Steve Spencer's Blog

Blogging on Azure Stuff

Windows Azure Training Kit–June 2012 Release

The Windows Azure Training Kit June 2012 release is out now with the following features:

  • 12 new hands-on labs for Windows Azure Virtual Machines
  • 11 new hands-on labs for Windows Azure Web Sites
  • 2 new hands-on labs demonstrating Windows Azure with Windows 8 Metro-style applications
  • Several new hands-on labs for Node.js and PHP using Mac OS X
  • Updated content for the latest Windows Azure SDKs, tools, and new Windows Azure Management Portal
  • New and updated presentations designed to support individual sessions to a full 3 day training workshops

Imagine Cup NE

Just finished at the Hacking Imagination event in County Durham. My role was to help mentor and encourage the students from Universities and Colleges in the North East of England to help them to develop their ideas for their Imagine Cup entries.

The event was held in a secret location in county Durham and the students were bussed in.

DSC_0163

A number of us from Black Marble attended and performed workshops in Migrating to Azure (me), ALM/TFS (Richard), WPF, SilverLight, Phone 7 101 (Leon), Planning Poker (Me, Leon) & Software War Stories/How to Run a Software Business(Robert, Me). The students were all enthusiastic and asked a lot of sensible questions. The students were put into teams if they hadn’t already formed them, which was interesting to watch as an outsider as it was a bit like a recruitment fair with students walking around from team to team where both sides were deciding whether the person or the team were a good fit. This seemed to have worked well with everyone having a team. the age and skill levels range from college students doing their A levels to MSc.

The aim of the two days was to get the teams in a position where they had an idea that is more than just a software app with a good justification for it. This was a difficult task for a lot of teams as they either had a technology solution and tried to find a problem to solve or a really wide problem that they were trying to solve. Most of the discussions were around getting the teams to think about the whole solution including who it is aimed at and how they are going to deliver it rather than just the software side of the solution. It was also about getting some of the teams to focus down on to a specific area rather than being general. Some of the ideas changed each time I spoke to the teams!!

The (long) 2 days ended with each of the teams doing a presentation of their ideas to the whole group. The whole 2 days was enjoyable and the students seemed to gain a lot from the experiences, bringing some out of their shells.

The thing that impressed me most was the amount of young talent that is around and the abilities they have. One group of students were from a 6th form college doing their A Levels/BTEC and the college had around 15 – 20 attendees, all working hard to deliver a good thought through ideas and presenting their ideas to a group of about 50 people. That is something I used to avoid as much as possible when I was at that age. It is this talent that is the future of IT. Credit must go to the teacher/lecturer who has encouraged this amount of A Level/BTEC students to attend an event like this. Its not an easy task to get teenagers to do anything (he says from experience).

Events like the Imagine cup helps these guys (and girls) to gain real world experience and advice from experts in the field. Getting a chance to influence and help this talent has been rewarding for me and I want to try to help some of these young people more. So thanks to all the people who organised and mentored the event and thanks to the students that attended.

There was a lot of information being passed around and to finish off this post, I’ve put together a list of some of the areas that we were talking about in my sessions. I hope they are useful.

Video of wiring the Windows Azure Access Control service into an ASP.NET website. My bit is at the end and its a no code demo to allow users to login to you website using Live, Google or Yahoo accounts.

The Windows Azure Platform training Kit

The Windows Identity training Kit

Windows Azure Pricing& MSDN subscription allowances

Team Foundation Server in the Cloud

Books

Don't Make Me Think!: A Common Sense Approach to Web Usability : Steve Krug (ISBN: 0321344758)

The Art of Unit Testing – Roy Oshrove

Windows Azure Platform Training Kit Update

If you attended the Black Marble Architecture Event yesterday you would have seen a number of talks around Azure and the Windows Azure Platform Training Kit was mentioned a number of times.

The latest update to the training kit is here:

http://www.microsoft.com/download/en/details.aspx?id=8396

This update includes the changes for the Azure 1.6 SDK plus updates and new demos.

