Since Auto-Scaling doesn't allow buffer period and/or is not intelligent enough to NOT allow only "new requests" coming in to the instance which is scheduled to be turned off due to down-autoscaling, I am trying to avoid using sticky-sessions provided by the ELB. Otherwise this behavior will leave some of customers with a log-in screen.
The website and other RESTful webservices are running in IIS7. The website is using classic forms based authentication (built-in membership provider in MVC3), but will soon migrate to custom membership provider to look at the cookie and decrypt and then give the verdict. The RESTful webservices are already using Custom Membership Providers.
In this situation, I think for the website I cannot get by without using sticky sessions via its ELB.
The ELB of RESTful webservices can be configured for non-sticky since they individually observe the cookie on every request to see if the auth token exists with some encrypted value. However, the problem here are the methods FormsAuthentication.Enrypt and FormsAuthentication.Decrypt, they use MachineKeys under the hood. RIGHT ?! If not, then its not problem, but if they do then how to synchronize machine keys across autoscaled instances in EC2 ?
A best practice for this is to generate a machine key and put in your web.config file. That way as auto scaling starts and stops instances the key will always be constant and not dependent on the actual instance.
Since the recommended website seem to have been hacked (http://aspnetresources.com/tools/machineKey), I would recommend using the following procedure instead:
Open IIS Manager
Select the website you are managing
In the ASP.NET section, choose Machine Key (read below if you don't see this section)
Uncheck Automatically generate at runtime and Generate unique keys for each application
Click on Generate Keysin the Actions menu then click Apply
Open your web.config and copy the <machineKey> tag to your other web servers in your web farm so that they all use the same machineKey
Plus, you won't have any website logging your IP address and generated machine keys (if we are being cynical).
If you don't have an ASP.NET section in your IIS Manager, you can use the following procedure to enable it (from https://serverfault.com/questions/129714/asp-net-area-in-iis-7-on-windows-2008):
In Windows 7, you can enable ASP.NET from Control Panel -> Programs -> Programs and Features -> Turn Windows features on or off.
Expand Internet Information Services -> World Wide Web Services -> Application Development Features and click ASP.NET.
In Windows Server 2008, Open Server Manager -> click Roles -> click Add Roles -> select Web Server (IIS) -> in Role Services click ASP.NET it will prompt for necessary dependent Roles Services click Add Required Role Services.
Related
I am running two Windows server 2016s with IIS 10.0.14393. One server for staging purposes, and one for production.
The application has one "front-end app" and one "back-end REST api" running on the same IIS server. The front end communicates with the backend (suprise!). The difficulty I am facing is that the staging server works as expected, i.e no "Sign in" box appears when entering the front-end web page (React). However, on the production server this box pops-up.
When the page is loaded, there is javascript that fetches some information from the API, and it seems that this async fetch is causing the pop-up to occur (the request is in pending mode until login).
I have studied the configuration of IIS on the two servers but can't seem to find any obvious differences.
Both instances have both windows authentication and anonymous authentication turned on for both front-end and backe-end. I need this as the API has different types of authentication for the endpoints.
Anyone that has solved a similar issue?
Thanks
If someone experiences a similar issue the following link may help: https://support.microsoft.com/en-us/help/258063/internet-explorer-may-prompt-you-for-a-password
In my case I was sending the request to the api with the full domain url. The problem was fixed by just using the machine name (and port in my case) when sending the request. If the whole domain with punctuation is used, the system believes that the request is meant for the Internet and not the intranet, and will not include any credentials.
Another, and probably more robust solution, is to add the site in question to: Internet properties -> security -> Local intranet -> sites -> advanced.
We have an application which is hosted on the on-premises Windows server (IIS) server
now I created a windows server on azure and building a web app for it.where the application needs to authenticate the user by windows server (DC) using kerbrose protocol but I couldn't find any documentation regarding this from Microsoft's side
Is the above query possible to be implemented in the azure web app?
No, it's not possible. Windows Authentication is something for on-premise deployments. For Azure Web Sites Azure Active Directory is clearly the best option. Sync from AD to Azure Active Directory is also quite easy to setup.
If you still want to absolutely use Windows Auth and host your website on Azure, you can create Windows VM and host your website there. You then need to join the VM to your AD. To this, both VMs must be in the same network. So if your VM is on-premise you will need to create an site-to-site VPN.
For more information, follow this SO which also discussed about this.
If your intention is to join the VM hosting the website to a domain then as others have mentioned, this isn't possible.
However, doing Kerberos authentication itself within an Azure website isn't particularly difficult, but it does require manual implementation. Windows natively handles all of this for you on domain joined machines and and IIS exposes that functionality. Since you can't domain join you have to manually do all that heavy lifting and request and validate the tickets yourself.
This involves creating a service account in Active Directory and keeping the account password in sync. Once you have that you need to indicate to the browser that it needs to negotiate auth, which is done with the WWW-Authenticate: negotiate header on a 401 response. The client, if configured to send tickets, will send a ticket in the Authorization: Negotiate YII... request header on a subsequent response. At this point you need to shove that negotiate header and that original service account password into something that can validate Kerberos tickets. Windows SSPI will do this for you, but it's a pain. I built a library that'll do this for you: Kerberos.NET. YMMV with what works best for you.
All of that said, it may be more beneficial to switch over to a more modern authentication mechanism like OAuth/OpenIDConnect/SAML.
There are several ways depending on if you have to allow access to users who are associated with a on-premise Active Directory or not.
