CedarLogic, LLC - Shawn Cicoria

Learn More about Microsoft Codename "Trust Services" - TechNet Articles - Home - TechNet Wiki

cicorias — Sat, 04 Feb 2012 14:50:45 GMT

Many companies, ISV’s, and solutions have concerns about data in the cloud. With PKI based encryption, Trust Services provides key management for your publisher/subscribers and a simplified SDK set of classes to abstract the encryption, decryption process. Both managed classes and PowerShell add-in provided...

Learn More about Microsoft Codename "Trust Services" - TechNet Articles - Home - TechNet Wiki

Making Windows Azure Drive Letter Persistent

cicorias — Thu, 19 Jan 2012 20:39:49 GMT

Windows Azure Fieldnote

Summary

Windows Azure Drives [1] provide a means to represent a file based (disk drive) persistent storage option for the various role types within Windows Azure Compute. Each of the roles within Windows Azure can mount and utilize for persistent storage (that survives reboot, reimaging, and updated deployments, of a role instances).

During the mounting of a VHD as a CloudDrive, the managed classes have no means to control the drive letter assignment this directly through the CloudDrive managed classes that are provided through the Windows Azure SDK.

Problem

Many solutions today require the use of standard Windows File IO based access and instead of refactoring solutions to leverage the storage options available in the PaaS part of the Windows Azure platform, solutions deployed to Windows Azure can mount a Virtual Hard Disk (VHD) that is persisted in a storage account inside of a running instance. That Page Blob backed VHD is then represented through Virtual Disk Services and Windows Cloud Drive services to the running instances as a Disk Drive and addressable through File IO using a Drive Letter.

While a persistent drive option is available, the drive letter assignment is determined at runtime during the mounting process. This potentially presents a problem with existing solutions, codebases, libraries that require a setting to be established prior to runtime. For example, an application configuration setting that provides a full path, including the drive letter to a location for read/write access for File IO.

Solution

The following solution takes advantage of the Virtual Disk Services through the DiskPart.exe operating system utility to first identify what the VHD is mounted as and, select that volume, and re-assign the letter to the target drive letter.

The original idea for the approach comes from this blog post here: http://techyfreak.blogspot.com/2011/02/changing-drive-letter-of-azure-drive.html

While there is a COM interface available that could be wrapped via an interop layer, the choice was made to initiate a process to take the actions required for remapping the drive letter due to simplicity. Additionally, while there is an existing managed Interop assembly available (Microsoft.Storage.Vds) that is an undocumented and unsupported assembly.

The example scenario presented does the following:

1. Leverages a Windows Azure Web Role (could be a Worker Role or VM Role as well)

2. Implements a Windows Console applications that:

a. Is a Startup task – in elevated mode and background

b. Runs elevated in order to affect Virtual Disk Services

c. At startup:

Mounts the VHD from Windows Azure Storage
Detects if target drive letter and re-assigns as needed to target drive letter **

d. Then Continuously (every 30 seconds)

i. Checks if drive is mounted on target drive letter
ii. If not, reassigns drive letter **

** Drive Letter reassignment is done through a System.Process startup object that runs Diskpart.exe with a “select volume” and “assign drive letter” command sequence.

Implementation

The sample solution contains the following:

1. Windows Azure Web Role – simple MVC3 application that just lists the mapped CloudDrives using the CloudDrive.GetMountedDrives() method

2. CloudDriveManager class library – helper class that provides the CloudDrive management actions leveraged by the caller (either Console or other code)

3. CloudDriveManagerConsole – Windows console application intended to be a startup project and running in elevated mode in order to affect the assigned driver letter

4. CloudDriveManagerRole – implementation of Microsoft.WindowsAzure.ServiceRuntime.RoleEntryPoint – which allows this class to be used from within a Windows Azure Web or Worker role – however, that role entry point would need to be elevated (via the “Runtime” and “NetFxEntryPoint” Elements)

5. Logger – simple logger class that writes to a Queue for debugging purposes

6. ResponseViewer – simple WPF application that reads Queue messages so you can view log messages from your cloud instances – purely for debugging purposes

7. TestListDrives – simple Windows console application that lists the mapped CloudDrives – usable from within the Role instance by using Remote Desktop and connecting to the instance

Instance Initialization

During role startup, Windows Azure will execute the Task defined in the Service definition in background mode and elevated (running as system). Inside of the console application, the implementation of OnStart does the following:

public override bool OnStart()
{
    try
    {
        Initialize();
        MountAllDrives();
    }
    catch (Exception ex)
    {
        _logger.Log("fail on onstart", ex);
    }
    return true;
}

void MountAllDrives()
{
    try
    {
        var driveSettings = RoleEnvironment.GetConfigurationSettingValue(DRIVE_SETTINGS);
        string[] settings = driveSettings.Split(':');
        CloudStorageAccount account =CoudStorageAccount.FromConfigurationSetting(STORAGE_ACCOUNT_SETTING);
        string dCacheName = RoleEnvironment.GetConfigurationSettingValue(DCACHE_NAME);
        LocalResource cache = RoleEnvironment.GetLocalResource(dCacheName);
        int cacheSize = cache.MaximumSizeInMegabytes / 2;
        _cloudDriveManager = new CloudDriveManager(account, settings[0], settings[1][0], cache);
        _cloudDriveManager.CreateDrive();
        _cloudDriveManager.Mount();
    }
    catch (Exception ex)
    {
        _logger.Log("fail on mountalldrives", ex);
        throw;
    }
}

Mostly, the startup routine calls into the custom class CloudDriveManager, which provides the simple abstraction to the Windows Azure CloudDrive managed class.

The custom CreateDrive method calls the CloudDrive create drive method in a non-destructive manner – and, for this sample, creates the initial VHD in storage if it does not already exist.

