.NET Framework 4.7.2 Developer Pack Early Access build 3056 is available!

Growing compliance and security demand requires many customers to use Multi-Factor authentication (MFA).  In addition, current best practices directs developers from not including any user password directly to the connection string. We have extended SqlClient Connection String by introducing a new Azure AD Interactive authentication keyword to support MFA. This also enables support of Azure AD Authentication. 

This feature introduces a new value for the existing “Authentication” keyword, specifying a new authentication method called “Active Directory Interactive”. The new interactive method supports native and federated Azure AD users as well as Azure AD guest users.  When this method is being used, the MFA authentication imposed by Azure AD is supported for SQL DB. In addition, a user password is requested as part of an interactive dialog enabling us to adhere to security best practices.

Originally SQL connectivity in .NET Framework supported only ActiveDirectoryPassword and ActiveDirectoryIntegrated. Both of these are part of the non-interactive ADAL protocol which do not support MFA. With the new ActiveDirectoryInteractive keyword, the SQL connectivity supports MFA as well as existing authentication methods (password and integrated authentication) allowing users to enter user password interactively without the need to persist passwords in the SQL connection string.

This feature can be configured with tools like SQL Server Data Tools (SSDT), as illustrated below. In the latest Visual Studio preview, a new authentication option called “Active Directory Interactive Authentication” can be used to support MFA authentication to SQL database.

The following sample shows how to instantiate the communication provider that is required to register it to a specific authentication method. It also shows creating connections to SQL database using the different authentication methods, of which two are existing ones: ActiveDirectoryPassword, ActiveDirectoryIntegrated and the latest ActiveDirectoryInteractive.

BCL – Cryptographic Improvements

New overloads to RSA.Create and DSA.Create 

This simplifies the pattern of creating an RSA or DSA object and calling ImportParameters. The ‘before’ and ‘after’ simplification is illustrated below.

When generating a new RSA or DSA key with a specific keysize the new size overloads can be utilized.

Rfc2898DeriveBytes accepts a hash algorithm name

New constructor overloads have been added to Rfc2898DeriveBytes that accepts a HashAlgorithmName to identify which HMAC algorithm should be used when deriving keys.  Developers are encouraged to move new key generations to a SHA-2-based HMAC as follows instead of using HMAC_SHA1. 

Support for EphemeralKeySet

PFX import can optionally load private keys directly from memory, bypassing the hard drive. The X509KeyStorageFlags enumeration has a new member, EphemeralKeySet. When this flag is specified in an X509Certificate2 constructor or X509Certificate2Collection.Import method, the private keys will be loaded as ephemeral keys. This avoids keys being visible on the disk.

• Since the keys are not persisted to disk, certificates loaded with this flag are not good candidates for being added to an X509Store.
• Keys loaded in this manner will almost always be loaded via Windows CNG, therefore callers must access the private key via the extension methods – for e.g., cert.GetRSAPrivateKey(). The PrivateKey property on X509Certificate2 will not function.
• Since the legacy PrivateKey property will not work with certificates, developers are advised to perform rigorous testing before switching to EphemeralKeySet.

Programmatic creation of PKCS#10 certification signing requests and X.509 public key certificates

The .NET Framework now enables workloads to generate certificate signing requests (CSRs), allowing certificate request generation to be staged into existing tooling.

The following example creates a CSR to be valid as a TLS Server Authentication certificate for www.adatum.com. Furthermore, adatum.com is signed with an existing RSA key using RSA-PSS with SHA-2-256.

 

The .NET Framework now enables workloads to generate self-signed certificates in a programmatic manner. This is frequently useful in test scenarios.

The following example creates a self-signed version of a TLS Server Authentication certificate for www.adatum.com, using an existing ECDSA key with an ECDSA-SHA-2-256 signature.

 

Other Features

• The SignerInfo class for SignedCms exposes more information about the signature. SignerInfo.SignatureAlgorithm can be queried to determine the signature algorithm used by the signer. SignerInfo.GetSignature() can be called to get a copy of the cryptographic signature for this signer.
• CryptoStream now has an additional constructor that allows Dispose to not close the wrapped stream. To continue with the current behavior, no changes are necessary. To leave the wrapped stream open after the CryptoStream is disposed, use `new CryptoStream(stream, transform, mode, leaveOpen: true)`.

