Alik Levin's

Clarity, Technology, and Solving Problems | PracticeThis.com 

March, 2011

  • Alik Levin's

    Common Tasks For Developing Windows Azure Web Role ASP.NET Web Applications Using Visual Studio 2010 – Index of How-To’s, Vol 1.

    • 0 Comments
    Programming Windows Azure - Programming the Microsoft Cloud

    How to create and run an ASP.NET service for Windows Azure in Visual Studio 2010

    1. Launch Microsoft Visual Studio 2010 with administrator privileges. To launch Visual Studio with administrator privileges, right-click Microsoft Visual Studio 2010 and then click Run as administrator.
    2. On the File menu, click New, and then click Project.
    3. Within the New Project dialog, navigate to Installed Templates, Visual C#, and clickCloud.
    4. Click Windows Azure Project. If needed, modify the Location: field, which indicates where your solution will be stored. Click OK to close the New Project dialog.
    5. Within the New Windows Azure Project dialog, navigate to Visual C#, click theASP.NET Web Role, and then click the > symbol. This will add a web role to your Windows Azure solution. A web role provides an environment for running web sites or applications as supported by Internet Information Services (IIS) 7.0. Click OK to close the New Windows Azure Project dialog.
    6. [Optional] At this point you could compile and run the application. However, you could also customize the text displayed in the web page by modifying Default.aspx. This won’t fundamentally change the application, but it will show you how similar this application is to a traditional (non-cloud) ASP.NET application. To modify Default.aspx, open Solution Explorer. If Solution Explorer is not visible, from the View menu clickSolution Explorer. Within Solution Explorer, expand WebRole1 and double-clickDefault.aspx. Modify the Welcome to ASP.NET! text to become Welcome to ASP.NET in Windows Azure!. Save and close Default.aspx.
    7. Compile and run the service by clicking Debug from the menu and then clicking Start Without Debugging.

    How to configure certificate for Compute Emulator in Visual Studio 2010

    1. Switch to your solution in Visual Studio.
    2. Right click on the web role under Roles folder in Solution Explorer and chooseProperties option.
    3. Click on the Certificates tab.
    4. Click on Add Certificate.
    5. The new row appears.
    6. Type the certificate’s arbitrary name in the Name field.
    7. Leave Store Location value LocalMachine.
    8. Leave Store value My.
    9. In the Thumbprint field click on ellipses (...), you should see list of the certificates. Locate the one you have created in previous step and click OK. Thumbprint field shows the certificate’s thumbprint.
    10. Save your work using Ctrl+S.
    11. Select and copy the thumbprint into clipboard using Ctrl+C. You will use it for configuring WIF related sections in web.config.

    How to configure Windows Azure Role’s Endpoint for SSL/HTTPS in Visual Studio 2010

    1. While in the Web Role Properties page click on Endpoints tab.
    2. Click on Add Endpoint option at the top, new row appears.
    3. Type new endpoint’s arbitrary name in the Name filed.
    4. Specify Type value of Input.
    5. Specify Protocol value of SSL.
    6. Specify Public Port arbitrary value. Note: Compute Emulator cannot be configure for specific IP addresses and ports, so if the IP address and port value are unavailable the Compute Emulator will assign its own. You want to avoid this since you need exactly to know the IP address and the port as it needs to be specified in exact way in ACSv2 portal. To identify used ports on local machine open command prompt and run the following command netstat –a –n | findstr 127.0.0.1. use the port that is not listed there.
    7. In the SSL Certificate Name specify the certificate you have just configured in previous step.
    8. Save your work by using Ctrl+S.

    How to grant certificate access permissions to application pool account on your local machine

    1. Click on the Windows button on the taskbar and type mmc. You should see mmc.exeappears in search results. Click on it.
    2. When the MMC console appears, click on File and then on Add/Remove Snap-in…option.
    3. In the available snap-ins list choose Certificates and click on Add > button.
    4. In the dialog box choose Computer Account option and click Next button.
    5. On the Select Computer wizard page choose Local computer: (the computer this console is running on)option and click Finish.
    6. Expand Console Root folder.
    7. Expand Certificates (Local Computer) folder.
    8. Expand Personal folder.
    9. Click on Certificates folder to list the available certificates.
    10. Locate your certificate, right click on it and choose All Tasks option and then click onManage Private Keys... option.
    11. Add Network Service account to the list under Group or user names: section and click OK button.

