If you are subscribed to SQL Server "GuruGoddessHera" Kimberly Tripp, then you have been following her incredible around the world travel schedule. Kimberly has been doing immense training and impacting SQL Server management worldwide. She is an amazing inspiration in her teachings to many people around the world and to those of us who also like to try to help people learn. What this woman could use is a nice long underwater vacation! I hope she gets one soon. I look forward to catching up with her at DevConnections next month, but I think I'll just invite her to go relax in a hot spring somewhere.

Posted from BLInk!

Carl Franklin videotaped pieces of code camp and interviewed people about attending. It's fun to watch and you can see that this event that Thom Robbins' invented is going to be a model to be adopted around the contry. Yeah Thom. Yeah everyone who helped out with it.

Shawn van Ness has written a very important and informative article for anyone interested in writing tablet applications. He talks about some of the things that we have struggled with the most with our tablet apps - not how to recognize ink or things like that, but dealing with threads, security, resources (remember the sdk is a COM API wrapped in managed code).

Understanding these things in advance, or in the least - being aware of them - will reap a huge payoff when you are digging into tablet app development.

Read this article. It will save you a lot of grief. Or you can just read about the grief instead by clicking on my tablet category.

Posted from BLInk!

So Rich (hubby) called me to say that the local classic rock/Howard Stern station, played some Rolling Stones song today dedicated to Julie Lerman at the Data Farm. He can't remember what the song was but thought maybe it was "Let it Bleed".

Fess up.

Posted from BLInk!

Here is a very good reason - note the writers of the comments, too. Plumbers!

(by way of Casey)

Posted from BLInk!

I really like posting from my little off-line blogging application so I have installed it on my desktop. Even without using the ink features, it is way better than posting online.

That is a big win for me, since I kept working on the program until there was nothing in it that bugged me anymore and now I really like it! Now if only I could draw a little smiley face right here.

Posted from BLInk!

(re my I give up on wse2 without x509 post) I followed another thought this morning and was able to get one form of encryption working although it's not totally satisfactory.

By signing my requests with a username token (and policy automatically uses a derivedkey token of that) I can just use that token to encrypt the response. I was having a problem with this because my policy was missing one little piece of info - I hadn't told the policy that the token used for signing was also supposed to be an identity token. So it just was failing and failing and I had decided that I was trying to to something that you weren't supposed to do. And because I'm coding against a remote server, I had to create the policy manually (with the help of some copy and paste though.) Check this post for the reason why and a followup in the wse newsgroup for the thread I started titled “config tool and policy for remote server“ where Hervey Wilson explains that this is by design and is being reconsidered for wse3.

It's a bad solution, but better than nothing. And it's not great because the real roadblock is that implementing secureconversation is the thing that is truly difficult without the x509 web server certificate (or kerberos).

So I am replacing a non-WSE solution that did create an authorization ticket which I could use for a number of transactions, with a solution that will require the usernametoken to be authorized on every single request at the server. In the case of my client, this is an app that I own both ends of and the webserver and sqlserver are on the same box, so I am not going to make myself any more nuts over this - since the processing time is nominal and this is not like some banking application with millions of users.

But - let's be clear here- this is a “better than nothing” solution however it is NOT a highly recommended one if you have any care about the quality of the security you are providing.

(that = my previous post...) After DevConnections, I am going to change the title of my wse talk from “WS-Security for Dummies with WSE2” to “WS-Security for Humans with WSE2“. Of course that is the kind of brilliant idea that pops into my head at 1am when I normally get to bed by 10 or 11.

Since I have no idea when the admins responsible for my client's servers will put an x509 cert on the webserver, I have decided to set aside all of the work I have been doing to apply wse2 to one of their existing applications and get on with my life.  I have learned a lot. I will continue to dig into WSE2 because it fascinates me and has opened up a huge door for me. But I don't foresee any real-life implementations any time soon. Which I hate. This application demands that I be able to encrypt my responses. With WSE1, I could create my own “shared secret” key in the client app and the same one in the web services and then on the client end insert <decryptionkeyprovider> into the app.config to point to my decryption key. That was the recommended way but now it's been deemed “too insecure“ and taken away. Although with WSE2, we have ws-trust and the ability to create and issue custom security context tokens from the web server, this method still requires a server certificate to make it possible for humans to implement it. I need to get on to other projects for this client as well as the myriad other commitments I am worried about falling behind on. In fantasyland I would love to just keep playing and playing with this. Oh well.

oh - I should mention the Kerberos token option. It's not an option - since I can't count on all of the clients being on windows xp.