The training kit is a free resource that provides a good introduction to Azure and covers a large amount including Windows Azure, SQL Azure, AppFabric (Service Bus, Caching, Access Control) plus a load of other stuff.

Windows Azure Announcements

AppFabric

Microsoft have announced two new Azure AppFabric CTPs.

 

May 2011 CTP will include Service bus enhancements including

  • A more comprehensive pub/sub messaging
  • Integration with the Access Control Service V2
  • Queues based upon a new messaging infrastructure backed by a replicated, durable store.

See here for more details.

June 2011 CTP will include tooling to help with building, deploying and managing Windows Azure Applications including:

  • AppFabric Developer Tools
  • AppFabric Application Manager
  • Composition Model

See here for more details

SQL Azure

The SQL May 2011 update contains the following:

  • SQL Azure Management REST API – a web API for managing SQL Azure servers.
  • Multiple servers per subscription – create multiple SQL Azure servers per subscription.
  • JDBC Driver – updated database driver for Java applications to access SQL Server and SQL Azure.
  • DAC Framework 1.1 – making it easier to deploy databases and in-place upgrades on SQL Azure.

See here for more details

Deploying Access Control Service enabled web application in Windows Azure

When deploying an Access Control Service enabled web application from my development environment to Windows Azure I got the following error:

“Unable to find assembly ‘Microsoft.IdentityModel, Version=3.5.0.0. . .”

image

This had worked well when running in the development fabric on my machine so it was strange that it failed when deployed to Windows Azure. The reason why this file cannot be found is because on my machine it is installed in the GAC and it is not in the GAC when deployed in Azure. There is a simple way to fix this and it is by configuring a Start-up task in your ServiceDefinition.csdef file to install the Microsoft.IdentityModel assembly in the GAC. When a new instance is created within Windows Azure the start up task will be run to allow things to be installed into the virtual machine prior to running your application.

Steve Marx has written an introduction to Start-up tasks as well as a Tips, Tricks and Gotchas list.

 

This post explains how to create a Start-up task to add an assembly to the GAC.

Error calling Azure Access Control Management Service

I’ve been developing a web application that adds rules to the access control service when a user registers with my website. This was working well using the ACS in AppFabricLabs. When I ported across to ACS V2 in the live environment I kept getting an exception thrown whenever I tried to retrieve information via the management service api.

The exception details are

The remote server returned an error: (400) Bad Request.

Status = protocol error

After investigation by looking at the latest ACS code samples on MSDN I noticed that the protocol has actually changed in the Common assembly ManagementServiceHelper.cs class. Comparing the code and copying the changes across to mine fixed the problems.

I also noticed that today that AppfabricLabs was updated last night and now uses the same protocol as V2 Live so you will need to make these changes anyway.

MSDN subscribers now get more Windows Azure Platform benefits

If you are an MSDN subscriber (Ultimate or Premium) you now get more Windows Azure resources. Professional subscribers are now also included in the promotion.

See here for more details. If you have already taken up this offer and you are an MSDN Premium subscriber then you will automatically be upgraded to the MSDN Ultimate offer.

 

In order to activate your benefits

  • Sign-in to your MSDN benefits page
  • Click on the Windows Azure Platform link from My Account and follow the steps to activate Windows Azure (for limited free access). You'll need your credit card or follow the Steps to set up invoicing for Windows Azure to sign up. If you use more than the amount of services included with your MSDN subscription, you will be billed to your card for these overages. You can visit the Microsoft Online Services Customer Portal to look up your usage at any time.
  • Go to the Windows Azure Developer Portal to access your Windows Azure subscription
  • Windows Azure AppFabric Access Control and Cache Services Commercial Release

    The first production version of the windows Azure caching service and a new production version of the Access Control service have been released. The following link provides the necessary information

    http://blogs.msdn.com/b/windowsazureappfabric/archive/2011/04/11/announcing-the-commercial-release-of-windows-azure-appfabric-caching-and-access-control.aspx

    In conjunction the Windows Azure Platform Training Kit and the Identity Developer Training Kit have both also been updated.

