This is my last post on here. I am no longer an MVP. After a decade of being an MVP, I’ve chosen to remove myself from consideration for the award. I’ve just become to busy with my career and family responsibilities. It was a good run, perhaps the best. I have complete faith that others will arise to carry this great MVP torch forward. So adios, Web.
What is a Windows 8 Camp?
A Windows 8 Camp is a free, two-day event. During the Camp, you’ll discover HANDS-ON how to build your first Metro Style App for Windows 8. You’ll learn from experts in a low-key, interactive way and apply what you’ve learned with support from Microsoft Canada.
How do I register?
Registration is fast and simple! Select the link for the appropriate city to the right!
Space will be limited. Register today to secure your spot!
What do I need to bring?
Any device capable of running Windows 8 and Visual Studio Express.
We recommend that you install the necessary software prior to the event. If the software is not already installed, you will need a partition with ~30 GB of free space to install the bits.
Can’t wait to see you there!
Thomas Lewis (@tommylee)
Microsoft Developer Advisor
Ps. If you have any questions, please reach out to us at Win8CDN@microsoft.com. If you’re building a Windows 8 application, we would love to hear all about it!
April 3rd & 4th, Fairmont Pacific Rim
April 10th & 11th Le Centre Sheraton
April 16th & 17th King Edward Hotel
I was putting this through it’s paces since the release and I want to capture my thoughts. First thing is that I actually gave up after a few minutes. It would not recognize my words. Granted I don’t enunciate correctly and my voice is on the shrill side but still….I don’t imagine voice software is particularly easy to create either. I gave it a rest and came back a couple days later after doing some more research. XBOX Voice is good at taking you back to the main menu. It’s got that down pat. XBOX HOME! It loves that. I was able to get it to respond well in a moderately quiet room speaking (not shouting) at it. Success is limited to ‘native’ commands. Next, previous etc. Bing anything turns into an excercise in frustration! What I would like to do is talk to it instead of shout commands at it. I would like it to evolve to the point where I can say: “Can you find me the latest version of Forza?”. That way, I can have a natural conversation with a machine. Ya, I know that sounds kinda odd. I actually have a wife I can (maybe) have a conversation with!
Think back to the first time Microsoft demoed Kinect with that little guy who was able to reach out from the TV and take a paper, and play with the puddle while understanding what you were saying… ya that one. I realized now that back then, I thought the whole thing was hard-coded. Turns out I was right. Because if I were wrong, XBOX voice would not be so frustrating. On the plus side, there’s tremendous potential once all the apps start working it into their routines. For now, voice will take you into some apps but because there’s no support, you have to go back to the control to pickup where you left off. All in all, it’s a good experience. I prefer it over waving my hand at the screen which gets tired really quickly – no minority report for me I’m afraid. In fact, it made me dust off my XBOX from the dump heap (yes, that’s where I put it, see my earlier post). So now it can find some limited use. I think this will get stronger by the release. And it is well poised to be a segment leader. It’s a given, unless Apple or Google beat them to it with the nice to haves that I pionted out.
What is Mutual Authentication
Most sites that I have seen simply regurgitate the mutual authentication process without explaining it. I’m taking a different approach here, I’ll explain what it is in simple terms. If you need painful detail, pick one of those sites.
Mutual Authentication is sometimes called 2 Way authentication. It involves proving the identity of both parties involved in the transaction. Identity is proven using X.509 Digital certificates. There are two important points in Mutual Authentication:
Each X.509 certificate issued by a Central Authority (or trusted third party) has a digital signature. That specific signature is solely for the purpose of establishing the identity of the client at the time that the certificate was issued. It makes no guarantee that whomever currently posesses the certificate is the identity to whom the certificate was issued. That part is simply assumed to be true.
Another digital signature may be added to the certificate during the SSL handshake. There are two important points to be concerned with:
The digital signature is used to determine whether or not the certificate information has been tampered with during transmission.
The digital signature is used to help transition from the costly but secure asymmetric encryption to the much less costly but more insecure symmetric encryption.
During the SSL handshake, the server will provide a copy of its certificate to the client and the client will return the favor by providing its certificate to the server. Steps 1 and 2 above apply to each certificate.