You should have a look at this service: https://learn.microsoft.com/en-us/azure/active-directory-domain-services/
It will offer an Active Directory within Azure where you can domain join your VM to and then using Kerberos as authentication protocol (should work the same way like on prem).
The other option would be to create a new Active Directory within your Virtual Network (via 1 or 2 small Windows Server VMs where you create the AD).
The good thing if you are using Active Directory Domain Services would be that you could extend it to your on-prem Active Directory by synchronizing or federating your on-prem AD.
There are more informations regarding these scenarios here:
https://learn.microsoft.com/en-us/azure/active-directory/hybrid/whatis-hybrid-identity
For a Azure App Service - Web App you would connect it to your Azure Active Directory (AAD) and use the hybrid identity model to allow users who originate from an on-prem AD access to it:
https://learn.microsoft.com/en-us/azure/app-service/configure-authentication-provider-aad
Hope this helps a bit, it is a rather complicated topic you are digging into.
Is it possible to have a wcf service role live in a virtual directory (or the equivalent not sure if that word is the appropriate one for Azure) of a web role on Azure.
For example:
www.mydomain.com <- contains the web role or website
www.mydomain.com/myservice.svc <- contains the WCF service
I've seen people suggest that you can change the config to allow for virtual directories, however I have RDPed into both VMs and they appear not to share the same files on disk.
I am Azure newbie, please forgive the terminology. But is it possible to do what I am wanting?
A web site and a WCF service can be accessed using the URLs you listed above if they are both in the same web role. You will get the URLs you describe above if you do the following:
Create a new cloud project in Visual Studio, specifying a Windows Azure Cloud Service.
At the prompt, add an MVC web role.
At the next prompt, select Internet Application and press OK.
When the project is created, right click on the MVC project and choose Add --> New Item --> WCF Service.
Press F5. The default ASP.NET MVC home page will show up. Then navigate to http://yourlocalhostaddress/Service1.svc. You'll see the typical "You have created a service" landing page for a new WCF service.
I'm wishing to use Visual Studio Load Tests to perform some load testing.
I was hoping to be able to use the counter monitoring that the Load Test provide in order to collect performance statistics from the web server I'm loading.
However there only seems to be support for connecting to machines you wish to monitor via your domain credentials. From http://msdn.microsoft.com/en-us/library/ms182594.aspx, section "To specify computers to monitor with counter sets during load test run"
On each server that you monitor, you must have sufficient user permissions to run performance monitors. Otherwise, errors are generated.
There seems to be no way to provide specific credentials to use to connect to machines you wish to monitor. As the web server I wish to monitor does not belong to a domain, I don't see any way to monitor it using VS Load Tests.
Is there some way to monitor it using VS Load Tests that I've missed?
There seems to be no way to provide specific credentials to use to connect to machines you wish to monitor
There is a way to do this. On Windows 7 it is called Credential Manager and you can access it either by searching for Manage Network Passwords on your Start Menu or via Control Panel > User Accounts. On older versions it was called Stored User Names and Passwords, also accessible via Control Panel > User Accounts.
In a nutshell, it allows you to specify alternative credentials for remote systems. Once you have set up credentials, it works completely invisibly and automatically for remote connection attempts from any application applications that support it, including Visual Studio collecting remote Perfmon data.
NOTE that you have to set up the credentials on the account that actually runs your load tests. If you are only running local load tests with no Controller then that's your own account. However if you run a Controller/Agent rig, the Controller may be configured to run under a service account (i.e. check the account running "Visual Studio Test Controller" service or QTController.exe). You have to login as that account and add the credentials.
I've found the following which is working for me. I'm just running the net use commands by hand because I don't want the user name and password in source control.
To get this working you will need to manually open an IPC channel to
the SQL and IIS machines with an account that has permissions in that
domain. This allows the account running the load tests to "piggyback"
across that IPC channel.
i have found this site to be a great help getting this going myself.
http://blogs.catapultsystems.com/tlingenfelder/archive/2009/06/18/performance-counters-timeouts-and-load-testing-with-visual-studio-2008.aspx
what you can do is create a small bat file and set it up to run in the
.testrunconfig file as a setup script.
net use \\SQLSERVER\IPC$ password1 /user:DOMAIN1\USER /persistent:yes
net use \\IISSERVER\IPC$ password2 /user:DOMAIN2\USER /persistent:yes
When I create a new "WCF Service Application" in Visual Studio and right-click Service1.svc, I can choose "View in Browser". A web browser appears showing http://localhost:50311/Service1.svc, which says
Service1 Service
You have created a service.
To test this service, you will need to create a client and use it to call the service. You can do this using the svcutil.exe tool from the command line with the following syntax:
svcutil.exe http://localhost:50311/Service1.svc?wsdl
...
The service somehow seems tied to Visual Studio itself, since the web page becomes inaccessible if I close the solution. What's going on? I don't have a web server installed, and I didn't (knowingly) start the service. What is the source of the displayed web page, and why is it on port 50311? Can the page be customized?
What you're seeing is the development web server that starts when you run a debugger instance of a project that requires a web server. (WCF, ASP.NET).
The port 50311 is determined by your project settings (most likely random, but you can specify).
The page for a .svc file is not meant to be customized. Since the service is waiting for a caller, that default page simply tells you that it's running properly.
Keep in mind that WCF offers several binding options that use various protocols (HTTP, TCP). Depending on the protocol that you choose, you will have to host in either IIS, a Windows Service or elsewhere. By default, new services will adopt a binding that works in IIS.
Check out Introduction to Building Windows Communication Foundation Services