Many companies, ISV’s, and solutions have concerns about data in the cloud. With PKI based encryption, Trust Services provides key management for your publisher/subscribers and a simplified SDK set of classes to abstract the encryption, decryption process. Both managed classes and PowerShell add-in provided...
Learn More about Microsoft Codename "Trust Services" - TechNet Articles - Home - TechNet Wiki
Windows Azure Fieldnote
Windows Azure Drives [1] provide a means to represent a file based (disk drive) persistent storage option for the various role types within Windows Azure Compute. Each of the roles within Windows Azure can mount and utilize for persistent storage (that survives reboot, reimaging, and updated deployments, of a role instances).
During the mounting of a VHD as a CloudDrive, the managed classes have no means to control the drive letter assignment this directly through the CloudDrive managed classes that are provided through the Windows Azure SDK.
Many solutions today require the use of standard Windows File IO based access and instead of refactoring solutions to leverage the storage options available in the PaaS part of the Windows Azure platform, solutions deployed to Windows Azure can mount a Virtual Hard Disk (VHD) that is persisted in a storage account inside of a running instance. That Page Blob backed VHD is then represented through Virtual Disk Services and Windows Cloud Drive services to the running instances as a Disk Drive and addressable through File IO using a Drive Letter.
While a persistent drive option is available, the drive letter assignment is determined at runtime during the mounting process. This potentially presents a problem with existing solutions, codebases, libraries that require a setting to be established prior to runtime. For example, an application configuration setting that provides a full path, including the drive letter to a location for read/write access for File IO.
The following solution takes advantage of the Virtual Disk Services through the DiskPart.exe operating system utility to first identify what the VHD is mounted as and, select that volume, and re-assign the letter to the target drive letter.
The original idea for the approach comes from this blog post here: http://techyfreak.blogspot.com/2011/02/changing-drive-letter-of-azure-drive.html
While there is a COM interface available that could be wrapped via an interop layer, the choice was made to initiate a process to take the actions required for remapping the drive letter due to simplicity. Additionally, while there is an existing managed Interop assembly available (Microsoft.Storage.Vds) that is an undocumented and unsupported assembly.
The example scenario presented does the following:
1. Leverages a Windows Azure Web Role (could be a Worker Role or VM Role as well)
2. Implements a Windows Console applications that:
a. Is a Startup task – in elevated mode and background b. Runs elevated in order to affect Virtual Disk Services c. At startup:
a. Is a Startup task – in elevated mode and background
b. Runs elevated in order to affect Virtual Disk Services
c. At startup:
d. Then Continuously (every 30 seconds)
** Drive Letter reassignment is done through a System.Process startup object that runs Diskpart.exe with a “select volume” and “assign drive letter” command sequence.
The sample solution contains the following:
1. Windows Azure Web Role – simple MVC3 application that just lists the mapped CloudDrives using the CloudDrive.GetMountedDrives() method
2. CloudDriveManager class library – helper class that provides the CloudDrive management actions leveraged by the caller (either Console or other code)
3. CloudDriveManagerConsole – Windows console application intended to be a startup project and running in elevated mode in order to affect the assigned driver letter
4. CloudDriveManagerRole – implementation of Microsoft.WindowsAzure.ServiceRuntime.RoleEntryPoint – which allows this class to be used from within a Windows Azure Web or Worker role – however, that role entry point would need to be elevated (via the “Runtime” and “NetFxEntryPoint” Elements)
5. Logger – simple logger class that writes to a Queue for debugging purposes
6. ResponseViewer – simple WPF application that reads Queue messages so you can view log messages from your cloud instances – purely for debugging purposes
7. TestListDrives – simple Windows console application that lists the mapped CloudDrives – usable from within the Role instance by using Remote Desktop and connecting to the instance
During role startup, Windows Azure will execute the Task defined in the Service definition in background mode and elevated (running as system). Inside of the console application, the implementation of OnStart does the following:
public override bool OnStart() { try { Initialize(); MountAllDrives(); } catch (Exception ex) { _logger.Log("fail on onstart", ex); } return true; } void MountAllDrives() { try { var driveSettings = RoleEnvironment.GetConfigurationSettingValue(DRIVE_SETTINGS); string[] settings = driveSettings.Split(':'); CloudStorageAccount account =CoudStorageAccount.FromConfigurationSetting(STORAGE_ACCOUNT_SETTING); string dCacheName = RoleEnvironment.GetConfigurationSettingValue(DCACHE_NAME); LocalResource cache = RoleEnvironment.GetLocalResource(dCacheName); int cacheSize = cache.MaximumSizeInMegabytes / 2; _cloudDriveManager = new CloudDriveManager(account, settings[0], settings[1][0], cache); _cloudDriveManager.CreateDrive(); _cloudDriveManager.Mount(); } catch (Exception ex) { _logger.Log("fail on mountalldrives", ex); throw; } }
Mostly, the startup routine calls into the custom class CloudDriveManager, which provides the simple abstraction to the Windows Azure CloudDrive managed class.
The custom CreateDrive method calls the CloudDrive create drive method in a non-destructive manner – and, for this sample, creates the initial VHD in storage if it does not already exist.