Mounting calls the managed classes CloudDrive.Mount along with calling into a custom VerifyDriveLetter method.

public void Mount()
{
    _logger.Log(string.Format("mounting drive {0}", _vhdName));
    _cloudDrive = _account.CreateCloudDrive(_vhdName);

    var driveLetter = _cloudDrive.Mount(_cacheSize, DriveMountOptions.Force);
    _logger.Log(string.Format("mounted drive letter {0}", driveLetter));

    var remounted = VerifyDriveLetter();
}

Within VerifyDriveLetter there’s some logic to validate the current state of the mounted drives. And then verification if the mounted drive is the intended drive letter.

public bool VerifyDriveLetter()
{
    _logger.Log("verifying drive letter");
    bool rv = false;
    if (RoleEnvironment.IsEmulated)
    {
        _logger.Log("Can't change drive letter in emulator");
        //return;
    }

    try
    {
        DriveInfo d = new DriveInfo(_cloudDrive.LocalPath);
        if (string.IsNullOrEmpty(_cloudDrive.LocalPath))
        {
            _logger.Log("verifydriveLetter: Not Mounted?");
            throw new InvalidOperationException("drive is notmounted");
        }

        if (!char.IsLetter(_cloudDrive.LocalPath[0]))
        {
            _logger.Log("verifiydriveLeter: Not a letter?");
            throw new InvalidOperationException("verifydriveletter - not a letter?");
        }

        if (IsSameDrive())
        {
            _logger.Log("is same drive; no need to diskpart...");
            return true;
        }

        char mountedDriveLetter = CurrentLocalDrive(_vhdName);
        RunDiskPart(_driveLetter, mountedDriveLetter);

        if (!IsSameDrive())
        {
            var msg = "Drive change failed to change";
                   _logger.Log(msg);
                   throw new ApplicationException(msg);
               }
               else
               {
                   Mount();
               }

               _logger.Log("verifydriveletter done!!");
               return rv;

           }
           catch (Exception ex)
           {
               _logger.Log("error verifydriveletter", ex);
               return rv;
           }

       }

The IsSameDrive method validates if the current mapped drive is indeed the planned drive letter. If not, it will return “false”.

bool IsSameDrive()
{
    char targetDrive = _driveLetter.ToString().ToLower()[0];
    char currentDrive = CurrentLocalDrive(_vhdName);

    string msg = string.Format(
        "target drive: {0} - current drive: {1}",
        targetDrive,
        currentDrive);

    _logger.Log(msg);

    if (targetDrive == currentDrive)
    {
        _logger.Log("verifydriveLetter: already same drive");
        return true;
    }
    else
        return false;

}

Finally, the RunDiskPart method initiates the action of spawning a new process with the dynamically created DiskPart script file that selects the existing volume name (by drive letter) and assigns the target drive letter.

void RunDiskPart(char destinationDriveLetter, char mountedDriveLetter)
{
    string diskpartFile = Path.Combine(_cache.RootPath, "diskpart.txt");

    if (File.Exists(diskpartFile))
    {
        File.Delete(diskpartFile);
    }

    string cmd = "select volume = " + mountedDriveLetter + "\r\n" + "assign letter = " + destinationDriveLetter;
      File.WriteAllText(diskpartFile, cmd);

      //start the process
      _logger.Log("running diskpart now!!!!");
      _logger.Log("using " + cmd);
      using (Process changeletter = new Process())
      {
          changeletter.StartInfo.Arguments = "/s" + " " + diskpartFile;
          changeletter.StartInfo.FileName = 
     System.Environment.GetEnvironmentVariable("WINDIR") + "\\System32\\diskpart.exe";
        //#if !DEBUG
        changeletter.Start();
        changeletter.WaitForExit();
        //#endif
    }

    File.Delete(diskpartFile);

}

Output and Results

As an example of the interaction and how the drive appears within the running Windows Azure Role, the following screen shots illustrate the results.

Program Startup

At program startup the drive is initially mounted by the Console application – immediately the drive is mounted as the F: drive – the startup code verifies if this is the intended drive – as shown below in the logs, it isn’t, so the code initiates the RunDiskPart method setting M: as the mapped drive.

The following shows how a Windows Azure Drive appears after the custom code reassigns the drive letter to the Operating system using Windows Explorer – the drive is selected below.

Within the custom MVC3 application, which simply just lists the Mounted Windows Azure drive (which runs in a separate Process non-elevated – the drive appears as a regular Operating System drive – accessible for File IO as required using the intended drive letter.

Forced Letter Change

The following shows what happens if the drive letter is intentionally changed – in this example, I just initiate a DiskPart set of commands to assign the mounted drive the letter L:

As you can see in the Windows Explorer window the letter now appears as L: for the WindowsAzureDrive.

Within approximately 30 seconds (which is the value used in the Run method by the custom code) VerifyDriveLetter detects it’s not the intended drive and initiates a change.

And the below image shows the drive again, appearing as the M: drive:

Future Options

Since capabilities in the Windows Azure platform change over time the ability to dictate the specific letter to be used may come available. Until then, this approach, by means of the Windows Azure Drive and Virtual Disk Services abstraction provided by the platform offers a means to accommodate codebase and application logic that is dependent upon predetermined drive letters.

References

[1] Windows Azure Drives http://www.windowsazure.com/en-us/develop/net/fundamentals/cloud-storage/#drives

[2] Virtual Disk Service http://msdn.microsoft.com/en-us/library/windows/desktop/bb986750(v=vs.85).aspx

[3] CloudDrive Storage Client http://msdn.microsoft.com/en-us/library/microsoft.windowsazure.storageclient.clouddrive.aspx

[4] Diskpart.exe http://technet.microsoft.com/en-us/library/cc770877(v=WS.10).aspx

[5] Task element http://msdn.microsoft.com/en-us/library/windowsazure/gg557552.aspx#Task

Runtime element http://msdn.microsoft.com/en-us/library/windowsazure/gg557552.aspx#Runtime

[7] NetFxEntryPoint element http://msdn.microsoft.com/en-us/library/windowsazure/gg557552.aspx#NetFxEntryPoint

Solution File: MountXDriveSameLetter.zip

Viewing the User Token from Visual Studio 2010 Debugger

cicorias — Tue, 06 Dec 2011 23:00:58 GMT

When you’re debugging security related things, sometimes you need to take a look at the thread identities user token.

When you’re inside of Visual Studio 2010 – in the watch windows you enter ‘$user’ and you’ll get the same as when in windbg with !token –n

Microsoft TechNet–Create PDF Takeaway chapters for your set of topics–great feature just added..

cicorias — Wed, 30 Nov 2011 15:25:14 GMT

If you’re like me, having those PDF version for offline review are great. It was a pain before as I had to individually print web pages to single PDF using tools.

