Sunday, March 30, 2008

SQL Server Error - The token supplied to the function is invalid

I am in the process of updating one of my ASP .NET applications from .NET 1.1 to 2.0. During my testing, I received an error "A connection was successfully established with the server, but then an error occurred during the pre-login handshake (provider: SSL Provider, error: 0 - The token supplied to the function is invalid) (Microsoft SQL Server)" while attempting to connect to my local SQL Server (2000, to be exact).

Thank you, Microsoft, as that error was about as nondescript as the classic "Object reference not set to an instance of an object".

Anyway, the problem I had with the error was that I wasn't connecting via SSL... it's my localhost, for crying out loud!

The solution to "my" problem wasn't anywhere out there on the Internet, which is why I am posting this blog. For some reason, my local account no longer had the access required to properly start the SQL Server 2000 service. To fix it, I had to:
  • Go into Services (right-click "My Computer", click Manage, then click Services),
  • Find the SQL Server service (since it's 2000, it was "MSSQLSERVER")
  • Right-click the service and click "Properties"
  • Click the "Log On" tab
  • Under "Log On As", check "Local System Account"
  • Restart the service (if it's already running)
Again, I don't know why all of a sudden my local account (which IS an admin account) cannot start the service properly. I didn't receive any errors on starting the service, so I assumed all was OK. The only thing I can think of is that I recently installed a new wireless adapter on my PC. Perhaps my system doesn't recognize my account properly because of this change? Anyway, if you aren't trying to use SSL for SQL Server auth, try the change described above.

Oh yeah, if you are trying to use SSL for your SQL Server authentication, check out this link - http://support.microsoft.com/kb/276553/ I wasn't trying to do this.. but it looks like it would be useful if I was ;)

Friday, February 01, 2008

Installing CyberSource on ASPDNSF ML 6.0

A few years ago, I purchased the VB.NET version of ASPDotNetStorefront ML 6.0. We had done some work on it, then put it on the back burner. Very recently, we picked it up again and wanted to integrate CyberSource as the payment gateway. Unfortunately, support for ML 6.0 is no longer available, as ASPDotNetStorefront is up to version ML 7.0.

I stumbled through how to integrate CyberSource into ML 6.0, but eventually figured it out. Considering ASPDNSF is a popular product, I thought I would document the steps to integrate.

Again, this is how to integrate CyberSource into ASPDotNetStoreFront ML 6.0.

Step 1 - Install SDK

Install the CyberSource SDK onto the PC. Note: this installs DLLs into the .NET Framework's GAC, so the SDK needs to be installed on every server that will host the application.
You can get the SDK here - http://apps.cybersource.com/cgi-bin/pages/dev_kits.cgi?kit=_.NET/_.NET2.0

Step 2 - Update Cybersource.vb
If you haven't already done so, open up your project with Visual Studio 2005.

  • Within the Gateways project (AspDotNetStorefrontGateways), add a reference to Cybersource.Clients.dll
  • Within Cybersource.vb, uncomment the top line.
    VB .NET does not have a #define statement, so rewrite the top line as #CONST CYBERSOURCE = True
  • Comment out the existing section:
    #If CYBERSOURCE Then
    Imports CyberSource.Soap
    Imports CyberSource.Soap.CyberSourceWS
    #End If
  • Replace the commented section with:
    #If CYBERSOURCE Then
    Imports CyberSource.Clients.SoapWebReference
    Imports CyberSource.Clients.SoapClient
    #End If

    This is because the SDK has been updated since ML 6.0 came out, so the libraries are different.
  • Update the "ProcessCard" method's input parameters.
    Change the types of UseBillingAddress and UseShippingAddress to 'AspDotNetStorefrontCommon.Address'

Step 3 - Use WSE 3.0

Step 4 - Generate CyberSource Gateway Key:


Thursday, December 20, 2007

An introduction to code sandboxing

One of the latest buzz words surrounding application development is "sandboxing", and it's becoming a buzz word for a reason. In case you haven't heard much about sandboxing your code, take a few minutes to get up to snuff.

Overview

Code sandboxing is the idea of keeping each application's permissions contained within that application. Look at it like this... if you don't sandbox your code, and you share a web server among a variety of web applications, then if one application is compromised, all are compromised... and beyond that, your server as well!

The idea behind sandboxing is that you can isolate the security permissions of each build, so if there is a security leak in one application, the rest of your server is still off limits. And in case you haven't figured it out, it's as if you put each application in its own... say it with me... sandbox.

How do I Sandbox?

Sandboxing is as simple as adding a value to your web.config. In your web.config, add the following element (attribute names are case-sensitive):

<trust level="Medium" originUrl="" processRequestInApplicationTrust="true" />

There are 5 out-of-the-box values for the level: Full, High, Medium, Low, and Minimal.

Now, you have 2 choices here: sandboxing a new application, or an existing application. As you might have guessed, a new application is easier, and so we will start there. Therefore, go ahead and develop your project. What the element above does is only give you access to whatever is permitted under "Medium" trust. So, as you are developing, you will receive security permission errors if you go outside of your Medium trust. For example, with Medium trust, you have no File IO permissions. So attempt to perform File IO, and you'll receive an error. In this instance, you have two options: remove your File IO code and find a different method... or add File IO to the security permissions (more on that later).

The tricky part is sandboxing an existing application. The whole idea behind sandboxing is giving your app partial trust. So if you build an app on top of partial trust, any time you stumble upon a security issue, you can fix it accordingly. Therefore, when dealing with an existing app, you need to identify any areas that go outside the normal boundaries. How do you do that? Well, you can hire yourself about 10 interns and feed them coffee and peanuts until they identify/fix every issue... or you can use permcalc.

Permcalc is a Microsoft tool that analyzes an assembly of your application and generates an XML document stating all the methods that need any type of security access. To use it, open up the Visual Studio Command Prompt, navigate to your application's bin directory, and run the following command:

permcalc -show

A new browser window will load with each method that is used within the assembly, along with showing what security features are needed.

How do I resolve my security issues?

OK, so at this point you took my advice above and added a trust element to your web.config, but you get to a certain line of code and an error is thrown. Just because you receive a security issue doesn't mean that you give your application a higher privilege! You have two options: create a security policy that contains all of the access that you need (recommended), or grant temporary access (NOT recommended).

Remember up above when you assigned the level of trust to "Medium"? That references a policy file on the server that grants access to the different permissions. So you can copy/paste the existing Medium file, rename it, and reference the new file (yes, you can just update the Medium trust policy file... but c'mon... let's not cut corners here).

So, to get started, navigate to the .NET Framework's config location (try C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\CONFIG) and look for the config files. Namely, you'll be looking for web_mediumtrust.config. Copy/paste it, and rename it. Then, add the permission set you need. Next, in your global web.config, create a reference to your new policy file by adding an entry within the securityPolicy section, such as:

<trustLevel name="MyPolicy" policyFile="MyPolicy.config" />

Finally, in your app's web.config, set the trust level to "MyPolicy", and now your code has access, while still running at partial-trust.
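Putting the pieces above together (the trust element, the copied policy file, and the securityPolicy entry), here is an added configuration example; it is not from the original post. The policy name MyPolicy.config is the post's own, assumed to sit next to web_mediumtrust.config in the Framework CONFIG directory, and D:\Uploads is a constructed path that the application is assumed to need outside its own directory. The fragments are shown with the weak setting (level="Full", which switches the sandbox off) noted beside the corrected one.

```xml
<!-- 1. Root web.config (Framework CONFIG directory): register the new policy
        file next to the five built-in levels. The weak setting to avoid in any
        application is <trust level="Full" />, which turns the sandbox off. -->
<system.web>
  <securityPolicy>
    <trustLevel name="Full"     policyFile="internal" />
    <trustLevel name="High"     policyFile="web_hightrust.config" />
    <trustLevel name="Medium"   policyFile="web_mediumtrust.config" />
    <trustLevel name="Low"      policyFile="web_lowtrust.config" />
    <trustLevel name="Minimal"  policyFile="web_minimaltrust.config" />
    <!-- assumed: a copy of web_mediumtrust.config with one extra grant -->
    <trustLevel name="MyPolicy" policyFile="MyPolicy.config" />
  </securityPolicy>
</system.web>

<!-- 2. MyPolicy.config: the only change from the Medium file is the extra path
        on the FileIOPermission grant inside the "ASP.Net" permission set.
        $AppDir$ is expanded by ASP.NET to the application's root directory;
        D:\Uploads is a constructed example path, not anything from the post. -->
<PermissionSet class="NamedPermissionSet" version="1" Name="ASP.Net">
  <IPermission class="FileIOPermission" version="1"
               Read="$AppDir$;D:\Uploads"
               Write="$AppDir$;D:\Uploads"
               Append="$AppDir$;D:\Uploads"
               PathDiscovery="$AppDir$;D:\Uploads" />
  <!-- the remaining Medium-trust IPermission elements stay exactly as copied -->
</PermissionSet>

<!-- 3. The application's own web.config: run under the new partial-trust level.
        Weak: level="Full". Corrected: the custom level below. -->
<configuration>
  <system.web>
    <trust level="MyPolicy" originUrl="" processRequestInApplicationTrust="true" />
  </system.web>
</configuration>

<!-- 4. Optional lock-down, also in the root web.config: allowOverride="false"
        stops any application on the box from raising its own trust level. -->
<location allowOverride="false">
  <system.web>
    <trust level="MyPolicy" originUrl="" />
  </system.web>
</location>
```

The fourth fragment is the check worth doing on a shared server: without allowOverride="false" on the root trust element, any application's web.config can quietly set itself back to Full and the sandbox described in this post buys nothing.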

Above was just an overview of sandboxing, but hopefully it provides you enough of an idea so you know how to do it, and the importance of sandboxing. For more information, I strongly recommend that you read about Partial-Trust - http://msdn2.microsoft.com/en-us/library/ms998326.aspx. And if that doesn't give you enough information to quench your thirst, check out Dominick Baier's book - Developing More-Secure Microsoft ASP.NET 2.0 Applications - http://www.amazon.com/Developing-More-Secure-Microsoft%C2%AE-Applications-Developer/dp/0735623317. Chapter 8 is devoted to this topic. Finally, the most recent cover story of Redmond Developer News was dedicated to sandboxing, and provides a nice overview... probably better than mine was ;) http://reddevnews.com/features/article.aspx?editorialsid=2386


Saturday, December 08, 2007

A Web Developers 2008 Technology Wishlist

I try to do my best to not date any of my blog posts, but this is one of those that timing is everything! As Christmas, 2007 approaches, so does the inevitable feelings of a fresh start for all things we wish we could improve. Saving more money, losing weight, learning how to set a clock on a VCR... then again... getting rid of the VCR altogether!

As we approach 2008, we should also take stock of our development practices. We should start asking ourselves questions like "what are we developing with", "what are we offering", and "what are we doing better than our competitors". However, I'm going to do you a favor... I'll answer some of those questions for you!

Below is a technology wish list. If we could ask Santa what to bring our web applications, below is a list of some of the technologies/ideas that we should start making use of.
  • Web 2.0 Principles - Let's start the list with a generality, by focusing on embracing Web 2.0. I recently purchased an MP3 player, mainly because it was a great deal from woot. It's a Sansa e250, refurbished, holds 4 GB of data, plays music, video, shows pictures... and I got it for 50 bucks total. However, all of my friends call it my "fake iPod". Even though I love it, it works just as well as an iPod, was cheaper, and I don't need the dreaded iTunes to use it... I've been labeled an outsider.

    Web 1.0 is on the way to the same stigma. Even though your web applications are working well, they're just not "cool" enough. Now, you may be asking yourself, "what's the ROI on making your web applications cool"? Excellent question! Look at upgrading your applications as more of an investment in the future of application design. It's the way of the future. Embrace it... challenge yourself.. understand what the movement is and hop on the wave of change! As you develop future applications, make use of the newer technologies that are getting released every day. These new technologies are meant to make your applications more dynamic, easier to use and understand, and more powerful. One of the most difficult challenges for a web developer is to stay ahead of new technologies. As a Microsoft .NET developer, I find myself working with beta releases... not because I'm bored, but because I need to be able to use the technology as soon as it hits an official release! However, using the newer ideas helps me not only broaden my horizons, it also helps me stay ahead of the competition.
  • AJAX - Microsoft did us a favor: they conceded on Microsoft ATLAS. Rather than getting into a software development war with the .NET army against the rest of the world, they embraced AJAX (Asynchronous JavaScript and XML) and standardized their development platform. Since that time, they have put much backing into its capabilities. Alongside that, all the main web browsers support the XMLHttpRequest object... the key element in AJAX's behind-the-scenes web calls. The final piece is that web-savvy users are using JavaScript. So, what does a recipe of AJAX, XMLHttpRequest support, and JavaScript-enabled web browsers give you after 30 minutes in the oven at 375? How about 3 excellent reasons to give up on fighting AJAX?

    Embrace AJAX. Use AJAX to create better applications for your customers, decrease network activity, and populate advanced metrics on your website. The pieces are in place, the community is there, active and waiting to use websites that are cutting edge, embrace them back!

    So how can you use AJAX? Here's an example. I recently adopted Digg, to include on this blog. During the sign up process, as I filled in the input boxes with my information, it posted back to me real time information. I received a "This username is available, go ahead and take it!" after typing in my username and leaving the text area. I got a "Hey, your password looks great!" after providing my password.

    Is this a good reason to adopt AJAX? Because it lets you give funky messages back to your user community? No... but think about what it took to present these messages. Upon providing the username I requested, and without submitting the form, the username was compared to usernames in the database and a message was proactively returned to me. AJAX gives you server-side control over data with a client-side look and feel. Use AJAX in your applications to control, format, secure, and manipulate data... and to bring your applications up to speed.
  • RIA's - The item above discusses AJAX and user adoption, and taking advantage of a user community who embrace and enjoy the idea of proactive server activity. How about taking advantage of a user community who embrace interactive design and creativity, AKA, Rich Internet Applications?

    A few years ago, before I fell into web development, I acquired an educational version of Flash 4 (don't worry, I was a student at the time!). Within hours, my first Flash movie was made. It didn't have any user interaction, but it was cool, and easy to create! I gave it up because I lacked the programming skills at the time to give it some back-end power.

    Fast-forward 5 years, and we now have Microsoft Silverlight, their answer to the RIA Juggernaut Flash. What's more, it provides much more programming capabilities, something along the lines of VB/C# .NET than just script (Flash uses ActionScript, a pseudo JavaScript meant to interact with Flash elements).

    When you think Silverlight, don't think of it as a design tool for a side project where the audience will only be teenagers, browsing your site at 2 in the morning and looking to stay awake by playing games. Silverlight can address an audience in your business setting as well. When I think of Silverlight, I think of Star Trek... or any Sci-Fi show. Did you ever notice what the ship staff is using while they're busy zipping around the galaxy? It's not a standard web form, with a few text boxes and a plain-jane grey submit button. It's a screen with motion, things moving and updating on the fly (speaking of which, Silverlight is AJAX enabled... think about that!). Why not give your end users within your business a flashier design, especially if it's little to no extra work compared to creating your traditional HTML forms?
  • CardSpace Adoption - If I've been a good web developer this year, and I'm on Santa's nice list, then the last thing I'm asking him for is CardSpace adoption. Very recently, Microsoft released their latest version of Visual Studio - VS 2008. With this release came .NET 3.5, which included support for programming with CardSpace.

    If you haven't seen CardSpace yet, it's a personal data-store on a user's PC where an individual can store personal information within data cards. You can have several cards, each holding as little or as much personal information as you would like to provide to a website. When you arrive at a website that supports CardSpace, rather than typing in your information to either sign-up or login, you provide your card. It verifies you, and away you go!

    So what's so special about CardSpace? Well, it's much more than saving end-users from typing in personal data. CardSpace is actually changing the infrastructure for end-user validation. Any malicious user, anywhere in the world, can type in a name, phone number, email address, etc. and pretend to be someone else. However, with CardSpace, no one else can take that card away from me. No one else can log into a website as me because they stole my password, because the password must be accompanied with my card!

    CardSpace is providing a new structure for website validation. It's so cutting edge... not a lot of websites are using it! However, this is mostly because the programming capabilities recently came out of beta and were released with .NET 3.5.

Thanks for reading, I hope you end up with more than just a lump of coal this holiday season!

Tuesday, December 04, 2007

Quick Blog: Architecting your applications - Avoid "All Tinsel with No Tree" pitfalls

I recently met with a client of mine. He is a professor, and needs a grading/rollbook application, and this app will be for his eyes only. Being the web/database guru that I am, I recommended that we create a web application.. for the obvious benefits that the web provides us.

After some initial conversation... and some notes written on scraps of paper during a Chinese buffet lunch meeting... I was able to get to work. I began with a simple HTML mock-up. Nothing fancy, nothing dynamic, just a quick and dirty way to show the principles of how the system will perform. For example, I created a screen mock-up of adding a student to the system, a separate screen for assigning grades to a student, etc. Nothing of rocket-science proportions...

After a few hours of work, we met again to discuss the status of the system: how it will work, what we need to do next, etc. I explained to him that the screens are very basic, but to focus on the functionality... not the design. What he said next was just... perfect... so perfect that I wanted to blog about it. He said "that's fine, I don't want to be given all tinsel with no tree". I immediately thought... perfect, I'm on track for writing this system. Fortunately, he felt the same.

The moral of the story is this. If you develop apps the way I do, you're in charge of some database design, some application development, and some web design as well... just to name a few of the skills we must always sharpen! Sometimes it's easy to get caught up in how a system looks... on mock drafts... just avoid that. More importantly, have your clients avoid it in round 1 design sessions as well. The longer you think about system functionality, the better the application design is... and the happier the client is.

I am not telling you to avoid making your app pretty, but pretty can come at a later time. Slap on a CSS sheet while creating your mock-ups, and in a matter of an hour or two you can update the look and feel. System functionality is... obviously... a different animal, but worth the time to give its full attention at the start of your project.

Saturday, September 15, 2007

Custom Help Desk Workflow in Sharepoint 2007

Several years ago, a developer at the company I work at wrote our Intranet. It's ASP based, and over the years the developer's been asked to add/modify/update various features on the site. One of the features he had implemented was a custom Help Desk System. In a general sense, its workflow is as follows:

  • Only specific users of the Intranet can submit Help Desk tickets
  • Help Desk ticket details are required
  • Help Desk tickets are assigned by the requestor to a 'group'
  • The Help Desk ticket groups contain individuals who receive the ticket - example, rather than request a particular person receive the ticket, the members of the requested group can own and close the ticket.
  • Help Desk Tickets are automatically owned by group members, members do NOT have to accept ownership.
  • Help Desk Tickets can be transferred from the owner to other individuals, regardless of the ticket group
  • Emails are sent to members of the group upon ticket submission.

There are a few other features of the current Help Desk ticket system, but for the most part those are the key features that we have been working with.

About 9 months ago, we migrated to a SharePoint 2007 Intranet. OK, I shouldn't say 'migrated'; we've been using it, but we've been using our legacy ASP based Intranet as well to make use of necessary systems... such as the Help Desk system described above. We now have an end-of-life timeline on our legacy system, so we are pursuing options to migrate all systems. One option that I am particularly pleased with is the SharePoint 2007 Helpdesk Application Template - download here.

Application templates are cool: they are customized lists, announcements, views, and libraries, all with enabled workflows. Trying to bend a plain customized SharePoint site to meet my requirements listed above would be difficult. However, with the Help Desk Application Template, we're in business!

So, how do we make use of the application template? For starters, you need Microsoft SharePoint Designer 2007. SD will let you modify existing templates and workflows.

Installing the Help Desk Application Template
On your SharePoint server, download the template from the link above, and extract the files to a local directory. If you haven't installed any application templates on your server yet, you must download and install the Core Templates first! A link to the Core Templates can be found at the site linked to above. As a local administrator, open up a new command line window, navigate to the stsadm.exe directory, and follow the instructions found in the link above.

Creating your new Help Desk Site
After installing the Help Desk template (and perhaps the Core templates as well), go into SharePoint, navigate to your appropriate site where you want to create your Help Desk site, and then click "Site Actions -> Create -> Sites and Workspaces", then create a new site, but select the Help Desk template.

Customizing your new Help Desk Site
To make the template fit into our existing workflow (given the requirements stated at the top of this blog post), I had to create an option for the new ticket request to allow someone to select a group. Sounds simple enough, right? Well, first we add our column, as a new help desk ticket is nothing more than a list item. Well, I need the group to also be a required field on the new ticket request. Finally, based on the group selected, we need to assign the ticket.

  1. Adding our "Group":
    On your help desk site, go to Site Actions -> Site Settings -> Site libraries and lists. Then, select "Customize Service Requests". Underneath the existing columns, click "Create Column", name your column "Service Group", make the column a "Choice" column, require the column have information, and add each "group type" for your choices. For example, "SharePoint issue" and "Website Down".
  2. Making our group available on support tickets:
    Adding a column to your list doesn't magically add the field to new requests. So, now we open up SharePoint Designer, and follow the instructions found here. This article shows you how to create a new web form, bring in your service requests fields.. which now include your "Service Group" field.. associate the SharePoint Master Page, and associate this new web form as your page that will be used when a new request is created.
  3. Assigning tickets based on groups:
    SharePoint has built in workflow capability, unfortunately it's difficult to manipulate using SharePoint. Fortunately, SharePoint Designer has a GREAT tool to help you unlock workflow. So, open SharePoint Designer and navigate to your helpdesk site. Next, select File -> New -> Workflow. Associate the workflow with your Service Requests List, and select the option to initiate the workflow based on a new item.

    The next screen brings you to an "If/Then" wizard. It's simple: "If" a condition is met, "Then" run a series of events. So, it's pretty simple. If a group is selected, assign the ticket item to an individual.

    So, from the "Conditions" button, choose "Compare Service Requests field". Then, select the appropriate options so it states If Service Group equals . Next, for actions, choose "Send Email" to send an email to a particular individual stating that a call ticket has been entered. Then, select Actions again, and choose "Set Field in Current Item". This option will let us specifically alter fields on the submitted service request, such as "Assigned To", so we can assign a ticket based on the Service Group.

    So, after selecting "Set Field in Current Item", set the field to "Assigned To" and then assign your individual to receive the item.

When you're done, repeat the "If/Then" logic for each group you have.

I apologize there aren't any screenshots, but I was in a bit of a rush to get this blog post live. I just wanted to get something out here on the Internet, as I had to stumble through the steps above to get my Call Ticket system working.

I hope this blog post helps, below are a list of some helpful links that can guide you as you manipulate the Application Templates:


Tuesday, June 26, 2007

ASP .NET Security - Stopping scripting attaXSS in their traXSS

As of May 2007, the top security vulnerability on the web is Cross Site Scripting (XSS) attacks. And why shouldn't they be? They're extremely easy to use and potentially lethal to the credibility of your site. Fortunately, the kind people at Microsoft made it simple to prevent these attacks.

The culprit

Here's the situation: You have a web form where the user can post data for others to see. For example, you're writing a custom blog application and you want users to write comments. On your site, you have a textbox that allows users to post comments; let's call this textbox "txtUserComments".

When your user clicks your submit button on the form, your code will look something like this:

If Page.IsPostBack Then
    'Some code up here
    Dim UserComment As String = txtUserComments.Text   'raw, unencoded input
    'Some more code here
End If

Yep, that's all it takes to have an XSS vulnerability. If input validation is turned off on your page/site, an end user can post some bad stuff, and all future users will be affected.

For example, if <script>alert('ha')</script> is posted, all future users will enter the page and see the alert box. I'll let your imagination run wild with the other possibilities here...

The fix

So, what's the fix? Well, for one, you probably noticed that I said above "if input validation is turned off"; it is turned on by default. So... don't turn off validation! But there's much more to this post than that. What about query string values, HTTP header information, or other form POST data?

The nice people at Microsoft developed an Anti XSS library... and it's cake to use. You can get the library here.

To use it, download and install the library. In your web project, add a new project reference, and get your dll from your program files\Microsoft Corporation\Anti-Cross Site Scripting Library V1.5\Library\.Net 1.1 | .Net 2.0. That's right folks, the library is available for both 1.1 and 2.0!

Now that you added your reference, import the namespace into your page:

Imports Microsoft.Security.Application

Finally, make use of the library! For example, remember our example above with the textbox input? Well, now we would use the following code:

Dim UserComment As String = AntiXss.HtmlEncode(txtUserComments.Text)

The magic behind it all

Some of the best things in life are simple, and this is no exception to that rule. The HtmlEncode function takes the input characters and encodes them for HTML output. For example, the '<' in a script tag is converted to '&lt;', so the browser renders it as text instead of treating it as the start of a tag.

The library has multiple functions available, so you can use the best encoding for your application. There is "JavaScriptEncode" for any JavaScript input, or even "UrlEncode" for passing values via querystring.
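To make the encoder choice concrete, here is an added example, written in plain Python rather than the post's VB.NET, that models what the three encoders named above (HtmlEncode, JavaScriptEncode, UrlEncode) do and runs them over the post's own sample payload. It is not the Microsoft AntiXSS library and not code from the post; the function and context names are assumptions chosen for illustration, and the comment text is constructed.

```python
"""
Context-aware output encoding, modelled on what the AntiXSS library's
HtmlEncode / JavaScriptEncode / UrlEncode do. Added example written in
plain Python; it is not the Microsoft library and not the post's VB.NET.
"""
import html
from urllib.parse import quote

# Constructed sample input: the payload quoted in the post.
SAMPLE_COMMENT = "<script>alert('ha')</script>"


def html_encode(value: str) -> str:
    """HTML text/attribute context: < > & " ' become entities, so the
    browser shows the comment as text instead of parsing it as markup."""
    return html.escape(value, quote=True)


def js_encode(value: str) -> str:
    """JavaScript string-literal context: every non-alphanumeric character
    becomes a \\xHH (or \\uHHHH) escape, so the value can neither close its
    own quotes nor contain a literal </script> that ends the block."""
    out = []
    for ch in value:
        if ch.isascii() and ch.isalnum():
            out.append(ch)
        elif ord(ch) < 256:
            out.append(f"\\x{ord(ch):02x}")
        else:
            out.append(f"\\u{ord(ch):04x}")
    return "".join(out)


def url_encode(value: str) -> str:
    """Query-string value context: only unreserved characters survive."""
    return quote(value, safe="")


def render_comment(comment: str) -> dict:
    """Build the three places the post says untrusted text can land, each
    with the encoder that matches its context. Hypothetical page layout."""
    return {
        "html": f"<p>{html_encode(comment)}</p>",
        "javascript": f'<script>var c = "{js_encode(comment)}";</script>',
        "url": f"/comments?q={url_encode(comment)}",
    }


def all_contexts_safe(comment: str) -> bool:
    """Check: the raw comment must not survive unchanged in any context."""
    return all(comment not in frag for frag in render_comment(comment).values())


if __name__ == "__main__":
    for context, fragment in render_comment(SAMPLE_COMMENT).items():
        print(f"{context:10s} {fragment}")
    print("raw payload neutralised everywhere:", all_contexts_safe(SAMPLE_COMMENT))
```

The point the block makes beyond the post's one-liner is that the encoder must match where the value ends up: HTML entities are the right answer inside a paragraph, but the same value dropped into a JavaScript string or a query string needs the JavaScript or URL encoder instead.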

Hopefully this blog post gave you some insight into how easy it can be to compromise your site with an XSS attack, but more importantly you also saw how easy it can be to prevent such attacks.