If items 1 and 2 are validated and proven to be true, AND assuming that standards are in place to protect the PKI infrastructure that underpins the SSL framework, both parties may reasonably assume that the certificate is valid and that both parties being mutually authenticated are who they claim to be.
Did you notice the big assumption? Consider that 1 and 2 are true but one client gives a copy of the certificate with its private keys to another party B. It then necessarily follows that this new party B assumes the identity of that client! So, this is why you need standards in place to govern certificates and the PKI infrastructure so that the key assumptions described previously can ring true.
In my example, standards would govern the distribution of private keys to other parties. I use the word govern because it may well be your intention to distribute the private keys to other parties. One example would be in a server farm where the other servers in the farm would need to assume a single identity for SSL purposes. Otherwise, governance would ensure that private keys are stored and secured appropriately such that these secrets do not fall into the hands of unauthorized users.
That’s all you really need to know to understand Mutual Authentication.
What is Server Authentication
Server Authentication is sometimes called 1 Way authentication. It is the basic requirement of SSL – more precisely TLS which is part of the SSL framework. The server is required to prove its identity to all parties. It does so by using the Central Authority’s digital signature on the certificate. As explained above, that digital signature establishes the identity of the server. 1 Way authentication also issues another signature during the SSL handshake. It serves the same purpose as in mutual authentication; it is responsible for non-repudiation and protocol transition from asymmetric to symmetric encryption.WCF Mutual Authentication
Once the SSL exchange is completed, the secure channel is finalized and the browser adds the https in the URL. From that point on, the conversation is protected from unauthorized access. While it is possible to see the traffic during transmission, it is encrypted and safe from eaves dropping.
Mutual authentication with WCF is not entirely straight forward. Here are some guidelines to help with interoperability.
Map certificates only when you require resource acquisition e.g., file updates etc. Mapped certificates require knowledge of the AD account or the IIS Server Account, or when you require the security context of the mapped account.
Certificate Mapping is ignored by default; it must be explicitly turned on in IIS. Follow this link to turn it on. http://support.microsoft.com/kb/313070
Map certificates at either the IIS or Active Directory level. Active Directory introduces another level of calling overhead. IIS mapping is straightforward. Use AD mapping to authenticate when you must authenticate the user/client certificate.
A few requirements for AD Mapping:
1. Client Certificate must meet one of the following issues:
a. Should have a Subject Alternative Name field with Principal=[Users UPN] – Entrust certs that are installed on my machine do not currently meet those requirements.
b. The users certificate needs to be imported into the users account in Active Directory.
2. The users issuing CA must be in the NTAuth store within Active Directory. Once the CA certificate is in the NTAuth store in active directory the certificate should migrate down to the IIS web servers NTAuth store.
This can be validated by typing the following command on the IIS web server: CertUtil -enterprise -store NTAuth > NTAuth.txt
NOTE: Once that has been done, open the NTAuth.txt file and look for the Issuing CA to be listed in the text file.
3. The client certificate must have Client Authentication as one of the listed Enhanced Key Usages.
4. When using Client Certificate mapping, if your application must impersonate the user off box then you will need to configure Kerberos Constrained Delegation with Protocol transition for this to work.
Mapped certificates require that the calling identity be packaged within the security context. That packaging includes a performance hit.
IIS v. AD mapping
IIS Certificate mapping provides calling code access to the security context. It also allows calling code to impersonate the mapped account.
In addition to the above listed, Active Directory mapping allows the authentication of the client via the authoritative store (assuming AD is used as such).
AD Certificate mapping is a one to one mapping meaning that a certificate maps to one user account only. If you want to map 1 certificate to a group or a list of certificates to a group then you need to use the certificate mapping within IIS.
helpful configuration settings for the service:
<authentication certificateValidationMode=”ChainTrust” revocationMode=”Online” />
Or you can replace the <authentication> tag with this as well (keeping the rest the same). mapClient… forces IIS AD mapping which results in a 403 error since AD credentials is not known on the local IIS Server.
< authentication mapClientCertificateToWindowsAccount=“false“ />
authentication mapClientCertificateToWindowsAccount=“false“ />
Trusted Subsystem or Delegation architecture.
Use the delegation architecture model when your back-end needs to know who or what on the front end is calling. Delegation architecture does not scale well.
Use the Trusted Subsystem for everything else especially if you need to manage access rights to the back-end. It is the most scalable approach. Combine this option with application level authorization to know who wrote what.