Mounting calls the managed classes CloudDrive.Mount along with calling into a custom VerifyDriveLetter method.
public void Mount() { _logger.Log(string.Format("mounting drive {0}", _vhdName)); _cloudDrive = _account.CreateCloudDrive(_vhdName); var driveLetter = _cloudDrive.Mount(_cacheSize, DriveMountOptions.Force); _logger.Log(string.Format("mounted drive letter {0}", driveLetter)); var remounted = VerifyDriveLetter(); }
Within VerifyDriveLetter there’s some logic to validate the current state of the mounted drives. And then verification if the mounted drive is the intended drive letter.
public bool VerifyDriveLetter() { _logger.Log("verifying drive letter"); bool rv = false; if (RoleEnvironment.IsEmulated) { _logger.Log("Can't change drive letter in emulator"); //return; } try { DriveInfo d = new DriveInfo(_cloudDrive.LocalPath); if (string.IsNullOrEmpty(_cloudDrive.LocalPath)) { _logger.Log("verifydriveLetter: Not Mounted?"); throw new InvalidOperationException("drive is notmounted"); } if (!char.IsLetter(_cloudDrive.LocalPath[0])) { _logger.Log("verifiydriveLeter: Not a letter?"); throw new InvalidOperationException("verifydriveletter - not a letter?"); } if (IsSameDrive()) { _logger.Log("is same drive; no need to diskpart..."); return true; } char mountedDriveLetter = CurrentLocalDrive(_vhdName); RunDiskPart(_driveLetter, mountedDriveLetter); if (!IsSameDrive()) { var msg = "Drive change failed to change"; _logger.Log(msg); throw new ApplicationException(msg); } else { Mount(); } _logger.Log("verifydriveletter done!!"); return rv; } catch (Exception ex) { _logger.Log("error verifydriveletter", ex); return rv; } }
The IsSameDrive method validates if the current mapped drive is indeed the planned drive letter. If not, it will return “false”.
bool IsSameDrive() { char targetDrive = _driveLetter.ToString().ToLower()[0]; char currentDrive = CurrentLocalDrive(_vhdName); string msg = string.Format( "target drive: {0} - current drive: {1}", targetDrive, currentDrive); _logger.Log(msg); if (targetDrive == currentDrive) { _logger.Log("verifydriveLetter: already same drive"); return true; } else return false; }
Finally, the RunDiskPart method initiates the action of spawning a new process with the dynamically created DiskPart script file that selects the existing volume name (by drive letter) and assigns the target drive letter.
void RunDiskPart(char destinationDriveLetter, char mountedDriveLetter) { string diskpartFile = Path.Combine(_cache.RootPath, "diskpart.txt"); if (File.Exists(diskpartFile)) { File.Delete(diskpartFile); } string cmd = "select volume = " + mountedDriveLetter + "\r\n" + "assign letter = " + destinationDriveLetter; File.WriteAllText(diskpartFile, cmd); //start the process _logger.Log("running diskpart now!!!!"); _logger.Log("using " + cmd); using (Process changeletter = new Process()) { changeletter.StartInfo.Arguments = "/s" + " " + diskpartFile; changeletter.StartInfo.FileName = System.Environment.GetEnvironmentVariable("WINDIR") + "\\System32\\diskpart.exe"; //#if !DEBUG changeletter.Start(); changeletter.WaitForExit(); //#endif } File.Delete(diskpartFile); }
As an example of the interaction and how the drive appears within the running Windows Azure Role, the following screen shots illustrate the results.
At program startup the drive is initially mounted by the Console application – immediately the drive is mounted as the F: drive – the startup code verifies if this is the intended drive – as shown below in the logs, it isn’t, so the code initiates the RunDiskPart method setting M: as the mapped drive.
The following shows how a Windows Azure Drive appears after the custom code reassigns the drive letter to the Operating system using Windows Explorer – the drive is selected below.
Within the custom MVC3 application, which simply just lists the Mounted Windows Azure drive (which runs in a separate Process non-elevated – the drive appears as a regular Operating System drive – accessible for File IO as required using the intended drive letter.
The following shows what happens if the drive letter is intentionally changed – in this example, I just initiate a DiskPart set of commands to assign the mounted drive the letter L:
As you can see in the Windows Explorer window the letter now appears as L: for the WindowsAzureDrive.
Within approximately 30 seconds (which is the value used in the Run method by the custom code) VerifyDriveLetter detects it’s not the intended drive and initiates a change.
And the below image shows the drive again, appearing as the M: drive:
Since capabilities in the Windows Azure platform change over time the ability to dictate the specific letter to be used may come available. Until then, this approach, by means of the Windows Azure Drive and Virtual Disk Services abstraction provided by the platform offers a means to accommodate codebase and application logic that is dependent upon predetermined drive letters.
