Mehran Nikoo's Notes

Visual Studio 2008 Trial

The Visual Studio 2008 release includes the (free) Express editions of the product but if you want to evaluate the full version of the product, you can download the 90-day evaluation version from here. The following products are (or will be made) available:

• Visual Studio 2008 Professional Edition (Coming Soon)
• Visual Studio Team System 2008 Team Suite
• Visual Studio Team System 2008 Team Foundation Server
• Visual Studio Team System 2008 Test Load Agent

Visual Studio 2008 and .NET Framework 3.5 Are Released

According to the plan, Visual Studio 2008 (x86 and x64 WoW) and .NET Framework 3.5 were released to web this morning and they are both available for download on MSDN Subscriber Downloads. Enjoy :)

The Authenticator in Kerberos and Active Directory

Every time I have read about the Kerberos protocol in the past, I have just passed through the section that talks about the "Authenticator" and have never thought about its role in the authentication process. For some reason I decided to know more about it today so this post explains what it does and why we need it.

** As you may know, the Kerberos protocol is based on the concept of key distribution and a number of keys are involved in the authentication process so I have used color coding to simplify correlation. Items in the same colour are referring to the same key. **

When a Kerberos client wants to interact with a service (like a secured WCF service), it needs a service ticket to pass its credentials to the service and prove its identity. The client obtains this service ticket by sending a request to the Key Distribution Center (KDC). After verifying the user credentials, the KDC creates and returns the following items back to the client:

• A session key for the client to use with the service, encrypted with the user's logon session key (which is kept securely by the client).
• The same session key mentioned above along with the user's authorisation data, encrypted with the service's long-term key (only known to the KDC and the service).

The session key and the service ticket are stored in the user credential cache on the client. From this point, the client sends the service ticket to the service when creating a new connection. Since the service ticket is encrypted with the service's long-term key (which is only known to the KDC and the service), the service can trust the contents of the ticket and safely assumes that the ticket was created by the KDC. But what it can't do is to make sure that the message was sent by the client specified in the service ticket as the ticket could have been stolen and played by a malicious node. This is where the "Authenticator" comes to the rescue.

Before sending the service ticket to the service, the client creates the authenticator, which includes the user name and the current time on the client. It then encrypts the authenticator with the session key created by the KDC for the client to use with the service. The client and the service are the only nodes who know this session key (the KDC encrypted the first copy with the user's logon session key and the other copy with the service's long-term key) so if the service can decrypt the authenticator successfully, we know that the client who is trying to access the service is not malicious. The service performs this verification by decrypting the service ticket (it knows its own long-term key), extracting the session key, decrypting the authenticator using the session key and comparing the user name in the authenticator to the user name in the service ticket.

We mentioned that the authenticator has another data element too: the current time on the client. This timestamp helps in preventing message replay by malicious parties on the network. The server does this by comparing the client timestamp embedded in the authenticator with its own time when the message is received. Now the question is, how can we make sure that a minor time difference caused by network latency and/or clock skew on either of the nodes does result in rejection of all messages by the server? There are two mechanisms to prevent this from happening:

• An error margin for the clock skew. As long as the time on the client is within few minutes (the default is 5 and is defined using a domain-wide group policy) of the server's time, the service will ignore the difference and will accept the message.
• Time synchronisation. This is one of the major reasons why Active Directory controllers provide a time synchronisation service. If the time on the client computer goes out-of-sync (outside the defined range), it may experience problems when logging onto the domain and/or using the services on the domain.

To prevent replay attacks, the service keeps a log of the authenticators it receives in a replay cache and only accepts the authenticator if it can't find it in its replay cache. Since the authenticators are valid only for few minutes, the service can purge the older items from its replay cache as those authenticators with an older timestamp will be rejected anyway.

So the authenticator plays two major roles in Kerberos and Active Directory:

• Enabling the service to verify that the sender of the service ticket is the client the service ticket was created for.
• Helping the service in preventing replay attacks by rejecting duplicate authenticators or those authenticators whose timestamp is out-of-sync.