Avoid Peer Trust. It does not scale well and is not supported in IIS. Peer Trust is only supported when WCF is self-hosted.
Use Chain Trust. It is the most scalable approach and is supported by Windows infrastructure.
Strengthen your chain trust by implementing offline administrative policy to define who receives a certificate.
Strengthen your chain trust by implementing multiple levels of intermediates. Know that these levels carry a performance penalty.
OWC Pivot Tables is broken in Windows 7 due to two things. UAC and MSOLAP.
Symptoms include pivots with no data in them. The fix is pretty easy. Turn UAC off and install MSOLAP 3. Windows 7 ships with MSOLAP 2 and MSOLAP 4 but not MSOLAP 3. Test your application to see if it works. If it does work, turn UAC back on, you should not run with UAC off. To fix the UAC issue, you’ll need to go to the Microsoft site to get the proper shim. Or, configure Windows 7 to whitelist the application for UAC.
Organizations that chose to skip Vista and wait to for Windows 7 face a number of challenges with Microsoft Office. Typically, these organizations stayed with Office 2003 and are now facing a migration to Office 2010. While the migration itself is pretty straightforward, the applications that depend on Office 2003 are more troublesome. Here is a running list concerning these issues that you should pay attention to. The list also details the replacement technologies for Office type applications and components. So, basically, pick your existing technology, sort through the list and determine if you need to upgrade. I’m trying to keep this simple as possible.
Exchange Web Services (EWS)
- EWS is available on any computer.
- EWS is enhanced in versions of Exchange later than Microsoft Exchange Server 2007.
- Migration is not required. But consider updating your proxy classes and specifying a newer Exchange server version by using the RequestServerVersion property on your proxy class.
Microsoft Office Outlook Object Model (OOM)
- OOM is available on any computer that has Outlook installed.
- Migration from OOM is not required. However, EWS does scale better than OOM.
- OOM will work for all scenarios.
- MAPI is available on any Windows based computer.
- MAPI is supported in Exchange 2010. However, the client DLL of MAPI is no longer being actively developed.
- The existing MAPI implementation can still be used. You should consider replacing MAPI with EWS in Exchange 2010 or the Exchange Web Services Managed API.
- If an application needs to use MAPI, use the MAPI implementation that ships with Outlook 2007.
- WebDAV is available on any Windows based computer that is using the standard HTTP/HTTPS protocol (Port 80 or 443).
- WebDAV is deprecated in Exchange 2010.
- Applications that use Exchange WebDAV should use EWS in Exchange 2010 or the Exchange Web Services Managed API.
- ExOLEDB is only available on the Exchange server.
- This technology is commonly used together with Collaboration Data Objects for Exchange (CDOEX) 3.0.
- ExOLEDB is deprecated in Exchange 2010.
- To migrate from ExOLEDB, use EWS in Exchange 2010 or the Exchange Web Services Managed API.
- This technology is available on any computer.
- CDO wraps MAPI.
- Commonly used for Outlook experience in applications.
- CDO was installed with Microsoft Outlook in the past. Since Outlook 2007 this is no longer the case. Instead, CDO 1.2.1 can be downloaded from the Microsoft Website.
- To migrate from CDO, use EWS in Exchange 2010 or the Exchange Web Services Managed API.
- CDO 1.21 is not supported and not included on Windows 7 and Windows Server R2.
- CDO 1.21 can connect to both Exchange 2003 & 2010
- CDOSYS is available on any Windows based computer.
- This technology is commonly used to send e-mail messages from applications.
- For migration:
- Use the SendItem Operation in EWS in Exchange 2010 or the Exchange Web Services Managed API.
- In a managed application, you can also use the System.Net.MailMessage class and send e-mail messages via SMTP to your Exchange server.
- SMTP uses CDOSYS.
- CDOSYS is in extended support.
- This technology is available only on the Exchange server.
- CDOEX is deemphasized in Exchange 2007, and deprecated in Exchange 2010.
- To migrate from CDOEX, use EWS in Exchange 2010 or the Exchange Web Services Managed API.
CDOSYS Event Sinks
- This technology is available only on the Exchange server.
- CDOSYS SMTP/NNTP event sinks are deprecated in Exchange 2007.
