Case-insensitive regular expression matching in ADFS claim rules

Today I needed to create a claim rule in ADFS to send certain claims to users depending on their email address. The idea was to prevent people in certain email domains from getting claims they weren’t supposed to have.

I created a claim rule that ran regular expressions against the user’s email address and it worked fine in test, but in production, users were getting claims they weren’t supposed to have! I soon realised the reason: the casing of email addresses in our AD differs drastically. Some are in the form joe.bloggs@contoso.com, while others were john.smith@Contoso.Com. We pretty much found every type of casing possible.

It turns our that by default, regular expression matching in ADFS claims rules is case-sensitive, but it’s easy to switch the matching to case-insensitive using the information in the following Microsoft article:

Microsoft Article – Understanding Claim Rule Language in ADFS

Adding (?i) to the start of the regular expression forces case-insensitive matching, as in Microsoft’s example:

c:[type == "http://contoso.com/email", Value =~ "(?i)bob"] => issue (claim = c);

With this in place, everything worked as expected.

Installing two build agents on TeamCity

Other than jogging my memory in the future when I need to do the same thing again, this post adds no value other than to direct people to Marcos Placona’s great blog post on how to run two build agents on the same TeamCity instance. Unfortunately this doesn’t work out of the box so there is some tweaking involved, as you’ll see.

So, without further ado, over to you Marcos…

http://www.placona.co.uk/1327/technology/new-teamcity-agents-the-right-way/

Granting folder/file access permissions to IIS AppPool users

By default, processes than run under IIS won’t have permission to access folders you create on your server hard drive. So, if you want your web-sites to interact with folders and files you’ll need add access permissions using the standard folder properties dialog:

Security Permissions Dialog

Permissions must be granted to the AppPool that your site uses. To grant permissions to AppPool users, the user name you enter in the Select Users or Groups dialog:

Select User or Group Dialog

…should match the following pattern:

IIS AppPool\[AppPool Name]

When you click Check Names the text you entered will magically detect the AppPool.