[1] Windows Azure Drives http://www.windowsazure.com/en-us/develop/net/fundamentals/cloud-storage/#drives
[2] Virtual Disk Service http://msdn.microsoft.com/en-us/library/windows/desktop/bb986750(v=vs.85).aspx
[3] CloudDrive Storage Client http://msdn.microsoft.com/en-us/library/microsoft.windowsazure.storageclient.clouddrive.aspx
[4] Diskpart.exe http://technet.microsoft.com/en-us/library/cc770877(v=WS.10).aspx
[5] Task element http://msdn.microsoft.com/en-us/library/windowsazure/gg557552.aspx#Task
[6] Runtime element http://msdn.microsoft.com/en-us/library/windowsazure/gg557552.aspx#Runtime
[7] NetFxEntryPoint element http://msdn.microsoft.com/en-us/library/windowsazure/gg557552.aspx#NetFxEntryPoint
Solution File: MountXDriveSameLetter.zip
When you’re debugging security related things, sometimes you need to take a look at the thread identities user token.
When you’re inside of Visual Studio 2010 – in the watch windows you enter ‘$user’ and you’ll get the same as when in windbg with !token –n
If you’re like me, having those PDF version for offline review are great. It was a pain before as I had to individually print web pages to single PDF using tools.
Now, TechNet can track a “book” of topics for you, and then generate HTML or PDF for you to download – personal publishing
Roll-your-own techdocs for free - TONYSO - Site Home - TechNet Blogs
Wow – I still have my K&R book from a class I took at AT&T. Cut my teeth on nix…
Dennis Ritchie, Father of C and Co-Developer of Unix, Dies | Wired Enterprise | Wired.com
Multiple UPN support now available…
Description of Update Rollup 1 for Active Directory Federation Services (AD FS) 2.0
While the development server in Visual Studio 2010 is great for most work, it does have 1 shortcoming in that if you start adding content types that are not part of the base set of known Mime types built in, you won’t affect the proper header response that is emitted to the client/browser.
For example MP4 files, out of the box the development web server emits application/octet-stream or something like that. What we really need is video/mp4.
Now, with IIS Express, you can easily switch over to use that and just add the correct mapping to the section of the web.config when you’re running in integrated mode. Such as follows:
<system.webServer> <modules runAllManagedModulesForAllRequests="true" /> <staticContent> <mimeMap fileExtension=".mp4" mimeType="video/mp4" /> <mimeMap fileExtension=".m4v" mimeType="video/m4v" /> </staticContent> </system.webServer>
However, with the Visual Studio 2010 built in Web Development server, you can’t affect the mime type support through configuration.
For this a simple NuGet package is available that provides a simple HttpModule to affect the ContentType on the response headers. it reads the Web.config for the site and will honor the section above – this all happens only when NOT running in Integrated Pipeline mode.
Sample Solution and Source here: SampleMimeHelper.zip
The HttpModule makes use of dynamically loading via the PreApplicationStartMethod and the DynamicModuleHelper utility method that is part of the Microsoft.Web.Infrastructure namespace.
using System; using System.Collections.Generic; using System.Linq; using System.Web; using System.Diagnostics; using System.Configuration; using System.Web.Configuration; using System.Xml.Linq; using Microsoft.Web.Infrastructure.DynamicModuleHelper; [assembly: PreApplicationStartMethod(typeof(MimeHelper), "Start")] /// <summary> /// Summary description for MimeHelper /// </summary> public class MimeHelper : IHttpModule { static Dictionary<string, string> s_mimeMappings; static object s_lockObject = new object(); public static void Start() { if ( ! HttpRuntime.UsingIntegratedPipeline) DynamicModuleUtility.RegisterModule(typeof(MimeHelper)); } static string GetMimeType(HttpContext context) { var ext = VirtualPathUtility.GetExtension(context.Request.Url.ToString()); if (string.IsNullOrEmpty(ext)) return null; CreateMapping(context.ApplicationInstance); string mimeType = null; s_mimeMappings.TryGetValue(ext, out mimeType); return mimeType; } static void CreateMapping(HttpApplication app) { if (null == s_mimeMappings) { lock (s_lockObject) { if (null == s_mimeMappings) { string path = app.Server.MapPath("~/web.config"); XDocument doc = XDocument.Load(path); var s = from v in doc.Descendants("system.webServer").Descendants("staticContent").Descendants("mimeMap") select new { mimeType = v.Attribute("mimeType").Value, fileExt = v.Attribute("fileExtension").Value }; s_mimeMappings = new Dictionary<string, string>(); foreach (var item in s) { s_mimeMappings.Add(item.fileExt.ToString(), item.mimeType.ToString()); } } } } } public void Dispose() { } public void Init(HttpApplication context) { context.EndRequest += new EventHandler(context_EndRequest); } void context_EndRequest(object sender, EventArgs e) { try { HttpApplication app = sender as HttpApplication; string mimeType = GetMimeType(app.Context); if (null == mimeType) return; app.Context.Response.ContentType = mimeType; } catch (Exception ex) { Debug.WriteLine(ex.Message); } } }
Keith Dahlby has a good post on creating a fake SPContext. Here’s the link and the code
NOTE: This is not production safe code – use at own risk…
http://solutionizing.net/2009/02/16/faking-spcontext/
public static SPContext FakeSPContext(SPWeb contextWeb) { // Ensure HttpContext.Current if (HttpContext.Current == null) { HttpRequest request = new HttpRequest("", web.Url, ""); HttpContext.Current = new HttpContext(request, new HttpResponse(TextWriter.Null)); } // SPContext is based on SPControl.GetContextWeb(), which looks here if(HttpContext.Current.Items["HttpHandlerSPWeb"] == null) HttpContext.Current.Items["HttpHandlerSPWeb"] = web; return SPContext.Current; }
I wanted an ability to be able to simply time methods and write to a log/trace sink and a very simple approach that I ended up using was to provide a method that takes an Action delegate which would be the method that is to be timed.