BCL – ZLib decompression support to DeflateStream

This feature improves the throughput of decompressing ZIP archives by using native implementation of ZIP. This enables up-to 3x increase in the throughput of ZIP archives during decompression. There are minor differences between the existing and native implementation, hence this feature is enabled by default only for applications targeting .NET Framework 4.7.2.
Older applications can opt-into this behavior by using the following AppContext switch:

BCL – Additional Collection APIs

In .NET Framework 4.7.2 we have added a few APIs to the standard Collection types that will enable new functionality as follows.   

• ‘TryGetValue’ is added to SortedSet and HashSet to match the Try pattern used in other collection types.
• The `Enumerable.To*` extension methods are added to SortedSet and HashSet.
• New HashSet constructors allow HashSets to be constructed with a capacity, offering a performance benefit when you know ahead of time what the size of the HashSet will be.

The new Collection APIs are listed below.

WorkflowDesigner High Contrast Improvements

New WorkflowDesignerColors have been added to improve UI experiences in high contrast mode. The following properties are now added to Class System.Activities.Presentation.WorkflowDesignerColors.

Before and after experiences with these changes for various workflow features are illustrated below.

Feature	Before	After
Foreground colors of selected activities’s title change to black
Foreground colors of selected arguments/variables change to black
Foreground colors of selected context menu items change to black
Foreground colors of selected flowchart connectors change to turquoise
Foreground colors of selected buttons in properties window change to black

 

WPF – Finding ResourceDictionaries by Source

This feature enables a diagnostic assistant to locate the ResourceDictionaries that have been created from a given Source Uri. A diagnostic assistant such as Visual Studio’s “Edit-and-Continue” facility lets its user edit a ResourceDictionary, with the intent that the changes are applied to the running application. One step in achieving this is finding all the ResourceDictionaries that the running application has created from the dictionary that’s being edited. For example, an application can declare a ResourceDictionary whose content is copied from a given source URI:

A diagnostic assistant that edits the original markup in “MyRD.xaml” can use the new feature to locate the dictionary. The feature is implemented by a new method on the class `System.Windows.DiagnosticsResourceDictionaryDiagnostics` as illustrated by the first line in the code below. The diagnostic assistant would call the new method using an absolute Uri that identifies the original markup as illustrated by the next line below.

The feature is for use by diagnostic assistants, not by production applications. The method returns an empty enumerable unless VisualDiagnostics are enabled and the ENABLE_XAML_DIAGNOSTICS_SOURCE_INFO environment variable is set.

WPF – Finding ResourceDictionary owners

This feature enables a diagnostic assistant to locate the owners of a given ResourceDictionary. Whenever a change is made to a ResourceDictionary, WPF automatically finds all DynamicResource references that might be affected by the change. A diagnostic assistant such as Visual Studio’s “Edit-and-Continue” facility may want extend this to handle StaticResource references.

The first step in this process is finding the owners of the dictionary – all the objects whose `Resources` property refers to the dictionary (either directly, or indirectly via the `ResourceDictionary.MergedDictionaries`property). The new methods support this step.

The feature is implemented by three new methods on the class `System.Windows.DiagnosticsResourceDictionaryDiagnostics`, one for each of the base types that have a `Resources` property.

The feature is for use by diagnostic assistants and not by production applications. The methods return an empty enumerable unless VisualDiagnostics are enabled and the ENABLE_XAML_DIAGNOSTICS_SOURCE_INFO environment variable is set.

WPF – Finding StaticResource references

This feature allows a diagnostic assistant to receive a notification whenever a StaticResource reference is resolved. A diagnostic assistant such as Visual Studio’s “Edit-and-Continue” facility may want to update all uses of a resource when it changes or replaces a value in a  ResourceDictionary. WPF does this automatically for DynamicResource references, but intentionally does not do so for StaticResource references. The diagnostic assistant is faced with the challenge of locating those uses. This feature helps meet the challenge.

The feature is implemented by a new event on the class `System.Windows.DiagnosticsResourceDictionaryDiagnostics`.

This event is raised whenever the runtime resolves a StaticResource reference. The event args describe the resolution, indicating the object and property that host the StaticResource reference, and the ResourceDictionary and key used for the resolution.

The feature is for use by diagnostic assistants, not by production applications. The event is not raised (and its `add` method is ignored) unless VisualDiagnostics are enabled and the ENABLE_XAML_DIAGNOSTICS_SOURCE_INFO environment variable is set.

 

Closing

Try out these new features in .NET Framework 4.7.2 Early Access build and please provide your feedback by reporting an issue at the .NET Framework Early Access GitHub repository.