Windows Azure Web Role ASP.NET Application and Access Control Service (ACS) V2 – Quick Checklist
This post is a quick checklist of what is needed to get an ASP.NET Web Role application running locally in the Windows Azure Compute Emulator when it is integrated with ACS v2.
Check the following to get your Web Role app running when integrating with ACS v2:
- Run Visual Studio elevated (as Administrator). This is required by the Azure project template.
- On the project's reference to the WIF assembly (Microsoft.IdentityModel), set Copy Local to True and Specific Version to False. The Windows Identity Foundation (WIF) runtime is not installed on Azure role instances, since WIF is an out-of-band downloadable runtime, so the assembly must ship with your package. The app would still work in the Compute Emulator without this step, because locally you have both the WIF runtime and the WIF SDK installed, which is exactly why the problem only shows up after deployment.
- Run the app in full trust mode; this is required by WIF. Double-click your WebRole in Solution Explorer in Visual Studio 2010, click the Configuration tab and choose the Full Trust option.
- Tweak Global.asax to protect the session cookie with RSA instead of the default DPAPI. DPAPI ties the key to the machine that encrypted the cookie, so it cannot be used in Azure, where the role can run on several instances and a cookie issued by one instance must be readable by another.
- If you do not do this, your app will throw the exception "Key not valid for use in specified state", as outlined in the WIF Q&A entry "Q: I am getting exception with the following message after deploying my application to a farm: 'Key not valid for use in specified state'?".
- Use the following code in Global.asax, adapted from Exercise 1: Enabling Federated Authentication for ASP.NET applications in Windows Azure, to protect cookies with RSA. You will also need to configure the service certificate (the <serviceCertificate> element in web.config, plus the matching certificate in the role's service definition and configuration); that is explained in the linked resource above. The certificate's private key must be accessible to the role process, because the RSA transforms use it to decrypt and verify the cookie on every request.
    // Add these usings at the top of Global.asax.cs (WIF 1.0, Microsoft.IdentityModel):
    using System;
    using System.Collections.Generic;
    using Microsoft.IdentityModel.Tokens;   // CookieTransform, SessionSecurityTokenHandler
    using Microsoft.IdentityModel.Web;      // FederatedAuthentication, ServiceConfigurationCreatedEventArgs

    void OnServiceConfigurationCreated(object sender, ServiceConfigurationCreatedEventArgs e)
    {
        //
        // Use the <serviceCertificate> to protect the cookies that are
        // sent to the client. Deflate first, then encrypt, then sign, so the
        // signature covers the ciphertext and is checked before decryption.
        //
        List<CookieTransform> sessionTransforms =
            new List<CookieTransform>(new CookieTransform[] {
                new DeflateCookieTransform(),
                new RsaEncryptionCookieTransform(e.ServiceConfiguration.ServiceCertificate),
                new RsaSignatureCookieTransform(e.ServiceConfiguration.ServiceCertificate) });

        // Replace the default session handler (which uses DPAPI) with one
        // that applies the RSA-based transforms above.
        SessionSecurityTokenHandler sessionHandler =
            new SessionSecurityTokenHandler(sessionTransforms.AsReadOnly());
        e.ServiceConfiguration.SecurityTokenHandlers.AddOrReplace(sessionHandler);
    }

    void Application_Start(object sender, EventArgs e)
    {
        // The event fires once, when WIF builds its configuration on first use.
        FederatedAuthentication.ServiceConfigurationCreated += OnServiceConfigurationCreated;
    }
- For the Compute Emulator, run the app with Ctrl+F5 or F5 rather than right-click -> View in Browser, so it runs in the Compute Emulator instead of Cassini (Cassini is the ASP.NET Development Server built into Visual Studio; if you run under Cassini you will just get access denied).
- For the Compute Emulator, find an unused port; otherwise the Compute Emulator assigns a random one (read more in Overview of the Windows Azure Compute Emulator, under "In the compute emulator, it is not possible to allocate a unique IP address."). With a dynamic IP and port, the address the emulator actually uses does not match the one registered for the relying party, and ACS returns an error (Error ACS50011; see ACS Error Codes). The workaround I use is to run netstat -a -n | findstr 127.0.0.1 to list all ports already in use, then set your WebRole endpoint's port to one that is free so the emulator does not generate a random one. Then enter that IP and port as the Return URL when configuring your relying party in the ACS portal.
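The port check from the last step, scripted. This is an added example and not code from the original post: it parses the same netstat -a -n listing the post filters with findstr 127.0.0.1, reads the port of the Web Role's HTTP input endpoint from ServiceDefinition.csdef, and reports whether that port is free (and therefore what to register as the Return URL in ACS) or already taken. The csdef path and the endpoint name "HttpIn" are assumptions; adjust them for your project.

```powershell
# Added example (not from the original post): verify that the port configured for the
# Web Role's HTTP input endpoint in ServiceDefinition.csdef is not already bound on
# 127.0.0.1, so the Compute Emulator will not silently pick a random port instead.
# The csdef path and the endpoint name "HttpIn" are assumptions; adjust for your project.
param(
    [string]$CsdefPath    = ".\ServiceDefinition.csdef",
    [string]$EndpointName = "HttpIn"
)

# Ports currently bound on the loopback address, parsed from "netstat -a -n"
# (the same listing the post filters with findstr 127.0.0.1).
function Get-LoopbackPorts {
    $ports = @()
    foreach ($line in (netstat -a -n)) {
        # Local address column looks like 127.0.0.1:8080 for both TCP and UDP rows.
        if ($line -match '^\s*(TCP|UDP)\s+127\.0\.0\.1:(\d+)\s') {
            $ports += [int]$Matches[2]
        }
    }
    return ($ports | Sort-Object -Unique)
}

# Read the InputEndpoint port from the service definition. The namespace is the one
# the Azure SDK uses for ServiceDefinition.csdef.
[xml]$csdef = Get-Content -Path $CsdefPath
$ns    = @{ sd = 'http://schemas.microsoft.com/ServiceHosting/2008/10/ServiceDefinition' }
$xpath = "//sd:WebRole/sd:Endpoints/sd:InputEndpoint[@name='$EndpointName']"
$endpoint = Select-Xml -Xml $csdef -Namespace $ns -XPath $xpath | Select-Object -First 1
if (-not $endpoint) {
    Write-Error "No InputEndpoint named '$EndpointName' found in $CsdefPath"
    exit 1
}
$port = [int]$endpoint.Node.port

$taken = Get-LoopbackPorts
if ($taken -contains $port) {
    # Suggest the first free port from a high range so it will not collide with
    # IIS, SQL Server or the emulator's own services.
    $free = 8080..8999 | Where-Object { $taken -notcontains $_ } | Select-Object -First 1
    $msg  = ("Port {0} is already in use; the Compute Emulator would assign a random one. " +
             "Change the '{1}' endpoint port to {2} in ServiceDefinition.csdef and register " +
             "http://127.0.0.1:{2}/ as the relying party Return URL in ACS.") -f $port, $EndpointName, $free
    Write-Warning $msg
} else {
    Write-Host "Port $port is free. Register http://127.0.0.1:$port/ as the relying party Return URL in ACS."
}
```

Run it from the cloud project directory (the one containing ServiceDefinition.csdef) before pressing F5. The check is only as good as the moment it runs: another process can still grab the port later, in which case the emulator remaps it again and the ACS-side error comes back, so re-run the script if the emulator's browser window opens on an unexpected port.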
Related Books
- Programming Windows Identity Foundation (Dev - Pro)
- A Guide to Claims-Based Identity and Access Control (Patterns & Practices) – free online version
- Developing More-Secure Microsoft ASP.NET 2.0 Applications (Pro Developer)
Related Info
- Windows Identity Foundation (WIF) and Azure AppFabric Access Control (ACS) Service Survival Guide
- Video: What’s Windows Azure AppFabric Access Control Service (ACS) v2?
- Video: What Windows Azure AppFabric Access Control Service (ACS) v2 Can Do For Me?
- Video: Windows Azure AppFabric Access Control Service (ACS) v2 Key Components and Architecture
- Video: Windows Azure AppFabric Access Control Service (ACS) v2 Prerequisites
- Windows Identity Foundation (WIF) Questions & Answers
- Windows Identity Foundation (WIF) Configuration – Part IV (Certificate Related Configuration)