Now, TechNet can track a “book” of topics for you, and then generate HTML or PDF for you to download – personal publishing

Roll-your-own techdocs for free - TONYSO - Site Home - TechNet Blogs

Dennis Ritchie, Father of C and Co-Developer of Unix, Dies | Wired Enterprise | Wired.com

cicorias — Fri, 14 Oct 2011 14:43:19 GMT

Wow – I still have my K&R book from a class I took at AT&T. Cut my teeth on nix…

Dennis Ritchie, Father of C and Co-Developer of Unix, Dies | Wired Enterprise | Wired.com

Description of Update Rollup 1 for Active Directory Federation Services (AD FS) 2.0

cicorias — Thu, 13 Oct 2011 12:57:07 GMT

Multiple UPN support now available…

Description of Update Rollup 1 for Active Directory Federation Services (AD FS) 2.0

Additional Mime Types in Visual Studio 2010 Development Web Server

cicorias — Thu, 06 Oct 2011 22:38:51 GMT

While the development server in Visual Studio 2010 is great for most work, it does have 1 shortcoming in that if you start adding content types that are not part of the base set of known Mime types built in, you won’t affect the proper header response that is emitted to the client/browser.

For example MP4 files, out of the box the development web server emits application/octet-stream or something like that. What we really need is video/mp4.

Now, with IIS Express, you can easily switch over to use that and just add the correct mapping to the section of the web.config when you’re running in integrated mode. Such as follows:

<system.webServer>
  <modules runAllManagedModulesForAllRequests="true" />
  <staticContent>
    <mimeMap fileExtension=".mp4" mimeType="video/mp4" />
    <mimeMap fileExtension=".m4v" mimeType="video/m4v" />
  </staticContent>
</system.webServer>

However, with the Visual Studio 2010 built in Web Development server, you can’t affect the mime type support through configuration.

For this a simple NuGet package is available that provides a simple HttpModule to affect the ContentType on the response headers. it reads the Web.config for the site and will honor the section above – this all happens only when NOT running in Integrated Pipeline mode.

Sample Solution and Source here: SampleMimeHelper.zip

The HttpModule makes use of dynamically loading via the PreApplicationStartMethod and the DynamicModuleHelper utility method that is part of the Microsoft.Web.Infrastructure namespace.

using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Diagnostics;
using System.Configuration;
using System.Web.Configuration;
using System.Xml.Linq;
using Microsoft.Web.Infrastructure.DynamicModuleHelper;

[assembly: PreApplicationStartMethod(typeof(MimeHelper), "Start")]

/// <summary>
/// Summary description for MimeHelper
/// </summary>
public class MimeHelper : IHttpModule
{
    static Dictionary<string, string> s_mimeMappings;
    static object s_lockObject = new object();

    public static void Start()
    {
        if ( ! HttpRuntime.UsingIntegratedPipeline)
            DynamicModuleUtility.RegisterModule(typeof(MimeHelper));
    }

    static string GetMimeType(HttpContext context)
    {
        var ext = VirtualPathUtility.GetExtension(context.Request.Url.ToString());
        if (string.IsNullOrEmpty(ext)) return null;

        CreateMapping(context.ApplicationInstance);

        string mimeType = null;
        s_mimeMappings.TryGetValue(ext, out mimeType);

        return mimeType;

    }

    static void CreateMapping(HttpApplication app)
    {
        if (null == s_mimeMappings)
        {
            lock (s_lockObject)
            {
                if (null == s_mimeMappings)
                {
                    string path = app.Server.MapPath("~/web.config");
                    XDocument doc = XDocument.Load(path);

                    var s = from v in doc.Descendants("system.webServer").Descendants("staticContent").Descendants("mimeMap")
                            select new { mimeType = v.Attribute("mimeType").Value, fileExt = v.Attribute("fileExtension").Value };

                    s_mimeMappings = new Dictionary<string, string>();
                    foreach (var item in s)
                    {
                        s_mimeMappings.Add(item.fileExt.ToString(), item.mimeType.ToString());
                    }
                }
            }
        }
    }


    public void Dispose() { }

    public void Init(HttpApplication context)
    {
        context.EndRequest += new EventHandler(context_EndRequest);
    }

    void context_EndRequest(object sender, EventArgs e)
    {
        try
        {
            HttpApplication app = sender as HttpApplication;
            string mimeType = GetMimeType(app.Context);

            if (null == mimeType) return;

            app.Context.Response.ContentType = mimeType;
        }
        catch (Exception ex)
        {
            Debug.WriteLine(ex.Message);
        }
    }
}

Faking SPContext–for testing only…

cicorias — Wed, 21 Sep 2011 21:54:41 GMT

Keith Dahlby has a good post on creating a fake SPContext. Here’s the link and the code

NOTE: This is not production safe code – use at own risk…

http://solutionizing.net/2009/02/16/faking-spcontext/

public static SPContext FakeSPContext(SPWeb contextWeb)
{
  // Ensure HttpContext.Current
  if (HttpContext.Current == null)
  {
    HttpRequest request = new HttpRequest("", web.Url, "");
    HttpContext.Current = new HttpContext(request,
      new HttpResponse(TextWriter.Null));
  }

  // SPContext is based on SPControl.GetContextWeb(), which looks here
  if(HttpContext.Current.Items["HttpHandlerSPWeb"] == null)
    HttpContext.Current.Items["HttpHandlerSPWeb"] = web;

  return SPContext.Current;
}

Use an Action delegate to time a method…

cicorias — Wed, 21 Sep 2011 19:15:03 GMT

I wanted an ability to be able to simply time methods and write to a log/trace sink and a very simple approach that I ended up using was to provide a method that takes an Action delegate which would be the method that is to be timed.

The following is what I came up with (this is my reminder…)

class Program
{
    static void Main(string[] args)
    {
        TestMethod1();
    }

    private static void TestMethod1()
    {
        LoggingHelper.TimeThis("doing something", () =>
        {
            Console.WriteLine("This is the Real Method Body");
            Thread.Sleep(100);
        });
    }
}

public static class LoggingHelper
{
    public static void TimeThis(string message, Action action)
    {
        string methodUnderTimer = GetMethodCalled(1);
        Stopwatch sw = Stopwatch.StartNew();
        LogMessage( string.Format("started: {0} : {1}", methodUnderTimer, message));
        action();
        sw.Stop();
        LogMessage(string.Format("ended  : {0} : {1} : elapsed : {2}", methodUnderTimer, message, sw.Elapsed));

    }

    private static string GetMethodCalled(int stackLevel)
    {
        StackTrace stackTrace = new StackTrace();
        StackFrame stackFrame = stackTrace.GetFrame(stackLevel + 1);
        MethodBase methodBase = stackFrame.GetMethod();
        return methodBase.Name;
    }

    static void LogMessage(string message){
        Console.WriteLine("{0}", message);
    }

}

Comparison of Windows Azure Storage Queues and Service Bus Queues « Microsoft Technologies Rocks !!!

cicorias — Tue, 20 Sep 2011 12:06:46 GMT

Nice table comparing Windows Azure Queues vs. Windows Azure AppFabric Service Bus – note the comment regarding in WAZ SDK 1.5 Queue message size is now 64KB

Of course, I like the name of the blog too.

