.Net MVC – Display a user’s Full Name instead of User.Identity.Name (DOMAIN\USERNAME)

I had a request come in on an MVC web app to display a user’s full name instead of their domain network username. The app was using something like:

<p>Hello, @User.Identity.Name</p>

which displayed like:

Hello, MYDOMAIN\myusername!

So to update this on the MVC web app (and avoid a dedicated helper) here is what I did:

In your _ViewImports.cshtml include:

@using System.DirectoryServices.AccountManagement

Then, in your _Layouts.cshtml place this:

@{
    // Bind to the current domain and look up the logged-in user by their
    // DOMAIN\username. FindByIdentity returns null if no matching account is found.
    var context = new PrincipalContext(ContextType.Domain);
    var principal = UserPrincipal.FindByIdentity(context, User.Identity.Name);
}

The above looks up the currently logged-in user in the domain and returns their directory attributes as a UserPrincipal. Other attributes on the principal are available for other purposes, too.

Now, in your _Layouts.cshtml you can switch your original hello item to:

<p>Hello, @principal.GivenName @principal.Surname!</p>

You should get a friendlier format like:

Hello, Jared Meredith!

Hope that helps. Questions or comments are always welcome!

Dealing with SSLv3 Padding Oracle On Downgraded Legacy Encryption Vulnerability (POODLE)

A lot of you may be getting emails from your sys admins telling you about needing to protect yourself from the POODLE vulnerability. I wanted to post what I did to bring my servers into compliance.

I used a tool called IISCrypto to apply its best practice template to the server from the command line. It can also put the server into PCI, PCI31 or FIPS140 compliance.

Here’s what I ran to get it fixed:

[screenshot of the IISCrypto command line]

They also offer a GUI that you can run to see exactly what’s being used. Here’s the dialog after I applied the command above, confirming the removal of PCT 1.0 and SSL 2.0/3.0:

[screenshot of the IISCrypto GUI]

My recommendation would be to deploy the command line version of the tool, run the best practice template, let it apply, and restart the box.

However, if you would rather not use a third-party tool, you can follow Microsoft’s suggested actions to update the registry entries and build a .reg script to run.
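As an added example (not IISCrypto and not the command from the original post), here is that registry route written in PowerShell: it disables PCT 1.0, SSL 2.0 and SSL 3.0 on the server side under the SCHANNEL key and reads the values back so you can confirm the change before rebooting. The protocol list and key paths are the ones Microsoft documents for SCHANNEL; nothing else is assumed.

```powershell
# Added example: disable legacy SCHANNEL protocols via the registry, the
# alternative to a third-party tool. Run from an elevated PowerShell prompt;
# the server must be rebooted afterwards for SCHANNEL to pick up the change.
$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$legacy   = @('PCT 1.0', 'SSL 2.0', 'SSL 3.0')

function Disable-LegacyProtocol {
    param([string]$Protocol)
    # Server side only: this box terminates TLS, client behaviour is left alone.
    $key = Join-Path $schannel "$Protocol\Server"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # Enabled=0 turns the protocol off; DisabledByDefault=1 keeps it off even
    # when an application does not request a specific protocol set.
    New-ItemProperty -Path $key -Name 'Enabled' -Value 0 -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $key -Name 'DisabledByDefault' -Value 1 -PropertyType DWord -Force | Out-Null
}

function Get-LegacyProtocolState {
    param([string]$Protocol)
    $key = Join-Path $schannel "$Protocol\Server"
    if (-not (Test-Path $key)) { return "$Protocol : key missing (OS default applies)" }
    $v = Get-ItemProperty -Path $key
    $enabled = if ($null -eq $v.Enabled) { 'unset' } else { $v.Enabled }
    $byDefault = if ($null -eq $v.DisabledByDefault) { 'unset' } else { $v.DisabledByDefault }
    return "$Protocol : Enabled=$enabled DisabledByDefault=$byDefault"
}

foreach ($p in $legacy) { Disable-LegacyProtocol -Protocol $p }
# Read back each protocol's state; every line should show Enabled=0 DisabledByDefault=1.
$legacy | ForEach-Object { Get-LegacyProtocolState -Protocol $_ }
Write-Host 'Reboot the server for the SCHANNEL changes to take effect.'
```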

Hope this helps.

Troubleshooting “Could not load file or assembly ‘DotNetOpenAuth.Core, Version=4.1.0.0, Culture=neutral, PublicKeyToken=2780ccd10d57b246’ or one of its dependencies”

The Issue:

After I updated .Net Core on my developer machine to a newer version, I went to debug a web application I had and received this error:

Could not load file or assembly 'DotNetOpenAuth.Core, Version=4.1.0.0, Culture=neutral, PublicKeyToken=2780ccd10d57b246' or one of its dependencies. The located assembly's manifest definition does not match the assembly reference. (Exception from HRESULT: 0x80131040)

The Problem:

Here is what I had in my config prior to the update install:

  <runtime>
    <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
      <dependentAssembly>
        <assemblyIdentity name="DotNetOpenAuth.Core" publicKeyToken="2780ccd10d57b246" />
        <bindingRedirect oldVersion="1.0.0.0-4.0.0.0" newVersion="4.1.0.0" />
      </dependentAssembly>
      <dependentAssembly>
        <assemblyIdentity name="DotNetOpenAuth.AspNet" publicKeyToken="2780ccd10d57b246" />
        <bindingRedirect oldVersion="1.0.0.0-4.0.0.0" newVersion="4.1.0.0" />
      </dependentAssembly>
      <dependentAssembly>
        <assemblyIdentity name="EntityFramework" publicKeyToken="b77a5c561934e089" />
        <bindingRedirect oldVersion="0.0.0.0-6.0.0.0" newVersion="6.0.0.0" />
      </dependentAssembly>
    </assemblyBinding>
  </runtime>

I had outdated references in my config file.

The Solution:

Ensure your references get updated after you update your development environment.

Here is what I updated to:

  <runtime>
    <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
      <dependentAssembly>
        <assemblyIdentity name="DotNetOpenAuth.AspNet" publicKeyToken="2780ccd10d57b246" culture="neutral" />
        <bindingRedirect oldVersion="0.0.0.0-4.3.0.0" newVersion="4.3.0.0" />
      </dependentAssembly>
      <dependentAssembly>
        <assemblyIdentity name="DotNetOpenAuth.Core" publicKeyToken="2780ccd10d57b246" culture="neutral" />
        <bindingRedirect oldVersion="0.0.0.0-4.3.0.0" newVersion="4.3.0.0" />
      </dependentAssembly>
      <dependentAssembly>
        <assemblyIdentity name="EntityFramework" publicKeyToken="b77a5c561934e089" />
        <bindingRedirect oldVersion="0.0.0.0-6.0.0.0" newVersion="6.0.0.0" />
      </dependentAssembly>
    </assemblyBinding>
  </runtime>

Hope that helps. Questions are always welcome.

Ubuntu 12.04.5 LTS to 14.04.4 LTS Upgrade on Apache Web Server – Steps, Issues/Fixes & Tips

I was recently upgrading an Ubuntu server from 12.04.5 LTS to 14.04.4 LTS and for the most part had a pleasant experience. I’m going to document the steps I used for the upgrade below and comment on any issues I found (and tips to fix them).

  • I ran the following to download the most up-to-date set of updates and packages to upgrade on the system:
sudo apt-get update

Issue: When I was first experimenting on a clone, I noticed that after running this command I received a bunch of 503s on the apt-get attempt.

Fix: After opening up the firewall to allow outbound traffic to http://us.archive.ubuntu.com, the Get attempts were successful.

  • Once I received the most up-to-date set of updates and packages I ran the command to perform the upgrade:
sudo do-release-upgrade -d

Tips:

  • You may be prompted about disabling ssh authentication for root. If you are unsure whether this was previously enabled or disabled, my recommendation is that you leave the default of “No” and enable it after the fact if you need it.

[screenshot: root SSH login warning prompt during the 14.04 upgrade]

  • If prompted about automatically restarting services without notification, you may want to consider saying no if you have a significant number of upgrades.


Once the upgrade/removal process is complete you are (usually) prompted to restart the server itself. If you are not prompted, you can run the following command to restart the server:

sudo reboot

Now you should have your server upgraded and up to date. This should mean your web site comes right up without problems, right? Wrong. Chances are you need to go and verify everything still runs after the upgrade. I’ll show the issues I ran into below as proof of that.

Issue: All web sites that previously worked before the upgrade now come up with “401 Unauthorized”

Fix: As a part of the Apache2 update in Ubuntu 14.04.4, all of the virtual host files in the /etc/apache2/sites-enabled folder have to be updated to have .conf appended to them.

In this example I had a file called my.website.com that needed to become my.website.com.conf; I made this change using:

cp my.website.com my.website.com.conf

Once I updated all of the files to use .conf related to my web sites I restarted apache2 to enforce the changes:

sudo /etc/init.d/apache2 restart

After this I was able to see my sites as I expected. Now I am seeing some odd error messages at the top of the pages… let’s dig a bit more.

Issue: I started getting some unhandled error exceptions (error number 8192) coming from some error handling code

Here was the snippet before I made changes that had the problem:

$errorTypeLookup = array (
E_ERROR           => 'PHP Fatal error',
E_DB_ERROR        => 'Database Error',
E_SYSTEM_ERROR    => 'System Error',
E_SECURITY_ERROR  => 'Security Error',
E_VISIBLE         => 'Warning',
E_WARNING         => 'PHP Warning',
E_PARSE           => 'PHP Parse error',
E_NOTICE          => 'PHP Notice',
E_CORE_WARNING    => 'PHP Core Warning',
E_COMPILE_WARNING => 'PHP Compile Warning',
E_USER_WARNING    => 'User Warning',
E_USER_NOTICE     => 'User Notice',
E_STRICT          => 'PHP Runtime Notice',
);

Fix: If you read up on the PHP error function constants you’ll find 3-4 newer ones introduced after PHP 5.2. The one in particular that I needed to add (related to 8192) was E_DEPRECATED. After I added it (and a couple of others) and restarted apache2, those particular issues went away. Below is my updated snippet:

$errorTypeLookup = array (
E_ERROR             => 'PHP Fatal error',
E_DB_ERROR          => 'Database Error',
E_SYSTEM_ERROR      => 'System Error',
E_SECURITY_ERROR    => 'Security Error',
E_RECOVERABLE_ERROR => 'Recoverable Error',
E_DEPRECATED        => 'Deprecated',
E_USER_DEPRECATED   => 'User Deprecated',
E_VISIBLE           => 'Warning',
E_WARNING           => 'PHP Warning',
E_PARSE             => 'PHP Parse error',
E_NOTICE            => 'PHP Notice',
E_CORE_WARNING      => 'PHP Core Warning',
E_COMPILE_WARNING   => 'PHP Compile Warning',
E_USER_WARNING      => 'User Warning',
E_USER_NOTICE       => 'User Notice',
E_STRICT            => 'PHP Runtime Notice',
);

After I worked through these issues my web sites functioned as expected. Please understand that these steps and issues/fixes will vary depending on your own web sites/apps. The good thing is that for the most part what is documented on the internet will usually help guide you through the particular problems you are facing. I hope this helps, questions are always welcome.


Encrypting .NET Config Files in a Shared Development Environment

This page will attempt to describe how to encrypt sensitive information contained in .NET config files using the RSA Key Container, as well as how to export/import the key from that container so that other developers may use the same key to work on the same project.

Helpful Tips: The aspnet_regiis.exe utility must be run as an administrator, otherwise you may receive “duplicate object” errors. In addition, you will want to run Visual Studio as an administrator to ensure the program has access to the RSA Key Container store.

Creating a Custom RSA Key Container

In this part we will create an RSA key container by using aspnet_regiis.exe with the -pc option. RSA key containers must be identified as either user-level (by using the -pku option) or machine-level (by not using the -pku option); here we create a machine-level container. For more information about machine-level and user-level RSA key containers, see Understanding Machine-Level and User-Level RSA Key Containers.

In this example the following command will create an RSA key container named SampleKeys that is a machine-level key container and is exportable:

cd \WINDOWS\Microsoft.Net\Framework\v4.0.*
aspnet_regiis -pc "SampleKeys" -exp

Adding your provider to the web.config

The following example shows the configProtectedData section of a Web.config file. The section specifies an RsaProtectedConfigurationProvider that uses a machine-level RSA key container named SampleKeys.

<configProtectedData>
   <providers>
    <add keyContainerName="SampleKeys" useMachineContainer="true" description="RsaCryptoServiceProvider" name="SampleKeys" type="System.Configuration.RsaProtectedConfigurationProvider,System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
   </providers>
</configProtectedData>

Importing and Exporting the Key Container

In order for another developer to run your project (encrypted with your key), you will need to export the key for them to use:

aspnet_regiis -px "SampleKeys" "C:\keys.xml" -pri

Once you pass this file along, the other user imports it with the following command:

aspnet_regiis -pi "SampleKeys" "C:\keys.xml"

If this is a machine-level container, the code should now run without the need to assign permissions. However, if it’s a user container (i.e. your app pool is run by a specific user or service account), additional permissions may need to be assigned:

aspnet_regiis -pa "SampleKeys" "NT AUTHORITY\NETWORK SERVICE"
aspnet_regiis -pa "SampleKeys" "[impersonation account]"

To use the default RsaProtectedConfigurationProvider specified in the machine configuration, you must first grant the application’s Windows identity access to the machine key container named NetFrameworkConfigurationKey, which is the key container specified for the default provider. For example, the following command grants the NETWORK SERVICE account access to the RSA key container used by the default RsaProtectedConfigurationProvider:

aspnet_regiis -pa "NetFrameworkConfigurationKey" "NT AUTHORITY\NETWORK SERVICE"

Encrypting and Decrypting Config Sections

.NET allows specific sections of a config file to be encrypted, so non-sensitive information can still be accessed. To encrypt a section:

aspnet_regiis -pef [section] [path] -prov [provider]

Where [section] is the name of the config section, relative to the configuration tag. [path] is the relative path to the directory containing the web.config file. For example, the following commands will encrypt the appSettings section as well as the impersonation credentials:

cd C:\SolutionFolder
aspnet_regiis -pef appSettings ProjectFolder -prov SampleKeys
aspnet_regiis -pef system.web/identity ProjectFolder -prov SampleKeys

To decrypt the appSettings section:

aspnet_regiis -pdf appSettings ProjectFolder

Partially Encrypting a Section

It may be necessary to only encrypt part of a section in a web.config file. For example, the appSettings section may contain many non-sensitive keys and only a subset with sensitive information. To encrypt only a few keys, a second appSettings section must be created and the sensitive keys moved into it. The keys are accessed exactly the same way in the code, so no coding changes are needed.

First, register a new section name called secureAppSettings by placing the following XML under the configuration node:

<configSections>
    <section name="secureAppSettings" type="System.Configuration.NameValueSectionHandler, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
</configSections>

Next, create a new section called secureAppSettings and move the sensitive keys under it:

<secureAppSettings>
    <add key="Username" value="XXX" />
    <add key="Password" value="XXX" />
</secureAppSettings>
<appSettings>
    <add key="NotSensitive" value="XXX" />
</appSettings>

Finally, the new secure section can be encrypted and decrypted independently of the existing appSettings section:

aspnet_regiis -pef secureAppSettings ProjectFolder -prov ProviderName

App.config

This Microsoft utility was designed for web.config files. It will not find app.config files for other project types. To encrypt these config files, just rename them to web.config prior to encrypting, then rename back afterwards.
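As an added example (not Microsoft’s tooling or the post’s own commands), the following PowerShell script wraps the encryption steps above for both web.config and app.config projects: it temporarily renames an app.config to web.config as just described, encrypts the requested sections with the named provider, renames the file back, and then parses the config to confirm each section now carries a configProtectionProvider attribute and an EncryptedData element instead of plaintext. The provider name SampleKeys comes from the configProtectedData section above; the project folder path is an assumption.

```powershell
# Added example: encrypt config sections with aspnet_regiis and verify the result.
# Assumes the provider registered above is named 'SampleKeys'; the folder is a placeholder.
param(
    [string]$ProjectFolder = 'C:\SolutionFolder\ProjectFolder',   # assumed path
    [string[]]$Sections    = @('appSettings', 'system.web/identity'),
    [string]$Provider      = 'SampleKeys'
)

# aspnet_regiis ships with the .NET Framework 4.x runtime.
$regiis = Join-Path $env:windir 'Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe'

function Protect-ConfigSections {
    param([string]$Folder, [string[]]$SectionNames, [string]$ProviderName)
    $appConfig = Join-Path $Folder 'app.config'
    $webConfig = Join-Path $Folder 'web.config'
    # The tool only looks for web.config; for other project types rename
    # app.config for the duration of the run and put it back afterwards.
    $renamed = (Test-Path $appConfig) -and -not (Test-Path $webConfig)
    if ($renamed) { Rename-Item $appConfig 'web.config' }
    try {
        foreach ($s in $SectionNames) {
            & $regiis -pef $s $Folder -prov $ProviderName
            if ($LASTEXITCODE -ne 0) { throw "aspnet_regiis failed on section '$s'" }
        }
    } finally {
        if ($renamed) { Rename-Item $webConfig 'app.config' }
    }
}

function Test-SectionEncrypted {
    param([string]$ConfigPath, [string]$SectionName)
    [xml]$doc = Get-Content -Raw $ConfigPath
    # Section names are paths relative to <configuration>, e.g. system.web/identity.
    $node = $doc.SelectSingleNode("/configuration/$SectionName")
    if ($null -eq $node) { return $false }
    # An encrypted section keeps its element name but gains the provider attribute
    # and an <EncryptedData> child (xmlenc namespace, hence local-name()).
    $hasProvider = $node.GetAttribute('configProtectionProvider') -ne ''
    $hasCipher   = $null -ne $node.SelectSingleNode('*[local-name()="EncryptedData"]')
    return ($hasProvider -and $hasCipher)
}

Protect-ConfigSections -Folder $ProjectFolder -SectionNames $Sections -ProviderName $Provider
$configPath = Join-Path $ProjectFolder 'web.config'
if (-not (Test-Path $configPath)) { $configPath = Join-Path $ProjectFolder 'app.config' }
foreach ($s in $Sections) {
    "$s encrypted: $(Test-SectionEncrypted -ConfigPath $configPath -SectionName $s)"
}
```

Run it from an elevated prompt, as the Helpful Tips note above requires; a section that still shows false was either not found under <configuration> or was left in plaintext.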


How To Fix “no exports were found that match the constraint” In Visual Studio

So, you have that “no exports were found that match the constraint” message in Visual Studio, eh?

The first thing I would try on the affected version of Visual Studio is to go to Programs and Features, select the version and pick Change:

When that loads, let it repair. Once it finishes, see if that resolves the issue.

If it does not, a more manual method is to delete all of the contents of the ComponentModelCache folder from the following location (for whichever VS version is affected):

Put your username in the path:

VS 2012:

C:\Users\username\AppData\Local\Microsoft\VisualStudio\11.0\ComponentModelCache

VS 2013:

C:\Users\username\AppData\Local\Microsoft\VisualStudio\12.0\ComponentModelCache

VS 2015:

C:\Users\username\AppData\Local\Microsoft\VisualStudio\14.0\ComponentModelCache


If that fails there is also a patch that they released in response: https://www.microsoft.com/en-in/download/confirmation.aspx?id=36020#

Redirect All HTTP to HTTPS in WordPress with .htaccess

I recently had a request from a client to force all web traffic on a WordPress site (www or no www) over HTTPS. With all of the up-and-coming security issues that stem from HTTP-only traffic, it is a must. Why, you ask? Well, unless you are explicitly doing this already, users may be able to browse your site with no encryption and have that traffic intercepted. If you have an SSL certificate but have not done this to your WordPress site, then please do so!

Edit your .htaccess file and append this somewhere at the bottom (and change your website URL to the URL that is associated with the SSL certificate):

RewriteCond %{HTTPS} !^on$
RewriteRule (.*) https://www.example.com/$1 [R,L]

After this you should see all HTTP browsing of your site automatically redirected to HTTPS. Note: in some cases you will also have to update all the links and content of your site to use HTTPS links. There are useful plugins out there that can assist with a bulk conversion. Otherwise your users will not get the padlock icon on the page (and in some cases the page will not render entirely). Happy securing! Hope this helps, questions are always welcome.