Azure Support Team

Feedback around protecting Azure

ASP.NET Debugging — Mon, 29 Mar 2010 17:39:25 GMT

Our friends on the Forefront Server Protection team are conducting research to understand what workloads you would like to protect, and how you would like them protected. One of the workloads they are soliciting feedback on is Azure. The survey shouldn't take more than 5-10 minutes, and your feedback directly impacts product decisions.

Please head over to http://www.surveymonkey.com/s/forefrontsurvey to take the survey. We appreciate your valuable input.

How to install a chained SSL certificate

willbell — Wed, 24 Feb 2010 15:24:23 GMT

When a user browses to a web site protected by a Secure Sockets Layer (SSL) endpoint, an error will be displayed if the proper certificates are not discovered, or if the certificate is expired, or revoked.

The second line of this dialog reports more information on the specific certificate error:

The security certificate presented by this website was not issued by a trusted certificate authority.

If the user clicks on the red x “Continue to this website (not recommended).” the IE 8 Security Status Bar will turn red to continue to warn the user:

This document discusses how to properly install a chained SSL certificate in a Windows Azure application.

When creating an application with Windows Azure Tools for Microsoft Visual Studio installed, it is easy to add a certificate chain if the certificate is installed on your development machine. If the certificate is not installed, it is easy to do so by double clicking on the PFX file in Windows Explorer.

1. In the Solution Explorer window in Visual Studio, Choose the role located in the Roles folder.

2. Click on the Certificates tab.

3. Click on the Add Certificate link at the top of the window.

4. Click on the Ellipsis button under Thumbprint.

5. Choose the SSL certificate and click on the OK button.

6. You can modify the Name, but it is best to not include spaces in the name.

7. Change the Store Name for the chained certificates (MyIntermediateCert and MyRootCert in this case) from My to CA. In this example the dialog will look like this:

8. In this example the ServiceConfiguration.cscfg file will look like this:

<?xml version="1.0"?>
<ServiceConfiguration serviceName="HelloWorld" xmlns="http://schemas.microsoft.com/ServiceHosting/2008/10/ServiceConfiguration">
  <Role name="HelloWorld_WebRole">
    <Instances count="1" />
    <ConfigurationSettings />
    <Certificates>
      <Certificate name="MySSLCert" thumbprint="E70E7E4B5FE948297A33A780B1E427DBAB500000" thumbprintAlgorithm="sha1" />
      <Certificate name="MyIntermediateCert" thumbprint="6143AF68F7B33A47940474988B05F7B162900000" thumbprintAlgorithm="sha1" />
      <Certificate name="MyRootCert" thumbprint="B975811DDA15107EF5E0DC28141C7B938EB00000" thumbprintAlgorithm="sha1" />
    </Certificates>
  </Role>
</ServiceConfiguration>

9. In this example the ServiceDefinition.csdef file will look like this:

<?xml version="1.0" encoding="utf-8"?>
<ServiceDefinition xmlns="http://schemas.microsoft.com/ServiceHosting/2008/10/ServiceDefinition" name="HelloWorld">
  <WebRole name="HelloWorld_WebRole" enableNativeCodeExecution="false">
    <InputEndpoints>
      <InputEndpoint name="HttpsIn" protocol="https" port="443" />
    </InputEndpoints>
    <Certificates>
      <Certificate name="MySSLCert" storeLocation="LocalMachine" storeName="My" />
      <Certificate name="MyIntermediateCert" storeLocation="LocalMachine" storeName="CA" />
      <Certificate name="MyRootCert" storeLocation="LocalMachine" storeName="CA" />
    </Certificates>
  </WebRole>
</ServiceDefinition>

MySSLCert is being placed in the My store because it is the primary certificate configured for SSL (Step 13). MySSLCert contains the chain pointing to MyIntermediateCert and MyRootCert. These names can be changed for clarity. MyIntermediateCert and MyRootCert are placed in the CA store so that IIS can automatically send them to the client.

10. The next step is to click on the Endpoints tabs

11. Uncheck the checkbox next to the HTTP endpoint.

12. Check the checkbox next to the HTTPS endopoint.

13. Select the correct SSL certificate name in the dropdown list box (MySSLCert in this example).

14. Log into the Windows Azure Developer Portal

15. Select the correct project and your service application.

16. In the Certificates section click on the Manage link.

17. Choose the PFX certificate file and enter the password.

18. In the Installed Certificates section, you should see the SSL and intermediate certificates. Verify that all three certificates are present and that the Thumbprints match.

If you are not using Microsoft Visual Studio as your development environment, then you will need to manually add the Certificates node to both the ServiceDefinition.csdef and ServiceConfiguration.cscfg. All intermediate certificates must be present in both files. Make sure that the storeLocation is set to LocalMachine for all certificates. The primary SSL certificate must be configured for the My store and the other certificates must be placed in the CA store.