Comparison of Windows Azure Storage Queues and Service Bus Queues « Microsoft Technologies Rocks !!!

MiniProfiler– A simple but effective mini-profiler for ASP.NET MVC and ASP.NET.

cicorias — Sun, 18 Sep 2011 13:34:49 GMT

Once in a while a good tool that I find out about that helps me developing solutions comes in real handy. MiniProfiler is one of those tools.

Developed by the StackOverflow folks it’s available in source or binary, and NuGet packages

Take a look

http://code.google.com/p/mvc-mini-profiler/

http://nuget.org/List/Packages/MiniProfiler

Slides for BUILD conference…

cicorias — Sun, 18 Sep 2011 12:44:56 GMT

On the Channel 9 site where the BUILD conference sessions are available, there are several feeds that provide the media associated with the sessions.

One that’s not listed explicitly is the PowerPoint slides – that feed is here:

http://channel9.msdn.com/Events/BUILD/BUILD2011/RSS/slides

Building scalable web applications with Windows Azure (ed. and on premise too!)

cicorias — Sat, 17 Sep 2011 16:24:25 GMT

Matthew Kerner’s session at BUILD covers many of the patterns and approaches that a well designed and highly scalable solution can do to make the most efficient use of the platform.

Truth is many of the areas Matthew covers should be for on Premise too – including use of Windows Azure CDN...

At about ~30:00 in Matthew references one of my posts on Windows Azure CDN and using it with your Compute role (hosted service) as an CDN origin…

Building scalable web apps with Windows Azure
http://channel9.msdn.com/events/BUILD/BUILD2011/SAC-870T

Bringing Hyper-V to “Windows 8” - Building Windows 8 - Site Home - MSDN Blogs

cicorias — Wed, 07 Sep 2011 21:27:15 GMT

This is huge – and a welcomed addition. Been waiting too long for this.

Bringing Hyper-V to “Windows 8” - Building Windows 8 - Site Home - MSDN Blogs

Hosted Service as a Windows Azure CDN Origin Tips

cicorias — Sun, 10 Jul 2011 17:27:30 GMT

The Windows Azure Content Delivery Network (CDN) helps improve the solution experience by putting content closer to the end-user, enhances availability, geo-distribution, scalability, lower latency delivery, and performance. If that’s the goal we want to be sure that when we instantiate the source of this content at the origin it’s as CDN friendly as we need.

In Windows Azure, when you’re running under IIS7.x /ASP.NET you have to be aware of the inherent behavior associated with Output Caching as it is part of the standard deployment of IIS7.x.

Some of that inherent behavior affects how cache-friendly your content (Http Response) will be as the CDN directly consumes your Hosted Service endpoint ( http://yourservice:80|443/cdn ) on behalf of your users.

If you don’t understand how your solution emits these HTTP headers, you will end up with NO caching – defeating the purpose of the CDN (in fact making performance worse) and additional costs incurred.

The areas we’ll briefly take a look at here are:

Working with the ASP.NET OutputCache module for CDN Friendly HTTP Headers
Vary:* Headers
Compressed content with the CDN
Use of IIS Virtual Application / Directories under Windows Azure
Provide your own OutputCache module implementation

Working with the ASP.NET OutputCache Module

Default behavior

The following code is an example of what developers generally provided with anticipation that the HTTP headers, specifically the Cache-control header will be emitted with a CDN friendly HTTP header – or any cache for that matter.

using (var image = ImageUtil.RenderImage(…))
 {
     context.Response.Cache.SetMaxAge(TimeSpan.FromMinutes(Constants.MA));
     context.Response.Cache.SetCacheability(HttpCacheability.Public);
     context.Response.ContentType = "image/jpeg";
     image.Save(context.Response.OutputStream, ImageFormat.Jpeg);
     context.Response.OutputStream.Flush();
 }

Under ASP.NET 3.5/4.x, this will result in the following

---request begin---
GET /image/0.jpg HTTP/1.0
User-Agent: Wget/1.11.4
Accept: */*
Host: az30993.vo.msecnd.net
Connection: Keep-Alive
---response begin---
HTTP/1.0 200 OK
Cache-Control: public
Content-Type: image/jpeg
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Fri, 08 Jul 2011 11:26:01 GMT
Content-Length: 6976
X-Cache: MISS from cds168.ewr9.msecn.net
Connection: keep-alive

With that set of headers, you will encounter a cache MISS on every request – with a read-through to the Hosted Service origin. You might not notice the impact right away as it can get picked up by the OutputCache module – but you’ve defeated the purpose of the CDN – and made the request performance worse.

The sample solution with this post provides a set of test scenarios for manipulating the HttpResponse under a standard IHttpHandler and under MVC3. If you take a look at the code you’ll see that 3 things are done to help diagnose the situation.

