Tuesday, 7 December 2010

Padding Oracle Crypto Attack (Update Released)

In case you missed it, you should by now all have updated your servers with the windows update to fix the Padding Oracle Crypto Attack:

Points worth noting:

  • You'll need to apply th fix to all your servers in the web farm as the encryption/decryption mechanism has changed.
  • Your users will have to log in again - forms auth tickets issued by your app prior to the update will no longer be valid.

Catch-All MVC Route

A weird scenario may come up where you want all requests to an application routed to just one controller action in an ASP.Net MVC application, here's the catch-all route you'll need :)

public static void RegisterRoutes(RouteCollection routes)
      "Default", // Route name
      "{*catchall}", // URL with parameters
      new { controller = "Home", action = "Index" } // Parameter defaults

Monday, 25 October 2010

The specified request cannot be executed from current Application Pool (403.18)

So you've split your apps into seperate app pools in IIS, which works well for app isolation on your web server and all is well until you start getting 403 HTTP status responses (with a substatus in the IIS logs of 18). This error is a result of your application running your application and the custom error page you've configured within different app pools.

The solution?

I'm afraid you're going to have to edit the registry!!! So back it up first then create a registry key with the name IgnoreAppPoolForCustomErrors, of type DWORD and value 1 under the HKLM\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\ folder.

Saturday, 23 October 2010

A potentially dangerous Request.Form value was detected from the client

You'll get this error from the .Net framework when it detects potentially harmful content in a web request submission. Want to disable this validation? Read on...

For normal ASP.Net Web forms apps you can disable request validation by setting validateRequest=false in the page directive (top of your aspx page) or in the configuration section.

For ASP.Net MVC apps add the [ValidateInput(false)] attribute to the appropriate controller action.

Be careful when turning off this value as you are making your site vulnerable by accepting potentially harmful input. You should explicitly validate your input in your code if you disable the built in .Net request validation.

Wednesday, 20 October 2010

Read an Embedded Resource Text File in C#

Here's a little snippet I use quite a lot in my test projects to read out an embedded resource text file as a string. The resourceName parameter is the full namespace of the resource, e.g. myproject.files.MyEmbeddedTextFile.txt

internal string GetFromResources(string resourceName)
    Assembly assem = this.GetType().Assembly;
    using (Stream stream = assem.GetManifestResourceStream(resourceName))
        using (var reader = new StreamReader(stream))
            return reader.ReadToEnd();

P.S. You may want to add some error handling to the above ;)

Monday, 27 September 2010

XML Character Support

One of the projects I'm working on heavily uses a ReST API and performs a lot of XML processing. Recently we've had some serialisation errors when processing some of the XML, resulting in a .Net error throwing:

System.InvalidOperationException: There is an error in XML document (1, XXX). ---> System.Xml.XmlException: XXX, hexadecimal value XXX, is an invalid character.

So I examined the XML payload and could see it contained a non-pritable/control character. I raised the case with the API developers but I found myself curious to find a definitive list of what characters are valid in XML documents. I soon found the Extensible Markup Language (XML) 1.0 Specification, which contained a section regarding the supported XML characters.

You can encode a massive range of characters in XML documents, but there are some non-pritable/control characters that are not supported. Legal non-pritable/control characters include tab (xx09), carriage return (xx0D) and line feed (xx0A). For printable characters it's the legal characters of Unicode and ISO/IEC 10646.

Useful Links

Tuesday, 21 September 2010

Padding Oracle Crypto Attack (Update)

The ASP.Net vulnerability that was announced prior to the EkoParty conference in Argentina last week, initially sounded a lot like a whole lot smoke and not much fire. I read the summary of the exploit and belittled it in a blog post, telling people not to panic. I did however decide to review the slides of the technique used to expose the vulnerability as it all sounded rather interesting. However, I wish I hadn't as it soon came to light that the vulnerability was more serious than previously thought. Microsoft agreed and released a security advisory.


What can the attack do?

The attack is relevant to all versions and flavours of ASP.Net and is able to decrypt ViewState data, not an issue as long as you don't store sensitive info in the ViewState - which you shouldn't!

The real issue arises if using ASP.Net 3.5 SP1 or above, the attacker could use this encryption vulnerability to request the contents of an arbitrary file within the ASP.Net application i.e. the web.config.

How the does it work?

The attack makes use of cryptographic oracles. An oracle in the context of cryptography is a system which provides hints as you ask it questions. ASP.Net acts as a padding oracle in this case. Allowing an attacker to send chosen cipher text to the server and learn if it was decrypted properly by examining which error code was returned by the server (and even time taken). If the attacker makes enough requests, they can learn enough to successfully decrypt the rest of the cipher text. The attacker can then alter the plain text and re-encrypt it as well.

Silence that Oracle!

By returning only one application error page no matter what the error effectively silences the oracle and the attacker can no longer gain the info they need to decrypt your encrypted site data. Not ideal in web apps,

Anything else?

Yeah actually! Any sensitive files on your server within your application should be encrypted. For example your connection strings or your username and passwords in your web.configs should be encrypted.

Useful links

Thursday, 16 September 2010

Padding Oracle Crypto Attack Affects Millions of ASP.NET Apps

So I saw this headline on Slashdot IT and it immediately made me pay attention. So I loaded up the ASP.Net security vulnerability article detailing the exploit and started reading.

In short, it totally destroys ASP.NET security

It soon became obvious that the article was a little bit sensationalist to say the least (see quote above). Basically the exploit is low-risk. You should only be worried if your applications aren't communicating over SSL and if you have put sensitive information in you ASP.Net application's cookies and are trusting the cookie data blindly. Sensitive data should all be stored server side - but you knew that anyway!

Needless to say, I've not wrote any code lately that checks for an SuperUser=true value in the cookie!!!