SSL Background Information

When connecting to a web site over SSL, the user's web browser decides whether to trust the SSL Certificate based on which Certification Authority issued the actual SSL Certificate. To determine this, the browser looks at its own internal list of trusted Certification Authorities and Intermediate Certification Authorities. Root certificates are trusted if they are issued by a Certification Authority which is contained in the browser’s list of trusted authorities. If the chain can be built, and the root certificate is present on the machine, the site will work from that particular browser. You can see the list by clicking on the Certificates button, which is on the Internet Explorer Tools menu Internet Options, Content tab.

The Internet Explorer Security Status Bar will display green (EV certificate) or white with a padlock icon when an SSL communication is successfully established. By clicking on the SSL Padlock icon, the user can find out more about the certificate. Below is an example from https://login.live.com where the user has clicked on the padlock then clicked on the View certificates link and then clicked on the Certification Path tab at the top of the Certificate dialog.

A certificate chain is a sequence of certificates, where each certificate in the chain is signed by the subsequent certificate. The purpose of certificate chain is to establish a chain of trust from a peer certificate to a trusted Certification Authority (CA) certificate. The CA vouches for the identity in the peer certificate by signing it.

There are three possible ways for the client browser to obtain the intermediate certificates:

1. IIS will automatically send the intermediate certificates if they are installed on the server. This is the recommended method and described above.

2. Authority Information Access (AIA) extensions will cause the browser to automatically retrieve the missing certificates.

Not recommended: Manually install the certificates on each client.

Azure Table Exception: One of the request inputs is not valid

ASP.NET Debugging — Wed, 03 Feb 2010 18:25:02 GMT

When trying to insert data into an Azure Table, and calling SaveChanges() you may get an exception like:

One reason that you can get this error is if you are trying to insert an unsupported type into a table. Decimal types, for example, are unsupported at this time.

The list of supported types are:

ADO.NET Data Services type	Common Language Runtime type	Details
Edm.Binary	byte[]	An array of bytes up to 64 KB in size.
Edm.Boolean	bool	A Boolean value.
Edm.DateTime	DateTime	A 64-bit value expressed as Coordinated Universal Time (UTC). The supported DateTime range begins from 12:00 midnight, January 1, 1601 A.D. (C.E.), UTC. The range ends at December 31, 9999.
Edm.Double	double	A 64-bit floating point value.
Edm.Guid	Guid	A 128-bit globally unique identifier.
Edm.Int32	Int32 or int	A 32-bit integer.
Edm.Int64	Int64 or long	A 64-bit integer.
Edm.String	String	A UTF-16-encoded value. String values may be up to 64 KB in size.

This list is from: http://msdn.microsoft.com/en-us/library/dd179338.aspx

We would love to hear your Azure Ideas

ASP.NET Debugging — Tue, 26 Jan 2010 15:43:38 GMT

Do you want to have a say in the future of Azure? Do you have a great idea that would really make one of the Azure products really great? Well we would love to hear from you. You can submit your ideas on http://www.mygreatwindowsazureidea.com.

You can also vote on any of the existing suggestions to help bring awareness to the great idea. The Azure teams will be monitoring this site and looking to add additional features into future versions of the products.

There is also a place for SQL Azure Feature Voting and Dallas Feature Voting.

Getting SSL certificates to work

ASP.NET Debugging — Wed, 30 Dec 2009 16:30:12 GMT

There are a number of useful informational articles out on the web on how to deal with SSL Certificates with Windows Azure. The first few places to start are:

http://blogs.msdn.com/davethompson/archive/2009/11/24/add-ssl-security-to-your-azure-webrole.aspx
http://blogs.msdn.com/jnak/archive/2009/12/01/how-to-add-an-https-endpoint-to-a-windows-azure-cloud-service.aspx
http://blogs.msdn.com/davethompson/archive/2009/11/24/add-ssl-security-to-your-azure-webrole.aspx

There may be times, depending on the certificate you are trying to use that these steps won’t be enough. You may see an error like:

At least one certificate specified in your service definition is not found.
Please upload these certificate(s), and then upload your application package again.
 - Dr. Watson Diagnostic ID: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Resolution

If you see something like this, and you are using a certificate from a 3rd party, you may need to get the intermediate certificates installed as well. One problem that happens with some 3rd parties is that they will not give you a .pfx file. Since that is the only file type you can upload to Azure for certificates, you have to convert them. All that is needed is to create a .NET application with the following code:

// The path to the certificate.
string certificate = @"c:\test.cer";
 
// Load the certificate into an X509Certificate object.
X509Certificate cert = new X509Certificate(certificate);
byte[] certData = cert.Export(X509ContentType.Pkcs12, "Password");
 
System.IO.File.WriteAllBytes(@"c:\test.pfx", certData);

Or you can do the same in powershell:

$c = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("c:\test.cer")
$bytes = $c.Export("Pfx", "Password")
[System.IO.File]::WriteAllBytes("c:\test.pfx", $bytes)

Running this will allow you to create .pfx files for each certificate and then import them into Azure. Just be sure to change the “Password” and put the same one in on the dashboard for Azure.