Request Logger – this is a simple request logger that captures requests for the purposes of providing a simple view against the incoming requests (could have used IIS logs, but this is a simple way to get the requests I’m interested in and display them)
Kernel caching is disabled via the web.config – with this enabled requests won’t make it into your ASP.NET pipeline when it’s a cache hit – giving you a false positive on understanding if and when CDN requests are “leaking” through and not being cached at the CDN
OOB OutputCache module is removed, then re-added – this ensures it’s lower in the module list at request time allowing the Request Logger to be higher up in the call chain so I’m sure to capture the inbound requests – if they’re cached or not in the OutputCache module

Set SlidingExpiration on Response

The easiest fix is to ensure you set SlidingExpiration to true on the response. This will ensure that the Cache-control header will contain your desired “public, max-age=xxxx”

public void ProcessRequest(HttpContext context)
{
    using (var image = ImageUtil.RenderImage(…)
    {
       context.Response.Cache.SetCacheability(HttpCacheability.Public);
       context.Response.Cache.SetMaxAge(TimeSpan.FromMinutes(Config.MaxAge));
       context.Response.ContentType = "image/jpeg";
       context.Response.Cache.SetSlidingExpiration(true);
       image.Save(context.Response.OutputStream, ImageFormat.Jpeg);
    }
}

Set an explicit Expires on the Response

public void ProcessRequest(HttpContext context)
{
    using (var image = ImageUtil.RenderImage(…)
    {
      context.Response.Cache.SetCacheability(HttpCacheability.Public);
      context.Response.Cache.SetExpires(DateTime.Now.AddMinutes(Config.MA));
      context.Response.ContentType = "image/jpeg";
      image.Save(context.Response.OutputStream, ImageFormat.Jpeg);
      context.Response.OutputStream.Flush();
    }
}

Use Downstream as the location when using the MVC OutputCache Attribute

[OutputCache(CacheProfile = "CacheDownstream")]
public ActionResult Image3()
{
    MemoryStream oStream = new MemoryStream();
    using (Bitmap obmp = ImageUtil.RenderImage(…)
    {
       obmp.Save(oStream, ImageFormat.Jpeg);
       oStream.Position = 0;
       return new FileStreamResult(oStream, "image/jpeg");
    }
}

//web.config
 <caching>
      <outputCacheSettings>
        <outputCacheProfiles>
          <add name="CacheDownstream" 
               location="Downstream" 
               duration="1000" 
               enabled="true"/>
        </outputCacheProfiles>
      </outputCacheSettings>

Append a query string

Providing a query string on the request affects the Cache-control header. Even if you add just a “?” after the URL path, the OutputCache module will then emit your intended max-age.

Disable OutputCache module – via config

You can do this by removing it from the ASP.NET pipeline altogether, or remove it in the sub-path where /cnd is located (or Virtual Application – see section later). This disables all Output caching for all requests.

Disable OutputCache module – via code – per request

You can also choose to bypass the OutputCache by affecting the Response with the following code

public void ProcessRequest(HttpContext context)
{
    using (var image = ImageUtil.RenderImage(…)
    {
       context.Response.Cache.SetCacheability(HttpCacheability.Public);
       context.Response.Cache.SetMaxAge(TimeSpan.FromMinutes(Config.MA));
       context.Response.Cache.SetNoServerCaching();
       context.Response.ContentType = "image/jpeg";
       image.Save(context.Response.OutputStream, ImageFormat.Jpeg);
       context.Response.OutputStream.Flush();
    }
}

Implement your own OutputCache module

You can take a look at the links in the section on implementing your own OutputCache module to get an idea on the implementation effort, but the reasoning why you would want to is varied – which I’ll cover a couple of reasons in that section.

Vary:* Headers and Caching

Ensure you’re not emitting Vary:* by headers at all if you want to take advantage of caching – either with the Windows Azure CDN or not – as the specification indicates responses with Vary:* should not be cached and only handled at the origin.

From RFC2616: "A Vary header field-value of "*" always fails to match and subsequent requests on that resource can only be properly interpreted by the origin server."

Compressed content with the CDN

One of the reasons you would want to move your origin from Windows Azure Storage to a Hosted Service is to take advantage of compression. As part of IIS7.x, you can ensure that static and dynamic compression is enabled for your content – this will then cascade through to the Windows Azure CDN and provide an overall better experience for your end users.

Use of IIS Virtual Application / Directories under Windows Azure

Today, using Hosted Service as an origin to Windows Azure CDN requires a production deployment of your service listening at the path http://yourserviceDnsName:80|443/cdn. Currently we do not support Hosted Services as origins in staging.

All that is required is that your service provide responses under the /cdn path. You can achieve this with a WebRole that has a directory (path) under your main site.

What happens if you need (or desire) to isolate that path (/cdn)? Under Windows Azure, you can take advantage of IIS Virtual Applications / Directories under your main WebRole.

The following Service Definition illustrates the approach by taking advantage of the Full IIS model and the VirtualApplication element. The key to the approach here for your solution in the development fabric is to ensure the physical directory is relative to the MainWeb path.

<ServiceDefinition name="TR13VirtualApp" xmlns="http://schemas.microsoft.com/ServiceHosting/2008/10/ServiceDefinition">
  <WebRole name="MainWeb" vmsize="ExtraSmall">
    <Sites>
      <Site name="Web">
        <VirtualApplication name="cdn" physicalDirectory="../MainWebCdn" />
        <Bindings>
          <Binding name="Endpoint1" endpointName="Endpoint1" />
        </Bindings>
      </Site>
    </Sites>
    …

This results in a deployment up on Windows Azure as the following – with a single site, and 2 application pools:

Simple VS2010 Solution is also provided at the end of the post and the following links provide further detail:

Creating Virtual Applications / Directories

The Windows Azure Training kit contains a sample walkthrough that demonstrates the approach.

http://msdn.microsoft.com/en-us/wazplatformtrainingcourse_advancedwebandworkerrolesvs2010lab_topic2.aspx

Additionally, Wade Wegner goes into a bit of detail as well.

http://www.wadewegner.com/2011/02/running-multiple-websites-in-a-windows-azure-web-role/

Why provide your own OutputCache module implementation?

So, what would make you want to write your own OutputCache module implementation? Recall that the Service model when you have many instances in your Windows Azure Role may result in different host instances servicing requests.

If that content is VERY expensive to produce….

You now have N (# of instances) producing possibly exact or similar replicas of your content. Not exactly a desirable effect if your transaction costs are high (maybe you’re reaching out to external services, or on premise mainframes, etc.)

Take advantage of Windows Azure AppFabric Caching

Either replacing the OutputCache module with your own implementation, or leveraging your own request model (that will still work with or bypass the OutputCache module) you can instantiate a single copy of that content in AppFabric Caching – thereby reducing the overall cost associated with repetitive content creation. Whatever your choice, ensure to factor in operational costs of AppFabric to see if it meets your economic model.

Implement your own OutputCache

The following links provide some guidance on replacing OutputCache module – which can be done at the /cdn path level if required.