Tuesday, 14 September 2010

MailMessage's Subject ArgumentException

Just a quickie today... if you get an ArgumentException when setting the subject on the .Net MailMessage object (or on the constructor) like this...

System.ArgumentException: The specified string is not in the form required for a subject.

You'll want to cleanse your string input for non-printable characters. The most likely culprit is a carriage return or line feed. Which is "\r" or "\n" to the C# developers :)

Monday, 16 August 2010

Head of Applications Development

So all has been quiet on the blog front for a few weeks now, but I have a valid reason this time - honest!

I've been busy getting to grips with my new role at Esendex as 'Head of Applications Development'. Neadless to say I'm very busy at the moment with planning, coding (although not as much coding as I'd like) and improving the applications team's agility. At the moment the days are passing me by very quickly!

I've got lots of blog post ideas so as soon as I get round to it they'll be up. Expect more Asp.Net MVC, TDD and hopefully some BDD posts popping up very soon indeed :)

Thursday, 24 June 2010

Multiple types were found that match the controller

I'm starting to make use of the new Areas feature in my MVC 2 applications. I've found it great for separating my applications into distinct sections rather than staring at a massive list of controllers/views all bundled into one folder. I came across an issue when I created a controller with the same name as a controller within a different or the default area:

Multiple types were found that match the controller named XXXXXXXX...

I thought it was a little cheap of Microsoft requiring you to give your controllers unique names across all areas. I was relieved to find out giving the same name within different areas is perfectly OK, you just need to specify the full namespace for the controller when setting up the route for it, like so:

public override void RegisterArea(AreaRegistrationContext context)
  new { controller = "Home", action = "Index", id = UrlParameter.Optional },
  new string[] { "MyWebApp.Areas.Members.Controllers" }

I knew Microsoft wouldn't let me down ;)

Friday, 18 June 2010

Mock ControllerContexts in ASP.Net MVC

After performing an upgrade to MVC 2 for a web application last week, I had a number of tests failing. This gave me an opportunity to refactor some controller tests and create a base class for my controller test classes. This new base class is straight forward and allows me to mock HttpRequestBase and HttpSessionStateBase easily on the mock ControllerContext - it also has an overload for mocking AJAX requests too. I expect this class to grow in time but it serves my needs for now:

public class TestController
 public static ControllerContext GetMockControllerContext()
  return GetMockControllerContext("GET", false, null, null);

 public static ControllerContext GetMockControllerContext(string httpMethod, bool isAjaxRequest)
  return GetMockControllerContext(httpMethod, isAjaxRequest, null, null);

 public static ControllerContext GetMockControllerContext(Mock httpRequestBase, Mock httpSessionStateBase)
  return GetMockControllerContext("GET", false, httpRequestBase, httpSessionStateBase);

 public static ControllerContext GetMockControllerContext(string httpMethod, bool isAjaxRequest, Mock httpRequestBase, Mock httpSessionStateBase)
  var headerCollection = new NameValueCollection();

  // Add header value for ajax requests
  if (isAjaxRequest) headerCollection.Add("X-Requested-With", "XMLHttpRequest");

  if (httpRequestBase == null)
   httpRequestBase = new Mock();
   httpRequestBase.Setup(r => r.HttpMethod).Returns(httpMethod);
   httpRequestBase.Setup(r => r.Headers).Returns(headerCollection);
   httpRequestBase.Setup(r => r.Form).Returns(new NameValueCollection());
   httpRequestBase.Setup(r => r.QueryString).Returns(new NameValueCollection());

  if (httpSessionStateBase == null)
   httpSessionStateBase = new Mock();

  var mockHttpContext = new Mock();
  mockHttpContext.Setup(c => c.Request).Returns(httpRequestBase.Object);
  mockHttpContext.SetupGet(c => c.Session).Returns(httpSessionStateBase.Object);

  return new ControllerContext(mockHttpContext.Object, new RouteData(), new Mock().Object);

Friday, 11 June 2010

Time to Upgrade to ASP.Net MVC Web Apps to MVC 2?

Wondering if you should be upgrading to ASP.Net MVC 2? It is worth some serious thought as there's some powerful new features, the upgrade process is nice and simple, plus there aren't many breaking code changes. Why not take a peek at what's new in ASP.Net MVC 2 and I bet you'll see at least a handful of features that'll get you itching to upgrade ;)

If you decide to upgrade your web application then review the MVC 2 upgrade notes. They include instructions for upgrading manually or you can choose to use the upgrade tool. I've used the upgrade tool and it seems to work great for most people - but not me, I had two problems :( After the conversion completed I compiled my project and got an error:

It is an error to use a section registered as allowDefinition='MachineToApplication' ...

...I managed to fix this without pulling my hair out though. The only other issue I had was around 10% of my project tests suddenly started failing; a result of some change to the controller context processing (this resulted in me improving my controller tests by creating a base TestController). Again this was a nuisance rather than a show stopper - the upgrade was worth the effort :)

Thursday, 10 June 2010

IIS 6 Application Pools for Beginners

Application pools allow you to configure one or more web applications to a worker process. An application pool is separated from other application pools by worker process boundaries. So what does this mean? ...An application in one application pool is not affected by problems caused by applications in other application pools. This along with sensible recycling of your application pools, results in your web server being more efficient and reliable.

By default IIS 6 dumps everything into one application pool. So as you add new web applications to your server you should consider logically grouping them into pools. Due to there being an overhead for each application pool it makes more sense to group the web applications into related pools rather than just create a pool for each web application.

Recycling Your Application Pools

To keep your sites working efficiently your should configure IIS to periodically recycle your application pools and recycle them when they become unstable (using too much memory/cpu etc). Recycling cleans up memory fragmentation, memory leaks, abandoned threads and other bits of unwanted clutter. Note that when an application pool recycles, ASP.Net session state information stored in-process is lost for that pool, however other pools are not affected. If this is a problem then you'll need to use another session state mechanism for your ASP.Net web applications.

