Using the Windows Identity Foundation SDK with Visual Studio 2010 RC

There are some known issues with using the WIF SDK on VS 2010 RC that do not exist with VS 2008. When VS 2010 is released, we expect to refresh the SDK to resolve these problems, but in the meantime, we have some simple guidance for using the SDK with VS 2010.

Request Validation

The difference in behavior stems from changes made to the .NET 4.0 runtime with respect to validating user input received by ASP.NET web forms. In VS2008, any form field or cookie coming from the browser was checked for potentially dangerous content unless validateRequest=false was set (either in web.config or a specific .aspx file). In a passive federated authentication scenario, the response token from an STS (represented in XML) is posted back to the ASP.NET site in a form field, and thus will be flagged as dangerous by default.

ASP.NET 4.0 (included with VS2010) has changed the nature of this check to provide more flexibility to the developer. Now a web site must declare a class which will be responsible for validating all input. The value of validateRequest is ignored by default. If no such class is declared, suspicious input (including token XML) will be rejected.

There are several simple workarounds to this problem, but they require some action by the developer.

1. Run the web site in an application pool that targets the .NET v2.0 Framework. This preserves the current validation behavior. In VS 2010, the DefaultAppPool may target either the v2.0 or v4.0 Framework by default, depending on whether VS 2010 was installed as a new install or an upgrade. VS 2010 also adds a new application pool, ASP.NETv2.0, that always targets v2.0.

2. Preserve the v2.0 behavior for validating input, while still targeting the v4.0 Framework, by adding the following configuration element to the <system.web> element:

<httpRuntime requestValidationMode="2.0" />

3. (This is the preferred pattern.) Define a request validator class in your ASP.NET web site and add the following configuration element to the <system.web> element:

<httpRuntime requestValidationType="YourRequestValidator" />

The configuration necessary for (2) and (3) above will not parse in ASP.NET 2.0, so it’s necessary to have different configuration for the two frameworks. The WIF project templates in the current SDK were modified for VS 2010 to follow approach (2) above, but the samples were not. As a result, in the currently released WIF SDK the samples will only run in an application pool that targets .NET v2.0, while projects created from the templates will only run in an application pool that targets .NET v4.0. A future SDK will provide a sample request validator class.
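As an added illustration of approach (3), and not the sample validator the SDK will ship, the class below derives from the .NET 4.0 RequestValidator and exempts only the WS-Federation wresult form field, and only when it parses as a sign-in response; every other field, cookie and query value still goes through the default validation. It assumes a reference to Microsoft.IdentityModel.dll; the namespace and assembly name in the configuration comment are placeholders.

```csharp
using System;
using System.Web;
using System.Web.Util;
using Microsoft.IdentityModel.Protocols.WSFederation;

// Register in web.config (type and assembly names are assumed placeholders):
// <system.web>
//   <httpRuntime requestValidationType="MyApp.Security.WSFederationRequestValidator, MyApp" />
// </system.web>
namespace MyApp.Security
{
    public class WSFederationRequestValidator : RequestValidator
    {
        protected override bool IsValidRequestString(
            HttpContext context,
            string value,
            RequestValidationSource requestValidationSource,
            string collectionKey,
            out int validationFailureIndex)
        {
            validationFailureIndex = 0;

            // Only the posted "wresult" form field carries the STS token XML.
            if (requestValidationSource == RequestValidationSource.Form &&
                string.Equals(collectionKey,
                              WSFederationConstants.Parameters.Result,
                              StringComparison.Ordinal))
            {
                // Accept the field only if WIF recognises the post as a
                // WS-Federation sign-in response; the token itself is still
                // verified later by the WIF modules.
                SignInResponseMessage message =
                    WSFederationMessage.CreateFromFormPost(context.Request)
                        as SignInResponseMessage;
                if (message != null)
                {
                    return true;
                }
            }

            // Anything else keeps the standard ASP.NET dangerous-input check.
            return base.IsValidRequestString(context, value, requestValidationSource,
                                             collectionKey, out validationFailureIndex);
        }
    }
}
```

Because the exemption is scoped to one named field in one collection, the site keeps request validation for all other input instead of falling back to requestValidationMode="2.0" or validateRequest="false".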

Assembly References

In addition, the WIF assemblies do not appear under the .NET tab of the Add References… dialog in VS 2010. This is due to changes in the way assemblies are registered for this purpose. The necessary keys can be found under HKLM\SOFTWARE\Microsoft\.NET Framework\AssemblyFolders. This problem can be resolved by copying the Windows Identity Foundation and Windows Identity Foundation SDK keys to HKLM\SOFTWARE\Microsoft\.NET Framework\v3.5\AssemblyFoldersEx. Be sure to copy them to the correct hive (32 or 64 bit) for your architecture.

Warning: Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall the operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.