Steve Spencer's Blog

Blogging on Azure Stuff

Windows Azure Platform Training Kit Update

If you attended the Black Marble Architecture Event yesterday, you would have seen a number of talks around Azure, and the Windows Azure Platform Training Kit was mentioned a number of times.

The latest update to the training kit is here:

http://www.microsoft.com/download/en/details.aspx?id=8396

This update includes the changes for the Azure 1.6 SDK plus updates and new demos.

The training kit is a free resource that provides a good introduction to Azure and covers a large amount including Windows Azure, SQL Azure, AppFabric (Service Bus, Caching, Access Control) plus a load of other stuff.

Windows Azure Announcements

AppFabric

Microsoft have announced two new Azure AppFabric CTPs.

May 2011 CTP will include Service Bus enhancements including:

  • More comprehensive pub/sub messaging
  • Integration with the Access Control Service V2
  • Queues based upon a new messaging infrastructure backed by a replicated, durable store.

See here for more details.

June 2011 CTP will include tooling to help with building, deploying and managing Windows Azure Applications including:

  • AppFabric Developer Tools
  • AppFabric Application Manager
  • Composition Model

See here for more details

SQL Azure

The SQL May 2011 update contains the following:

  • SQL Azure Management REST API – a web API for managing SQL Azure servers.
  • Multiple servers per subscription – create multiple SQL Azure servers per subscription.
  • JDBC Driver – updated database driver for Java applications to access SQL Server and SQL Azure.
  • DAC Framework 1.1 – making it easier to deploy databases and in-place upgrades on SQL Azure.

See here for more details

Deploying Access Control Service enabled web application in Windows Azure

When deploying an Access Control Service enabled web application from my development environment to Windows Azure I got the following error:

“Unable to find assembly ‘Microsoft.IdentityModel, Version=3.5.0.0. . .”

This had worked well when running in the development fabric on my machine, so it was strange that it failed when deployed to Windows Azure. The file cannot be found because on my machine it is installed in the GAC, whereas it is not in the GAC when deployed in Azure. There is a simple way to fix this: configure a Start-up task in your ServiceDefinition.csdef file to install the Microsoft.IdentityModel assembly in the GAC. When a new instance is created within Windows Azure, the Start-up task is run, which allows things to be installed into the virtual machine before your application runs.

Steve Marx has written an introduction to Start-up tasks as well as a Tips, Tricks and Gotchas list.

 

This post explains how to create a Start-up task to add an assembly to the GAC.

Error calling Azure Access Control Management Service

I’ve been developing a web application that adds rules to the access control service when a user registers with my website. This was working well using the ACS in AppFabricLabs. When I ported across to ACS V2 in the live environment I kept getting an exception thrown whenever I tried to retrieve information via the management service api.

The exception details are

The remote server returned an error: (400) Bad Request.

Status = protocol error

After investigation by looking at the latest ACS code samples on MSDN I noticed that the protocol has actually changed in the Common assembly ManagementServiceHelper.cs class. Comparing the code and copying the changes across to mine fixed the problems.

I also noticed today that AppFabricLabs was updated last night and now uses the same protocol as V2 Live, so you will need to make these changes anyway.

Windows Azure AppFabric Access Control and Cache Services Commercial Release

The first production version of the Windows Azure caching service and a new production version of the Access Control service have been released. The following link provides the necessary information:

http://blogs.msdn.com/b/windowsazureappfabric/archive/2011/04/11/announcing-the-commercial-release-of-windows-azure-appfabric-caching-and-access-control.aspx

In conjunction, the Windows Azure Platform Training Kit and the Identity Developer Training Kit have both also been updated.

The Windows Azure Platform Training Kit adds some new labs:

  • Authenticating Users in a Windows Phone 7 App via ACS, OData Services and Windows Azure lab
  • Windows Azure Traffic Manager lab
  • Introduction to SQL Azure Reporting Services lab

Windows Azure AppFabric CTP February release now available

    Microsoft released on Thursday the latest CTP for Windows Azure AppFabric. Details of the release can be found here, in the AppFabric Team blog and in Wade Wegner’s blog.

    The CTP contains changes to the Caching service and the AppFabric portal is now in Silverlight. The changes are as follows:

    • New Silverlight-based LABS portal, bringing consistency with the production Windows Azure portal.
    • Ability to select either a 128MB or 256MB cache size.
    • Ability to dynamically upgrade or downgrade your cache size.
    • Improved diagnostics with client side tracing and client request tracking capabilities.
    • Overall performance improvements.

    You can access the CTP by signing in to the AppFabric labs at http://portal.appfabriclabs.com/

    Creating your own identity provider for Windows Azure AppFabric Access Control

    Whilst doing an access control service demo I was asked whether you could wire in your own existing authentication mechanisms as customers did not want to have to redo their authentication/registration mechanisms to use Live ID, Google, Yahoo! etc. The answer to this was yes but I had never done it so this was a good time to investigate how.

    I started off with the Windows Azure Platform Training Kit (VS2010) and worked through the “Introduction to the AppFabric Access Control Service V2” lab to set up a web site that allows login via Live ID, Google and Yahoo!. Once this was running I needed to create my own provider and wire it into the lab solution that I had just created. There is an additional lab, “Federated Authentication in a Windows Azure Web Role Application”, which gives the basics of creating your own identity provider. Unfortunately this does not link to ACS, so I needed to work out how to wire the provider in. The following instructions are how I created the site and wired it in:

    Taking the ACS lab solution as the basis, create an ASP.NET website that will carry out the login process. For this I added an “ASP.NET Security Token Service Web Site”. Right-click on your solution and select new website. Make sure that the URL you enter for the site includes https at the start (e.g. https://localhost/MyIDProvider).

    When the project is created, you need to change some of the code in the template as it does not handle the return address correctly when redirecting from your identity provider after logging in.

    The template for an STS web site needs the following code changing in App_Code\CustomSecurityTokenService.cs

    Go to GetScope and change the line

    scope.ReplyToAddress = scope.AppliesToAddress;

    to

    scope.ReplyToAddress = String.IsNullOrEmpty(request.ReplyTo) ? scope.AppliesToAddress : request.ReplyTo; 

    This takes the ReplyTo address from the request query string and uses it to redirect back to ACS once the login process has been completed. There are two other changes required to the basic STS template in order for it to work correctly.

    Open web.config, search for IssuerName in the application settings section and change it to be the URL of your STS website (e.g. https://localhost/MyIDProvider).

    Also change the SigningCertificateName to point to a certificate that exists in your local machine certificate store. This website will now provide a simple mechanism for logging in. Without any changes you can enter any username and it will authenticate. At this point you will need to wire in your own authentication mechanism, but for testing purposes the default site will allow you to set it up correctly and test it out.
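
The GetScope change above sends the issued token to whatever address arrives in the request's ReplyTo. One way to restrict that to known endpoints is shown below as an added example (not part of the original post or the STS template); `ReplyToPolicy`, `Resolve` and the endpoint URL are hypothetical names and a constructed placeholder.

```csharp
using System;

// Added example: limits where the STS may send an issued token.
// ReplyToPolicy and Resolve are hypothetical names, not part of the STS template.
public static class ReplyToPolicy
{
    // Constructed placeholder: list the exact endpoint(s) of your own ACS namespace.
    private static readonly Uri[] Allowed =
    {
        new Uri("https://acs-namespace.example/v2/wsfederation")
    };

    // Returns the address the token may be posted to. An empty ReplyTo falls
    // back to AppliesTo (as in the post); anything else must match an allowed
    // endpoint on scheme, host, port and path, otherwise the request is refused.
    public static string Resolve(string requestReplyTo, string appliesToAddress)
    {
        if (String.IsNullOrEmpty(requestReplyTo))
            return appliesToAddress;

        Uri candidate;
        if (!Uri.TryCreate(requestReplyTo, UriKind.Absolute, out candidate) ||
            candidate.Scheme != Uri.UriSchemeHttps)
            throw new ArgumentException("ReplyTo must be an absolute https URL.");

        foreach (Uri allowed in Allowed)
        {
            if (Uri.Compare(candidate, allowed,
                    UriComponents.SchemeAndServer | UriComponents.Path,
                    UriFormat.UriEscaped, StringComparison.Ordinal) == 0)
                return allowed.AbsoluteUri; // registered form; caller's query is dropped
        }
        throw new ArgumentException("ReplyTo is not a registered endpoint.");
    }

    // In GetScope the assignment would become:
    //   scope.ReplyToAddress = ReplyToPolicy.Resolve(request.ReplyTo, scope.AppliesToAddress);
    public static void Main()
    {
        string appliesTo = "https://acs-namespace.example/"; // constructed sample
        Console.WriteLine(Resolve(null, appliesTo));
        Console.WriteLine(Resolve("https://acs-namespace.example/v2/wsfederation?x=1", appliesTo));
        try { Resolve("https://other.example/v2/wsfederation", appliesTo); }
        catch (ArgumentException e) { Console.WriteLine("refused: " + e.Message); }
    }
}
```

Inside a real STS you would surface the refusal as the same kind of invalid-request error the template already raises for an unrecognised AppliesTo, rather than a bare ArgumentException.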

    We now need to wire this into ACS. I am using the labs version of the access control service at https://portal.appfabriclabs.com/.

    Navigate to your Access Control Service at appfabriclabs.

    Click “Identity Providers”, “Add Identity Provider” and add a new “Microsoft Active Directory Federation Service 2.0” provider. The two bits that are important are “WS-Federation metadata” and the relying party application. Browse to the FederationMetadata.xml file of the STS project you have just created (e.g. C:\inetpub\wwwroot\MyIDProvider\FederationMetadata\2007-06\FederationMetadata.xml). Also ensure that the ACS website created as part of the labs is checked and press Save.

    The final piece of configuration that is required is to add in the rules for your provider. Still in the Access Control Service portal, click “Rule Groups”, select the rule group that you set up for your ACS lab and select “Generate Rules”. Ensure that your new identity provider is in the list and that it has been checked, then press the “Generate” button. Two new rules should have been added for your provider (Pass through for name and role). You are now ready to test this.

    To make it easier to see what is happening, I added the following to the Default.aspx of my ACS lab:

        <asp:LoginView ID="LoginView1" runat="server">
            <AnonymousTemplate>
                <asp:Panel Visible="true" CssClass="secretContent" runat="server" ID="unauthorisedContent">
                You are unauthorised to view this page
                </asp:Panel>
            </AnonymousTemplate>
        
            <LoggedInTemplate>
                    You are logged in
            </LoggedInTemplate>
            <RoleGroups>
                <asp:RoleGroup Roles="Administrator">
                    <ContentTemplate>
                        <asp:Panel ID="SecretContent" runat="server" CssClass="secretContent" 
                            Visible="true">
                            Secret Content (Only administrators can access this section)
                        </asp:Panel>
                    </ContentTemplate>
                </asp:RoleGroup>
            </RoleGroups>
        </asp:LoginView>

    This will display the login status so you can see whether the login works or not.

    Also add the following style to the site.css file in the ACS lab site:

    .secretContent
    {
      border-style: solid; 
      background-color: Red; 
      padding: 5px;
      color: White;
    }

    Run the ACS lab application and check that your provider appears in the list of providers and that clicking its button redirects to your page. Log in and you should be redirected to the Default.aspx page of the ACS lab site with the text “You are logged in”.

    You may want to change the claims that are allowed for specific users. This is done in App_Code\CustomSecurityTokenService.cs in your identity provider web site.

    Modify GetOutputClaimsIdentity to change depending upon who is logged in.

    Replace the code that adds a Manager role with the following code, which makes a user called Steve an administrator and everyone else a user.

    if (principal.Identity.Name.Equals("Steve") == true)
    {
        outputIdentity.Claims.Add(new Claim(ClaimTypes.Role, "Administrator"));
    }
    else
    {
        outputIdentity.Claims.Add(new Claim(ClaimTypes.Role, "User"));
    }

    Run your ACS website again and log in as “Steve”, and you should now see the secret content that only administrators should see. Log in as anyone else and you will not see the secret content.

    All that you need to do now is to wire in your own authentication mechanism and deal with the claims for each user.

    Azure Jumpstart and Accelerator links

    Thanks for attending the Azure Jumpstart and Accelerator events in Dublin and Belfast (also the Galway Live Meeting).

    Here is the list of links from my presentations:

    Azure HOL (August labs = VS2008, November Labs = VS2010)

    http://bit.ly/d16e3M (Update: 7 Jan 2011 : Looks like this link does not give the 2008 option any more)

    Also include the December update for Azure SDK 1.3 for VS2010 (http://www.microsoft.com/downloads/en/details.aspx?FamilyID=413E88F8-5966-4A83-B309-53B7B77EDF78&displaylang=en#RelatedResources)

    Shared Access signatures

    http://blog.smarx.com/posts/shared-access-signatures-are-easy-these-days

    CNAME mappings to CDN URLs

    http://blog.smarx.com/posts/using-the-new-windows-azure-cdn-with-a-custom-domain

    Adaptive Streaming can be made to work with the CDN too

    http://blog.smarx.com/posts/smooth-streaming-with-windows-azure-blobs-and-cdn

    Ticket Direct Case study

    http://www.microsoft.com/casestudies/Case_Study_Detail.aspx?casestudyid=4000005890

    MSDN offers

    http://www.microsoft.com/windowsazure/offers/default.aspx

    Patterns Azure Guidance

    http://wag.codeplex.com/

    Windows Azure AppFabric Labs (to see the latest changes to App Fabric)

    https://portal.appfabriclabs.com/