Friday, June 27, 2008

Silverlight and REST for corporate (intranet) applications

Danger Will Robinson, Silverlight 2 beta 2's WebClient implementation does not support passing integrated security credentials. I was hoping to implement a RESTful services tier for my intranet Silverlight application using Windows Integrated Security. While this does work brilliantly when using IE as a client, the Silverlight client cannot call the services. There seems to be no good workaround: I could use ASP.NET authentication services using Forms authentication against AD, but I would have to present the client with a login prompt.

FYI, the service configuration for WCF REST and integrated security is as follows:

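<behavior name="webBehavior">
  <!-- Endpoint behavior that enables the WCF REST (web HTTP) programming model -->
  <webHttp />
</behavior>

<serviceHostingEnvironment aspNetCompatibilityEnabled="true" />

<binding name="integratedWebHttpBinding">
  <!-- TransportCredentialOnly authenticates the caller at the HTTP level
       but does not encrypt the channel -->
  <security mode="TransportCredentialOnly">
    <transport clientCredentialType="Windows"/>
  </security>
</binding>

<service name="AppNamespace.Service">
  <endpoint address=""
            binding="webHttpBinding"
            bindingConfiguration="integratedWebHttpBinding"
            behaviorConfiguration="webBehavior"
            contract="AppNamespace.Service" />
</service>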

Wednesday, June 25, 2008

MOSS and Kerberos on Windows Server 2008 - a gotcha

I've been through the Kerberos mill many times--getting the SPNs lined up, making sure the computer and service accounts are trusted for delegation, making sure the times on the servers are within 15 minutes, etc. But I couldn't make Kerberos authentication work on my MOSS web applications on a Windows Server 2008 server.

I opened a ticket on this with Microsoft and discovered that IIS 7.0 has kernel mode authentication turned on by default. MOSS has a problem with this and it will completely break Kerberos for those web applications. To turn this off:

In Server Manager, select the web application for which you want to fix Kerberos authentication.

Select its Authentication tool.

Now choose Advanced Settings.

Finally, make sure the "Enable Kernel-mode authentication" checkbox is UNCHECKED.

Apply your changes and you should be good to go. It is not necessary to reset IIS or bounce the application pool to make it take effect. Don't forget that you still have to configure the web in MOSS Central Administration to use Kerberos (Negotiate) authentication instead of NTLM in addition to all the other normal domain-based Kerberos setup steps. Cheers.

** UPDATE 24 Mar 2009 **
Apparently the kernel mode authentication setting also breaks NTLM authentication on WS 2008, so this is not specific to making Kerberos work.
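
To check many sites at once instead of clicking through each one, the same setting can be read from a copy of the server's applicationHost.config. The script below is an added example, not part of the original post. It assumes the per-site settings sit in `<location>` elements, and the sample config and site names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample shaped like IIS 7.0 applicationHost.config (site names are made up).
SAMPLE_CONFIG = """<configuration>
  <location path="MOSS Portal">
    <system.webServer><security><authentication>
      <windowsAuthentication enabled="true">
        <providers><add value="Negotiate" /><add value="NTLM" /></providers>
      </windowsAuthentication>
    </authentication></security></system.webServer>
  </location>
  <location path="MOSS Central Admin">
    <system.webServer><security><authentication>
      <windowsAuthentication enabled="true" useKernelMode="false">
        <providers><add value="Negotiate" /></providers>
      </windowsAuthentication>
    </authentication></security></system.webServer>
  </location>
  <location path="Static Site">
    <system.webServer><security><authentication>
      <windowsAuthentication enabled="false" />
    </authentication></security></system.webServer>
  </location>
</configuration>"""

def _flag(value, default):
    # Parse an IIS boolean attribute; an absent attribute takes the schema default.
    return default if value is None else value.strip().lower() == "true"

def audit_kernel_mode(config_xml):
    """Report every <location> that has Windows authentication enabled."""
    findings = []
    for loc in ET.fromstring(config_xml).iter("location"):
        node = next(loc.iter("windowsAuthentication"), None)
        if node is None or not _flag(node.get("enabled"), False):
            continue
        findings.append({
            "site": loc.get("path", ""),
            # A missing useKernelMode attribute means the IIS 7.0 default: true.
            "kernel_mode": _flag(node.get("useKernelMode"), True),
            "providers": [a.get("value") for a in node.findall("providers/add")],
        })
    return findings

def sites_needing_change(config_xml):
    """Sites where 'Enable Kernel-mode authentication' is still switched on."""
    return [f["site"] for f in audit_kernel_mode(config_xml) if f["kernel_mode"]]

if __name__ == "__main__":
    print(sites_needing_change(SAMPLE_CONFIG))
```

The `providers` list in each finding also shows whether Negotiate is offered at all, which is worth confirming alongside the kernel-mode flag.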

Friday, June 13, 2008

Moving Silverlight 2 beta 1 applications to beta 2

With new times comes a new Silverlight beta, released last week. I set out to update my beta 1 applications to beta 2. First, I let it run the project through the upgrade wizard. After that, I found there were several more steps, starting with fixing your installation...

Remove and Re-Add System.Windows References

This includes:
  • System.Windows
  • System.Windows.Browser
  • System.Windows.Controls.Data
  • System.Windows.Controls.Extended (this one will likely not be needed now as many controls have moved into the base assemblies)

Update Namespaces of the Silverlight User Control and Application Objects

Make this change in App.xaml and any other user control (*.xaml) objects.

This avoids mystery "invalid XAML" errors from the Silverlight control on web pages:
Sys.InvalidOperationException: Invalid XAML for control 'Xaml1'. [] (line 1, col 229): The element is not valid in the given namespace.

Update the Deployment Node Namespace in AppManifest.xaml

From:
<Deployment xmlns="" xmlns:x="" EntryPointAssembly="HCHB.ServiceRequests" EntryPointType="HCHB.ServiceRequests.App" RuntimeVersion="2.0.30226.2">
To:
<Deployment xmlns="" xmlns:x="" EntryPointAssembly="HCHB.ServiceRequests" EntryPointType="HCHB.ServiceRequests.App" RuntimeVersion="2.0.30523.6">

Update the Silverlight Control Declaration

Find the Silverlight control on the web page(s) in your site and update the node accordingly, from:
<asp:Silverlight ID="Xaml1" runat="server" Source="~/ClientBin/Silverlight1.xap" Version="2.0" Width="100%" Height="100%" />
to:
<asp:Silverlight ID="Silverlight1" runat="server" Source="~/ClientBin/Silverlight1.xap" MinimumVersion="2.0.30523" Width="100%" Height="100%" />

Change the Cross-Domain Access Policy

This prevents 404 errors when calling my web services.

<?xml version="1.0" encoding="utf-8"?>
<?xml version="1.0" encoding="utf-8"?>
<allow-from http-request-headers="*">