    How to create service package for deployment to Windows Azure environment

    1. In Visual Studio’s Solution Explorer, right-click the project name (the one that’s above Roles folder) and then click Publish….
    2. Within the Deploy Windows Azure project dialog, click Create Service Package Only, then click OK.
    3. Assuming successful compilation, Visual Studio will open a folder that contains two files created as part of the publish process. The files are ServiceConfiguration.cscfg (which we discussed earlier in this topic) and <YourProjectName>.cspkg (such as WindowsAzureProject1.cspkg). The .cspkg extension is for service package files. A package file contains the service definition as well as the binaries and other items for the application being deployed. Make a note of the path to these files, as you’ll be prompted for the path when you deploy the application using the Windows Azure management portal.

    Related materials

  • Alik Levin's

    Windows Azure Web Role ASP.NET Application Federated Authentication Using AppFabric Access Control Service (ACS) v2 – Part 3

    • 0 Comments
    Programming Windows Identity Foundation Programming Windows Azure - Programming the Microsoft Cloud

    Before proceeding with further reading, review the following previous posts:

    In this post I will show how to publish your ASP.NET web application and how to configure it to keep federated authentication with ACS v 2.0 functional when running in Windows Azure production environment.

    Step 5 – Deploy your solution to Windows Azure

    Content in this step adopted and adapted from Code Quick Launch: Create and deploy an ASP.NET application in Windows Azure.

    In this step you will deploy the application to the cloud using the Windows Azure management portal. First you’ll need to create a service and a service configuration file, called service package, and then upload it to Windows Azure environment using Windows Azure management portal.

    To create service package and upload it to Windows Azure environment
    1. In Visual Studio’s Solution Explorer, right-click the project name (the one that’s above Roles folder) and then click Publish….
    2. Within the Deploy Windows Azure project dialog, click Create Service Package Only, then click OK.
    3. Assuming successful compilation, Visual Studio will open a folder that contains two files created as part of the publish process. The files are ServiceConfiguration.cscfg (which we discussed earlier in this topic) and <YourProjectName>.cspkg (such as WindowsAzureProject1.cspkg). The .cspkg extension is for service package files. A package file contains the service definition as well as the binaries and other items for the application being deployed. Make a note of the path to these files, as you’ll be prompted for the path when you deploy the application using the Windows Azure management portal.
    4. Log in to the Windows Azure management portal to deploy the application. Log in at http://windows.azure.com.
    5. Within the Windows Azure management portal, click Hosted Services, Storage Accounts & CDN.
    6. Click New Hosted Service.
    7. Select a subscription that will be used for this application.
    8. Enter a name for your application. This name is used to distinguish your services within the Windows Azure management portal for the specified subscription.
    9. Enter the URL for your application. The Windows Azure management portal ensures that the URL is unique within the Windows Azure platform (not in use by anyone else’s applications). Note: this is the URL that needs to be then updated in both ACS v2.0 management portal for that relying party’s realm and return URL and in the application’s web.config audienceUri and realm.
    10. Choose a region from the list of regions.
    11. Choose Deploy to stage environment.
    12. Ensure that Start after successful deployment is checked.
    13. Specify a name for the deployment.
    14. For Package location, click the corresponding Browse Locally… button, navigate to the folder where your <YourProjectName>.cspkg file is, and select the file.
    15. For Configuration file, click the corresponding Browse Locally… button, navigate to the folder where your ServiceConfiguration.cscfg is, and select the file.

    16. Click on Add Certificate button to add your certificate to be deployed, but first you need to export the certificate into file. To export the certificate into file follow these steps:

      1. Open mmc console by first clicking on Windows button in task bar and typing mmc. You should see mmc.exe appears in search results. Click on it.

      2. When mmc console appears click on File option and then on Add/Remove Snap-in… option.

      3. In the Add or Remove Snap-ins dialog box choose Certificates from the available snap-ins list and click on Add> button.

      4. Choose Computer Account option and click Finish button.

      5. In the Select Computer wizard page select Local Computer (the computer this console is running on) and click Finish button. The click OK button.

      6. Expand Console Root folder.

      7. Expand Certificates(Local Computer) folder.

      8. Expand Personal folder.

      9. Click on Certificates folder to list available certificates.

      10. Locate your certificate in the list.

      11. Right click on the certificate and choose All Tasks and then Export… option.

      12. Click Next on the welcome page of the wizard.

      13. On the Export Private Key page choose Yes, export the private key option and click Next button.

      14. On the Export File Format leave the default option which is Personal Information Exchange - PKCS #12 (.PFX) and click Next button.

