step above showing how to run mmc as another user to fix this problem.

The adapter failed to transmit message going to send port "SendPort1" with URL "https://ServerName/TestWebserviceCommunication/TestWebserviceCommunication_ProcessMessage_SendAndRecieve.svc". It will be retransmitted after the retry interval specified for this Send Port. Details:"System.ServiceModel.Security.MessageSecurityException: The HTTP request was forbidden with client authentication scheme 'Anonymous'. ---> System.Net.WebException: The remote server returned an error: (403) Forbidden.
   at System.Net.HttpWebRequest.EndGetResponse(IAsyncResult asyncResult)
   at System.ServiceModel.Channels.HttpChannelFactory.HttpRequestChannel.HttpChannelAsyncRequest.CompleteGetResponse(IAsyncResult result)
   --- End of inner exception stack trace ---

Server stack trace: 
   at System.ServiceModel.AsyncResult.End[TAsyncResult](IAsyncResult result)
   at System.ServiceModel.Channels.ServiceChannel.SendAsyncResult.End(SendAsyncResult result)
   at System.ServiceModel.Channels.ServiceChannel.EndCall(String action, Object[] outs, IAsyncResult result)
   at System.ServiceModel.Channels.ServiceChannel.EndRequest(IAsyncResult result)

Exception rethrown at [0]: 
   at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
   at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
   at System.ServiceModel.Channels.IRequestChannel.EndRequest(IAsyncResult result)
   at Microsoft.BizTalk.Adapter.Wcf.Runtime.WcfClient`2.RequestCallback(IAsyncResult result)".

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

This error is because the service you have used was not trusted on the Server 2, ensure you have the correct client certificate selected in IIS.

If you use Microsoft SQL 2005 (or 2000, and probably 2008) then Sometimes you just have to shrink the transaction log in a hurry especially if you get this error:-

The transaction log for database 'DB NAME' is full. To find out why space in the log cannot be reused, see the log_reuse_wait_desc column in sys.databases

I can never remember the command to truncate the log before you can use the inbuilt tools to shrink it.

In case you have the same problem here is the command:

BACKUP LOG [DBNAME] WITH Truncate_only

you should then be able to shrink the log without issue

P.S. There are reasons why you wouldn't want to do this (mainly around data recovery) so only do this on a test/dev environment.

Thanks

Ross

Here are my five most useful tools

A great tool that you probably all know about. Lets you keep files and folders sync'd across platforms (PC, Mac and smartphone at the moment). What I love most about mesh is the direction its heading, the sync bit is pretty cool (but foldershare was sorta doing that anyway) as James blog shows there will be four types of 'things' which can interact with the mesh.

1. Creators - These are things like digital cameras (even standard digital cameras using eye-fi could use this! how cool).
2. Consumers - devices like mp3 players and digital picture frames
3. Rich end points - Pcs and Macs are the main things here, but may also include printers as shown below - this I REALLY like!
4. Processors - These are more applications that run on the mesh, things like backup to another cloud app.

You can watch the recent PDC talk here: http://channel9.msdn.com/pdc2008/BB35/ on it.

You can also use this to remotely control your pcs from anywhere - its great as it traverses firewalls really well, much more secure than opening your pc remote desktop port to the world!

This is wild speculation but I wonder how long before microsoft's Office Live (http://www.liveside.net/main/archive/2008/10/31/office-in-the-cloud.aspx) will be integrated into your mesh live desktop, and you could print to your home printer which is also in your mesh... very exciting Im sure you will agree!

IDrive

I love this tool. It is essentially an online backup tool which just works. You get 2GB for free or 150gb for $50 (annoyingly the set up recurring billing, and they didn't email me to remind me it would be coming out - even though they swear they did!). The backup and restore speeds are pretty decent, and the "continues backup" mode is a life saver - the first time you recover a file you deleted by accident you know it was worth the £30 ish quid!

IDrive also supports a history mode allowing you to roll back to a previously version - very handy (and this also doesnt come out of your space allowance). Im very impressed with the security, and cant recommend this tool enough!

Acronis True image

This tool is similar to Norton ghost but a lot more user friendly and cheap! For those who dont know Norton Ghost this allows you to take and restore an image of your pc. If you do this once a month your machine will run very quick.

This help prevent issues with activating software multiple times (starting to become more essential with the DRM included in just about everything).

If you use this with Live mesh then after you restore your pc, live mesh will automatically sync your latest files to your pc from the cloud - ideal!

Google Reader

Keep yourself up to date with all your favourite web sites everywhere you go (you can read it on your mobile to!)

My Sip Switch

Im just starting to get into using VOIP at home, and I have loads to learn still, but My Sip Switch is proving to be a very good starting place. I aim to go into a lot more detail soon, but currently Im able to use my sip switch for the following setup:-

I have two numbers from Sipgate, My Sip Switch is registered with both of them. One of the numbers (my personal number) will ring the house phone automatically, the second number will only ring the house phone during allowed hours(I will use this number for companies I dont trust!).

Sipgate Also provides a voicemail service, which get email to you. I am going to use the following tool to be alerted when I get an email:-

maybe a bit tacky, but its very useful to know when you have an email!

My sip gate also allows you to notify of calls via Google Talk, so I can tell when the house phone has called (and who called) when Im at work!

Using Fring I can also receive and make the voip calls via my smartphone, and Phonerlite to get the calls via my PC. For my home Im looking at a few different possible solutions for my home phone including a SPA3102 and a SPA1001. Both cost under £50.

Still havent quite decided how Im going to use for outbound calls, but the great thing is about My Sip Switch is that you are not tied into a particular provider. You can pick which provider you use for which calls, whether you sent your Caller ID or not, and implement redundancy (if one provider fails to call out then you can fail over to another).

Finally you dont need to worry about emergency calls anymore, Sipgate allows you to make 999 calls after you set a home location.

Hope you find some of these tools useful - if you do let me know!