- CDOSYS SMTP/NNTP event sinks are used to implement ISMTP_OnArrival sinks (via script, for example) and various NNTP sinks.
- NNTP events are not supported in Exchange 2010.
- To migrate from CDOSYS SMTP/NNTP event sinks, use transport agents either on the Hub Transport or Edge Transport server.
Active Directory Services Interfaces (ADSI) or LDAP
- These technologies are available on any Windows based computer.
- ADSI and LDAP are commonly used to search the global address list (GAL) and get information about user and contact objects.
- To migrate from ADSI or LDAP, do the following:
- To search for a specific user, use EWS in Exchange 2010 (the ResolveNames operation) or the Exchange Web Services Managed API.
- To browse the GAL, no change is required. EWS does not cover this scenario.
- Because ICS is part of the Messaging Application Programming Interface (MAPI), the same migration considerations apply.
- Consider migrating to Event Notifications together with the Synchronization features of EWS in Exchange 2010.
- EWS provides synchronization support by means of the SyncFolderHierarchy Operation and the SyncFolderItems Operation.
Exchange Store event sinks
- Exchange Store event sinks are available only on the Exchange server.
- This technology is deprecated in Exchange 2010.
- To migrate existing Exchange Store event sink applications, use Event Notifications. Event Notifications are part of EWS in Exchange 2010 and the
Exchange Web Services Managed API
- A managed component for the Event Notifications is available on CodePlex. For more information, see Exchange Notifications Component.
- Synchronous event sinks are no longer supported. Event Notifications are always asynchronous. For this reason, items cannot be modified during a transaction.
- WebDAV notifications are available on any computer.
- This technology is deprecated in Exchange 2010.
- Exchange WebDAV Notifications are the predecessor to Event Notifications in Exchange 2010. Instead of Web Services notifications, HTTP over UDP is used as a communication channel.
- Applications that use Exchange WebDAV Notifications should migrate to Event Notifications. Event Notifications are part of EWS in Exchange 2010 and the Exchange Web Services Managed API.
- A managed component for the Event Notifications is available on CodePlex. For more information, see Exchange Notifications Component.
SMTP Event Sinks
- SMTP event sinks are available only on the Exchange server.
- To migrate from SMTP event sinks, use transport agents either on the Hub Transport or Edge Transport server.
- CDOEXM is available on any computer that is running the Exchange Administrative tools.
- CDOEXM is deprecated in Exchange 2007.
- To migrate from CDOEXM, use Exchange Management Shell cmdlets. These cmdlets are based on Windows PowerShell. You can call Exchange Management Shell cmdlets directly from managed code.
Outlook Address Book Object Wrapper 2003
Outlook Address Book which is scriptable from a Web page currently has no supported replacement.
Received a Microsoft Accesssibility Technology for Everyone Champion 2011 recognition from Microsoft for my help on the Accessibility eLearning courses. I thought that was a great way to say thank you.
Each year, I give away several copies of Visual Studio 20xx. These copies are obtained from Microsoft directly and are valid for activation. Support and activation issues are handled by Microsoft directly.
The fine print
I do not publish or make known, in any way, the names and addresses of winners of the sweepstakes, nor are these bits of private information sold or used for any other purpose other than for what it what is was collected.
- Product details are here
- Cost of the product is US$11,899
I came across this article while surfing, “Scientifically, God Does Not Exist: Science Allows us to Say God Does Not Exist” (http://atheism.about.com/od/argumentsagainstgod/a/GodScience.htm). It moved me to write this piece. Firstly, let me get the formalities out of the way for full disclosure. I am a student of science and a software engineer by training which lends itself well to proof via empirical evidence.
On with the task at hand! As far as this article goes, it shows a profound ignorance for scientific principles. It is not possible to prove a negative! Proof of a negative would amount to a determination for all possible choices. And that is simply not possible. So, is it a catchy title aimed at drawing attention? Perhaps, so I’ll humor the author a bit. The piece contains the typical arguments that most Christians find offensive at best. However, the average Christian finds difficulty dismantling the central argument made by the article. Christian arguments are usually based on faith, something that does not carry salt in an atheistic world. The central thesis of the article is flawed. If you can’t easily see the flaw, allow me to dissect it. Science does not allow us to weigh in on the question of whether or not God exists (notice the uppercase). That is in fact, a false narrative. Science does not have an opinion on the matter and, in fact, science is fundamentally indifferent to the question. I’ll explain.