      15. On the Password page of the wizard specify password. You will need it when uploading the certificate to Windows Azure environment via management portal.

      16. On the File to Export page of the wizard specify destination file and click Next button. Make a note where you are saving the file. Note, since the certificate being exported has private key extra care should be taken to not exposing it to the public. It’s best if you delete the file altogether after uploading it to Windows Azure environment.

      17. Click Finish to complete the wizard. You should be presented with The export was successful message, click OK button to dismiss the message.

    17. Switch back to Windows Azure management portal where you opened a dialog box to locate your certificate (.PFX) file and locate the certificate file you have just exported.

    18. Specify the password for your certificate in the Certificate Password field.

    19. Click OK. You will receive a warning after you click OK because there is only one instance of the web role defined for your application (this setting is contained in the ServiceConfiguration.cscfg file). For purposes of this walk-through, override the warning by clicking Yes, but realize that you likely will want more than one instance of a web role for a robust application.

      You can monitor the status of the deployment in the Windows Azure management portal by navigating to the Hosted Services section. Because this was a deployment to a staging environment, the DNS will be of the form http://<guid>.cloudapp.net. You can see the DNS name if you click the deployment name in the Windows Azure management portal (you may need to expand the Hosted Service node to see the deployment name); the DNS name is in the right hand pane of the portal. Once your deployment has a status of Ready (as indicated by the Windows Azure management portal), you can enter the DNS name in your browser (or click it from the Windows Azure management portal) to see that your application is deployed to the cloud.

      Although this walk-through was for a deployment to the staging environment, a deployment to production follows the same steps, except you pick the production environment instead of staging. A deployment to production results in a DNS name based on the URL of your choice, instead of a GUID as used for staging.

      If this is your first exposure to the Windows Azure management portal, take some time to familiarize yourself with its functionality. For example, similar to the way you deployed your application, the portal provides functionality for stopping, starting, deleting, or upgrading a deployment.

      ImportantImportant

      Assuming no issues were encountered, at this point you have deployed your Windows Azure application to the cloud. However, before proceeding, realize that a deployed application, even if it is not running, will continue to accrue billable time for your subscription. Therefore, it is extremely important that you delete unwanted deployments from your Windows Azure subscription. To delete the deployment, use the Windows Azure management portal to first stop your deployment, and then delete your deployment. These steps take place within the Hosted Services section of the Windows Azure management portal: Navigate to your deployment, select it, and then click the Stop icon. After it is stopped, delete it by clicking the Delete icon. If you do not delete the deployment, billable charges will continue to accrue for your deployment, even if it is stopped.

    20. Publish to production clicking on you deployment node so that Swap VIP ribbon appears.

    21. Click on Swap VIP ribbon and then OK button. The deployment to production should take couple of minutes.

    In the next procedure you will update the the package and the ACSv2 to reflect on the address changes from staging environment to production.

    To update the package and ACS v2.0 configuration to reflect on production environment
    1. Switch back to your solution in Visual Studio.
    2. Open web.config and change audienceUri and realm to reflect on the changes you made when switching from staging to production environment.
    3. In the Solution Explorer right clock on the role (right above the roles folder) and click on Publish option republish the package with the changes in web.config. You cannot update just web.config, you need to create the new package.
    4. Switch to Windows Azure management portal.
    5. Click on the role so that you see the Upgrade ribbon appears in the tool bar, click on the ribbon and provide path to newly created package and configuration files in Package Location: and Configuration File: fields respectively.
    6. Click OK button. The update should take several minutes.
    7. Go to ACS v2.0 portal and update realm and return URL of the relying party to reflect the changes you made when switching from staging to production, these values should match audienceUris and realm values in the web.config.

    Next procedure helps you to verify your application is functional when running in Windows Azure environment.

    To verify the application is functional and running in Windows Azure environment
    1. Navigate to your production URL of your application. Make sure that you use SSL (HTTPS) and use the right port you configured in the package.
    2. You should be redirected to the Home Realm Discovery (HRD) page presenting you with two options – Windows Live ID and Google.
    3. Choose one of them to authenticate yourself.
    4. Upon successful authentication you will be redirected to your Default.aspx page.