     

    The Windows Azure Platform Training Kits adds some new labs:

  • Authenticating Users in a Windows Phone 7 App via ACS, OData Services and Windows Azure lab
  • Windows Azure Traffic Manager lab
  • Introduction to SQL Azure Reporting Services lab
  • Add your own Claims to your ADFS Provider

    Following on from my previous blog on “Creating your own identity provider …” The following changes can be made to add in your own claims.

    Firstly in the App_Data\CustomSecurityTokenService.cs file of your identity provider web site I changed the following code

    outputIdentity.Claims.Add( new Claim( System.IdentityModel.Claims.ClaimTypes.Name, principal.Identity.Name ) );
    if (principal.Identity.Name.Equals("Steve") == true)
    {
    outputIdentity.Claims.Add(new Claim(ClaimTypes.Role, "Administrator"));

    outputIdentity.Claims.Add(new Claim("http://schemas.BlackMarble/Identity/Claims/Business",
    "Black Marble"));

    }
    else
    {
    outputIdentity.Claims.Add(new Claim(ClaimTypes.Role, "User"));
    }

     

     
    The first parameter of the Claim constructor needs to be in the format of a namespace and I added this one up as it was an internal name we are using.
    The second parameter of the Claim constructor is the value you want to pass through.
     
    Next go to the appfabric portal and add in the following rule to your STS provider. You need to make sure that the schema string you have in your code matches the Input Claim Type you added in your rule.
     
     
     
    image
    Now you should be passing through the Business claim to your website. To get access to the claim use the following code:
     
    using System.Threading;
    using Microsoft.IdentityModel.Claims;
    IClaimsPrincipal principal = (IClaimsPrincipal)Thread.CurrentPrincipal;
    var business = "";
    foreach (Claim claim in principal.Identities[0].Claims)
    {
    if (claim.ClaimType.Equals("http://schemas.BlackMarble/Identity/Claims/Business"))
    {
    business = claim.Value;
    break;
    }
    }

    if (!String.IsNullOrEmpty(business))
    {
    // we have a claim value for School so lets display it
    BusinessLabel.Text = business;
    }
    else
    {
    BusinessLabel.Text = "No business claim found";
    }
    Again, note that the claim type namespace is the same as you specified previously.

    The following claims are passed through to my website:

    image

    Creating your own identity provider for Windows Azure AppFabric Access Control

    Whilst doing an access control service demo I was asked whether you could wire in your own existing authentication mechanisms as customers did not want to have to redo their authentication/registration mechanisms to use Live ID, Google, Yahoo! etc. The answer to this was yes but I had never done it so this was a good time to investigate how.

    I started off with the Windows Azure Platform Training Kit(VS2010) and worked through the “Introduction to the AppFabric Access Control Service V2” lab to setup a web site that allows login via Live ID, Google and Yahoo!. Once this was running I needed to create my own provider and wire it into the lab solution that I just created. There is an additional lab ""Federated Authentication in a Windows Azure Web Role Application" which gives the basics of creating your own identity provider. Unfortunately this does not link to ACS so I needed to work out how to wire the provider in. The following instructions are how I created the site and wired it in:

    Taking the ACS lab solution as the basis, create an ASP.Net website that will carry out the login process. For this I added a “ASP.NET Security Token Service Web Site”. Right click on your solution and select new website. Make sure that the URL you enter for the site includes https at the start. (e.g. https://localhost/MyIDProvider).

    When the project is created, you need to change some of the code in the template as it does not handle the return address correctly when redirecting from your identity provider after logging in.

