Mehran Nikoo's Notes

This is a link post with links to tutorials, samples and training courses covering the recent releases of Microsoft’s development platform tools and technologies.

Visual Studio 2010 and .NET Framework 4 Training Kit (June 2010)

Covers:

• C# 4
• Visual Basic 10
• F#
• Parallel Extensions
• Windows Communication Foundation
• Windows Workflow
• Windows Presentation Foundation
• ASP.NET 4
• Windows 7
• Entity Framework
• ADO.NET Data Services
• Managed Extensibility Framework
• Visual Studio Team System

Download Page

Identity Developer Training Kit (June 2010)

Covers:

• Windows Identity Foundation

Download Page

Windows Azure Training Kit (June 2010)

Covers:

• Windows Azure
• SQL Azure
• Windows Azure AppFabric Service Bus
• Windows Azure AppFabric Access Control Service
• Dallas
• Access and Identity in the Cloud
• Windows Azure Storage
• Windows Azure Deployment

Download Page

Windows Server AppFabric Samples (June 2010)

Covers:

• Windows Server AppFabric Cache
• Windows Server AppFabric Hosting

Download Page

Silverlight 4 Training (April 2010)

Covers:

• Silverlight 4
• WCF RIA Services

Download Page

Windows Server AppFabric simplifies the process of creating, scaling and managing web and composite applications that run on IIS and includes the following components:

• AppFabric Caching Services (code-named “Velocity”)
  • Caching services
  • Cache client
  • Cache administration
• AppFabric Hosting Services (code-named “Dublin”)
  • Hosting services
  • Hosting administration

You can get the RTW bits using the Web Platform Installer or downloading it directly from here.

The supported operating systems are both 32-bit and 64-bit editions of:

• Windows 7
• Windows Server 2008 R2
• Windows Vista SP2
• Windows Server 2008 SP2

You will also need a version of .NET Framework, depending on the features you want to use (more info):

• Hosting administration: .NET 4
• Hosting services: .NET 4
• Cache administration: .NET 4
• Caching service: .NET 4 and optionally .NET 3.5 (.NET 3.5 adds new capabilities)
• Cache client: .NET 4 and .NET 3.5 (depending on client application)

There are a number of additional resources linked from the landing page, including the Windows Server AppFabric wiki.

Last week, I had a enquiry from a customer about the Spanish locale for the United States. As he mentioned, it does make sense to have this locale, especially for the users based in the southern regions of the US. If you are running Windows XP or Windows Server 2003, there is no such locale supported by the operating system so if you try to access this locale in a managed application by writing this line of code:

CultureInfo cultureInfo = new CultureInfo(“es-US”);

you will get an ArgumentException, which says: “Culture name ‘es-US’ is not supported”. As a workaround, you can use the “es-MX” locale or create your own locale.

But the good news is that the support for the “es-US” locale was added in Windows Vista and Windows Server 2008 so if you are running one of these operating systems, you can now use the es-US locale (LCID = 21514) and the same line of code we used above will work fine.

This page has a complete list of the locale IDs assigned by Microsoft so if you thinking of creating your own locale, check this list first to make sure there is no conflict with the existing locales.

As we already know, apart from bug fixes, .NET Framework 3.5 SP1 includes major product enhancements such as ADO.NET Entity Framework, ADO.NET Data Services and enhanced LINQ to SQL (which now supports the new date and FILESTREAM data types in SQL Server 2008). Clearly, this is not an exhaustive list so please refer to the release notes for more information on the new features. It is also good to know that: 

• .NET Framework 3.5 SP1 introduces the concept of a client-only subset of the framework called “.NET Framework Client Profile”. The size of the runtime in the Client Profile is only 26.5MB so it is much smaller than the full framework. This allows solutions based on the client components such as WinForms, WPF and VSTO to be deployed much easier. Clearly, when you are developing your application, you need to make sure that you don’t use a feature that is not part of the Client Profile. When you install Visual Studio 2008 SP1, it adds a new property to the project settings in Visual Studio that will enforce the Client Profile policy. Enabling this option will prevent you from using the types in those assemblies that are not shipped as part of the Client Profile, which is exactly what you need.
• The setup package for .NET Framework 3.5 SP1 installs .NET Framework 2.0 SP2 and .NET Framework 3.0 SP2 first, which means you “technically” need to retest your existing .NET 2.0 and .NET 3.0 applications too.

More: Download Links, VS 2008 SP1 and NET 3.5 SP1 Dev Center

Microsoft will apply changes to its technology and business practices, which will cover high-volume business products including Windows Vista, Windows Server 2008, SQL Server 2008, Office 2007, Exchange Server 2007, Office SharePoint Server 2007 and all future versions of these products.

Here are some of the specific actions Microsoft is taking to implement these new interoperability principles: 

• Ensuring open connections to Microsoft’s high-volume products
• Documenting how Microsoft supports industry standards and extensions
•  Enhancing Office 2007 to provide greater flexibility of document formats
• Launching the Open Source Interoperability Initiative
• Expanding industry outreach and dialogue

You can find more about these initiatives here.

Here is the press release for Windows Server 2008 RTM and you can find more about Windows Server 2008 here.

As you may know, the great thing about this combined release is that Windows Server 2008 and Windows Vista SP1 share a large portion of their code base. This makes the desktop and the server operating systems more consistent when it comes to common features like security and networking. This is exciting news for developers as in the past; we had to deal with the difference in the behaviour of some of the components like IIS in the desktop OS (IIS 5.1 in Windows XP) and the server OS (IIS 6.0 in Windows Server 2008). Windows Vista and Windows Server 2008 are much closer in terms of their code base and behaviour and the combined release of Windows Vista SP1 and Windows Server 2008 brings them even closer to each other.

