Sergey Shishkin

on agile software development

Running CardSpace STS Sample

As I mentioned before, even deploying the new CardSpace samples on Vista RC1 is already a challenge. Running the samples themselves can also bring up some surprises…

First, the SetSSLCertificate.bat script, which is needed to run the WCF SampleSecurityTokenService, uses the httpcfg.exe utility, which was not installed on my machine 😦 However, the netsh utility in Vista now supports the http context and can be used to set up the required SSL certificate bindings. Here is my version of the script:

rem FIRST CLEAR ANY CERTIFICATE
netsh http delete sslcert ipport=
rem SECOND, SET THE CERT FOR HTTPS to FABRIKAM's CERT (appid = any GUID)
netsh http add sslcert ipport= certhash=d47de657fa4902555902cb7f0edd2ba9b05debb8 appid={C61EC2E2-BC18-4522-903B-F44A56299787}

Note: the appid parameter of the netsh http add sslcert command is required, but it is used only as a unique identifier of the binding – it has nothing to do with the application that will use the binding. It can be any valid GUID.

Now the service runs, but only with elevated privileges. To let it run without administrative rights, one needs to reserve the URLs of all the service's endpoints for the service's account. That can be done with the netsh http add urlacl command:

rem THIRD, REGISTER NAMESPACE RESERVATION FOR EACH SERVICE'S ENDPOINT
set SERVICE_ACCOUNT=MYCOMPUTER\MyService
netsh http add urlacl url=http://+:7000/sample/trust/smartcard/ user=%SERVICE_ACCOUNT%
netsh http add urlacl url=https://+:7001/sample/trust/smartcard/mex/ user=%SERVICE_ACCOUNT%
netsh http add urlacl url=http://+:7000/sample/trust/selfissuedsaml/ user=%SERVICE_ACCOUNT%
netsh http add urlacl url=https://+:7001/sample/trust/selfissuedsaml/mex/ user=%SERVICE_ACCOUNT%
netsh http add urlacl url=http://+:7000/sample/trust/usernamepassword/ user=%SERVICE_ACCOUNT%
netsh http add urlacl url=https://+:7001/sample/trust/usernamepassword/mex/ user=%SERVICE_ACCOUNT%
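Once the reservations are in place it is worth checking that they landed on the right account and that nothing is reserved more broadly than intended, since a URL reserved for Everyone lets any local user bind that namespace. The following audit script is an added example and not part of the original post or the CardSpace samples: it parses the output of netsh http show urlacl, verifies that each of the six endpoint URLs above is reserved for the service account (the MYCOMPUTER\MyService name is the same placeholder as in the script), and flags reservations granted to broad principals. The embedded netsh output is constructed for the demo; on Windows the live_reservations() helper feeds real output into the same parser.

```python
"""Audit HTTP.sys URL reservations for the sample STS endpoints.

Added example, not code from the original post. The SAMPLE_OUTPUT below is
a constructed imitation of 'netsh http show urlacl' output, not a capture.
"""
import re
import subprocess
from typing import Dict, List

# Placeholder account, as in the post's batch script.
SERVICE_ACCOUNT = r"MYCOMPUTER\MyService"

# The six endpoint URLs the sample STS listens on (taken from the post).
EXPECTED_URLS = [
    "http://+:7000/sample/trust/smartcard/",
    "https://+:7001/sample/trust/smartcard/mex/",
    "http://+:7000/sample/trust/selfissuedsaml/",
    "https://+:7001/sample/trust/selfissuedsaml/mex/",
    "http://+:7000/sample/trust/usernamepassword/",
    "https://+:7001/sample/trust/usernamepassword/mex/",
]

# Principals that make a reservation usable by any local user (casefolded,
# leading backslash stripped, matching how netsh prints e.g. "\Everyone").
BROAD_PRINCIPALS = {"everyone", r"builtin\users", r"nt authority\authenticated users"}

# Constructed sample: five endpoints reserved correctly (one with different
# letter case, which Windows treats as the same account), the usernamepassword
# mex endpoint missing, and an unrelated URL reserved for Everyone.
SAMPLE_OUTPUT = r"""
URL Reservations:
-----------------

    Reserved URL            : http://+:7000/sample/trust/smartcard/
        User: MYCOMPUTER\MyService
            Listen: Yes
            Delegate: No
            SDDL: D:(A;;GX;;;S-1-5-21-0-0-0-1001)

    Reserved URL            : https://+:7001/sample/trust/smartcard/mex/
        User: MYCOMPUTER\MyService
            Listen: Yes
            Delegate: No

    Reserved URL            : http://+:7000/sample/trust/selfissuedsaml/
        User: mycomputer\myservice
            Listen: Yes
            Delegate: No

    Reserved URL            : https://+:7001/sample/trust/selfissuedsaml/mex/
        User: MYCOMPUTER\MyService
            Listen: Yes
            Delegate: No

    Reserved URL            : http://+:7000/sample/trust/usernamepassword/
        User: MYCOMPUTER\MyService
            Listen: Yes
            Delegate: No

    Reserved URL            : http://+:8080/legacy/
        User: \Everyone
            Listen: Yes
            Delegate: No
"""


def _norm(principal: str) -> str:
    """Normalise an account name for comparison (case-insensitive, no leading '\\')."""
    return principal.strip().lstrip("\\").casefold()


def parse_urlacl(text: str) -> Dict[str, List[str]]:
    """Map each 'Reserved URL' to the list of 'User:' principals granted on it."""
    reservations: Dict[str, List[str]] = {}
    current = None
    for line in text.splitlines():
        m = re.match(r"\s*Reserved URL\s*:\s*(\S+)", line)
        if m:
            current = m.group(1)
            reservations[current] = []
            continue
        m = re.match(r"\s*User:\s*(.+?)\s*$", line)
        if m and current is not None:
            reservations[current].append(m.group(1))
    return reservations


def audit(reservations: Dict[str, List[str]], expected_urls: List[str],
          service_account: str) -> List[str]:
    """Return findings: missing or mis-assigned endpoint reservations, and broad grants."""
    findings = []
    for url in expected_urls:
        users = reservations.get(url)
        if users is None:
            findings.append(f"MISSING: {url} not reserved; the service needs admin rights to listen")
        elif _norm(service_account) not in {_norm(u) for u in users}:
            findings.append(f"WRONG ACCOUNT: {url} reserved for {users}, not {service_account}")
    for url, users in reservations.items():
        for user in users:
            if _norm(user) in BROAD_PRINCIPALS:
                findings.append(f"TOO BROAD: {url} reserved for {user}; any local user could bind it")
    return findings


def live_reservations() -> Dict[str, List[str]]:
    """Windows only: run netsh and parse the real reservation table."""
    out = subprocess.run(["netsh", "http", "show", "urlacl"],
                         capture_output=True, text=True, check=True).stdout
    return parse_urlacl(out)


if __name__ == "__main__":
    for finding in audit(parse_urlacl(SAMPLE_OUTPUT), EXPECTED_URLS, SERVICE_ACCOUNT):
        print(finding)
```

Run against the constructed sample the script reports the missing usernamepassword mex reservation and the Everyone grant; on the real machine replace parse_urlacl(SAMPLE_OUTPUT) with live_reservations(). The same parser shape works for netsh http show sslcert if you also want to confirm the certificate binding from the first script.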


Written by Sergey Shishkin

05.10.2006 at 13:11

