While building a new Web Deployment project, I received the error "Unable to build project output group 'Content Files from (Active)." I checked all of my settings and everything seemed to be correct.

I found a support article on Microsoft's Help and Support site describing why this occurs. Apparently, if you have missing files in your project this will happen. In this case, it turns out that a folder of images had been moved in the source tree but not in the project file. This was causing them to all show the the yellow exclamation symbol. Even though the project has "warnings as errors" turned on, the compiler will not complain about missing content files since it does not need to do anything with them.

If you get the error, quickly scan the project you're deploying for any missing files. It will be a file with the Build Action set to Content.

Last week I was tasked with changing our build script from using sql scripts to build the database, to running sql scripts to backup and restore a "gold standard" database. Aside from a few permission issues, things went mostly well. However, in the process I updated MSBuild Community Tasks to the nightly build version. I had an error I thought it might help with, but it turned out not to be the case. I kept the unreleased version in production because it generated clearer messages in the ExecuteDDL task. For those of you that don't know, version 1.2.0.306 gives truly awful information in the event a sql script fails.

Fast forward to tonight. I had to roll out a demonstration version of the software from the previous iteration. This meant changing views in the source control system so it would execute the previous versions scripts. When I ran it, received this error (traceable info changed): C:\MyData\Project\base\src\Project.proj (1550,3):  error : ProjectCDDB: Error # -2 on Line 0: Timeout expired. The timeout period elapsed prior to completion of the operation or the server is not responding.

I used the ultracool "MSBuild Output" report to get color coding so I could easily trace down which file was causing the error. I then looked at it's size. Sure enough, it was a beast. But it used to run, and it worked when I manually executed it, so what was different? MSBuild Community Tasks, of course.

I pulled down the latest source and opened up ExecuteDDL. Sure enough, there was a new property in the class... StatementTimeout, defaulted to 30 seconds. That's probably not the best timeout for a sql script that exceeds 5 megabytes.

I changed the timeout to 120 seconds; yet another problem solved. I suppose this sort of thing is bound to happen when you're changing version of libraries and then forced to use chronomancy to pretend it's a month in the past.

The examples I showed in my C# 3.0 presentation were based on the examples provided in the Visual Studio 2008 Training Kit. The source code for the new features in C# 3.0 are located, by default, in C:\VS2008TrainingKit\Labs\WhatsNewC#. There are other great labs in this kit as well.

• Building Web Apps
• Building WPF Apps
• CardSpace
• Client Application Services
• Dynamic Sites
• Intro to ASP.NET Ajax
• JSON
• LINQ to SQL
• Silverlight Monster Factory
• LINQ in VB9
• VSTO (Excel, Outlook, SharePoint, Word)
• Windows Communication Foundation
• Windows Workflow Foundation
• What's New in VB9
• Workflow Services
• WPF Data Binding

That's an exhausting list of material to learn!

Of course, code alone doesn't give you a lot of information. Here are the topics I touched upon with links to MSDN.

C# 2.0

·         Partial Types

·         Aliases

·         Static Classes

·         Property Access Modifiers

·         Generics

·         Nullable Types

·         Null coalescing operator

·         yield

·         Delegates

o   Inference

o   Covariance/Contravariance

o   Anonymous methods

 

C# 3.0

·         Auto-Implemented Properties

·         Object and Collection Initializers

·         Implicitly typed variables

·         Anonymous types

·         Extension Methods

·         Lambda Expressions

·         Expression Trees

·         LINQ

I am presenting on new language features in C# 3.0 at the inaugral meeting of the Augusta Developers Guild tonight. It will be nearly devoid of slides, as I've decided the words on the screen will be more of a distraction than anything. So, let's code, lambda!

The patterns & practices WCF Security Guidance project has released the the WCF 3.5 Security Guidelines. This is useful if you're trying to follow the best practices for securing your services.

Here are the categories and topics for the initial release of the guidelines. For more in depth information, go to the site.  