Application Pool Recycling Events

It's important that you review why your application pools are being recycling. For example, if you have a pool recycling every 30 mins due to excessive memory use then you have an issue with that applcation's code and it needs looking at. Event logs for application pools are off by default, to enable them see this Microsoft KB article.


When you configuring your application pools you can configure the identity of each worker process to run as a different user and should consider how to configure application pools for application security. For example, you might need to create separate application pools for applications that require a high level of security, while allowing applications that require a lower level of security to share the same application pool.


Hopefully with this post you can see the benefits of spending some time in setting up your application pools in IIS and you've made a step in the right direction for improving your web server's reliablility and efficiency :)

Wednesday, 9 June 2010

ASP.Net allowDefinition='MachineToApplication' Error

I've come across this problem a number of times now and it was beginning to annoy me. A few times when building projects on continuous integration servers and today when upgrading my MVC web app to MVC 2 I hit the following error:

It is an error to use a section registered as allowDefinition='MachineToApplication' beyond application level This error can be caused by a virtual directory not being configured as an application in IIS.

Everytime I failed to figure out what the problem was and instead I had to admit defeat and use a work-around :(

Well the error message is quite helpful for some people getting this error at runtime and tells them how to fix the problem - configure the web apps virtual directory to be an application. However, I'd been stumbling upon this delightful error when compiling projects - not at runtime!

Luckily I had a light bulb moment... the compiler was not referring to my main web.config for the application, but instead was moaning about a web.config within a sub directory of my application (a backup of the project). Deleting the backup sub directory solved my problems!

I got 99 problems but my web.config ain't one!

Tuesday, 8 June 2010

Handling Unexpected Exceptions in ASP.Net MVC

There are way too many yellow screens of death out there on the net for my liking. But rather than trying to bullet proof your MVC web apps by putting try catch blocks in all your MVC actions to handle unexpected exceptions, there is a far easier way to do it and it keeps your code nice and DRY - see my code snippet below:

public class BaseController : Controller
 protected override void OnException(ExceptionContext filterContext)
  // Record the error
  Log.Error("Unexpected error in controller", filterContext.Exception);

  // Uses customErrors element from web.config
  if (filterContext.HttpContext.IsCustomErrorEnabled)
   // Set exception as handled and status code 500
   filterContext.ExceptionHandled = true;
   filterContext.HttpContext.Response.StatusCode = (int)HttpStatusCode.InternalServerError;



I override the OnException method within a base controller for my other controllers to inherit from. Any unhandled exceptions in my action methods will hit this and I can gracefully log the exceptions and send the user to a helpful error view (as long as customErrors for the app are set to true) - it's worth noting I also set an appropriate HTTP status code :)

Thursday, 27 May 2010

Multiline Comments in Powershell

It's hard to believe but you can't do multiline comments in Powershell for some reason! Shame on you Microsoft! Here is a bit of a hack to allow you to right comments over multiple lines using a multiline string declaration:

This is a hack so
you can do a multiline
comment in powershell
'@ > $null

Points to note...

  • The closing '@ has to be in column 0
  • No whitespace allowed after the opening @'
  • Redirect the output (or cast to [void]) unless you want to see it on the console or in a log file

Wednesday, 26 May 2010

Internet Explorer 5.5 / 6 PNG Issues

Most web developers are aware of the IE alpha transparency problems with PNG images; or will be before long. A lot of developers use GIF images rather than the superior PNG format for this reason; which is a shame.

I was discussing the issue with Alex over at Prettier Pixels (a talented UK freelance website designer and builder) and he suggested this nifty IE PNG fix by TwinHelix that you can use to avoid the issues. Thanks Alex!

I long for the day when IE 6 support is no longer required!


I only managed 18 out of my 30 target for April and I've been too ashamed to post anything since :'(

Suppose I'd better get back on that horse and see if I can start getting some helpful blog posts back up on here!

Friday, 30 April 2010

Windows 2003 IIS Returns 404 for ASP.Net Pages

Had an issue on one of my virtual servers which wouldn't process any ASP.Net documents (aspx, asmx etc), but would just return a 404. However, it would happily return other resources such as htm, txt, css. There was no web application logging, no logs in event viewer I had nothing to go on, until I remembered I hadn't checked my IIS logs.

The logs showed requests for the ASP.Net documents and that a 404 was being returned. This part wasn't helpful but the logs also provide a sub status code which was 2:

#Fields: date time s-sitename s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip sc-status sc-substatus 
2008-02-27 12:39:13 W3SVC2 GET /default.aspx - 80 - 404 2

A quick Google led me to Microsofts IIS 6 pages explaining the sub status codes - bingo!

404.2 : "Web service extension lockdown policy prevents this request"

Knowing this and with the power of Google I resolved the issue in less than a minute. Just open the IIS6 interface, select the Web Service Extensions menu node, on the right you will see the web service extensions available - just select the ASP.Net extension and click the allow button.

IIS Web Extensions Menu

Finding a Client's Mac Address via Javascript

Unless a user is on an internal network, there is no way server-side (I know of) to retrieve the mac address of a user accessing a web page, simply because it isn't sent in the http headers for a request. Any attempt to analyze the underlying network communications server side is pointless as it will just return the MAC address for the last routing machine. However, it is possible to retrieve the mac address of the user simply using client-side Javascript in IE.


MAC Address

</body> </html>

Once you've accessed the WMI and got the MAC address you can even send the value server-side if necessary.

Implications: You are connecting to the WMI (Windows Management Instrumentation) for the local machine and therefore you may have a problem if your IE security settings are restrictive. Also, this won't work in non-IE browsers; only works for Windows operating systems. Not all that restrictive then?! ;)

Troubleshooting: If you get an 'automation server can't create object' error when running the script it is probably for one of the reasons below.