At the time of this writing, the following editions are available to MSDN Subscribers for download:

- Windows Server 2008 Standard (x64)
- Windows Server 2008 Enterprise (x64)
- Windows Server 2008 Datacenter (x64)

Please note that these editions come with the beta version of Hyper-V and can be updated when Hyper-V is released later in the year.

And the following editions will be coming soon:

- Windows Server 2008 Standard (x86)
- Windows Server 2008 Enterprise (x86)
- Windows Server 2008 Datacenter (x86)
- Windows Web Server 2008 (x86, x64)
- Windows Server 2008 for Itanium-Based Systems
- Windows Server 2008 Standard without Hyper-V (x86, x64)
- Windows Server 2008 Enterprise without Hyper-V (x86, x64)
- Windows Server 2008 Datacenter without Hyper-V (x86, x64)

More information on Windows Server 2008 editions.

Although the SP1 for Windows Vista has reached the RTM milestone, the broad release of Windows Vista SP1 is currently scheduled for mid-March. This will allow the hardware vendors to address the issues with their device drivers before SP1 is broadly released to the customers. You can read more about the release for Windows Vista SP1 here.

Update 1 (10 Feb 2008): Windows Web Server 2008 (x86, x64) and Windows Server 2008 Datacenter, Enterprise and Standard (x86) are now available for download via MSDN Subscriber Downloads.

Update 2 (14 Feb 2008): All editions mentioned in the above list can now be downloaded from the MSDN Subscriber Downloads.

Every time I have read about the Kerberos protocol in the past, I have just passed through the section that talks about the “Authenticator” and have never thought about its role in the authentication process. For some reason I decided to know more about it today so this post explains what it does and why we need it.

** As you may know, the Kerberos protocol is based on the concept of key distribution and a number of keys are involved in the authentication process so I have used color coding to simplify correlation. Items in the same colour are referring to the same key. **

When a Kerberos client wants to interact with a service (like a secured WCF service), it needs a service ticket to pass its credentials to the service and prove its identity. The client obtains this service ticket by sending a request to the Key Distribution Center (KDC). After verifying the user credentials, the KDC creates and returns the following items back to the client:

• A session key for the client to use with the service, encrypted with the user’s logon session key (which is kept securely by the client).


• The same session key mentioned above along with the user’s authorisation data, encrypted with the service’s long-term key (only known to the KDC and the service).

The session key and the service ticket are stored in the user credential cache on the client. From this point, the client sends the service ticket to the service when creating a new connection. Since the service ticket is encrypted with the service’s long-term key (which is only known to the KDC and the service), the service can trust the contents of the ticket and safely assumes that the ticket was created by the KDC. But what it can’t do is to make sure that the message was sent by the client specified in the service ticket as the ticket could have been stolen and played by a malicious node. This is where the “Authenticator” comes to the rescue.

Before sending the service ticket to the service, the client creates the authenticator, which includes the user name and the current time on the client. It then encrypts the authenticator with the session key created by the KDC for the client to use with the service. The client and the service are the only nodes who know this session key (the KDC encrypted the first copy with the user’s logon session key and the other copy with the service’s long-term key) so if the service can decrypt the authenticator successfully, we know that the client who is trying to access the service is not malicious. The service performs this verification by decrypting the service ticket (it knows its own long-term key), extracting the session key, decrypting the authenticator using the session key and comparing the user name in the authenticator to the user name in the service ticket.

We mentioned that the authenticator has another data element too: the current time on the client. This timestamp helps in preventing message replay by malicious parties on the network. The server does this by comparing the client timestamp embedded in the authenticator with its own time when the message is received. Now the question is, how can we make sure that a minor time difference caused by network latency and/or clock skew on either of the nodes does result in rejection of all messages by the server? There are two mechanisms to prevent this from happening:

• An error margin for the clock skew. As long as the time on the client is within few minutes (the default is 5 and is defined using a domain-wide group policy) of the server’s time, the service will ignore the difference and will accept the message.


• Time synchronisation. This is one of the major reasons why Active Directory controllers provide a time synchronisation service. If the time on the client computer goes out-of-sync (outside the defined range), it may experience problems when logging onto the domain and/or using the services on the domain.

To prevent replay attacks, the service keeps a log of the authenticators it receives in a replay cache and only accepts the authenticator if it can’t find it in its replay cache. Since the authenticators are valid only for few minutes, the service can purge the older items from its replay cache as those authenticators with an older timestamp will be rejected anyway.

So the authenticator plays two major roles in Kerberos and Active Directory:

• Enabling the service to verify that the sender of the service ticket is the client the service ticket was created for.


• Helping the service in preventing replay attacks by rejecting duplicate authenticators or those authenticators whose timestamp is out-of-sync.

If you want to know more about this topic, then go and read this TechNet article.

We had an announcement earlier this year about the combined launch of Windows Server 2008, SQL Server 2008 and Visual Studio 2008, which is scheduled for 27th Feb 2008. It is important to know that the launch date is not necessarily the same as the release date. The launch date is when the official promotion for the product is started and the global launch tours, training and readiness events are kicked off. As the name suggests, the release date is when the product is released to manufacturing (RTM).

Combined launch: Q1 2008 (27/02/2008)
Visual Studio 2008 release: expected in Q4 2007
Windows Server 2008 release: expected in Q1 2008
SQL Server 2008 release: later in 2008