The following is what I came up with (this is my reminder…)
class Program { static void Main(string[] args) { TestMethod1(); } private static void TestMethod1() { LoggingHelper.TimeThis("doing something", () => { Console.WriteLine("This is the Real Method Body"); Thread.Sleep(100); }); } } public static class LoggingHelper { public static void TimeThis(string message, Action action) { string methodUnderTimer = GetMethodCalled(1); Stopwatch sw = Stopwatch.StartNew(); LogMessage( string.Format("started: {0} : {1}", methodUnderTimer, message)); action(); sw.Stop(); LogMessage(string.Format("ended : {0} : {1} : elapsed : {2}", methodUnderTimer, message, sw.Elapsed)); } private static string GetMethodCalled(int stackLevel) { StackTrace stackTrace = new StackTrace(); StackFrame stackFrame = stackTrace.GetFrame(stackLevel + 1); MethodBase methodBase = stackFrame.GetMethod(); return methodBase.Name; } static void LogMessage(string message){ Console.WriteLine("{0}", message); } }
Nice table comparing Windows Azure Queues vs. Windows Azure AppFabric Service Bus – note the comment regarding in WAZ SDK 1.5 Queue message size is now 64KB
Of course, I like the name of the blog too.
Comparison of Windows Azure Storage Queues and Service Bus Queues « Microsoft Technologies Rocks !!!
Once in a while a good tool that I find out about that helps me developing solutions comes in real handy. MiniProfiler is one of those tools.
Developed by the StackOverflow folks it’s available in source or binary, and NuGet packages
Take a look
http://code.google.com/p/mvc-mini-profiler/
http://nuget.org/List/Packages/MiniProfiler
On the Channel 9 site where the BUILD conference sessions are available, there are several feeds that provide the media associated with the sessions.
One that’s not listed explicitly is the PowerPoint slides – that feed is here:
http://channel9.msdn.com/Events/BUILD/BUILD2011/RSS/slides
Matthew Kerner’s session at BUILD covers many of the patterns and approaches that a well designed and highly scalable solution can do to make the most efficient use of the platform.
Truth is many of the areas Matthew covers should be for on Premise too – including use of Windows Azure CDN.
At about ~30:00 in Matthew references one of my posts on Windows Azure CDN and using it with your Compute role (hosted service) as an CDN origin…
This is huge – and a welcomed addition. Been waiting too long for this.
Bringing Hyper-V to “Windows 8” - Building Windows 8 - Site Home - MSDN Blogs
The Windows Azure Content Delivery Network (CDN) helps improve the solution experience by putting content closer to the end-user, enhances availability, geo-distribution, scalability, lower latency delivery, and performance. If that’s the goal we want to be sure that when we instantiate the source of this content at the origin it’s as CDN friendly as we need.
In Windows Azure, when you’re running under IIS7.x /ASP.NET you have to be aware of the inherent behavior associated with Output Caching as it is part of the standard deployment of IIS7.x.
Some of that inherent behavior affects how cache-friendly your content (Http Response) will be as the CDN directly consumes your Hosted Service endpoint ( http[s]://yourservice:80|443/cdn ) on behalf of your users.
If you don’t understand how your solution emits these HTTP headers, you will end up with NO caching – defeating the purpose of the CDN (in fact making performance worse) and additional costs incurred.
The areas we’ll briefly take a look at here are:
The following code is an example of what developers generally provided with anticipation that the HTTP headers, specifically the Cache-control header will be emitted with a CDN friendly HTTP header – or any cache for that matter.
using (var image = ImageUtil.RenderImage(…)) { context.Response.Cache.SetMaxAge(TimeSpan.FromMinutes(Constants.MA)); context.Response.Cache.SetCacheability(HttpCacheability.Public); context.Response.ContentType = "image/jpeg"; image.Save(context.Response.OutputStream, ImageFormat.Jpeg); context.Response.OutputStream.Flush(); }
Under ASP.NET 3.5/4.x, this will result in the following
---request begin--- GET /image/0.jpg HTTP/1.0 User-Agent: Wget/1.11.4 Accept: */* Host: az30993.vo.msecnd.net Connection: Keep-Alive ---response begin--- HTTP/1.0 200 OK Cache-Control: public Content-Type: image/jpeg Server: Microsoft-IIS/7.5 X-AspNet-Version: 4.0.30319 X-Powered-By: ASP.NET Date: Fri, 08 Jul 2011 11:26:01 GMT Content-Length: 6976 X-Cache: MISS from cds168.ewr9.msecn.net Connection: keep-alive
With that set of headers, you will encounter a cache MISS on every request – with a read-through to the Hosted Service origin. You might not notice the impact right away as it can get picked up by the OutputCache module – but you’ve defeated the purpose of the CDN – and made the request performance worse.
The sample solution with this post provides a set of test scenarios for manipulating the HttpResponse under a standard IHttpHandler and under MVC3. If you take a look at the code you’ll see that 3 things are done to help diagnose the situation.