  • You need to enable 'Initialize and script ActiveX controls not marked as safe' on the security tab -> custom level options in IE
  • WMI isn't installed correctly
  • WMI isn't installed
  • Some other permission issue. Are you an administrator? If on Windows 2000 server, have you installed sp4?

P.S. Another plausible option is to use an ActiveX control in connecting to WMI.

User is not associated with a trusted SQL Server connection

Login failed for user 'username'. The user is not associated with a trusted SQL Server connection.

This is a common error when setting up SQL Server instances from scratch and takes just 30 secs to fix.

Basically the SQL server instance you are conecting to has been configured to operate in Windows Authentication Mode and doesn't allow the use of SQL accounts. So change the Authentication Mode of the SQL server from Windows Authentication Mode to Mixed Mode (Windows Authentication and SQL Server Authentication). To do this right click your SQL Server instance in Enterprise Manager/Management Studio, select security and you should see the option in there. Hope you didn't waste as much time as I did on this :)

HTML Email Newsletter Top Tips

Email newsletters are common place for advertising products, services and events. Considering its uses, it is easy to understand why HTML newsletters are king; who wants to send plain text emails when we can send fancy text and graphics?! Unfortunately there are a lot of email clients out there wanting the HTML in a particular manner. Below are some simple tips to get you started with your HTML email newsletter creation.

1. Tables for layout not CSS... Unfortunately, there are alot of email clients that were developed in the last ice age still being used. This means CSS is poorly and wildly interpreted in terms of displaying your newsletter's layout. It's back to tables for cross email application consistency.

2. Inline styles... Although CSS shouldn't be used for layout, it is fine to use simple CSS styling for the content of the email newsletter. Some email clients can strip out HTML head styles, so put the <styles section in the body tag, or even better, put the css styles inline.

<p style="color: red;">

3. Javascript... Put simply, no JavaScript allowed! Most email clients will just strip it out.

4. Test, test and test... First test the design in Chrome, Firefox and IE, chances are if it works in these then you should have a consistent design across the web email clients and most app email clients. Finally test with as many email applications as possible (outlook, outlook express, thunderbird, lotus notes etc).

Using the above tips you should achieve a fairly consistent viewing experience of your newsletter for recipients. If you are having consistency issues the links below may help.

A Guide to CSS Support in Email A top compatabilities article
Example table layouts
Useful email marketing blog
CSS support in HTML emails of Hotmail, Yahoo! Mail and Gmail
CSS and Email, Kissing in a Tree

Wednesday, 21 April 2010

Compile Your ASP.Net MVC Views

A big problem with ASP.Net MVC views is the amount of inline code you put in your views that could potentially result in errors that aren't apparent until runtime. Microsoft did spot this as a problem and kindly introduced a way of checking your views for compilation errors when you compile your source, here's how to enable the feature:

Open up your project file for editing either in Visual Studio by right clicking the project file and choosing 'Edit Project File' or just use your favourite text editor. At the top of the project file you'll see a PropertyGroup XML element with a child element of MvcBuildViews, change the value of this to true...


This results in a build event at the bottom of your project file getting called...


That's it! You now are that little bit more confident in your deploys :)

Further Points

Increase in Build Time and How to Avoid

This will add an overhead to your builds, so depending on the size of your MVC project this could extend your build time substantially. However, thanks to a discussion with some other team members at Esendex (Alex and Jon) there is a way of avoiding the overhead the majority of the time. Create a new project configuration in Visual Studio, called something like Debug with Views Compilation. This will add a new PropertyGroup section in your project file for this configuration. Set the MvcBuildViews element to true in this new section. Remember to ensure the default section value for MvcBuildViews is false but set the release section value to true.




Quite useful if you are working within your MVC app and not changing the views at all.

Problems with Non-Standard Project Builds

If you are building a standard MVC project on a developer machine then everything should work fine. If your MVC project isn't standard you may find you have to play with the PhysicalPath part of the AspNetCompiler. To get our CI build machine building this project I had to change the PhysicalPath value to $(WebProjectOutputDir), this value is passed in as a parameter when calling the build on your project.


MSBuild.exe myproject.web.csproj /target:Rebuild,ResolveReferences,_CopyWebApplication /p:Configuration=Release;

Hope this info is useful to someone out there!

Monday, 19 April 2010

Compiling .Net for a Specific Target Platform (Any CPU vs x86 vs x64)

Given my new dev machine runs Windows XP x64 (64 bit OS), I've been considering the implications of compiling the assemblies and executables for different target CPUs.

First of all, no matter what target CPU you select, the .Net compiler STILL compiles the source to the Common Intermidate Language (CIL). The executable or assembly being compiled is only affected by this setting to set the platform status information on the assembly’s Common Language Runtime (CLR) header. The CIL is only turned into native code by the CLR at runtime using the Just-in-time (JIT) compiler.

Now here's the important bits, so pay attention...

32 Bit Machine

  • Any-CPU executable will run as a 32 bit process, can load Any-CPU.dll and x86.dll but will get BadImageFormatException if it tries to load x64.dll.
  • x86 executable will run as a 32 bit process. It can load Any-CPU.dll and x86.dll but will get BadImageFormatException if it tries to load x64.dll.
  • x64 executable will not load. The framework will throw a BadImageFormatException if ran.

64 Bit Machine

  • Any-CPU executable will run as a 64 bit process. It can load Any-CPU.dll and x64.dll but will get BadImageFormatException if it tries to load x86.dll.
  • x86 executable will run as a 32 bit process (WOW64). It can load Any-CPU.dll and x86.dll but x64.dll will not load, the framework will throw a BadImageFormatException.
  • x64 executable will run as a 64 bit process. It can load Any-CPU.dll and x64.dll but x86.dll will not load, the framework will throw a BadImageFormatException.
Rule of thumb is... by limiting the CPU target at compilation you would be saying there is something being used by the assembly (something likely unmanaged) that requires 32 bits or 64 bits.

