see sharp RSS 2.0
# Friday, 28 November 2014
SQL Logfiles might get quite big.

here is a solution Nick Xu has posted in his Blog.

shrinklog.txt (1.36 KB)
Friday, 28 November 2014 13:14:48 (Mitteleuropäische Zeit, UTC+01:00)  #    -
# Tuesday, 08 July 2014
Had the following error viewing the debug log:

The requested operation cannot be performed over an enabled direct channel. The channel must first be disabled before performing the requested operation.

In short its because of the retention policy that has to be set:
First, disable log: wevtutil set-log "AD FS Tracing/Debug" /enabled:false
then set the tracelevel (see above:wevtutil sl "AD FS Tracing/Debug" /L:5) and clear an enable the log again: wevtutil set-log "AD FS Tracing/Debug" /enabled:true /quiet:true /retention:true /maxsize:153600

Check this KB article:

Loglevel 0 is off, 5 is Verbose

Tuesday, 08 July 2014 09:12:49 (Mitteleuropäische Sommerzeit, UTC+02:00)  #    -
# Thursday, 08 May 2014
A small utility that sets the proxy credentials for visual studio.
To install you need to do the following:

1) Copy HannesK.ProxyHelper.dll to IDE directory, i.e.:
    C:\Program Files (x86)\Microsoft Visual Studio 11.0\Common7\IDE

2) edit devenv.config '' section:
    <defaultProxy useDefaultCredentials="false" enabled="true">
        <module type = "HannesK.ProxyHelper.MyProxy, HannesK.ProxyHelper" />

3) configure appSettings:
    <add key="HannesK.Proxy.User" value="username"/>
    <!-- sorry, only plain password -->
    <add key="HannesK.Proxy.Pass" value="secret"/>
    <add key="HannesK.Proxy" value="http://<server>:<port>"/>

4) open package manager console in VS (with an open solution)
    run the update-package command

The Code:
namespace HannesK.ProxyHelper { using System; using System.Configuration; using System.Diagnostics; using System.Net; public class MyProxy : IWebProxy { private IWebProxy _default; private const string Category = "HannesK.ProxyHelper.MyProxy"; private IWebProxy DefaultProxy { get { return this._default ?? (this._default = WebRequest.GetSystemWebProxy()); } } public ICredentials Credentials { get { var user = ConfigurationManager.AppSettings["HannesK.Proxy.User"]; var pass = ConfigurationManager.AppSettings["HannesK.Proxy.Pass"]; if (string.IsNullOrEmpty(user) || string.IsNullOrEmpty(pass)) { TraceMessage("using default credentials"); return DefaultProxy.Credentials; } TraceMessage("using credentials: User '{0}', Password 'secret']", user); return new NetworkCredential(user, pass); } //or get { return new NetworkCredential("user", "password","domain"); } set { } } public Uri GetProxy(Uri destination) { var proxy = ConfigurationManager.AppSettings["HannesK.Proxy"]; if (!string.IsNullOrEmpty(proxy)) { TraceMessage("configured proxy is '{0}'", proxy); return new Uri(proxy); } var dproxy = this.DefaultProxy.GetProxy(destination); TraceMessage("default proxy for '{1}' is '{0}'", proxy, destination.AbsoluteUri); return dproxy; } public bool IsBypassed(Uri host) { var rc = DefaultProxy.IsBypassed(host); TraceMessage( "{0} is bypassed:{1}", host.AbsoluteUri, rc); return rc; } private static void TraceMessage(string fmt, params object[] args) { Trace.WriteLine(string.Format(fmt,args), Category); } } } (3.83 KB)
Thursday, 08 May 2014 10:46:06 (Mitteleuropäische Sommerzeit, UTC+02:00)  #    -

# Friday, 28 February 2014

A small utility that signs federation metadata.

MetadataSigner[1].zip (56.86 KB)
it requires .NET 4.5

Friday, 28 February 2014 11:03:13 (Mitteleuropäische Zeit, UTC+01:00)  #    -
Authentication | Certificates
# Monday, 28 January 2013

There is an interesting article on how to enable tracing/logging in AD FS 2.0 on MSDN.