Custom OutputCacheProvider

The following is a sample implementation of a custom OutputCache module under NetFx 4.0.

http://weblogs.asp.net/gunnarpeipman/archive/2009/11/19/asp-net-4-0-writing-custom-output-cache-providers.aspx

ASP.NET 4.0 Caching Overview

Check out the following link on ASP.NET 4.0 caching in general to get an idea of OutputCache module.

http://msdn.microsoft.com/en-us/library/ms178597.aspx

Solution Files

CDN Test Solution

Virtual App Sample

Raffaele Rialdi DeployManager June 2011 edition–Now supports SAN certificates

cicorias — Wed, 06 Jul 2011 19:15:26 GMT

Raffaele Rialdi has been adding features to his certificate management tool. Already supporting wildcard certificates, he’s now added SAN cert support.

But it’s more than certificate management too.

IAmRaf - Tools

Identity Claims Encoding for SharePoint

cicorias — Thu, 30 Jun 2011 15:44:13 GMT

Just to remind myself, the list of claim types and their encodings are listed here at the bottom.

http://msdn.microsoft.com/en-us/library/gg481769.aspx

Where for example:

i:0#.w|contoso\scicoria

‘i’ = identity, could be ‘c’ for others

# == SPClaimTypes.UserLogonName

. == Microsoft.IdentityModel.Claims.ClaimValueTypes.String

Table for reference:

Table 1. Claim types encoding

Character	Claim Type
!	SPClaimTypes.IdentityProvider
”	SPClaimTypes.UserIdentifier
#	SPClaimTypes.UserLogonName
$	SPClaimTypes.DistributionListClaimType
%	SPClaimTypes.FarmId
&	SPClaimTypes.ProcessIdentitySID
‘	SPClaimTypes.ProcessIdentityLogonName
(	SPClaimTypes.IsAuthenticated
)	Microsoft.IdentityModel.Claims.ClaimTypes.PrimarySid
*	Microsoft.IdentityModel.Claims.ClaimTypes.PrimaryGroupSid
+	Microsoft.IdentityModel.Claims.ClaimTypes.GroupSid
-	Microsoft.IdentityModel.Claims.ClaimTypes.Role
.	System.IdentityModel.Claims.ClaimTypes.Anonymous
/	System.IdentityModel.Claims.ClaimTypes.Authentication
0	System.IdentityModel.Claims.ClaimTypes.AuthorizationDecision
1	System.IdentityModel.Claims.ClaimTypes.Country
2	System.IdentityModel.Claims.ClaimTypes.DateOfBirth
3	System.IdentityModel.Claims.ClaimTypes.DenyOnlySid
4	System.IdentityModel.Claims.ClaimTypes.Dns
5	System.IdentityModel.Claims.ClaimTypes.Email
6	System.IdentityModel.Claims.ClaimTypes.Gender
7	System.IdentityModel.Claims.ClaimTypes.GivenName
8	System.IdentityModel.Claims.ClaimTypes.Hash
9	System.IdentityModel.Claims.ClaimTypes.HomePhone
<	System.IdentityModel.Claims.ClaimTypes.Locality
=	System.IdentityModel.Claims.ClaimTypes.MobilePhone
>	System.IdentityModel.Claims.ClaimTypes.Name
?	System.IdentityModel.Claims.ClaimTypes.NameIdentifier
@	System.IdentityModel.Claims.ClaimTypes.OtherPhone
[	System.IdentityModel.Claims.ClaimTypes.PostalCode
\	System.IdentityModel.Claims.ClaimTypes.PPID
]	System.IdentityModel.Claims.ClaimTypes.Rsa
^	System.IdentityModel.Claims.ClaimTypes.Sid
_	System.IdentityModel.Claims.ClaimTypes.Spn
`	System.IdentityModel.Claims.ClaimTypes.StateOrProvince
a	System.IdentityModel.Claims.ClaimTypes.StreetAddress
b	System.IdentityModel.Claims.ClaimTypes.Surname
c	System.IdentityModel.Claims.ClaimTypes.System
d	System.IdentityModel.Claims.ClaimTypes.Thumbprint
e	System.IdentityModel.Claims.ClaimTypes.Upn
f	System.IdentityModel.Claims.ClaimTypes.Uri
g	System.IdentityModel.Claims.ClaimTypes.Webpage

Table 2. Claim value types encoding

Character	Claim Type
!	Microsoft.IdentityModel.Claims.ClaimValueTypes.Base64Binary
“	Microsoft.IdentityModel.Claims.ClaimValueTypes.Boolean
#	Microsoft.IdentityModel.Claims.ClaimValueTypes.Date
$	Microsoft.IdentityModel.Claims.ClaimValueTypes.Datetime
%	Microsoft.IdentityModel.Claims.ClaimValueTypes.DaytimeDuration
&	Microsoft.IdentityModel.Claims.ClaimValueTypes.Double
‘	Microsoft.IdentityModel.Claims.ClaimValueTypes.DsaKeyValue
(	Microsoft.IdentityModel.Claims.ClaimValueTypes.HexBinary
)	Microsoft.IdentityModel.Claims.ClaimValueTypes.Integer
*	Microsoft.IdentityModel.Claims.ClaimValueTypes.KeyInfo
+	Microsoft.IdentityModel.Claims.ClaimValueTypes.Rfc822Name
-	Microsoft.IdentityModel.Claims.ClaimValueTypes.RsaKeyValue
.	Microsoft.IdentityModel.Claims.ClaimValueTypes.String
/	Microsoft.IdentityModel.Claims.ClaimValueTypes.Time
0	Microsoft.IdentityModel.Claims.ClaimValueTypes.X500Name
1	Microsoft.IdentityModel.Claims.ClaimValueTypes.YearMonthDuration

Creating Wildcard Certificates with makecert.exe

cicorias — Wed, 29 Jun 2011 01:14:36 GMT

Be nice to be able to make wildcard certificates for use in development with makecert – turns out, it’s real easy. Just ensure that your CN= is the wildcard string to use.