How to Install COM+ on x64

You'll need the x64 version of .Net installed and then just reference the regsvcs utility in the x64 install directory:

{SysDir}\Microsoft.NET\Framework64\v2.0.50727\regsvcs {assembly.dll}

Thursday, 15 April 2010

The Mappings for the Solution Could Not Be Found!

When trying to bind a disconnected project/solution from Visual SourceSafe in Visual Studio 2008/2010 you may get the following error:

The mappings for the solution could not be found

Fix by changing your source control plugin (Tools -> Options -> Source Control -> Plug-in Selection) to Microsoft Visual SourceSafe.

Wednesday, 14 April 2010

My Top 5 Firefox Plugins for Web Developers

Here are my favourite plugins for mine and every other decent web developers' favourite browser - Firefox :) All are essential in my day to day web development and I'd cry if you took them away...


The web development tool I use most. It keeps me sane when debugging strange web site behavior. Use it for inspecting markup for elements, css, modifying it in real-time, debugging javascript, analysing network usage and a whole lot more.


A Firefox addon that integrates with firebug (so you'll need to install that first). Great for analysing web site performance and suggesting performance improvements.

Web Developer

Adds a menu and toolbar to Firefox with lots of handy web developer tools, e.g. a link validator, a html validator, a 'small screen rendering' option for simulating mobile browsing and a bunch of other things too.


A web page analyser for reviewing your search engine optimisation criteria. Handy in its own right but very useful to the non SEO educated web developers out there.

IE Tab

A useful tool for easily and quickly viewing pages rendered as IE would. unfortunately this won't work for the very latest firefox release but hopefully they'll update the extension soon.

Tuesday, 13 April 2010

What is the aspnet_client Directory Used For?

The aspnet_client directory holds important javascript files used by ASP.Net sites for client side validation on web form controls. Although the directory isn't required for an ASP.Net site to run, it will affect behaviour of certain controls with client side validation enabled, so removing the directory should be avoided (unless you know what you are doing).

If you've removed it by mistake you can regenerate it by reinstalling the ASP.Net site using:

aspnet_regiis -c

Friday, 9 April 2010

When a Stand-Up Becomes a Sit Down

I'm not always a morning person, so when the morning stand-up meeting becomes extended I get a little frustrated.

To me the daily stand-up should take place every morning, within an hour but not first-thing (this gives people a chance to gather their thoughts/make coffee and wake-up). The meeting itself should be kicked off by the last person to attend, it should involve us standing in our project teams and involve us going around each team in turn. One member from each team have 3 questions to answer:

  • What have you done since yesterday? "Yesterday we did X"
  • What are you planning to do today? "Today we plan to do Y"
  • Do you have any problems preventing you from accomplishing your goal? "We currently have no problems" - (hopefully)

The stand-up is great for a brief update on what is happening in the team and the 3 questions should be answered clearly and concisely within 60 secs (no room for waffle and unnecessary details). The stand-up is also great for people to make commitments. So if a team says "Today we plan to complete X" ... the development team will be expecting that that team tomorrow to say "Yesterday we completed X" – it helps people realise commitments.

How to know when your stand-up ceases to be (a stand-up)...

  • The three questions aren't answered concisely and it takes > 60 secs
  • There is a discussion between two people resulting in ‘spectators’
  • People start losing interest and start staring out the window
  • Someone sits down ;)
These things ruin stand-ups, the rhythm that's supposed to be associated with it and an extended stand-up is detrimental to its purpose!

Thursday, 8 April 2010

Running IIS in 64 Bit Mode

Internet Information Services (IIS) 6.0 supports both the 32-bit mode and the 64-bit mode (as long as your OS is 64-bit too!). However IIS 6.0 does not support running both modes at the same time.

  • ASP.NET 1.1 runs only in 32-bit mode (but who's still using this?!)
  • ASP.NET 2.0 (and up) runs in 32-bit mode or in 64-bit mode
  • To run ASP.NET 1.1 and ASP.NET 2.0 web applications at the same time, you're stuck with IIS in 32-bit mode unfortunately

So here's how I setup IIS and ASP.Net to run in 64-bit mode:

  1. Go to command prompt
  2. Disable the 32-bit mode in IIS using the command line argument: cscript %SYSTEMDRIVE%\inetpub\adminscripts\adsutil.vbs SET W3SVC/AppPools/Enable32bitAppOnWin64 0
  3. Install the 64-bit version of ASP.NET 2.0 on IIS using the command line argument: %SYSTEMROOT%\Microsoft.NET\Framework64\v2.0.50727\aspnet_regiis.exe -i
  4. Make sure that the status of ASP.NET version 2.0.50727 is set to Allowed in the Web service extension list in IIS Manager. If you had been using ASP.Net in 32-bit mode before, you may need to Prohibit that version ASP.NET version 2.0.50727 (32 bit) first.

ASP.Net SQL Server Registration Tool & Session State

The ASP.NET SQL Server Registration tool is used to create a Microsoft SQL Server database for use by the SQL Server providers in ASP.NET, or to add or remove options from an existing database. The tool can be found @ Windows\Microsoft.NET\Framework\VERSION\aspnet_regsql.exe.

Run the executable without arguments to load the wizard, then use the wizard to create or modify database elements for the membership, role management, profile, web parts personalization, and health monitoring features.