Science is a framework, a tool, one filled with limitations and shortcomings, that may be used to understand and explore the world that we live in. To attempt to use a tool to perform a task that it was not designed for is a reckless hack. Here’s a quick example. I am trying to open a door. I use a can opener on the door knob. Unable to open the door with the can opener, I conclude that the door cannot be opened. It sounds like science, has all the principles of science except that the tool was not designed to solve the task at hand! Therefore, any conclusion arising out of that experiment is fundamentally invalid from a scientific point of view. It makes no difference whether or not I was methodical in my approach to the door opening exercise.
Now let’s put this into context. Science, the tool, is simply a window into our world. It’s a very limited window but I think it is the best that we have from an empirical perspective. It’s limited because by my own observation, the kind of precision required to erect an object like the universe requires something well outside the bounds of the scientific framework. To claim that “this is the only window” shows reckless indifference in the least and deeply rooted in mental slavery (mine is better than yours complex). The fact of the matter is that there are many other windows into our world, religion (spirituality whatever you want to call it) being one of them – none being better than the other! Both bring different perspectives and each may be used to provide solutions for specific problems e.g., religion provides an answer to ‘why are we here?’, science provides an answer to why things work the way they do. It is not an all or nothing proposition; it never was.
By sleight of hand, the author is trying to promote science as the only process capable of discovering a truth. It’s a nice try, but it is dishonest. The justice system arrives at truth everyday by systematically eliminating what is not true until only the truth remains. It’s the best method we have in the legal system but it isn’t the only process for discovering truth. History also provides a framework for discovering truth and so on and so forth. When multiple windows are used, we get a better view of the world, similar to the way in which a pair of eyes provides better stereoscopic vision than a single eye. At times, they are juxtaposed creating a blind spot which serves absolutely no one; you can only see the edge of your nose with the help of a mirror or shutting one eye! The danger occurs when one camp declares it is the only viable window into the world. Both science and religion are equally guilty of that transgression and it doesn’t help us move forward as a people either, which is why I side-step the name calling and focus on framing the argument in a way where we, as a people, can move forward.
Part of the article mentioned above outlines 5 principles listed in God: The Failed Hypothesis — How Science Shows That God Does Not Exist, Victor J. Stenger. I list the 5 principles here for convenience.
Hypothesize a God who plays an important role in the universe.
Assume that God has specific attributes that should provide objective evidence for his existence.
Look for such evidence with an open mind.
If such evidence is found, conclude that God may exist.
If such objective evidence is not found, conclude beyond a reasonable doubt that a God with these properties does not exist.
I’ve not read the book, but the flaw in the arguments is pretty obvious. The last part is a false conclusion. Here’s a simple example: I’m looking for a spider in a room. I hypothesize that it is there. I assume it has attributes that allow it to spin a web. I go looking for the spider. If I don’t find the spider, science does not allow me to say that the spider does not exist. All science allows me to conclude is that I haven’t found the spider. My conclusion supports my finding (or lack of it.). There’s also the other problem of inventing attributes of a spider and assigning it to the spider based on my interpretation of what I think those attributes may be; but that’s for another day.
Searching for God through science and not finding him is not empirical evidence that God does not exist. Now, what if I found a cobweb? Can I conclude that the spider exists? No, science does not support that conclusion either because something else could have spun the web. Science is black and white; there are no shades of grey. I may theorize that the spider exists based on what I have found but understand that there is no empirical evidence to support this conclusion. See?
Christians believe that God isn’t measurable and so, any attempt to do so is akin to a declaration of war on Christianity. However, truth be told, science is disinterested in this topic because it is not possible to build an experiment to test the theory (what are you going to build? How are you going to build it? How are you go to remove bias? etc). It really is that simple. I really wish we would stop these pointless arguments about proving or disproving God. Science and religion are two separate windows. You’ll need to come over to my side to see my view of the world and I, yours. It doesn’t work any other way; I can’t describe what you see from my window, and it is disingenuous on my part to invalidate your view. In context, you won’t convince an atheist that God exists using religious arguments. Atheist won’t convert Christians either because Christians impose a limitation on science. If you can’t see the futility of the exercise, then you are doomed to repeat the cycle ad infinitum.