The easiest fix is to ensure you set SlidingExpiration to true on the response. This will ensure that the Cache-control header will contain your desired “public, max-age=xxxx”
public void ProcessRequest(HttpContext context) { using (var image = ImageUtil.RenderImage(…) { context.Response.Cache.SetCacheability(HttpCacheability.Public); context.Response.Cache.SetMaxAge(TimeSpan.FromMinutes(Config.MaxAge)); context.Response.ContentType = "image/jpeg"; context.Response.Cache.SetSlidingExpiration(true); image.Save(context.Response.OutputStream, ImageFormat.Jpeg); } }
public void ProcessRequest(HttpContext context) { using (var image = ImageUtil.RenderImage(…) { context.Response.Cache.SetCacheability(HttpCacheability.Public); context.Response.Cache.SetExpires(DateTime.Now.AddMinutes(Config.MA)); context.Response.ContentType = "image/jpeg"; image.Save(context.Response.OutputStream, ImageFormat.Jpeg); context.Response.OutputStream.Flush(); } }
[OutputCache(CacheProfile = "CacheDownstream")] public ActionResult Image3() { MemoryStream oStream = new MemoryStream(); using (Bitmap obmp = ImageUtil.RenderImage(…) { obmp.Save(oStream, ImageFormat.Jpeg); oStream.Position = 0; return new FileStreamResult(oStream, "image/jpeg"); } } //web.config <caching> <outputCacheSettings> <outputCacheProfiles> <add name="CacheDownstream" location="Downstream" duration="1000" enabled="true"/> </outputCacheProfiles> </outputCacheSettings>
Providing a query string on the request affects the Cache-control header. Even if you add just a “?” after the URL path, the OutputCache module will then emit your intended max-age.
You can do this by removing it from the ASP.NET pipeline altogether, or remove it in the sub-path where /cnd is located (or Virtual Application – see section later). This disables all Output caching for all requests.
You can also choose to bypass the OutputCache by affecting the Response with the following code
public void ProcessRequest(HttpContext context) { using (var image = ImageUtil.RenderImage(…) { context.Response.Cache.SetCacheability(HttpCacheability.Public); context.Response.Cache.SetMaxAge(TimeSpan.FromMinutes(Config.MA)); context.Response.Cache.SetNoServerCaching(); context.Response.ContentType = "image/jpeg"; image.Save(context.Response.OutputStream, ImageFormat.Jpeg); context.Response.OutputStream.Flush(); } }
You can take a look at the links in the section on implementing your own OutputCache module to get an idea on the implementation effort, but the reasoning why you would want to is varied – which I’ll cover a couple of reasons in that section.
Ensure you’re not emitting Vary:* by headers at all if you want to take advantage of caching – either with the Windows Azure CDN or not – as the specification indicates responses with Vary:* should not be cached and only handled at the origin.
From RFC2616: "A Vary header field-value of "*" always fails to match and subsequent requests on that resource can only be properly interpreted by the origin server."
One of the reasons you would want to move your origin from Windows Azure Storage to a Hosted Service is to take advantage of compression. As part of IIS7.x, you can ensure that static and dynamic compression is enabled for your content – this will then cascade through to the Windows Azure CDN and provide an overall better experience for your end users.
Today, using Hosted Service as an origin to Windows Azure CDN requires a production deployment of your service listening at the path http[s]://yourserviceDnsName:80|443/cdn. Currently we do not support Hosted Services as origins in staging.
All that is required is that your service provide responses under the /cdn path. You can achieve this with a WebRole that has a directory (path) under your main site.
What happens if you need (or desire) to isolate that path (/cdn)? Under Windows Azure, you can take advantage of IIS Virtual Applications / Directories under your main WebRole.
The following Service Definition illustrates the approach by taking advantage of the Full IIS model and the VirtualApplication element. The key to the approach here for your solution in the development fabric is to ensure the physical directory is relative to the MainWeb path.
<ServiceDefinition name="TR13VirtualApp" xmlns="http://schemas.microsoft.com/ServiceHosting/2008/10/ServiceDefinition"> <WebRole name="MainWeb" vmsize="ExtraSmall"> <Sites> <Site name="Web"> <VirtualApplication name="cdn" physicalDirectory="../MainWebCdn" /> <Bindings> <Binding name="Endpoint1" endpointName="Endpoint1" /> </Bindings> </Site> </Sites> …
This results in a deployment up on Windows Azure as the following – with a single site, and 2 application pools:
Simple VS2010 Solution is also provided at the end of the post and the following links provide further detail:
The Windows Azure Training kit contains a sample walkthrough that demonstrates the approach.
http://msdn.microsoft.com/en-us/wazplatformtrainingcourse_advancedwebandworkerrolesvs2010lab_topic2.aspx
Additionally, Wade Wegner goes into a bit of detail as well.
http://www.wadewegner.com/2011/02/running-multiple-websites-in-a-windows-azure-web-role/
You now have N (# of instances) producing possibly exact or similar replicas of your content. Not exactly a desirable effect if your transaction costs are high (maybe you’re reaching out to external services, or on premise mainframes, etc.)