    My live demo is here https://wawithacsv2.cloudapp.net:8085/.

    Related materials

  • Alik Levin's

    Windows Azure Web Role ASP.NET Application Federated Authentication Using AppFabric Access Control Service (ACS) v2 – Part 2

    • 0 Comments
    Programming Windows Identity Foundation Programming Windows Azure - Programming the Microsoft Cloud

    This post is continuation to Windows Azure Web Role ASP.NET Application Federated Authentication Using AppFabric Access Control Service (ACS) v2 – Part 1

    Step 4 – Prepare ASP.NET cloud web application’s dependencies to be deployed to Windows Azure Environment

    Content in this step is adapted from Exercise 1: Enabling Federated Authentication for ASP.NET applications in Windows Azure

    This step helps you prepare your ASP.NET cloud web application to be deployed to Windows Azure with its prerequisites such as WIF assembly. WIF runtime is not installed as part of Windows Azure environment. It also helps creating and configuring server certificates to enable secure communications over SSL. Server certificate is also required for WIF related functions work properly on Windows Azure.

    To prepare application’s dependencies to be deployed to Windows Azure

    1. Switch to your solution in Visual Studio 2010.
    2. Add reference to the Microsoft.IdentityModel assembly To add the reference right click on Reference folder in the solution explorer, choose Add Reference…, Click on .Net tab, locate and choose the Microsoft.IdentityModel assembly from the list and click OK.
    3. Locate and choose the referenced assembly, Microsoft.IdentityModel, in the References folder.
    4. Click F4 to bring up the assembly’s properties window.
    5. In the Properties window specify Copy Local to true and Specific Version to false.
    6. Open global.asax.cs code behind file.
    7. Add the following using declarations:
      using Microsoft.IdentityModel.Tokens;
      using Microsoft.IdentityModel.Web;
      using Microsoft.IdentityModel.Web.Configuration;
    8. Add the following code to it (note, that you may already have Application_Start event handler added to it, just update it) . The reason for the following code is that by default the cookies are protected using DPAPI which is not available in Azure environment.
      void OnServiceConfigurationCreated(object sender, ServiceConfigurationCreatedEventArgs e)
      {
          //
          // Use the <serviceCertificate> to protect the cookies that are
          // sent to the client.
          //
          List<CookieTransform> sessionTransforms =
              new List<CookieTransform>(new CookieTransform[] {
              new DeflateCookieTransform(), 
              new RsaEncryptionCookieTransform(e.ServiceConfiguration.ServiceCertificate),
              new RsaSignatureCookieTransform(e.ServiceConfiguration.ServiceCertificate)  });
          SessionSecurityTokenHandler sessionHandler = new SessionSecurityTokenHandler(sessionTransforms.AsReadOnly());
          e.ServiceConfiguration.SecurityTokenHandlers.AddOrReplace(sessionHandler);
      }
      
      void Application_Start(object sender, EventArgs e)
      {
          FederatedAuthentication.ServiceConfigurationCreated += OnServiceConfigurationCreated;
      }

    The following procedure will help you create self signed certificate and configure it for Compute Emulator and the application’s usage

    To create and configure self signed certificate

    1. Open IIS Manager MMC by clicking on Windows button on the task bar and typing IIS Manager (case is not important). You should see Internet Information Services (IIS) Manager appears in search results. Click it to open the Manager.
    2. When the IIS Manager appears type cert in the Filter: text area at the top middle of the screen. It should leave only Server Certificates option. Run it by double clicking on it.
    3. On the right-hand side, on the Actions pane, click on Create Self-Signed Certificate… option.
    4. In the dialog specify friendly name for your certificate and click OK to dismiss it.

    This procedure will help you configure the certificate for usage in your Compute Emulator.

    To configure certificate for Compute Emulator

    1. Switch to your solution in Visual Studio.
    2. Right click on the web role under Roles folder in Solution Explorer and choose Properties option.
    3. Click on the Certificates tab.
    4. Click on Add Certificate.
    5. The new row appears.
    6. Type the certificate’s arbitrary name in the Name field.
    7. Leave Store Location value LocalMachine.
    8. Leave Store value My.
    9. In the Thumbprint field click on ellipses (...), you should see list of the certificates. Locate the one you have created in previous step and click OK. Thumbprint field shows the certificate’s thumbprint.
    10. Save your work using Ctrl+S.
    11. Select and copy the thumbprint into clipboard using Ctrl+C. You will use it for configuring WIF related sections in web.config.