Kinnect (pronounced connect) landed at my pad late last week – a gift. Here are my thoughts.
- I like Kinnect a lot. However, it is definitely not for me. I definitely would not purchase it if I had a choice. I know it seems contradictory but allow me to explain. I’m the type of person who finds a comfortable spot in the couch and plops in. I literally don’t move for hours until I absolutely have to. When I do move, I consolidate everything; that is, a toilet break, grab a drink, some food, check on the kids, glance outside, head back to the couch. If you suffer the same symptoms like me, Kinnect is not for you. I hate the thought of moving once I am situated. In fact the thought is painful and causes some injury to my brain. I’m able to move my hands to surf the Web, use the remote, stretch for a drink, reposition myself on the couch. Anything else is a hassle. Kinnect flies in the face of this. It requires you to get up and move, do something. wave around, behave like a clown. Oh, it’s healthy alright, it’s just not my idea of fun.
- It doesn’t really work for projector home theaters. I finally put mine on the floor. Works well there but doesn’t flow with the aesthetics of the room. Now, if I had a tv, I can easily see it being placed at the base of the tv, even mounted to the top. Projector, different story.
- It doesn’t quite work with a home theatre system. These systems function in poor light at best. This isn’t your living room. While the kinnect complained miserably about the poor light, I chose to ignore it and proceed, and it worked pretty well.
- At most two people can play. When two people are in the play zone, it can be a challenge for kinnect to not mix the two together (like connect my hand to her foot!). From time to time, it will indicate that you are out of the play zone and it will flash your avatar or fail to pick up movements as a consequence. But all in all, it works ok.
- Your play area needs to be wide and deep enough. In some apartments, space might be a challenge. Consider the space needs to be about the size of a couch. But, the couch is already there so you’ll need to move it out of the way. If you can’t, then you can’t play two people at a time.
- Games will determine if this thing succeeds or flops. Right now, the games are not the best at all. There are several reasons why and I will list a few. Humans are hard-wired for tactile sensation. We push on a wall, there’s resistance; that is, the wall ‘pushes back’. We feed off that response. Kinnect does away with this. So when you attempt to steer a car, there’s no tactile response. It translates into an uneasy feeling of ‘did I just oversteer? Better look at the car on screen to see if I did!’ That’s not a normal feedback loop for us humans. While you can get accustom to it, you’ll evidently undo this learning when you go out into the real world.
- Calling the menu is troublesome. When you are bored and want to turn off the game console, it isn’t easy to do as compared to a controller. Selecting items on the menu are equally cumbersome requiring you to wave your hand and hold it in place for a few seconds to select an option on screen. At best, it is touch and go.
- Only certain types of games will succeed in this niche space. Here’s why. First person shooter games are expected to fail at least until someone solves the ‘trigger problem’. How does kinnect know you squeezed the trigger on the AK-47? It isn’t sensitive enough to consistently recognize the trigger squeeze. That problem needs to be solved in a way that matches reality. Excercise games, dance games etc will definitely succeed because all you really need is your body. Add a personal instructor with some A.I. to chime in and say ‘pick up the pace!’ etc will make those games widely successfull. Racing games or any sort of game that requires tactile response isn’t going to succeed. I can play forza 3 for 12 hours straight! Seriously. Kinnect racing got my arms dead tired in 30 seconds. How long can you hold your arms outstretched? Exactly.
- Video conference capabilities are awesome. The microphone is extremely powerful. You seem to be able to talk above a whisper and it picks up.
- You have to face the Kinnect dead on. Seems odd but if you have a projector and the Kinnect is not on the floor, you may think it wise to put it slightly to the side so you can see the screen unencumbered (sp???). It won’t consistently pick up motion in that spot.
- Did I mention the games suck? I intend to buy an aerobics fitness game though. I think that will be great for me to get in shape (got to lose those last 10 pounds!).
- It’s very sleak and light and fits will with modern decor.
- It does take a fraction to translate your movements but it isn’t noticeable in a game. it is noticeable when interacting with the menu. In fact, some menu routines are downright painful.
- Family members and cousins quite literally could not get enough of it and talked non-stop about purchasing one.
- Here’s the final, most important feedback. I put mine away to collect dust after playing with it for 10 minutes! I’ll dust it off when my exercise game comes in. Hopefully. Seriously. SERIOUSLY!!!