Categories

• Auditing and Logging
• Authentication
• Authorization
• Binding
• Configuration Management
• Exception Management
• Hosting
• Impersonation and Delegation
• Input/Data Validation
• Proxy Considerations
• Deployment considerations 

Auditing and Logging

• Use WCF auditing to audit your service
• If non-repudiation is important, consider setting SuppressAuditFailure property to false
• Use message logging to log operations on your service
• Instrument for user management events
• Instrument for significant business operations
• Protect log files from unauthorized access
• Do not log sensitive information

Authentication

• Know your authentication options
• Use Windows Authentication when you can
• If you support non-WCF clients using windows authentication and message security, consider using the Kerberos direct option
• If your users are in AD, but you can’t use windows authentication, consider using username authentication
• If your clients have certificates, consider using client certificate authentication
• If you need to streamline certificate distribution to your clients for message encryption, consider using the negotiate credentials option
• If your users are in a custom store, consider using username authentication with a custom validator
• If your users are in a SQL membership store, use the SQL Membership Provider
• If your partner applications need to be authenticated when calling WCF services, use client certificate authentication.
• If you are using username authentication, use SQL Server Membership Provider instead of custom authentication
• If you need to support intermediaries and a variety of transports between client and service, use message security to protect credentials
• If you are using username authentication, validate user login information
• Do not store passwords directly in the user store
• Enforce strong passwords
• Protect access to your credential store
• If you are using Windows Forms to connect to WCF, do not cache credentials

Authorization

• If you use ASP.NET roles, use the ASP.NET Role Provider
• If you use windows groups for authorization, use ASP.NET Role Provider with AspNetWindowsTokenRoleProvider
• If you store role information in SQL, consider using the SQL Server Role Provider for roles authorization
• If you store role information in Windows Groups, consider using the WCF PrincipalPermissionAttribute class for roles authorization
• If you need to authorize access to WCF operations, use declarative authorization
• If you need to perform fine-grained authorization based on business logic, use imperative authorization

Binding

• If you need to support clients over the internet, consider using wsHttpBinding.
• If you need to expose your WCF service to legacy clients as an ASMX web service, use basicHttpBinding
• If you need to support remote WCF clients within an intranet, consider using netTcpBinding.
• If you need to support local WCF clients, consider using netNamedPipeBinding.
• If you need to support disconnected queued calls, use netMsmqBinding.
• If you need to support bidirectional communication between WCF Client and WCF service, use wsDualHttpBinding.

Configuration Management

• Use Replay detection to protect against message replay attacks
• If you host your service in a Windows service, expose a metadata exchange (mex) binding
• If you don’t want to expose your WSDL, turn off HttpGetEnabled and metadata exchange (mex)
• Manage bindings and endpoints in config not code
• Associate names with the service configuration when you create service behavior, endpoint behavior, and binding configuration
• Encrypt configuration sections that contain sensitive data

Exception Management

• Use structured exception handling
• Do not divulge exception details to clients in production
• Use a fault contract to return error information to clients
• Use a global exception handler to catch unhandled exceptions

Hosting

• If you are hosting your service in a Windows Service, use a least privileged custom domain account
• If you are hosting your service in IIS, use a least privileged service account
• Use IIS to host your service unless you need to use a transport that IIS does not support

Impersonation and Delegation

• Know the impersonation options
• If you have to flow the original caller, use constrained delegation
• Consider LogonUser when you need to impersonate but you don’t have trusted delegation
• Consider S4U when you need a Windows token and you don’t have the original caller’s credentials
• Use programmatic impersonation to impersonate based on business logic
• When impersonating programmatically be sure to revert to original context
• Only impersonate on operations that require it
• Use OperationBehavior to impersonate declaratively

Input/Data Validation

• If you need to validate parameters, use parameter inspectors
• If your service has operations that accept message or data contracts, use schemas to validate your messages
• If you need to do schema validation, use message inspectors
• Validate operation parameters for length, range, format and type
• Validate parameter input on the server
• Validate service responses on the client
• Do not rely on client-side validation
• Avoid user-supplied file name and path input
• Do not echo untrusted input

Proxy Considerations

• Publish your metadata over HTTPS to protect your clients from proxy spoofing
• If you turn off mutual authentication, be aware of service spoofing

Deployment considerations

• Do not use temporary certificates in production
• If you are using a custom domain account in the identity pool for your WCF application, create an SPN for Kerberos to authenticate the client.
• If you are using a custom service account and need to use trusted for delegation, create an SPN
• If you are hosting your service in a Windows Service, using a custom domain identity, and ASP.NET needs to use constrained trusted for delegation when calling the service, create an SPN
• Use IIS to host your service unless you need to use a transport that IIS does not support
• Use a least privileged account to run your WCF service
• Protect sensitive data in your configuration files

My Related Posts

Microsoft has released a training kit for .NET Framework 3.5 Enhancements. It includes labs, demos, and Power Point files for the following technologies:

• ASP.NET MVC
• ASP.NET Dynamic Data
• ASP.NET AJAX History
• ASP.NET Silverlight controls
• ADO.NET Data Services
• ADO.NET Entity Framework

I've been busy since the South Florida Code Camp. I've been promoted to the Architecture Team on the South Carolina Integrated Tax System project, and I've been to two more code camps.