Either replacing the OutputCache module with your own implementation, or leveraging your own request model (that will still work with or bypass the OutputCache module) you can instantiate a single copy of that content in AppFabric Caching – thereby reducing the overall cost associated with repetitive content creation. Whatever your choice, ensure to factor in operational costs of AppFabric to see if it meets your economic model.
The following links provide some guidance on replacing OutputCache module – which can be done at the /cdn path level if required.
The following is a sample implementation of a custom OutputCache module under NetFx 4.0.
http://weblogs.asp.net/gunnarpeipman/archive/2009/11/19/asp-net-4-0-writing-custom-output-cache-providers.aspx
Check out the following link on ASP.NET 4.0 caching in general to get an idea of OutputCache module.
http://msdn.microsoft.com/en-us/library/ms178597.aspx
CDN Test Solution
Virtual App Sample
Raffaele Rialdi has been adding features to his certificate management tool. Already supporting wildcard certificates, he’s now added SAN cert support.
But it’s more than certificate management too.
IAmRaf - Tools
Just to remind myself, the list of claim types and their encodings are listed here at the bottom.
http://msdn.microsoft.com/en-us/library/gg481769.aspx
Where for example:
i:0#.w|contoso\scicoria
‘i’ = identity, could be ‘c’ for others
# == SPClaimTypes.UserLogonName
. == Microsoft.IdentityModel.Claims.ClaimValueTypes.String
Table for reference:
Table 1. Claim types encoding
!
SPClaimTypes.IdentityProvider
”
SPClaimTypes.UserIdentifier
#
SPClaimTypes.UserLogonName
$
SPClaimTypes.DistributionListClaimType
%
SPClaimTypes.FarmId
&
SPClaimTypes.ProcessIdentitySID
‘
SPClaimTypes.ProcessIdentityLogonName
(
SPClaimTypes.IsAuthenticated
)
Microsoft.IdentityModel.Claims.ClaimTypes.PrimarySid
*
Microsoft.IdentityModel.Claims.ClaimTypes.PrimaryGroupSid
+
Microsoft.IdentityModel.Claims.ClaimTypes.GroupSid
-
Microsoft.IdentityModel.Claims.ClaimTypes.Role
.
System.IdentityModel.Claims.ClaimTypes.Anonymous
/
System.IdentityModel.Claims.ClaimTypes.Authentication
0
System.IdentityModel.Claims.ClaimTypes.AuthorizationDecision
1
System.IdentityModel.Claims.ClaimTypes.Country
2
System.IdentityModel.Claims.ClaimTypes.DateOfBirth
3
System.IdentityModel.Claims.ClaimTypes.DenyOnlySid
4
System.IdentityModel.Claims.ClaimTypes.Dns
5
System.IdentityModel.Claims.ClaimTypes.Email
6
System.IdentityModel.Claims.ClaimTypes.Gender
7
System.IdentityModel.Claims.ClaimTypes.GivenName
8
System.IdentityModel.Claims.ClaimTypes.Hash
9
System.IdentityModel.Claims.ClaimTypes.HomePhone
<
System.IdentityModel.Claims.ClaimTypes.Locality
=
System.IdentityModel.Claims.ClaimTypes.MobilePhone
>
System.IdentityModel.Claims.ClaimTypes.Name
?
System.IdentityModel.Claims.ClaimTypes.NameIdentifier
@
System.IdentityModel.Claims.ClaimTypes.OtherPhone
[
System.IdentityModel.Claims.ClaimTypes.PostalCode
\
System.IdentityModel.Claims.ClaimTypes.PPID
]
System.IdentityModel.Claims.ClaimTypes.Rsa
^
System.IdentityModel.Claims.ClaimTypes.Sid
_
System.IdentityModel.Claims.ClaimTypes.Spn
`
System.IdentityModel.Claims.ClaimTypes.StateOrProvince
a
System.IdentityModel.Claims.ClaimTypes.StreetAddress
b
System.IdentityModel.Claims.ClaimTypes.Surname
c
System.IdentityModel.Claims.ClaimTypes.System
d
System.IdentityModel.Claims.ClaimTypes.Thumbprint
e
System.IdentityModel.Claims.ClaimTypes.Upn
f
System.IdentityModel.Claims.ClaimTypes.Uri
g
System.IdentityModel.Claims.ClaimTypes.Webpage
Character
Claim Type
Microsoft.IdentityModel.Claims.ClaimValueTypes.Base64Binary
“
Microsoft.IdentityModel.Claims.ClaimValueTypes.Boolean
Microsoft.IdentityModel.Claims.ClaimValueTypes.Date
Microsoft.IdentityModel.Claims.ClaimValueTypes.Datetime
Microsoft.IdentityModel.Claims.ClaimValueTypes.DaytimeDuration
Microsoft.IdentityModel.Claims.ClaimValueTypes.Double
Microsoft.IdentityModel.Claims.ClaimValueTypes.DsaKeyValue
Microsoft.IdentityModel.Claims.ClaimValueTypes.HexBinary
Microsoft.IdentityModel.Claims.ClaimValueTypes.Integer
Microsoft.IdentityModel.Claims.ClaimValueTypes.KeyInfo
Microsoft.IdentityModel.Claims.ClaimValueTypes.Rfc822Name
Microsoft.IdentityModel.Claims.ClaimValueTypes.RsaKeyValue
Microsoft.IdentityModel.Claims.ClaimValueTypes.String
Microsoft.IdentityModel.Claims.ClaimValueTypes.Time
Microsoft.IdentityModel.Claims.ClaimValueTypes.X500Name
Microsoft.IdentityModel.Claims.ClaimValueTypes.YearMonthDuration
Be nice to be able to make wildcard certificates for use in development with makecert – turns out, it’s real easy. Just ensure that your CN= is the wildcard string to use.