The next meeting (our first speaker event!) of VTSDA is Tuesday 10/26. We have as our speaker Stan Eames, President and CEO of Synergy Software. See details about the speaker and presentation on the VTSDA website. The meeting is from 11:45 - 2:00. Lunch will be catered and is looking very yummy. The meeting fee is $8 for members and $15 for non-members. We will be raffling off the book Professoinal Software Development by Steve McConnell (author of Code Complete) which was donated by the publisher, Addison-Wesley, as well as a Symbol BarCode Reader for Compaq IPAQ Pocket PC's donated by EQ2.

This meeting is sponsored by ProClarity.

some people subscribe to this on instinct-but it is great business advice that Sara Williams shared with a room full of women at Tech Ed 2003:

Posted from BLInk!

Posted from BLInk!

Sounds like a song doesn't it? But it's a new blog by Valerie Winberg of Minnesotta. Val is a C# programmer with a VB background. Thanks Avonelle for pointing her out!!

So I wonder if this could inspire a new tune from Band on the Runtime.

Posted from BLInk!

Last year Rory was just another [wierd] guy at the xml dev con. Then he wrote about seeing Chris Sells and Don Box in the men's room. And he wrote and he wrote and he wrote. Now Rory is a Microsoft employee (in a dream job for him) and is back at XML DevCon only 1 year later (well not really one year since last years' was in July) and whadya know, in case you haven't heard yet, he's writing hilarious stuff about the conference.

It's interesting reading Rebecca Dias' analysis of Tim Bray's talk and the reading Rory's. And so far Becky's got the best shoes.

There are so many great postings from each session. Becky Dias, Shawn Morrissey, Chris Pels, Robert Hurlbut and John Gossman oh and Scott Hanselman, too! have been keeping us well informed and others probably too I haven't read. So I am definitely feeling in the spirit, sitting here with some Chili Lime Tortilla chips, tomatilla salsa and a Corona, reading about Tim Bray's, Chris Anderson's, Don Box's and even a talk that thrilled all of the gamers from the Dept of Defense.

Of course I wish I was there. Well, no I wish the whole conference was here!

Posted from BLInk!

Scott's Top 10 dirty little xml secrets. Very very funny.

Posted from BLInk!

I got sick of trying to figure out what to do about icons in my ink blogging application and just wasted the morning creating my OWN. Some are just from scratch, some take the images that are part of the Microsoft dev tools SDKs and modified them a bit.

I finally gave up on finding a little infinity sign for doing a hyperlink and the butterfly is for inserting images.

Now, to either get back to my original plan this morning - adding categories to Blink, or actually doing some work for my clients, working on some articles or my presentations for Connections.

Posted from BLInk!

The Mobility Road Show is well under way and Microsoft is now ready to trade your mobile application samples for a Smart Phone, Pocket PC or other mobile device.

Read more about this awesome contest on Thom Robbins weblog.

Now that I have just refreshed the WSE2 samples with their original versions (thanks Bristowe), I am very happily debugging through them to see Don Smith's lovely code for creating and issuing custom security tokens. My frustration had a lot to do with the fact that I know there is a goldmine of info in the samples and stepping through them with the debugger brings me so much farther than just reading explanations that don't cover every single step.

And now I grok this stuff well enough to dare to dig in again and start mucking with it.

Here are some tricks about debugging into web services and into httphandlers that you never really understand until you have to use them.

Debugging web services from a windows client is sometimes a real mystery. Sometimes it works, sometimes it doesn't and I never really understood.

I had this experience when debugging into the custom username token manager - sometimes I just couldn't get at the code. (John Robbins ....I need to read your book cover to cover and that is all there is to it!!!) Hervey Wilson reminded me of Debug/Processes which helped enormously. I learned finally how to attach to a process that I couldn't get into normally to debug. With the custom security token it was a bit different since I needed to attach to an httphandler that was not loaded before I needed it. Here you just need to attach to the aspnet worker process (aspnet_wp.exe) when you are at a point in your code that you know it is being used - and tada - you  can debug into the http hander. In the case of the CustomXML Security Token Sample, the httphandler is where all the goodies were.

Posted from BLInk!

One of the downsides to being part of our incredible international community is that everytime some awful news hits the press, no matter what part of the world it is in, I start worrying about people I know who live there. Oh - I am a big worrier - as I try to explain to my husband ...it's my job to constantly worry about “what if”. We all do, as programmers, right?