The following sequence generates a CA cert, then the public/private key pair for a wildcard certificate

REM make the CA
rem CA Certificate:
makecert -r -pe -n "CN=AA Contoso Test Root Authority" -ss CA -sr CurrentUser -a sha1 -sky signature -cy authority -sv CA.pvk CA.cer -len 2048


REM now make the server wildcard cert
makecert -pe -n "CN=*.contosotest.com" -a sha1 -len 2048 -sky exchange -eku 1.3.6.1.5.5.7.3.1 -ic CA.cer -iv CA.pvk -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 -sv wildcard.pvk wildcard.cer

pvk2pfx -pvk wildcard.pvk -spc wildcard.cer -pfx wildcard.pfx

Lorem Ipsum–Generating in Word 2010

cicorias — Mon, 27 Jun 2011 19:17:34 GMT

Well, apparently I missed this hidden feature having used the Lorem Ipsum website for some time, but if you enter the following in blank Word document – you’ll get 10 paragraphs of generated text:

=Lorem(10)

Such as:

Lorem ipsum dolor sit amet, consectetuer adipiscing elit. Maecenas porttitor congue massa. Fusce posuere, magna sed pulvinar ultricies, purus lectus malesuada libero, sit amet commodo magna eros quis urna.

Nunc viverra imperdiet enim. Fusce est. Vivamus a tellus.

Pellentesque habitant morbi tristique senectus et netus et malesuada fames ac turpis egestas. Proin pharetra nonummy pede. Mauris et orci.

Aenean nec lorem. In porttitor. Donec laoreet nonummy augue.

Suspendisse dui purus, scelerisque at, vulputate vitae, pretium mattis, nunc. Mauris eget neque at sem venenatis eleifend. Ut nonummy.

Fusce aliquet pede non pede. Suspendisse dapibus lorem pellentesque magna. Integer nulla.

Donec blandit feugiat ligula. Donec hendrerit, felis et imperdiet euismod, purus ipsum pretium metus, in lacinia nulla nisl eget sapien. Donec ut est in lectus consequat consequat.

Etiam eget dui. Aliquam erat volutpat. Sed at lorem in nunc porta tristique.

Proin nec augue. Quisque aliquam tempor magna. Pellentesque habitant morbi tristique senectus et netus et malesuada fames ac turpis egestas.

Nunc ac magna. Maecenas odio dolor, vulputate vel, auctor ac, accumsan id, felis. Pellentesque cursus sagittis felis.

HACK: Forcing FBA Token Refresh against SPClaimProvider with No Credential Challenge

cicorias — Wed, 15 Jun 2011 13:00:53 GMT

The approach takes advantage of the SP 2010 OOB Session Token handler and FBA claims provider implementation that during a period of token lifetime, if there is activity during the period of time that can be defined as "EW" in the image in the section "Background" below, that the SPSecurityTokenManager will, with the FBA provider, reissue a Session Token with new SessionToken ValidTo and ValidFrom times without forcing a re-challenge for user credentials (username and password).

Additionally, it takes advantage of the ability to provide an event handler, on the SessionAuthentcationModule (SPSessionAuthenticationModule) to cause a reissue of the token temporarily with an expiry time (ValidTo) that will cause a SPSessionToken cache miss – thus forcing the re-issue by the SPSecurityTokenManager.

General Approach

The following is a contrived example and uses a rudimentary approach for determine how/when to indicate that the token should be "refreshed" This is done by hooking into the WIF Session Authentication Module's (SAM) Event "SessionSecurityTokenReceived".

The approach taken, and shown on the internet in several posts is to subclass the HttpApplication implementation.

The approach I recommend is to leverage the ability of any HttpApplication by ways of built in ability to identify all HttpModules loaded for that ASP.NET application (SP included) and determine if there are Event handlers specified by ways of the Global.asax in the Root of the SP IIS Site. This is handled by the System.Web.HttpApplication.HookupEventHandlersForApplicationAndModules method.

Note: There are alternatives that I've also tested that work – 1 approach is to register a new HttpModule, then in that HttpModule is to register "1" time a handler for the SAM's SessionSecurityTokenReceived event. This requires a method of indicating at the application level that a handler has already been registered.

Scenario Supported

The general scenario is:

User is already logged onto the site with a valid token
At time required to force a Claims refresh, user will click a link or system will determine how to initiate an HttpRequest that will call the logic required for forcing the refresh
System receives request
SessionAuthenticationModule raises event that custom code will handle
1. This is done by HttpRequest inspection – the sample looks for a Url that contains "RefreshToken.aspx" – there are other means to provide a similar approach.
Custom code identifies the SP LogonTokenCacheExpirationWindow
Using LogonTokenCacheExpirationWindow, custom code forces a re-issue of token that has a ValidTo that will fall into the LogonTokenCacheExpirationWindows – eg.

DateTime newValidTo = DateTime.UtcNow.Add(logonWindow);

System (SP Session Cache) determines that the token requires a re-issue
System calls SPSecurityToken Manager – to reissue all claims for user, bypassing the Logon credentials prompt
During the SPSecurityToken manager re-issue any custom SPClaimProvider types loaded are also called – using FBA and SPClaimProvider will make a call to its FillClaimsForEntity inside of the SP STS.
Session continues with new SessionToken using configuration based values for ValidFrom, ValidTo as defined in the SPSecurityTokenConfig.

Sample Code for Event Handler

The sample code uses another class to contain the code; your implementation could just as easily keep this in the global.asax – however, I'm of the belief that the global.asax should be kept as pristine as possible.

The following code is placed in an assembly that is resolvable through normal fusion – that is, it could be a private assembly. I've chosen GAC in the sample project just for the ease of development.

The code below handles the event and just looks for a page (Url) that contains a well-known request string. This could be anything, but ensure that it's not a common page and based upon the application needs, how your logic will determine a need to refresh all claims.

<%@ Assembly Name="Microsoft.SharePoint" %>
<%@ Assembly Name="RefreshClaimsSample, Version=1.0.0.0, Culture=neutral, PublicKeyToken=329ca2a6e4eeb8c6" %>
<%@ Application Language="C#" Inherits="Microsoft.SharePoint.ApplicationRuntime.SPHttpApplication" %>
<%@ Import Namespace="Microsoft.IdentityModel.Web" %>
<%@ Import Namespace="Microsoft.IdentityModel.Tokens" %>
<%@ Import Namespace="Microsoft.SharePoint.IdentityModel" %>

<script runat="server">
    void SessionAuthentication_SessionSecurityTokenReceived(object sender, SessionSecurityTokenReceivedEventArgs e) 
    {
        RefreshClaimsSample.SampleRefreshClaims.ForceRefreshClaims(sender, e);
    }
</script>

public static void ForceRefreshClaims(object sender, SessionSecurityTokenReceivedEventArgs e)
{
    if (HttpContext.Current.Request.Url.AbsoluteUri.Contains("RefreshClaims.aspx"))
    {
        SessionAuthenticationModule sam = sender as SessionAuthenticationModule;
        var logonWindow = SPSecurityTokenServiceManager.Local.LogonTokenCacheExpirationWindow;

        DateTime newValidTo = DateTime.UtcNow.Add(logonWindow);

        e.SessionToken = sam.CreateSessionSecurityToken(
            e.SessionToken.ClaimsPrincipal,
            e.SessionToken.Context,
            e.SessionToken.ValidFrom,
            newValidTo,
            e.SessionToken.IsPersistent);

        e.ReissueCookie = true;
    }
}

Wiring up Event Handler

In the SP Global.asax provided a method signature that matches the event from the SAM.