The following sequence generates a CA cert, then the public/private key pair for a wildcard certificate
REM make the CA rem CA Certificate: makecert -r -pe -n "CN=AA Contoso Test Root Authority" -ss CA -sr CurrentUser -a sha1 -sky signature -cy authority -sv CA.pvk CA.cer -len 2048 REM now make the server wildcard cert makecert -pe -n "CN=*.contosotest.com" -a sha1 -len 2048 -sky exchange -eku 1.3.6.1.5.5.7.3.1 -ic CA.cer -iv CA.pvk -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 -sv wildcard.pvk wildcard.cer pvk2pfx -pvk wildcard.pvk -spc wildcard.cer -pfx wildcard.pfx
Well, apparently I missed this hidden feature having used the Lorem Ipsum website for some time, but if you enter the following in blank Word document – you’ll get 10 paragraphs of generated text:
=Lorem(10)
Such as:
Lorem ipsum dolor sit amet, consectetuer adipiscing elit. Maecenas porttitor congue massa. Fusce posuere, magna sed pulvinar ultricies, purus lectus malesuada libero, sit amet commodo magna eros quis urna.
Nunc viverra imperdiet enim. Fusce est. Vivamus a tellus.
Pellentesque habitant morbi tristique senectus et netus et malesuada fames ac turpis egestas. Proin pharetra nonummy pede. Mauris et orci.
Aenean nec lorem. In porttitor. Donec laoreet nonummy augue.
Suspendisse dui purus, scelerisque at, vulputate vitae, pretium mattis, nunc. Mauris eget neque at sem venenatis eleifend. Ut nonummy.
Fusce aliquet pede non pede. Suspendisse dapibus lorem pellentesque magna. Integer nulla.
Donec blandit feugiat ligula. Donec hendrerit, felis et imperdiet euismod, purus ipsum pretium metus, in lacinia nulla nisl eget sapien. Donec ut est in lectus consequat consequat.
Etiam eget dui. Aliquam erat volutpat. Sed at lorem in nunc porta tristique.
Proin nec augue. Quisque aliquam tempor magna. Pellentesque habitant morbi tristique senectus et netus et malesuada fames ac turpis egestas.
Nunc ac magna. Maecenas odio dolor, vulputate vel, auctor ac, accumsan id, felis. Pellentesque cursus sagittis felis.
The approach takes advantage of the SP 2010 OOB Session Token handler and FBA claims provider implementation that during a period of token lifetime, if there is activity during the period of time that can be defined as "EW" in the image in the section "Background" below, that the SPSecurityTokenManager will, with the FBA provider, reissue a Session Token with new SessionToken ValidTo and ValidFrom times without forcing a re-challenge for user credentials (username and password).
Additionally, it takes advantage of the ability to provide an event handler, on the SessionAuthentcationModule (SPSessionAuthenticationModule) to cause a reissue of the token temporarily with an expiry time (ValidTo) that will cause a SPSessionToken cache miss – thus forcing the re-issue by the SPSecurityTokenManager.
General Approach
The following is a contrived example and uses a rudimentary approach for determine how/when to indicate that the token should be "refreshed" This is done by hooking into the WIF Session Authentication Module's (SAM) Event "SessionSecurityTokenReceived".
The approach taken, and shown on the internet in several posts is to subclass the HttpApplication implementation.
The approach I recommend is to leverage the ability of any HttpApplication by ways of built in ability to identify all HttpModules loaded for that ASP.NET application (SP included) and determine if there are Event handlers specified by ways of the Global.asax in the Root of the SP IIS Site. This is handled by the System.Web.HttpApplication.HookupEventHandlersForApplicationAndModules method.
Note: There are alternatives that I've also tested that work – 1 approach is to register a new HttpModule, then in that HttpModule is to register "1" time a handler for the SAM's SessionSecurityTokenReceived event. This requires a method of indicating at the application level that a handler has already been registered.
Scenario Supported
The general scenario is:
DateTime newValidTo = DateTime.UtcNow.Add(logonWindow);
Sample Code for Event Handler
The sample code uses another class to contain the code; your implementation could just as easily keep this in the global.asax – however, I'm of the belief that the global.asax should be kept as pristine as possible.
The following code is placed in an assembly that is resolvable through normal fusion – that is, it could be a private assembly. I've chosen GAC in the sample project just for the ease of development.
The code below handles the event and just looks for a page (Url) that contains a well-known request string. This could be anything, but ensure that it's not a common page and based upon the application needs, how your logic will determine a need to refresh all claims.