However the brand new Version 2.1 is located in a slightly different place:

  1. the config file is no longer located in
    %ProgramFiles%\Active Directory Federation Services 2.0\Microsoft.IdentityServer.Servicehost.exe.config 
    instead you can find it here:
  2. Configure the System.diagnostics as stated in the article
  3. the wevtutil command has to use a different Provider.
    instead of
    wevtutil sl “AD FS 2.0 Tracing/Debug” /L:5 
    you have to use:

    wevtutil sl "AD FS Tracing/Debug" /L:5

  4. restart the AD FS Service

Monday, 28 January 2013 15:11:29 (Mitteleuropäische Zeit, UTC+01:00)  #    -
Authentication | Tracing
# Monday, 10 December 2012

Much more because I tend to forget these things all the time than anything else:

NET Stop certsvc
Net Start certsvc

then you can create a INF file with the following:


Subject="CN=<your real hostname here>"


CertificateTemplate="<your templatename here>"

SAN="DNS==<your real hostname here>&DNS=<hostname1>&DNS=<hostname2>"


Monday, 10 December 2012 14:17:28 (Mitteleuropäische Zeit, UTC+01:00)  #    -
CA | Certificates | Registry
# Sunday, 07 October 2012

None. There is absolutely none.

I always suspected that but now I’m sure.

Sunday, 07 October 2012 16:04:05 (Mitteleuropäische Sommerzeit, UTC+02:00)  #    -
anything else
# Monday, 04 April 2011

i wrote about parsing the san of a certificate before, here is another way to do it:

1) add a reference to CertEnroll 1.0 Type Library

2) use IX509ExtensionAlternativeNames to get a collection of IAlternativeName objects

3) get the data using the IAlternativeName.strValue and IAlternativeName.Type attributes

 Here's an example:

private string GetSAN(X509Certificate2 cert)
        X509Extension ext = cert.Extensions[""]; // get the SAN extension

        if (null != ext)
                string temp = string.Empty;
                IX509ExtensionAlternativeNames an = new CX509ExtensionAlternativeNames();
                an.InitializeDecode(EncodingType.XCN_CRYPT_STRING_BASE64, Convert.ToBase64String(ext.RawData));
                foreach (IAlternativeName name in an.AlternativeNames)
                    temp += name.Type+":"+name.strValue+Environment.NewLine;
                return temp;                   
            catch (Exception ex)
                return ex.Message;
        return "no SAN present";
Monday, 04 April 2011 11:44:34 (Mitteleuropäische Sommerzeit, UTC+02:00)  #    -
C# | CAPI | Certificates
# Wednesday, 16 March 2011

If you have to parse the Subject Alternative Name (aka SAN) of a Certificate CertGetNameString is your friend:

[DllImport("crypt32.dll", EntryPoint = "CertGetNameString", CharSet = CharSet.Auto, SetLastError = true)]
static extern UInt32 CertGetNameString(
    IntPtr CertContext, 
    UInt32 lType, 
    UInt32 lFlags, 
    IntPtr pTypeParameter, 
    StringBuilder str, 
    UInt32 cch);

private const int CERT_NAME_EMAIL_TYPE = 1;
private const int CERT_NAME_UPN_TYPE = 8;
private const int CERT_NAME_NO_FLAG = 0;
private const int SIZE = 255;

private static void ParseSan(X509Certificate2 cc)
    Oid oid = new Oid("");
    X509Extension ext = cc.Extensions[oid.Value]; // get the SAN extension

    if (null != ext)
        StringBuilder Buffer = new StringBuilder(SIZE);               

        UInt32 nChars = CertGetNameString(cc.Handle,
        if (nChars == 1)
            nChars = CertGetNameString(cc.Handle,
        Console.WriteLine("{1}:'{0}'", Buffer.ToString(), cc.Thumbprint);

Wednesday, 16 March 2011 15:34:13 (Mitteleuropäische Zeit, UTC+01:00)  #    -
C# | CAPI | Certificates | P/INVOKE
# Thursday, 18 November 2010

You can extend the lifetime of FIM CM OTP's.

All that needs to be done is:

  • Select the Custom Password Provider option in your policy 
  • set the type to Microsoft.CLM.BusinessLayer.DefaultSecretProvider
  • the Password provider data controls the OTP generation.
    the format is in the form of
    • numberofotp can be 0,1 or two
    • i did not see a technical limit (yeah its possibly an int32, so there IS a limit) for length or lifetime


  • 1,8,40 will generate one OTP with a length of '8' and a lifetime of 40 days
  • 2.8.8,40 will generate two OTPs, both with a length of 8 and a lifetime of 40 days

It seems that adding 'm' to the lifetime will make it minutes, not days.



Thursday, 18 November 2010 11:22:46 (Mitteleuropäische Zeit, UTC+01:00)  #    -
<2018 November>
About the author/Disclaimer

The opinions expressed herein are my own personal opinions and do not represent my employer's view in any way.
Any link on this site may lead to an external website that is not under my control and that external website might show an opinion that is not mine.

© Copyright 2018
Hannes Köhler
Sign In
Total Posts: 39
This Year: 0
This Month: 0
This Week: 0
Comments: 1
All Content © 2018, Hannes Köhler
DasBlog theme 'Business' created by Christoph De Baene (delarou)