The requirements are that the signature is as follows:

void <moduleNameFromConfig>_<eventName> ( eventArgsType )

Where:

moduleNameFromConfig – must match the name attribute from the module as specified in the /system.webServer/modules/add/@name element.
eventName – must match the event name as defined in the HttpModule's public event
eventArgsType – must match the event arguments type that is defined for the event.

Background

In the above diagram, the settings:

TL = FormsTokenLifeTime
EW = LogonTokenCacheExpirationWindow

These settings are obtained and modified via PowerShell under the SPSecurityT0kenServiceConfig set of cmdlets.

For the following samples, assume the following:

TL = 10 Minutes
EW = 4 Minutes

TL – EW = 6 Minutes

Solution Zip

SharePoint 2010 FBA and Sliding Sessions

cicorias — Fri, 10 Jun 2011 20:41:10 GMT

This is to provide a little bit of explanation on the implementation of FBA authentication with SP 2010. There have been blog posts that indicate there are no sliding sessions, but with a little manipulation and understanding of some of the settings, there is somewhat of support for sliding sessions and re-issuance of tokens. The current model provides for a little trade-off on performance as re-requests to the FBA providers and also any SP Custom Claim providers can have impact on overall performance.

The following diagram represents the initial static view of the SP 2010 Security Token Service Configuration settings that control the management of Tokens issued under Forms Based Authentication (FBA) authentication.

The current SP 2010 April 2011 CU’s does support a level of sliding sessions as long as a request (user activity) occurs in the window of time after token issuance (logon or re-issuance) defined in the “EW” segment below.

In the above diagram, the settings:

TL = FormsTokenLifeTime
EW = LogonTokenCacheExpirationWindow

These settings are obtained and modified via PowerShell under the SPSecurityT0kenServiceConfig set of cmdlets.

For the following samples, assume the following:

TL = 10 Minutes
EW = 4 Minutes
TL – EW = 6 Minutes

Example 1:

User Logon occurs
User is Inactive for 11 minutes (> 10 minutes)
At next request: System Presents Forms based logon (or identity selector) to user forcing re-authentication (All Claims Providers Called)

Example 2:

User Logon occurs
User is Inactive for 3 minutes
User issues Request
Token is NOT updated as request occurred in the “TL – EW” window
User remains Inactive for 8 more minutes (> 7 or more than 3 + 7 = 10, which is the original window
At next request: System Presents Forms based logon (or identity selector) to user forcing re-authentication (All Claims Providers Called)

Example 3:

User Logon occurs
User is inactive for 8 minutes
User issues Request
System attempts to re-issue token, skipping password check
System re-issues new Token with updated ValidFrom / ValidTo timestamp based upon current clock (All Claims Providers Called)
Entire “window” is now shifted based upon existing configured values

Note in the above scenarios that the “(All Claims Providers Called)” indicates that the Claims Providers registered for the Web Application / Site are then called; any custom SPClaimProvider implementations will have the method FillClaimsForEntity called at that time

Adding and Removing SPClaimProvider via PowerShell

cicorias — Thu, 09 Jun 2011 19:51:05 GMT

There are really 2 ways to get a SPClaimProvider registered – 1 via a Farm Feature activation. The other is via PowerShell.

However, the documentation on how to remove is not that clear.

The following code will remove it based upon a TypeName. Other identifiers can be used.

In order to remove:

Get-SPClaimProvider | ForEach-Object { 
    Write-Host $_.TypeName
    IF ( $_.TypeName -eq "SimpleClaimsProvider.LVClaimsProvider")
        {
            Write-Host "Found"
            $cp = $_
        }
    
    }
    
    
$cp.DisplayName

Remove-SPClaimProvider $cp

I want my $8.5 B back…

cicorias — Tue, 07 Jun 2011 12:41:23 GMT

Skype reporting “some users” can’t login. Odd, when you’re “some users” you can’t imagine the entire world is not feeling your pain.

And numerous crashes.

Know what Process is calling your SPClaimProvider

cicorias — Mon, 06 Jun 2011 13:55:50 GMT

If you’re writing a custom SharePoint Claims Provider (SPClaimProvider) in order to augment claims, it’s important to also understand what process is executing your specific code path. In the situation where you are making calls to a DB or service endpoint you will need to understand which process actually makes that call.

In situations when running in a Trusted Subsystem model, you’ll also need to RunWithElevated in order to have that code path execute in the context of the Windows Principal for that process.

The following table illustrates for the abstract members of the SPClaimProvider class when implemented and where they execute:

Method / Property	Web App	SP STS	Timer, PS (Feature Activation Code)
FillClaimTypes	X		X
FillClaimValueTypes			X
FillClaimsForEntity		X
FillEntityTypes	X
FillHierarchy	X
FillResolve	X
FillResolve	X
FillSchema	X
FillSearch	X
Name	X	X	X
SupportsEntityInformation		X
SupportsHierarchy	X
SupportsResolve	X
SupportsSearch	X		X

So, if you have your persistence in a SQL DB, and your using Windows Authentication (and using RunWithElevated) you’ll need to grant (or have) to the appropriate SQL permissions; generally, I’ve just granted “datareader”.

Forcing use of the same Master Page in sub-sites without Publishing

cicorias — Thu, 02 Jun 2011 16:19:31 GMT

This seems to come up a few times. The following sample script in PS applies a common master page across all SPWebs in a site collection.

$site = Get-SPSite http://fba.contosotest.com/dv1
$site | Get-SPWeb -limit all | ForEach-Object { $_.MasterUrl = "/dv1/_catalogs/masterpage/custom_v4.master";$_.Update() }
$site.Dispose()

Thanks to Phil Childs - http://get-spscripts.com/2010/09/changing-master-page-on-sharepoint.html