If you want to know more about this topic, then go and read this TechNet article.

Free SQL Server 2008 E-Learning Offer

Via Shailan: We have a new (and free) e-Learning offer for SQL Server 2008, which is a 3 hour online collection and covers the following areas:

• What's New in SQL Server 2008 for Enterprise Data Platform
• What's New in SQL Server 2008 for Business Intelligence
• What's New in SQL Server 2008 for Database Development

Register here.

DataContract Constructors in WCF

When svcutil.exe is used to generate the proxy for a WCF service, it creates a copy of the service contract (interface) and the data contracts used by that service contract. If you use the DataContractSerializer on the service (the default option), you are implying that you want to share the contracts and not the types so the copy of the data contract created by svcutil.exe only includes the fields and properties decorated with DataMemberAttribute and does not include other members of the type like the constructors. This means that any additional constructor(s) you may have created for the data contract on the server side will not be present on the client.

So how should we design our application if we want to use the constructors on the client side? Typical consulting answer: "It depends".

• If you want to have a constructor with the same signature and implementation on the client, then sharing the types is an option. You can share the types by adding a reference to the assembly containing the data contract. You can then instruct svcutil.exe to use the referenced types instead of creating copies of those types using the /reference option (which is the default behaviour when you use "Add Service Reference" in Visual Studio). You need to understand that sharing the types will result in type fidelity and you will need to change the data contract on both sides every time you modify it. If you are building a service-oriented application, then you should try to avoid sharing the types as it does not follow the "Share the contract, not the type" tenet of service orientation.
   
• If you want to have one or more constructors on the client side but these constructors are not the same as those available on the server side, you can use svcutil.exe to generate the copy of the data contract on the client and then add the constructors you need on the client side. If you look at the type definition for the data contract svcutil.exe generates on the client, you will notice that it is marked as partial. So you can create a new file and define the constructors you want to add to the partial class. Note that you should not make any modifications to the generated class as you will lose your changes when you regenerate the class and in fact, this is one of the main reasons why partial classes are supported by the compilers.

Something that you need to be aware of is that the parameter-less constructor for the data contract is only called when the object is instantiated by your code. So for example, when you call a WCF service and the service returns a data contract, WCF runtime on the client side does not call the parameter-less constructor, which makes sense as the returned message includes all the state you need and there is no point in running the constructor. If you need to perform an operation when the message is received by the client, you can use OnDeserializingAttribute or OnDeserializedAttribute defined in System.Runtime.Serialization namespace.

In order to see how this works, let's have a look at an example. The Customer class is a data contract defined on the server side. It has one constructor that takes the customerId as the parameter.

We don't need any other constructor on the server side as the only place we need to instantiate the Customer class is in GetCustomer operation and the Customer object is passed into the rest of operations.

As we mentioned earlier, svcutil.exe does not generate any constructors on the client side but what we can do is to create a file that adds the required constructors to the data contract, which is defined as a partial class. The following code segment shows how to add the additional constructor to the partial class. We have also added two methods that are decorated with serialization attributes, which we will talk about later in this post.

The constructor on the client side takes a string parameter instead of int as the client knows about the name of the new customer but not their ID. The following code segment shows how we can use this constructor on the client side:

This is one of the benefits of a shared contract design as we can define a different constructor on the client side to suit the specific needs of the client application.

We mentioned that WCF does not call the constructor when the Customer object is deserialized so we need to use the serialization attributes if we want to perform an initialisation operation. In this case, we want to make sure that the client application does not change the ID for an existing customer so we record the original customer ID when the Customer object is received by the client and compare the ID property with the original value when it is being serialized and before it is sent back to the server.

So it is important to understand the difference between the constructors and the methods decorated with serialization attributes. The constructors are called when you create instances of the data contracts in your code whereas the decorated methods are called by the WCF runtime before (or after, depending on the attribute you are using) the data contract object is received/sent by a party in WCF.

Sample code download: 
                                          

Visual Studio 2008 Will Be Released in November 2007

Somasegar has more on this and here is the press release.