SQL Session State (ASPState)

ASP.Net Session State supports several different storage options for session data. To make use of SQL Server Session State you'll need to create the ASPState database on your SQL server instance; but this database isn't created by the aspnet_regsql wizard. Instead you'll need to run the executable with additional arguments. Use MSDN for a full list of arguments available, below is the minimum you'll need to get it installed.

aspnet_regsql.exe -ssadd -S {SERVER} -U {USER} -P {PASSWORD}

The -ssadd command-line option == add the session state database

Wednesday, 7 April 2010

Public Queues Missing from Message Queuing

Ran into an issue on my newish Windows XP x64 dev machine today; my public queues were missing completely from Message Queuing! The dev team have all got new installs from the same image and I'm the only one with the problem; so I'm not sure what I've done :/

So I did some digging... Message Queuing integrates with active directory but due to an orphaned object my message queuing went into workgroup mode. There is this article on the Microsoft site that may help, but I solved the issue by uninstalling and re-installing Message Queuing.

Tuesday, 6 April 2010

Getting IIS to Forward All Requests to ASP.Net

Setting up IIS to send all requests to ASP.Net (e.g. for a HttpHandler for a ReST service or for an ASP.Net MVC web app) is straight forward with .Net and IIS.

1) First ensure that your web application can handle all requests

This is already done for you in an ASP.Net MVC web app. But if you are creating a custom HttpHandler to handle all requests you'll need to go to the httpHandlers section of your web.config file add a reference to your HttpHandler for all HTTP verbs and extensions:

      <add verb="*" path="*" type="your.assembly.reference"/>

2) Setup IIS to route all request to your handler

a) IIS 5/5.1 (Win XP)

  • Open the website properties in IIS
  • Select the Home tab
  • Click the Configuration button
  • In new window select the Mappings tab
  • Click the Add button
  • In new window's executable field Browse to the ASP.Net ISAPI dll (usually something like C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_isapi.dll)
  • In the Extension field type .*
  • Untick the Check that file exists box and click OK
N.B. There is a bug that if your OK button is not active you need to click the executable field text box, you should see the middle section of the text in the box change from /.../ to the full file path this should now make the OK button active.

b) IIS 6 (XP x64 & Windows Server 2003)

  • Open the website properties in IIS
  • Select the Home tab
  • Click the Configuration button
  • In new window select the Mappings tab
  • Insert an entry in to the Wildcard application maps with the ASP.Net ISAPI dll (usually something like C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_isapi.dll)
  • Untick the check that file exists box and click OK

You should now see all requests being handle via your handler. If you are having issues, you may want to look at your IIS logs - but where are my IIS logs?. Good luck!

IIS Returning 404s for ASP.Net Requests

This is a common error with new developer/server installs, where IIS (5 & 6) won't process any ASP.Net documents (aspx, asmx etc), but just return a 404. However, it would happily return other files such as htm, txt, css. Typically you won't get any application or event viewer logging, but just the often forgotten and rarely used IIS logs (see my article on Where Are My IIS logs? to find yours :)

The IIS logs show the requests for the ASP.Net documents and record a response status of 404 being returned. This part clearly isn't helpful, but the logs also provide a sub status code which were 2:

#Fields: date time s-sitename s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip sc-status sc-substatus 
2008-02-27 12:39:13 W3SVC2 GET /default.aspx - 80 - 404 2

A quick Google led me to Microsofts IIS 6 pages explaining the sub status codes - bingo!

404.2 : "Web service extension lockdown policy prevents this request"

With the power of Google I managed to resolve the issue in less than a minute. Just open the IIS interface, select the Web Service Extensions menu node, on the right you will see the web service extensions available - just select the ASP.Net extension and click the allow button.

IIS Web Extensions Menu

Where Are My IIS Logs?

Although you may have bucket loads of logging taking place in your web applications/sites, the IIS logs can be helpful in certain circumstances. Use the following steps to track down these tucked-away log files:

  1. Open Internet Information Services (IIS)
  2. Right-click the desired web site and select properties
  3. On the Web Site tab, at the bottom is the Active Log Format; select the properties button next to it
  4. You'll now have a box that contains the log file directory and the log file name. Together they make the full log path.

In this window you can also change useful settings like what request/response details are recorded in the logs. Some useful options not selected by default are bytes sent, bytes received and referrer (useful for tracking 404s in certain cases).

Extracting useful info from these log files is another blog post all together ;)

Thursday, 1 April 2010

The Big Three-O

I didn't do too bad in March with the blog; publishing 9 posts in all. Some of them were worth reading too!

In April I'm going to try and hit the big three-O; I'm going to try and post 30 blog entries and I promise at least half will be worth reading ;)

Wish me luck ...only 29 to go :)

Wednesday, 31 March 2010

Testing Private Methods in .Net

Some developers seem to be against testing private methods, that if you need to test private methods there is a design issue. I don't think I agree in all cases and extracting some method logic into another method for further testing seems valid to me. Having to make that method public (against it's design) just for testing purposes doesn't sit right, so I test private methods using the PrivateObject class found in the Visual Studio TestTools library...

public void IsValidInput_NumberString_ReturnsTrue()
 // Arrange 
 var myClass = new MyClassWithPrivateMethod();
 var privateObject = new PrivateObject(myClass);

 // Act
 bool result = (bool)privateObject.Invoke("IsValidInput", new object[] { "123" });

 // Assert

Powershell V2 on Windows XP x64 OS

Just had a mild heart attack... I couldn't find a download for Powershell V2 for Windows XP x64 OS! But turns out XP x64 is half XP - half Server 2003! So I've downloaded the Windows Server 2003 x64 install and it works fine!

Panic over! :)


Lots of talk regarding the .LESS (pronounced dot-less) library has prompted me to finally get around to incorporating it within one of my projects - and I'm impressed. .LESS extends on CSS, making your CSS dynamic. It allows you to work with your CSS more easily and without needing to repeat yourself by way of 4 powerful language enhancements:


Variables specify widely used values in one place such as site colours.

@companyRed: #eeeeee;

h1, h2   { color: @companyRed; } 
#banner  { color: @companyRed; }


Collecting sets of rules within a class and allowing other rules to add that class as a property.

