August 16th, 2010 Published by

Claims authentication against Windows Live ID for SharePoint 2010

The SharePoint engineering team at Fpweb.net is always striving to discover new frontiers. To declare that the impossible is… well, possible. Recently, we put our heads together to find a way to use both Live ID and Open ID as an authentication method for SharePoint Server 2010.

With the addition of the new claims based authentication framework in SharePoint 2010, SharePoint is now more loosely coupled to the authentication layer than ever. You’ve probably seen presentations or webinars where it was mentioned that you can use claims authentication against authentication providers such as Live ID and OpenID. However, the documentation for configuring Live ID authentication is relatively hard to come by.

Recently, Chris Schwab and I were working with an Fpweb.net customer that needed to use Live ID as an external authentication source for their internet-facing hosted SharePoint 2010 Server farm.  They wanted to “outsource” the user account repository and password management for their site to Windows Live ID. While this lessened the burden of user account administration, they still needed to give the Windows Live users SharePoint permissions. Below is a step-by-step guide on how to set up claims authentication using Windows Live ID for SharePoint 2010.

Configure the Windows Live ID security token service

  1. Login to the Microsoft Services Manager for Windows Live with your Live account.
  2. Click Register Your Site.
    You’ll notice that you are redirected to https://msm.live-int.com.
  3. You are redirected to the “int” version of Live.com because your site has not been reviewed by Microsoft and has not been given the “Prod” indication (meaning your site is compliant).
  4. Below is a screenshot of the Microsoft Services Manager after clicking the “Register Your Site” link.

How to fill out the fields shown in the screenshot above:

  1. Name:
    1. Enter in a useful description for your site.
  2. DNS Name:
    1. Enter a value for the DNS name of your site. This must be unique and must match the setting you give for realm on the SharePoint Server (I’ll give more detail on this later). For now it can be urn:whateveryouwant.
  3. Policy:
    1. Select Windows Live ID for the policy group.
    2. Click Submit and then Yes on the confirmation page.
  4. Default Return Url:
    1. https://yourdomain/_trust/default.aspx
  5. Override Authentication Policy (advanced settings):
    1. MBI_FED_SSL

Note: You will have to build your site authentication against Live-Int.com at first. Then, you’ll have to submit it to Microsoft for a compliance review. You will not be sent back real email addresses from the Live ID STS, only the PUID of the user. Once the user is authenticated to your site, they will need to enter their email/name if you need this information.

Retrieve and install the x509 certificate on the web servers

  1. Download this -int version of the x509 cert.
  2. Open it, and locate the <KeyDescriptor use="signing" wsu:Id="stscer"> node.
    1. Copy the contents within the <X509Certificate> node.
  3. Create a new text file in notepad, and paste the contents into it.
    1. Save as C:\LiveIDPublic.cer
    2. NOTE: from here on, we will refer to this file as the “x509 cert”
  4. Import the new certificate using Start > Run > MMC
  5. You should see the screenshot shown below. From the File Menu, Choose:
    1. Add Snap-ins > Certificates > Computer Account > Next Local Computer > OK
  6. Import the x509 cert to all 3 places shown below:
    1. SharePoint
    2. Trusted People
    3. Trusted Root Certification Authorities
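
Steps 1 to 3 can be scripted so the certificate text is not damaged by copy and paste, and so the file is parsed as a certificate before it is imported. This is an added example, not part of the original post; the metadata file name `C:\LiveIDFederationMetadata.xml` is an assumption (the post does not name the downloaded file), while the element names and the output path are the ones given in the steps above.

```powershell
# Added example: extract the token-signing certificate from the downloaded
# federation metadata and save it as the "x509 cert" file used in this post.
$metadataPath = "C:\LiveIDFederationMetadata.xml"   # assumption: local name of the downloaded XML
$certPath     = "C:\LiveIDPublic.cer"               # path used in the post

# XmlDocument.Load works on PowerShell 2.0, which SharePoint 2010 ships with
$metadata = New-Object System.Xml.XmlDocument
$metadata.Load($metadataPath)

# Match on local names so the query does not depend on namespace prefixes
$xpath = "//*[local-name()='KeyDescriptor' and @use='signing']//*[local-name()='X509Certificate']"
$nodes = $metadata.SelectNodes($xpath)
if ($nodes.Count -eq 0) {
    throw "No <KeyDescriptor use=`"signing`"> with an <X509Certificate> child found in $metadataPath"
}
if ($nodes.Count -gt 1) {
    Write-Warning "$($nodes.Count) signing certificates found; using the first. Compare thumbprints before trusting it."
}

# The node holds base64 text, possibly wrapped across lines; strip whitespace and decode
$base64 = $nodes.Item(0).InnerText -replace '\s', ''
$bytes  = [Convert]::FromBase64String($base64)       # throws if the text is not clean base64

# Parse the bytes as a certificate BEFORE writing the file; a wrong or truncated
# node fails here instead of later in the MMC import dialog
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(,$bytes)

# Write a DER-encoded .cer file
$der = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
[System.IO.File]::WriteAllBytes($certPath, $der)

# Show what is about to be trusted so it can be reviewed before step 6
$cert | Select-Object Subject, Issuer, Thumbprint, NotBefore, NotAfter | Format-List

if ($cert.NotAfter -lt (Get-Date)) {
    Write-Warning "This certificate expired on $($cert.NotAfter). Download current metadata before importing."
}
```

Record the thumbprint it prints; the same value should appear on the certificate after it is imported into each of the three stores in step 6.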

Configure a SharePoint 2010 claims provider using PowerShell

Add-PSSnapin Microsoft.SharePoint.PowerShell

# The realm must match the DNS Name registered in Microsoft Services Manager
$realm = "urn:andyliveid:dev"
$certloc = "C:\LiveIDPublic.cer"

# Register the Live ID token-signing certificate as a trusted root authority
$rootcert = Get-PfxCertificate $certloc
New-SPTrustedRootAuthority "Production OpenID Token Signing Cert" -Certificate $rootcert | Out-Null
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certloc)

# Map the incoming claims (a trailing backtick continues the command on the next line)
$map1 = New-SPClaimTypeMapping `
    -IncomingClaimType "http://schemas.xmlsoap.org/claims/EmailAddress" `
    -IncomingClaimTypeDisplayName "http://schemas.xmlsoap.org/claims/EmailAddress" `
    -SameAsIncoming
$map2 = New-SPClaimTypeMapping `
    -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier" `
    -IncomingClaimTypeDisplayName "UPN" `
    -LocalClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"

$user = "xxxxxxxxxx@live.com" # your unique Live PUID

# Create the trusted identity token issuer that points at the Live ID INT STS
$apSAML = New-SPTrustedIdentityTokenIssuer `
    -Name "LiveIDInt" -Description "LiveIDInt" `
    -Realm $realm -ImportTrustCertificate $cert -ClaimsMappings $map1,$map2 `
    -SignInUrl "https://login.live-int.com/login.srf" `
    -IdentifierClaim "http://schemas.xmlsoap.org/claims/EmailAddress"

# Build a claims principal for the Live ID user
$cpSAML = New-SPClaimsPrincipal -TrustedIdentityTokenIssuer $apSAML -Identity $user.ToLower()
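
After running the script, the resulting trust can be read back and compared with what was intended: the realm registered in MSM, the sign-in host, and the certificate file. The block below is an added example, not part of the original post; it only reads configuration, the helper `New-Check` and the `$expected*` variables are hypothetical names, and the property names are those of the SharePoint 2010 trusted login provider object.

```powershell
# Added example: read-only checks against the trust created by the script above.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$issuerName    = "LiveIDInt"             # -Name used in the post's script
$expectedRealm = "urn:andyliveid:dev"    # must equal the DNS Name registered in MSM
$expectedHost  = "login.live-int.com"    # INT sign-in host from the post
$certPath      = "C:\LiveIDPublic.cer"   # the "x509 cert" file from the post

# Hypothetical helper: one result row per check (PSObject works on PowerShell 2.0)
function New-Check($name, $expected, $actual, $pass) {
    New-Object PSObject -Property @{ Check = $name; Expected = $expected; Actual = $actual; Pass = $pass }
}

$fileCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certPath)
$issuer   = Get-SPTrustedIdentityTokenIssuer -Identity $issuerName -ErrorAction Stop
$results  = @()

# Realm: exact, case-sensitive comparison so any difference from the MSM value shows up
$results += New-Check "Realm" $expectedRealm $issuer.DefaultProviderRealm `
    ($issuer.DefaultProviderRealm -ceq $expectedRealm)

# Sign-in URL: must be HTTPS on the expected host; a typographic dash pasted
# into the host name fails this comparison
$uri = $issuer.ProviderUri
$results += New-Check "Sign-in host" $expectedHost $uri.Host `
    (($uri.Scheme -eq "https") -and ($uri.Host -eq $expectedHost))

# The certificate the issuer validates tokens with must be the one in the file
$results += New-Check "Issuer signing cert" $fileCert.Thumbprint $issuer.SigningCertificate.Thumbprint `
    ($issuer.SigningCertificate.Thumbprint -eq $fileCert.Thumbprint)

# The same certificate must also be registered as a trusted root authority
$roots = @(Get-SPTrustedRootAuthority | Where-Object { $_.Certificate.Thumbprint -eq $fileCert.Thumbprint })
$rootNames = ($roots | ForEach-Object { $_.Name }) -join ", "
$results += New-Check "Trusted root authority" "present" $(if ($roots.Count) { $rootNames } else { "missing" }) `
    ($roots.Count -gt 0)

# An expired or not-yet-valid signing certificate should not be trusted
$now = Get-Date
$results += New-Check "Cert validity" "valid today" ("{0:u} .. {1:u}" -f $fileCert.NotBefore, $fileCert.NotAfter) `
    (($fileCert.NotBefore -le $now) -and ($fileCert.NotAfter -ge $now))

# Informational: which incoming claim identifies the user
$results += New-Check "Identifier claim" "(informational)" `
    $issuer.IdentityClaimTypeInformation.InputClaimType $true

$results | Select-Object Check, Pass, Expected, Actual | Format-Table -AutoSize -Wrap

if ($results | Where-Object { -not $_.Pass }) {
    Write-Warning "One or more checks failed; correct the trust before enabling it on a web application."
}
```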

Set your web app to use claims / Windows NTLM authentication

  1. Open SharePoint 2010 Central Administration > Application Management > Manage Web Applications > Select your Web application > Authentication Providers > Default Zone
  2. Select “Enable Windows Authentication”, “Trusted Identity Provider” and “LiveID”

Test your SharePoint 2010 site login with Live ID credentials

  1. Open the Fiddler 2 app you downloaded earlier so that it starts logging http requests and responses. This is useful for seeing what URLs SharePoint redirects you to and what the Live ID STS is sending back.
  2. Browse to your site on the server. You should see an authentication method drop down with Live ID and Windows as options.

If everything is set up correctly, you’ll be routed to the Live-Int login page and will NOT see a red error. You’ll be able to log in and get redirected back to your SharePoint site, where you will see access denied for user 00000asfaasdf@live.com. This is because you haven’t yet given your Live ID account SharePoint permissions.

After you pass the Microsoft compliance review

This section provides an educated guess on what you’ll need to do in order to configure your SharePoint 2010 server to use the Prod live.com STS vs. INT.

(Our Fpweb.net SharePoint 2010 team was able to skip this part since we were working hand-in-hand with Microsoft to get this authentication method working.)

We assume that essentially, you’ll repeat all of the above steps but remove the “-int” from your Claims provider. You’ll also need to get the prod x509 certificate and use that to copy/paste when creating your cert on the web servers.

Update: 7/18/2011: Chris Schwab has written a helpful post about which Fpweb.net SharePoint Hosting Plans can utilize LiveID authentication!

About Andy Milsark

Andy Milsark has written 42 posts in this blog.

Andy, a proud new daddy, enjoys learning as much as humanly possible about SharePoint, PowerShell, and Private Cloud Automation. When he needs a break from battling SharePoint, he can be found throwing around weights at the local Crossfit gym.

  1. September 6th, 2010 at 11:29 | #1

    Ok Guys, I am getting a step further at a time.. However I still need some help. I could successfully complete the configuration described in this article using the INT site, however our goal is to be on production, right? :) . Based on that, I decided to give this a try using the Production settings, to see if I could successfully configure my site to redirect to the Live.com production environment as I had it when I was using SP 2007.

    My sites are registered in the live.com production environment through Azure Live Services. After repeating the configuration of this article using the production servers and settings, I made some strides but I am not there yet.. when I go to my site now, this is the url I see generated by sharepoint (I am replacing my domain with SERVER for this post):

    - http://SERVER/_login/default.aspx?ReturnUrl=%2f_layouts%2fAuthenticate.aspx%3fSource%3d%252F&Source=%2F

    Here I can select Windows Authentication or “Windows Live ID” (the STS I configured). Once I select the “Windows Live ID” option from the menu, I get redirected to this site:

    -https://login.live.com/login.srf?wa=wsignin1.0&wtrealm=SERVER&wctx=http%3a%2f%2fSERVER%2f_layouts%2fAuthenticate.aspx%3fSource%3d%252F

    And this page error is displayed:

    “This displays an error: We’re unable to complete your request
    Windows Live ID is experiencing technical difficulties. Please try again later.”

    After doing some extra testing, I noticed, that if I manually add my site’s APPID (coming from Azure Live Services) to the url’s querystring the Sign in page takes me to once I select Windows Live from the menu (notice 1st parameter in the querystring):

    https://login.live.com/login.srf?appid=XXXXXXXXXXXXXXXX&wa=wsignin1.0&wtrealm=SERVER&wctx=http%3a%2f%2fSERVER%2f_layouts%2fAuthenticate.aspx%3fSource%3d%252F

    The authentication process works just great! I get redirected to the production login.live.com site, I enter my credentials, and I get redirected back to my site as expected.

    Now, my question is: Is there a way to modify the PowerShell script above to have Sharepoint pass the appid as part of the querystring when selecting “Windows Live” from the Sign in page menu?

    I think that will solve this issue.. Any thoughts guys?

  3. C Morales
    September 7th, 2010 at 10:29 | #3

    Ok Guys, I am getting a step further at a time.. However I still need some help. I could successfully complete the configuration described in this article using the INT site, however our goal is to be on production, right? . Based on that, I decided to give this a try using the Production settings, to see if I could successfully configure my site to redirect to the Live.com production environment as I had it when I was using SP 2007.

    My sites are registered in the live.com production environment through Azure Live Services. After repeating the configuration of this article using the production servers and settings, I made some strides but I am not there yet.. when I go to my site now, this is the url I see generated by sharepoint (I am replacing my domain with SERVER for this post):

    - http: // SERVER/_login/default.aspx?ReturnUrl=%2f_layouts%2fAuthenticate.aspx%3fSource%3d%252F&Source=%2F

    Here I can select Windows Authentication or “Windows Live ID” (the STS I configured). Once I select the “Windows Live ID” option from the menu, I get redirected to this site:

    -https: // login.live.com/login.srf?wa=wsignin1.0&wtrealm=SERVER&wctx=http%3a%2f%2fSERVER%2f_layouts%2fAuthenticate.aspx%3fSource%3d%252F

    And this page error is displayed:

    “This displays an error: We’re unable to complete your request
    Windows Live ID is experiencing technical difficulties. Please try again later.”

    After doing some extra testing, I noticed, that if I manually add my site’s APPID (coming from Azure Live Services) to the url’s querystring the Sign in page takes me to once I select Windows Live from the menu (notice 1st parameter in the querystring):

    https: // login.live.com/login.srf?appid=XXXXXXXXXXXXXXXX&wa=wsignin1.0&wtrealm=SERVER&wctx=http%3a%2f%2fSERVER%2f_layouts%2fAuthenticate.aspx%3fSource%3d%252F

    The authentication process works just great! I get redirected to the production login.live.com site, I enter my credentials, and I get redirected back to my site as expected.

    Now, my question is: Is there a way to modify the PowerShell script above to have Sharepoint pass the appid as part of the querystring when selecting “Windows Live” from the Sign in page menu?

    I think that will solve this issue.. Any thoughts guys?

    P.S: The comments I was entering weren’t being posted because I was adding some urls I think.. I hope this one goes through..

  4. Amit
    September 9th, 2010 at 00:20 | #4

    After signing in, I am receiving this exception on https:///_trust/default.aspx page. This happens in both Live ID INT and PROD environments.

    [InvalidOperationException: This operation is not supported for a relative URI.]
    System.Uri.GetLeftPart(UriPartial part) +7154343
    Microsoft.SharePoint.Administration.SPAlternateUrl.Canonicalize(Uri uri) +25
    Microsoft.SharePoint.Administration.SPWebApplication.Lookup(SPFarm farm, Uri requestUri, Boolean fallbackToHttpContext, SPAlternateUrl& alternateUrl, SPSiteLookupInfo& hostHeaderSiteInfo, Boolean& lookupRequiredContext) +182
    Microsoft.SharePoint.Administration.SPWebApplication.Lookup(Uri requestUri, Boolean fallbackToHttpContext) +205
    Microsoft.SharePoint.IdentityModel.SPSaml11SecurityTokenHandler.RetrieveWebApplicationIdAndZoneFromUri(Uri context, Guid& webAppId, SPUrlZone& zone) +124
    Microsoft.SharePoint.IdentityModel.SPSaml11SecurityTokenHandler.ValidateSingleAudienceCondition(Uri audienceUri, Guid requestWebAppId, SPUrlZone requestZone, IEnumerable`1 trustedLoginProviderNames) +130
    Microsoft.SharePoint.IdentityModel.SPSaml11SecurityTokenHandler.ValidateAudienceConditions(SamlConditions conditions) +385
    Microsoft.SharePoint.IdentityModel.SPSaml11SecurityTokenHandler.ValidateConditions(SamlConditions conditions, Boolean enforceAudienceRestriction) +28
    Microsoft.IdentityModel.Tokens.Saml11.Saml11SecurityTokenHandler.ValidateToken(SecurityToken token) +393
    Microsoft.IdentityModel.Web.TokenReceiver.AuthenticateToken(SecurityToken token, Boolean ensureBearerToken, String endpointUri) +118
    Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.SignInWithResponseMessage(HttpRequest request) +461
    Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs args) +1099510
    System.Web.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +80
    System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +171
    ——————————————————————————–
    Version Information: Microsoft .NET Framework Version:2.0.50727.4952; ASP.NET Version:2.0.50727.4927

  5. Amit
    September 9th, 2010 at 00:23 | #5

    The URL is https://REALM/_trust/default.aspx
    I do NOT have any SP 2010 CU installed. Any pointers?

  6. Amit
    September 9th, 2010 at 01:32 | #6

    Did anyone get it fully working?

  7. Amit
    September 10th, 2010 at 16:21 | #7

    @Amit

    If that helps anyone, the DNS Name on MSM site registration must be in “urn::” format and realm of SharePoint 2010 trusted identity token issuer must match the registered DNS Name on MSM. Return URL is not affected by DNS name.
    For example,
    Domain Name: mydomain.com
    DNS Name: urn:subdomain:Geneva
    Return URL: https://subdomain.part.anotherpart.mydomain.com/_trust/default.aspx

    This resolves the Microsoft.SharePoint.Administration.SPAlternateUrl.Canonicalize(Uri uri) error I was seeing earlier.

  8. Kevin
    September 13th, 2010 at 10:36 | #8

    @Amit:

    My main issue is when I attempt to log into my site (portal.dev.com), I am redirected to the Windows Live login screen, but receive the error “The Windows Live Network is unavailable from this site for one of the following reasons…”

    I initially used the FQDN name (portal.dev.com) of my SharePoint site as the DNS name for MSM, but after reading your comments, I attempted to use “urn:portal:kjmtest”

    When I submit that request, I receive a number of errors, such as illegal leading/trailing spaces, bad http formats, etc. How did you actually register a site with MSM if the “urn:abc:def” format is not accepted?

    Also: I believe I understand that whatever the DNS entry is in MSM, it has to match the “$realm” in the PowerShell commands. If you’ve already set up the membership provider, can you simply re-run the PowerShell commands to change the realm of the membership provider? Or is there some delete process you would need to go through?

  9. Ashkan
    September 13th, 2010 at 13:27 | #9

    @Amit

    Thanks Amit,

    I got a little bit further. I now get the following error:

    Microsoft.SharePoint.WebControls.SPControl.SPWebEnsureSPControl(HttpContext context) +27711448
    Microsoft.SharePoint.Utilities.SPUtility.DetermineLayoutsUrl(SPWeb overrideWeb, HttpContext context, Boolean includeLCID, Boolean doNotInitWeb) +252
    Microsoft.SharePoint.Utilities.SPUtility.DetermineRedirectUrl(String urlProposed, SPRedirectFlags flags, HttpContext context, SPWeb overrideWeb, String queryString, String& urlRedirect) +616
    Microsoft.SharePoint.Utilities.SPUtility.Redirect(String url, SPRedirectFlags flags, HttpContext context, String queryString) +98
    Microsoft.SharePoint.Utilities.SPUtility.HandleAccessDenied(HttpContext context) +1077
    Microsoft.SharePoint.IdentityModel.SPFederationAuthenticationModule.OnEndRequest(Object sender, EventArgs args) +693
    System.Web.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +80
    System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +171

    I have tried adding both the email claim http://schemas.xmlsoap.org/claims/EmailAddress and the UPN claim with my xxxx@hotmail-int.com email address.

    Any thoughts?

    Thanks,
    Ashkan

  10. Ashkan
    September 13th, 2010 at 13:31 | #10

    @Ashkan

    What I meant is that I added both claims permissions for http://schemas.xmlsoap.org/claims/EmailAddress and the UPN (http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier) for my xxxx@hotmail-int.com email address.

  11. September 17th, 2010 at 18:26 | #11

    Hi andy
    Here is another solution that supports OpenID and Windows Live Id both together, in this solution Security Token Service (STS) will be installed at same machine. Have some benefit such as give permission just by e-mail and email verification too, it very great feature to prevent our mail server send spam to unwanted email address, it will be installed as security token service and doesn’t need ADFS 2.0 server.
    One of the other benefits is that you can add Live users with the SharePoint People Picker, and you can also give access to a user just by valid emails.
    Check it here: http://www.shetabtech.com/english/SharePointLiveAuth

  12. Ben
    October 22nd, 2010 at 09:04 | #12

    @Carlos Morales
    The dash is an “em dash”
    “https://login.live—int.com/login.srf”
    should be
    “https://login.live-int.com/login.srf”

    - instead of —

  13. Akalpita
    December 8th, 2010 at 01:50 | #13

    I get ‘The file type is not recognizable. Select another file.’ when I try to import the X509 certificate. Please help me with this.

  14. Joe
    January 6th, 2011 at 21:36 | #14

    Two questions:
    1. What is the purpose of ‘Manage Certificates’ in the Microsoft Site Manager site?
    2. Can this set by only using ‘e-mail’ claims and not UPN?
    3. If we are using certificates in step 1, should I care about using the x509 cert you described above?
    4. If we are using certificates in step 1 and not using UPN claims, should I care about having the PUID@live.com user?

    Thanks in advance for your help. I am looking to setup Sharepoint in a slightly different way than described above and can’t seem to make it work.

  15. Andy Milsark
    January 7th, 2011 at 01:44 | #15

    @Joe
    Hi Joe! Thanks for reading!

    Wictor Wilen did a follow up and in depth walk through of setting up Live ID in his post here http://www.wictorwilen.se/Post/Visual-guide-to-Windows-Live-ID-authentication-with-SharePoint-2010-part-1.aspx
    If you are not an internal Microsoft entity, you will not have access to Live ID users’ email addresses, only their UPN. You will have to capture the email address after they register for your site.

    You need to properly configure the x509 certificate to communicate with the Live services. Your sharepoint site itself is required to use an SSL certificate in order to use Live services. These certificates are separate.

  16. Andy Milsark
    January 7th, 2011 at 01:46 | #16

    @Akalpita
    My guess is that you did not copy the correct nodes of xml to your .cer file before the import.

  17. Andy Milsark
    January 7th, 2011 at 01:49 | #17

    @madnik7
    That is a very neat solution, not free however :)

  18. January 7th, 2011 at 14:31 | #18

    I have Live Authentication working. Thank you for all the helpful information. My question is with regard to the cryptic names. Is there any way to display their real live ID?? Adding and maintaining users is a nightmare because I never really know who is who. All you get is the 9812709817234@live ID.
    Any suggestions??
    Lou

  19. Nilesh Teli
    January 13th, 2011 at 00:18 | #19

    Hi Lou,

    Did it work in INT environment? We are using INT environment but facing an issue. We get to see the Login screen and once we provide valid credentials it goes in loop.We have even tried to debug it using fiddler but without success. The last URL we get from fiddler is ‘http://account.live-int.com:443′

    Any help will be appreciated.

    Thanks in advance.

    Nilesh

  20. Andy Milsark
    January 13th, 2011 at 07:58 | #20

    @Nilesh Teli
    I have seen this loop before. Your URL indicated.. shouldn’t that be https://account.live-int.com ?

  21. Nilesh Teli
    January 19th, 2011 at 03:56 | #21

    Thanks Andy. URL is not an issue. We are using https://account.live-int.com.
    One quick question : does http://www.live-int.com work for you thr’ browser. We are not able to sign in using valid hotmail-int account. Can you confirm from your end that this ‘live-int’ environment is working fine at your end.
    Thanks

  22. Andy Milsark
    January 19th, 2011 at 07:29 | #22

    @Nilesh Teli
    When I browse to http://www.live-int.com it redirects me to https://login.live-int.com and I am able to login.

  23. Nilesh
    January 29th, 2011 at 01:08 | #23

    @Andy,

    After getting authenticated from Live ID we need to capture email id ,name of the user and associate it with UID returned from Live ID. Do we need to implement custom claims provider for this? If yes, can you please help me with steps. We intend to have flow as following:
    1. User authenticates with Live Id and gets redirected to our site (this is already implemented and working fine)
    2. We need to extract PUID of the user from token and direct him to the form to capture additional details i.e. name ,email id etc.
    3. We store this info in custom DB along with PUID mapping
    4. We intend to show Name of user instead of PUID on our site. Also people picker should allow us to select from our DB than Live Id

    Any suggestions.
    Thanks in advance

  24. Sam
    February 8th, 2011 at 12:42 | #24

    Is anyone else having trouble with the live-int.com sites? The login.live-int.com page seems to work, but the account pages don’t seem to work nor does the redirect from sharepoint. It seems the server times out.

    Thanks,
    Sam

  25. stephanus
    February 21st, 2011 at 07:09 | #25

    Hi Sam,

    Same here, on firefox the message I get is "The server at account.live-int.com is taking too long to respond."

    Any idea why?