    The template for an STS web site needs the following code changing in App_Code\CustomSecurityTokenService.cs

    Go to GetScope and change the line

    scope.ReplyToAddress = scope.AppliesToAddress;

    to

    scope.ReplyToAddress = String.IsNullOrEmpty(request.ReplyTo) ? scope.AppliesToAddress : request.ReplyTo; 

    This takes the replyto address from the query string and uses this to redirect back to ACS once the login process has been completed. There are 2 other changes required to the basic STS template in order for it to work correctly.

    Open web.config and search for IssuerName in the application settings section and change it to be the url of your STS website (e.g. https://localhost/MyIDProvider)

    Also change the SigningCertificateName to point to a certificate that exists in your local machine certificate store. This website will now provide a simple mechanism for logging in. Without any changes you can enter any username and it will authenticate. At this point you will need to wire in your own authentication mechanism, but for testing purposes the default site will allow you to set it up correctly and test it out.

    We now need to wire this into ACS. I am using the labs version of the access control service at https://portal.appfabriclabs.com/.

    Navigate to your Access Control Service at appfabriclabs.

    Click “Identity Providers”, “Add Identity Provider” and add a new “Microsoft Active Directory Federation Service 2.0” provider. The two bits that are important are “WS-Federation metatdata” and the relying party application. Browse to the FederationMetadata.xml file of your STS project you have just created. (e.g. C:\inetpub\wwwroot\MyIDProvider\FederationMetadata\2007-06\FederationMetadata.xml). Also ensure that the ACS website created as part of the labs is checked and press Save.

    The final piece of configuration that is required is to add in the rules for your provider. still in the Access Control Service portal, click “Rule Groups”, select the rule group that you setup for your ACS lab and select “Generate Rules”. Ensure that your new identity provider is in the list and that it has been checked and press the “Generate” button. Two new rules should have been added for your provider (Pass through for name and role). You are now ready to test this.

    To make it easier to see what is happening I added the following to the Default.aspx of my ACS lab

    In default.aspx add the following:

        <asp:LoginView ID="LoginView1" runat="server">
            <AnonymousTemplate>
                <asp:Panel Visible="true" CssClass="secretContent" runat="server" ID="unauthorisedContent">
                You are unauthorised to view this page
                </asp:Panel>
            </AnonymousTemplate>
        
            <LoggedInTemplate>
                    You are logged in
            </LoggedInTemplate>
            <RoleGroups>
                <asp:RoleGroup Roles="Administrator">
                    <ContentTemplate>
                        <asp:Panel ID="SecretContent" runat="server" CssClass="secretContent" 
                            Visible="true">
                            Secret Content (Only administrators can access this section)
                        </asp:Panel>
                    </ContentTemplate>
                </asp:RoleGroup>
            </RoleGroups>
        </asp:LoginView>

    This will display the login status so you can see whether the login works or not.

    Also add the following style to the site.css file in the ACS lab site:

    .secretContent
    {
      border-style: solid; 
      background-color: Red; 
      padding: 5px;
      color: White;
    }

    Run the ACS lab application and check to see if your provider appears in the list of providers and also that when you click on the button it redirects to you page. Login and you should be redirected to the Default.aspx page of the ACS lab site with the text “you are logged in”.

    You may want to change the claims that are allowed for specific users. This is done in App_Data\CustomSecurityTokenService.cs in your identity provider web site.

    Modify GetOutputClaimsIdentity to change depending upon who is logged in.

    Change the code that adds a Manager Role to the following code to allow a user called Steve to be an administrator and everyone else as a user.

    if (principal.Identity.Name.Equals("Steve") == true)
    {
        outputIdentity.Claims.Add(new Claim(ClaimTypes.Role, "Administrator"));
    }
    else
    {
        outputIdentity.Claims.Add(new Claim(ClaimTypes.Role, "User"));
    }

    Run your ACS website again and login with “Steve” and you should now see the secret content that only administrator should see. Login as anyone else and you will not see the secret content.

    All that you need to do now is to wire in your own authentication mechanism and deal with the claims for each user.