.myMixinClass { 
   color: #ffffff; 
   text-align: center; 
   font-weight: bold; 

#banner   { .myMixinClass; padding: 30px; }
#footer   { .myMixinClass; padding: 0px; }


Perform simple math operations between related properties.

@defaultBorder: 1px;
@companyRed: #eeeeee;

#banner {
  color: @companyRed;
  border-left: @defaultBorder;
  border-right: @defaultBorder * 2;

#footer { 
  color: (@companyRed + #111) * 1.5;

Nested Rules

Avoid long selector names for specifying inheritance, allowing you simply to nest the rules making the CSS a lot more readable.

#header {
  color: red;
  a {
    font-weight: bold;
    text-decoration: none;

How does .LESS work?

These language enhancements are parsed and converted to valid CSS on the fly, or can be pre-compiled. It's amazingly easily to start working with and the homepage has all the info you'll probably ever need on .LESS - it really is that simple :)


.LESS removes comments by default and has built in support for minification and caching via the optional config values. Although if you are serious about performance I'd suggest using .LESS to compile your .LESS files to .css during the build and leave the caching and compression to IIS.

Gotchas to avoid...

  • Visual Studio 2008 won't know what type of file a .LESS file is, which means it opens it as a plain text file. There is a .LESS Visual Studio Integration Pack (if it asks you to login then click 'login as guest') that I recommend you getting so you have syntax highlighting at least - but I'm afraid intellisense won't be able to help you here.
  • Remember to make sure IIS is setup to forward .LESS resource requests to the ASP.Net engine (if you are working on MVC apps then it will by default).
  • Visual Studio won't set a build action on .LESS files, so remember to set build action to 'content' or the files won't be deployed.
  • As .LESS parses the file I noticed it fell over (didn't process the rest of the CSS file) on this particular CSS hack "border:none!important;" so you may need to rethink your hacks if .LESS doesn't like it.

Monday, 29 March 2010

Visual Studio Team Foundation Server Power Tools

I often forget to comment my check-ins and I'm getting fed up with having a big sign stuck to my monitor saying "Comment Your Check-Ins!". So I've decided to make use of Team Foundation Server Power Tools to enforce a custom check-in policy to ensure everyone checks in comments with their changesets.

Team Foundation Server Power Tools is a set of enhancements, tools and command-line utilities that improve the Team Foundation Server (TFS) user experience.

Other useful features of the add-on include the ability to enforce a 'testing policy' to ensure tests are run before check-in and an alert editor for enabling subscriptions to events (e.g. failed builds) in Team Foundation Server. A very useful add-on indeed :)

Thursday, 25 March 2010

How to Check if ASP.Net Debugger is Attached

Want to know how to check if the ASP.Net debugger is attached in code?


Visual Studio Build Actions Property

Each file within a .Net project has a build action property for specifying the build action on the file when a build is executed. Typically the buld action will be one of these:

  • None - The file is not included in the project output group and is not compiled in the build process. An example is a text file that contains documentation, such as a Readme file.
  • Compile - The file is compiled into the build output. This setting is used for code files.
  • Content - The file is not compiled, but is included in the Content output group. For example, this setting is the default value for an .htm or other kind of Web file.
  • Embedded Resource - This file is embedded in the main project build output as a DLL or executable. It is typically used for resource files.

However, this is not the definitive list as the build action property is extensible.

The default build action property set by Visual Studio is set according to the extension of the file that you add to the solution.

e.g. a Class.cs file would get a build action of compile as it's a code file - simples :)

Thursday, 4 March 2010

How to Zip and UnZip Using Powershell

Here are some easy-to-use functions for zipping up a directory and unzipping using Powershell. The functions use the opensource SharpZipLib library, a Zip, GZip, Tar and BZip2 library written entirely in C# for the .NET platform. So you'll need to download this and reference the SharpZipLib assembly in the appropriate place in the functions below.

function ZipFiles($sourcePath,$zipFilename)
   # Reference the SharpZipLib assembly here

   $zip = New-Object ICSharpCode.SharpZipLib.Zip.FastZip
   $zip.CreateZip($zipFilename,$sourcePath, $true,"")

function UnzipFiles($zipFilename,$destinationPath)
   # Reference the SharpZipLib assembly here

   $zip = New-Object ICSharpCode.SharpZipLib.Zip.FastZip

Powershell and Where to Begin...

Go to the Powershell website and download PowerShell. It isn't that obvious but it's part of the Windows Management Framework download. First time you run scripts you'll need to remove the restricted execution policy by running Powershell from the command line and running the command:

set-executionpolicy remotesigned

There is a bundled editor in the Powershell download but I use PowerShell GUI, it's quite a nice editor and has intellisense :)

jQuery .html() Problems in Internet Explorer

So I've developed my web application in firefox, all seems to be working fine but before I check-in I quickly check the application in the other major browsers; they all work great. All work great APART from IE!

In IE it turns out that the jQuery .html() attribute won't replace contents of first matched element unless the new HTML is valid (i.e. opening and closing tags match). Guess I can't complain with IE not liking the HTML I'm giving it when its imperfect. If only IE practiced what it preached! :)

// This fails in IE...
$('#someDivID').html("<div id='newDivID'><p>hello world</p></div></div>");

// This works in IE...

hello world


That is all.

Wednesday, 17 February 2010

Resx Resource Problems when Unit Testing

If you use resx files for something like translations in your web apps, you'll notice problems when unit testing as your web app won't be running in its natural state and those resources won't be loaded as normal. Typically you'll get the error...

Could not load file or assembly App_GlobalResources

I'm yet to find a decent solution for this problem but here's how I currently get around it in MVC apps. Here I'm replacing my dependency on Strings.resx in App_GlobalResources.