The speaker list was already full when I tried to get in on the Raleigh Code Camp. I was still able to do a session on Continuous Integration due to another speaker's VM crashing. I had very few attendees since it wasn't advertised. However, as long as I have one person interested in the topic then I'm good to go.

Last weekend I did two sessions at the Roanoke Code Camp. The Design Principles presentation went very well, with enough crowd participation to keep it interesting. The Continuous Integration session went smoothly, but the crowd was somewhat quiet. Afterwards, one of the attendees told me that he thought it was a follow-up to the Design Principles session (apparently confusing MSBuild with Building Software). So, it's possible the crowd was quiet because they had no background in what I was presenting on. This was exacerbated by the fact I was in the same room.

From now on, if I'm going to do multiple sessions I will try to do related topics (design or agile processes) or request to be in different rooms.

This coming Wednesday I will be presenting on Continuous Integration at the Triangle .Net User Group in Raleigh. I've currently been running two 30 minute modules: 1) MSBuild, 2) CI / Cruise Control.NET. I will put together a new module this weekend so I can fill out the time more appropriately for a user group meeting. I'll probably take it back to fleshing out the build process with running more tests and integrating the generated reports into CruiseControl.NET.

After next week, I will have done 8 sessions at 6 events in 5 locations. It's still early in the year so perhaps I should set my goal to 20 locations instead of 20 events? When do you want me to come to Charleston, Lou?

The WPF Team at Microsoft has posted the 0.1 edition of the WPF Application Quality Guide. There's still a lot missing, but it does have good tips on how to set up your WPF application for automated testing.

Here's a list of tools they recommend for performance profiling:

Using Performance Profiling Tools for WPF.

Event Trace. Use this tool for analyzing events and generating event log files.

Perforator. Use this tool for analyzing rendering behavior.

ETW Trace Viewer. Use this tool to record, display, and browse Event Tracing for Windows (ETW) log files in a WPF user-interface format.

Visual Profiler. Use this tool for profiling the use of WPF services, such as layout and event handling, by elements in the visual tree.

Working Set Analyzer. Use this tool for analyzing the working set characteristics of your application.

I also feel the need to plug the best visualizer out there, Mole!

Earlier I wrote about how I felt pwned during my first session at the South Florida Code Camp.

Luckily, things turned around during my second session. I was unable to turn it in a discussion as I had planned. The room was still set up to serve presentations, and some of the people I would have liked to have in the discussion (like Scott Dorman) were busy with their own sessions. However, everything went smoothly during my second presentation. I had great crowd interaction, and I received good applause at the end. It was definitely a contrast to the earlier session.

I was unable to make it to the after party. My wife doesn't turn 25 until March, so I had to drive her back to the hotel to freshen up. Car rentals don't cover under-25s unless you want to spend an arm and a leg. We ended up on the wrong side of Miami in the process. You know, when you head north on a highway, you expect to go south to return from whence you came. This proved untrue with the Florida Turnpike, which apparently has three directions. We ended up eating at a great Argentinian restaurant though, so not all was lost.

I had a great time at this code camp, and I learned new lessons on presenting. I also met some great people like Dave Noderer, Joe Healy, and David Silverlight. Next time there is a Code Camp in Florida, I hope to make it down. I even have a great new presentation planned that should be ready by April (with an accompanying project I will release to the community).

I just finished my session on Design Principles in the South Florida Code Camp. I feel kind of pwned  by what happened at the beginning. I should have expected it. After all, there are over 600 people here, and I warned everyone at the beginning that it was meant to be an introductory class (hence the 100 level). The presentation still has good nuggets even if you're an experienced developer.

My room was packed. About 5 minutes into it, 20-30 people walked out. Having all those people get up, walk by me, and opening the door distracted me. I lost my focus, and it took a while to get my bearings. I need to keep in mind that this can happen and not let it get to me. I can't believe I actually faltered.

I realize I didn't write about my experience in Philadelphia. I had an incident there as well. At the beginning, the projector messed up. I spent a few minutes trying to get everything working but eventually realized I would lose the audience if I didn't move on. I ended losing my local screen, and had to move the desk around and look at the projection This prevented me from using my slide deck. Luckily, I knew my material well enough to talk while doing demonstrations (though I strained my neck). It ended up being successful. albeit unstructured.

After I did my presentation here in Miami, I spoke to Joe Healy about it. He mentioned something about my session at the end of the day. I didn't even realize I am doing another one! This time it's in the Birds of a Feather and Panel Discussion room, so I'm going to make it a discussion rather than a presentation.