There is not enough space on the disk

ASP.NET Debugging — Mon, 21 Dec 2009 19:53:00 GMT

This issue was originally posted here, but I wanted to bring it to the this blog as well so it is being cross-posted here.

Problem

There may be some times where you will see this message when developing an application for Windows Azure. The message will look like:

There is not enough space on the disk.
Description: An unhandled exception occurred during the execution 
of the current web request. Please review the stack trace for more 
information about the error and where it originated in the code. 

Exception Details: System.IO.IOException: There is not enough 
space on the disk.


Source Error: 
An unhandled exception was generated during the execution of the 
current web request. Information regarding the origin and location 
of the exception can be identified using the exception stack trace 
below. 

Stack Trace: 
  
[IOException: There is not enough space on the disk.]
   System.IO.__Error.WinIOError(Int32 errorCode, String maybeFullPath) +10546789
   System.IO.FileStream.WriteCore(Byte[] buffer, Int32 offset, Int32 count) +10351324
   System.Web.TempFile.AddBytes(Byte[] data, Int32 offset, Int32 length) +26
   System.Web.HttpRawUploadedContent.AddBytes(Byte[] data, Int32 offset, Int32 length) +327
   System.Web.HttpRequest.GetEntireRawContent() +515
   System.Web.HttpRequest.GetMultipartContent() +72
   System.Web.HttpRequest.FillInFormCollection() +248
   System.Web.HttpRequest.get_Form() +79
   System.Web.HttpRequest.get_HasForm() +73
   System.Web.UI.Page.GetCollectionBasedOnMethod(Boolean dontReturnNull) +54
   System.Web.UI.Page.DeterminePostBackMode() +90
   System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, 
        Boolean includeStagesAfterAsyncPoint) +268

The typical situation where you will see this is if you are using the ASP.NET FileUpload control to let users upload files.

If the file they try to upload exceeds 100 MB, it will error with this message.

Resolution

There are a few ways that you can work around this issue. The best solution would be to use Silverlight to handle the upload instead of the ASP.NET FileUpload control. By using Silverlight, you can have the client directly upload the file to blob storage and reduce how many places the file gets copied.

There are also some 3rd party controls that you can use to do this as well.

More Information

The problem with the ASP.NET FileUpload control is that it writes the file to a temp folder during upload. The folder that is used in Windows Azure is limited to 100 MB so if you try to write something larger then that, it will fail.

I haven’t tested this, but if you have multiple users uploading data at the same time, you could see the same problem. For example, if 15 users all upload a 10 MB file at the same time, the temp folder will probably fill up and give the same error.

Note: there is a setting that you may be temped to use which is the tempDirectory attribute off the compilation element. If you try to set this to anything, it will cause your Web Role to not start up.

Contacting Azure Dev Support

ASP.NET Debugging — Fri, 04 Dec 2009 22:00:00 GMT

We are unable to give everyone's individual problems attention as we only have so much time a day to dedicate to this blog. So if you have a problem that needs to be investigated, please go through the official Microsoft channels to get help. You can get help at http://support.microsoft.com and one of us will be glad to help you out.

Also, you can now quickly submit your issues via the Internet as follows:

Azure .Net Services Developer
https://support.microsoft.com/oas/default.aspx?gprid=14927&st=1

Azure .Net Services Service
https://support.microsoft.com/oas/default.aspx?gprid=14924&st=1

Azure SQL Developer
https://support.microsoft.com/oas/default.aspx?gprid=14930&st=1

Azure SQL Service
https://support.microsoft.com/oas/default.aspx?gprid=14919&st=1

Azure Windows Developer
https://support.microsoft.com/oas/default.aspx?gprid=14920&st=1

Azure Windows Service
https://support.microsoft.com/oas/default.aspx?gprid=14928&st=1

Cases can be created 24 hours a day, 7 days a week and will be responded to in one business day.

If you would like to contact us about the blog, please feel free to post a comment.

Comment Guidelines for this Blog

ASP.NET Debugging — Fri, 04 Dec 2009 21:55:13 GMT

As the community participates in the Azure Dev Support blog, I want to offer some guidelines on how I handle comments in general. My primary goal is for this to be a place for open discussion about Azure, so I don’t want to have lots of overhead and process.

I love comments and look forward to the dialog.

Things I want to see in comments:

Lots of good interesting responses on Azure and the posts on this blog
Keep it on topic
Keep it respectful
Keep it fun

Things that will get comments edited/deleted:

Offensive or abusive language or behavior
Misrepresentation (i.e., claiming to be somebody you're not) - if you don't want to use your real name, that's fine, as long as your "handle" isn't offensive, abusive, or misrepresentative
Blog-spam of any kind

I hope these rules will keep the discussion lively and on topic. Hope everyone enjoys this blog now and in the future.

Welcome to the Azure Dev Support Blog!

ASP.NET Debugging — Fri, 04 Dec 2009 21:52:13 GMT

This blog is dedicated to all things Azure. We are the support team here at Microsoft that are working with Azure. Things you can expect to see are are posts on:

We look forward to interacting with everyone and helping make Azure a success.