Anders Revsgaard

Architecture and federated security in .NET

Needs to track time?

Sortingtime makes it easy to track time on tasks and gives you a quick overview of registered time. You can afterword’s select tasks or groups and send PDF reports as well as invoices. Furthermore, you get a overview of the expected monthly turnover and historically turnover.


Brug for at registrerer tid

Sortingtime gør det nemt at registre tid på opgaver og giver et hurtigt overblik over registreret tid. Efterfølgende kan du vælge opgaver eller grupper og sende PDF rapporter samt fakturaer. Sortingtime giver dig overblik over månedens forventede omsætning og historiske omsætning.

Configuren Logging in WCF and WIF

Logging is configured the same way in WCF web services and WCF clients which is both using WIF. The logging functionality is configured as shown in the following steps.

1. Creating a system.diagnostics element. This one is logging all information’s.



      <source name=”Microsoft.IdentityModel” switchValue=”Verbose”>
          <add name=”wif” />
      <source name=”System.ServiceModel.MessageLogging” logKnownPii=”false” switchValue=”Verbose”>
          <add name=”wcf” />
      <add name=”wcf” type=”System.Diagnostics.XmlWriterTraceListener”
           initializeData=”C:\logs\SomeAppl_WCF.svclog” />
      <add name=”wif” type=”System.Diagnostics.XmlWriterTraceListener”
           initializeData=”C:\logs\SomeAppl_WIF.svclog” />
    <trace autoflush=”true” />

2. Configuring logging for WCF. There is no more configuration needed regardig WIF.





      <messageLogging logEntireMessage=”true”



Create test certificates for custom STS and ADFS 2

How to create test certificates with OpenSSL for custom STS deployed on IIS and ADFS 2.

Download OpenSSL for windows her.

Set the path to OpenSSL bin folder in cmd prompt: PATH=%PATH%;c:\OpenSSL-Win32\bin

And set OpenSSL config path in cmd prompt: set OPENSSL_CONF=c:\OpenSSL-Win32\bin\openssl.cfg

Create CA root certificate

  1. openssl req -x509 -nodes -days 3650 -subj /C=DK/L=Denmark/O=TestCompany/OU=TestDepartment/ -newkey rsa:2048 -keyout testCARootPrivateKey.key -out testCARootCertificate.crt
  2. openssl pkcs12 -export -out testCARootCertificate.pfx -inkey testCARootPrivateKey.key -in testCARootCertificate.crt

Create SSL certificate for IIS, which trusts the root certificate

  1. openssl req -nodes -days 3650 -subj /C=DK/L=Denmark/O=TestCompany/OU=TestDepartment/ -newkey rsa:2048 -keyout testsite.mydomain.comPrivateKey.key -out testsite.mydomain.comCertificate.csr
  2. openssl x509 -req -days 3650 -in testsite.mydomain.comCertificate.csr -CA testCARootCertificate.crt -CAkey testCARootPrivateKey.key -CAcreateserial -out testsite.mydomain.comCertificate.crt
  3. openssl pkcs12 -export -out testsite.mydomain.comCertificate.pfx -inkey testsite.mydomain.comPrivateKey.key -in testsite.mydomain.comCertificate.crt

Create Signing certificate, which trusts the root certificate

  1. openssl req -nodes -days 3650 -subj “/C=DK/L=Denmark/O=TestCompany/OU=TestDepartment/CN=STS Signing –” -newkey rsa:2048 -keyout “STS Signing – testsite.mydomain.comPrivateKey.key” -out “STS Signing – testsite.mydomain.comCertificate.csr”
  2. openssl x509 -req -days 3650 -in “STS Signing – testsite.mydomain.comCertificate.csr” -CA testCARootCertificate.crt -CAkey testCARootPrivateKey.key -CAcreateserial -out “STS Signing – testsite.mydomain.comCertificate.crt”
  3. openssl pkcs12 -export -out “STS Signing – testsite.mydomain.comCertificate.pfx” -inkey “STS Signing – testsite.mydomain.comPrivateKey.key” -in “STS Signing – testsite.mydomain.comCertificate.crt”

Create Encrypting certificate, which trusts the root certificate

  1. openssl req -nodes -days 3650 -subj “/C=DK/L=Denmark/O=TestCompany/OU=TestDepartment/CN=STS Encrypting –” -newkey rsa:2048 -keyout “STS Encrypting – testsite.mydomain.comPrivateKey.key” -out “STS Encrypting – testsite.mydomain.comCertificate.csr”
  2. openssl x509 -req -days 3650 -in “STS Encrypting – testsite.mydomain.comCertificate.csr” -CA testCARootCertificate.crt -CAkey testCARootPrivateKey.key -CAcreateserial -out “STS Encrypting – testsite.mydomain.comCertificate.crt”
  3. openssl pkcs12 -export -out “STS Encrypting – testsite.mydomain.comCertificate.pfx” -inkey “STS Encrypting – testsite.mydomain.comPrivateKey.key” -in “STS Encrypting – testsite.mydomain.comCertificate.crt”

ADFS 2 CRL configuration

ADFS 2 has CRL (certificate revocation list, from the issuing CA) checking enabled by default. This will result in an error if you have a Claims Provider Trust to an ADFS 2, using test certificates. The problem is solved by changing the CLR checking to none.
This is done by running the set-ADFSClaimsProviderTrust PowerShell command for the Claims Provider Trust in this example named “trust to sts”.

set-ADFSClaimsProviderTrust –TargetName “trust to sts” –SigningCertificateRevocationCheck None

The same is the case having a Relaying Party Trust to a ADFS 2, using test certificates.

set-ADFSRelyingPartyTrust –TargetName “other relying sts” –EncryptionCertificateRevocationCheck None