<%@ Assembly Name="Microsoft.SharePoint" %> <%@ Assembly Name="RefreshClaimsSample, Version=1.0.0.0, Culture=neutral, PublicKeyToken=329ca2a6e4eeb8c6" %> <%@ Application Language="C#" Inherits="Microsoft.SharePoint.ApplicationRuntime.SPHttpApplication" %> <%@ Import Namespace="Microsoft.IdentityModel.Web" %> <%@ Import Namespace="Microsoft.IdentityModel.Tokens" %> <%@ Import Namespace="Microsoft.SharePoint.IdentityModel" %> <script runat="server"> void SessionAuthentication_SessionSecurityTokenReceived(object sender, SessionSecurityTokenReceivedEventArgs e) { RefreshClaimsSample.SampleRefreshClaims.ForceRefreshClaims(sender, e); } </script>
public static void ForceRefreshClaims(object sender, SessionSecurityTokenReceivedEventArgs e) { if (HttpContext.Current.Request.Url.AbsoluteUri.Contains("RefreshClaims.aspx")) { SessionAuthenticationModule sam = sender as SessionAuthenticationModule; var logonWindow = SPSecurityTokenServiceManager.Local.LogonTokenCacheExpirationWindow; DateTime newValidTo = DateTime.UtcNow.Add(logonWindow); e.SessionToken = sam.CreateSessionSecurityToken( e.SessionToken.ClaimsPrincipal, e.SessionToken.Context, e.SessionToken.ValidFrom, newValidTo, e.SessionToken.IsPersistent); e.ReissueCookie = true; } }
Wiring up Event Handler
In the SP Global.asax provided a method signature that matches the event from the SAM.
The requirements are that the signature is as follows:
void <moduleNameFromConfig>_<eventName> ( eventArgsType )
Where:
Background
In the above diagram, the settings:
These settings are obtained and modified via PowerShell under the SPSecurityT0kenServiceConfig set of cmdlets.
For the following samples, assume the following:
TL – EW = 6 Minutes
Solution Zip
This is to provide a little bit of explanation on the implementation of FBA authentication with SP 2010. There have been blog posts that indicate there are no sliding sessions, but with a little manipulation and understanding of some of the settings, there is somewhat of support for sliding sessions and re-issuance of tokens. The current model provides for a little trade-off on performance as re-requests to the FBA providers and also any SP Custom Claim providers can have impact on overall performance.
The following diagram represents the initial static view of the SP 2010 Security Token Service Configuration settings that control the management of Tokens issued under Forms Based Authentication (FBA) authentication.
The current SP 2010 April 2011 CU’s does support a level of sliding sessions as long as a request (user activity) occurs in the window of time after token issuance (logon or re-issuance) defined in the “EW” segment below.
Example 1:
Example 2:
Example 3:
Note in the above scenarios that the “(All Claims Providers Called)” indicates that the Claims Providers registered for the Web Application / Site are then called; any custom SPClaimProvider implementations will have the method FillClaimsForEntity called at that time
There are really 2 ways to get a SPClaimProvider registered – 1 via a Farm Feature activation. The other is via PowerShell.
However, the documentation on how to remove is not that clear.
The following code will remove it based upon a TypeName. Other identifiers can be used.
In order to remove:
Get-SPClaimProvider | ForEach-Object { Write-Host $_.TypeName IF ( $_.TypeName -eq "SimpleClaimsProvider.LVClaimsProvider") { Write-Host "Found" $cp = $_ } } $cp.DisplayName Remove-SPClaimProvider $cp
If you’re writing a custom SharePoint Claims Provider (SPClaimProvider) in order to augment claims, it’s important to also understand what process is executing your specific code path. In the situation where you are making calls to a DB or service endpoint you will need to understand which process actually makes that call.
In situations when running in a Trusted Subsystem model, you’ll also need to RunWithElevated in order to have that code path execute in the context of the Windows Principal for that process.
The following table illustrates for the abstract members of the SPClaimProvider class when implemented and where they execute:
Method / Property
Web App
FillClaimTypes
X
FillClaimValueTypes
FillClaimsForEntity
FillEntityTypes
FillHierarchy
FillResolve
FillSchema
FillSearch
Name
SupportsEntityInformation
SupportsHierarchy
SupportsResolve
SupportsSearch
So, if you have your persistence in a SQL DB, and your using Windows Authentication (and using RunWithElevated) you’ll need to grant (or have) to the appropriate SQL permissions; generally, I’ve just granted “datareader”.
This seems to come up a few times. The following sample script in PS applies a common master page across all SPWebs in a site collection.
$site = Get-SPSite http://fba.contosotest.com/dv1 $site | Get-SPWeb -limit all | ForEach-Object { $_.MasterUrl = "/dv1/_catalogs/masterpage/custom_v4.master";$_.Update() } $site.Dispose()
Thanks to Phil Childs - http://get-spscripts.com/2010/09/changing-master-page-on-sharepoint.html
Kevin Williamson has a great post on the overall flow of things from the point of publishing of your package up on the Windows Azure Developer Portal to Run().
These are good things to know as many times you need to inject steps, tasks, context at various stages of your service instance’s lifetime.
http://blogs.msdn.com/b/kwill/archive/2011/05/05/windows-azure-role-architecture.aspx
Windows Azure Role Architecture - Windows Azure - Troubleshooting & Debugging - Site Home - MSDN Blogs