First thing to do is to create a ResourceManager property and make use of this instance within the class you're testing. Now whenever you need to make use of the resource you have to replace the normal syntax of Strings.FieldYouWant with StringsResource.GetString("FieldYouWant") as shown in the method MethodBeingTested().

public class MyController
   public ResourceManager StringsResource
      private set;

   public MyController()
       : this(Strings.ResourceManager)

   public MyController(ResourceManager stringsResourceManager)
      StringsResource = stringsResourceManager;

   public object MethodBeingTested()
      return new ContentResult( StringsResource.GetString("FieldYouWant") );

In your test project you'll need to create a Strings.resx mirrored source file and make use of this when testing MyController class. Do this by instantiating with a resource from the calling test assembly...

var stringsResource
   = new ResourceManager("test.assembly.Strings", Assembly.GetExecutingAssembly());
var controller = new MyController(stringsResource);
...not pretty, but at least you can run your unit tests without an exception slapping you around the face. Any one got a better solution?

Tuesday, 16 February 2010

Using Analytics to Track Events & AJAX Navigation

Google Analytics is THE way to record and analyse everything about the traffic on your site. Whilst it's real easy to setup you need to change the default behaviour if you want to record javascript events and AJAX navigation changes; this is how to do exactly that.

Analytics requires two things to work. You need the Analytics resource on the client...

<script type="text/javascript">
   var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");
   document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));
...and call the tracker with your unique ID (provided when you sign up)...
<script type="text/javascript">
   try {
      var pageTracker = _gat._getTracker("123456789");
   } catch (err) { }
...it's the pageTracker._trackPageview(); part that sends the data to Google Analytics. Without parameters the current URL is sent. However, you can override the default behaviour and pass the URL as an argument.

So change the second part to...

<script type="text/javascript">
   try {
      var pageTracker = _gat._getTracker("123456789");
   } catch (err) { }
...then you can call pageTracker._trackPageview('/My-Virtual-URL'); with your 'virtual' URLs at will - perfect for recording javascript events and AJAX navigation changes :)

Wednesday, 10 February 2010

Hudson as an Alternative to TFS

I've been looking at alternatives to Team Foundation Server for my latest project's continuous integration tool... and I think I've found it!

Hudson was suggested to me by a colleague (Jonathan Relf) after his attempts with Cruise Control became a little frustrating.

You'll have Hudson installed and building your projects in under an hour unless you're stupid or get carried away with the large number of plugins, including a Chuck Norris plugin ;)

Someone has too much time on their hands...

I particularly enjoyed...

  • VERY easy to setup
  • LOADS of plugins
  • Setup, monitioring and configuration is all through a nice web based interface

I'll keep you posted with how I get on.

Wednesday, 27 January 2010

Unit Test Naming Conventions

Unit test names can be horribly long and misleading at times. I particularly hate...


Naming them in a concise, clear manner is important but consistency is the key. I use a simple convention to help me with naming my test methods that I've seen others use.

// MethodNameBeingTested_Input_Output

Steve Sanderson suggested (on his blog) that we call this naming convention SSR (Subject, Scenario, Result), sounds good to me :)

IE AJAX Caching Issue

I don't want to pick on IE again (it has been less than 24 hours since my last post about IE), but I'm afraid I have to. I've been working on a new project recently that makes use of AJAX. I usually develop in Firefox and then fix all my IE problems afterwards. This time however one of my AJAX areas of the site seemed to rarely update in IE (if at all), other browsers were fine.

After some playing around I came to the conclusion that IE was caching my AJAX requests. You could argue that IE is right to cache the requests, as the HTTP spec states that GET requests should be cached. But given the browser knows a XMLHttpRequest is being made the caching is completely uneccessary/unwanted. Once I knew the problem the fix was easy. I just needed to append something random to the request URI, a number or timestamp for example.

So instead of requests to /Resource, just use /Resource?ie={random}. It's fairly straight forward to generate a random number in Javascript:

// Random number between 0 and 100

Realising that I wouldn't be alone in tackling the issue I found people used similar tactics to get around the problem. Another neat way is to change the request to be a POST.

IE6? Time to Upgrade Says Microsoft

IE6 we haven't been friends for a while now. We haven't been able to sit at the same desk for some time, around seven years without an argument starting.

Needless to say I am not in the least bit sad to hear you are finally being ousted by your makers; Microsoft are trying to get the heavily used browser's users to upgrade. Although web savvy users have updated their browser, Microsoft is targeting the tough cookies and touting its own IE 8 as a better alternative.

It's about time :)

Tuesday, 26 January 2010

Syntax Highlighter for C#, XML, SQL and More

I used SyntaxHighlighter before on my last blog and it is perfect for putting snippets of code up with your blog posts. Looks like its come on a treat too and even offers hosted source files for those of us without access to file hosting (and those of us too lazy). Would like to see them using a CDN for the hosted files though - maybe the Amazon S3 service.

Plugging the highlighter couldn't be easier, just refererence a few CSS and JS files. There's a quick explanation here of getting the hosted version working on your blog.

Example using syntax highlighter...

string output = "SyntaxHighlighter is brillo!";

// Tell the world...

Why oh why?! - Take 2

So I’d gone and done it. Finally created a new blog on the impressive tumblr platform. But soon ran into problems when I wanted archive and category features on the micro blogging platform. Not even the new kid on the block Posterious had all the features I needed. So I decided to come back on Blogger and give it another chance. After all it's quick, customisable and has all the features I need right now.

So why start a new blog anyway?… Well my last blog was getting around 3000 hits a month before I stopped posting entries around 18 months ago and its still getting 2000 now. I found posting little snippets for getting around bugs and problems I had stumbled across were not just good for me to record for future reference, but the blog posts that people found most useful.

Every developer uses the net to find solutions for the problems they come across and this blog is my contribution to the developer communities; hope you find something useful :)