    This procedure will help you configure Windows Azure Role’s Endpoint to use the certificate for SSL/HTTPS communications.

    To configure Windows Azure Role’s Endpoint for SSL/HTTPS

    1. While in the Web Role Properties page click on Endpoints tab.
    2. Click on Add Endpoint option at the top, new row appears.
    3. Type new endpoint’s arbitrary name in the Name filed.
    4. Specify Type value of Input.
    5. Specify Protocol value of SSL.
    6. Specify Public Port arbitrary value. Note: Compute Emulator cannot be configure for specific IP addresses and ports, so if the IP address and port value are unavailable the Compute Emulator will assign its own. You want to avoid this since you need exactly to know the IP address and the port as it needs to be specified in exact way in ACSv2 portal. To identify used ports on local machine open command prompt and run the following command netstat –a –n | findstr 127.0.0.1. use the port that is not listed there.
    7. In the SSL Certificate Name specify the certificate you have just configured in previous step.
    8. Save your work by using Ctrl+S.

    Next procedure will help you configure the certificate for usage by WIF related functionality.

    To configure certificate for WIF functionality

    1. Open web.config file and locate microsoft.identityModel/service section.
    2. Add the following markup to the section. For the findValue value specify the thumbprint value from the previous step.
      <serviceCertificate>
        <certificateReference x509FindType="FindByThumbprint" findValue="YOURTHUMBPRINTFROMPREVSTEP" storeLocation="LocalMachine" storeName="My" />
      </serviceCertificate>
    3. Locate audienceUris/add section and change the value reflecting on the changes you have done. Change http to https change the port number according to what you have specified in the previous step.
    4. Locate federatedAuthentication/wsFederation section and change the realm to the same value as in audienceUris.

    This procedure helps you configure your ACS v2.0 configuration to proper values. Since the URL changed (HTTPS vs. HTTP and the port number) it needs also to be updated in the ACS v2.0 Management Portal

    To update your relying party configuration on ACS v2.0 Management Portal

    1. Log on to ACS v2.0 Management Portal at https://portal.appfabriclabs.com/
    2. Click on the Service Bus, Access Control & Caching on the left.
    3. Click on the Access Control in the tree under AppFabric node.
    4. You should see the list of your namespaces.
    5. Click on desired namespace you configured in previous steps.
    6. Click on the Access Control Service ribbon at the top of the page, new page or tab will open.
    7. Click on the Relying Party Applications link on the left.
    8. Your replying parties should be listed.
    9. Click on desired replying party you configured earlier, you should be presented with Edit Relying Party Application page.
    10. Change the Realm and the Return URL fields to the values reflecting recent changes. It should match audienceUris and realm you specified configuring web.config in previous step.
    11. Click Save button to save your changes.

    This procedure will help you configure permissions for the application to access your certificate. The application by default runs in application pool under Network Service account. You need to grant permissions to this account so that it can use the certificate.

    To grant certificate access permissions to application pool account

    1. Click on the Windows button on the taskbar and type mmc. You should see mmc.exe appears in search results. Click on it.
    2. When the MMC console appears, click on File and then on Add/Remove Snap-in… option.
    3. In the available snap-ins list choose Certificates and click on Add > button.
    4. In the dialog box choose Computer Account option and click Next button.
    5. On the Select Computer wizard page choose Local computer: (the computer this console is running on)option and click Finish.
    6. Expand Console Root folder.
    7. Expand Certificates (Local Computer) folder.
    8. Expand Personal folder.
    9. Click on Certificates folder to list the available certificates.
    10. Locate your certificate, right click on it and choose All Tasks option and then click on Manage Private Keys... option.
    11. Add Network Service account to the list under Group or user names: section and click OK button.

    This procedure tests your configuration and validates its readiness to be deployed to Windows Azure environment.

    To test readiness for Windows Azure deployment

    1. Switch to your solution in Visual Studio.
    2. Run your application using Ctrl+F5.
    3. You should be presented with certificate warning. Accept it. It happens since we are using self signed certificated.
    4. You should be redirected to Home Realm Discovery page presetting Google or Windows Live id options.
    5. Use any of these.
    6. Upon successful authentication you should be presented with your Default.aspx page

    Related materials

Page 4 of 8 (23 items) «23456»