Windows Azure Web Role ASP.NET Application Federated Authentication Using AppFabric Access Control Service (ACS) v2 – Part 2

Programming Windows Azure - Programming the Microsoft Cloud

This post is a continuation of Windows Azure Web Role ASP.NET Application Federated Authentication Using AppFabric Access Control Service (ACS) v2 – Part 1.

Step 4 – Prepare ASP.NET cloud web application’s dependencies to be deployed to Windows Azure Environment

Content in this step is adapted from Exercise 1: Enabling Federated Authentication for ASP.NET applications in Windows Azure

This step helps you prepare your ASP.NET cloud web application to be deployed to Windows Azure together with its prerequisites, such as the WIF assembly; the WIF runtime is not installed as part of the Windows Azure environment. It also helps with creating and configuring a server certificate to enable secure communication over SSL. The server certificate is also required for WIF-related functions to work properly on Windows Azure.

To prepare the application's dependencies to be deployed to Windows Azure

  1. Switch to your solution in Visual Studio 2010.

  2. Add a reference to the Microsoft.IdentityModel assembly. To add the reference, right-click the References folder in Solution Explorer, choose Add Reference…, click the .NET tab, locate and choose the Microsoft.IdentityModel assembly from the list and click OK.

  3. Locate and choose the referenced assembly, Microsoft.IdentityModel, in the References folder.

  4. Press F4 to bring up the assembly's Properties window.

  5. In the Properties window set Copy Local to True and Specific Version to False.

  6. Open the global.asax.cs code-behind file.

  7. Add the following using declarations:

     using System.Collections.Generic; // needed for List<T> in the cookie transform code below
     using Microsoft.IdentityModel.Tokens;
     using Microsoft.IdentityModel.Web;
     using Microsoft.IdentityModel.Web.Configuration;

  8. Add the following code to it (note that you may already have an Application_Start event handler in it; just update it). The reason for this code is that by default the session cookies are protected using DPAPI, which is not available in the Azure environment.

     void OnServiceConfigurationCreated(object sender, ServiceConfigurationCreatedEventArgs e)
     {
         //
         // Use the <serviceCertificate> to protect the cookies that are
         // sent to the client: compress, then RSA-encrypt, then RSA-sign.
         //
         List<CookieTransform> sessionTransforms =
             new List<CookieTransform>(new CookieTransform[] {
                 new DeflateCookieTransform(),
                 new RsaEncryptionCookieTransform(e.ServiceConfiguration.ServiceCertificate),
                 new RsaSignatureCookieTransform(e.ServiceConfiguration.ServiceCertificate) });
         SessionSecurityTokenHandler sessionHandler = new SessionSecurityTokenHandler(sessionTransforms.AsReadOnly());
         // Replace the default (DPAPI-based) session token handler with the certificate-based one.
         e.ServiceConfiguration.SecurityTokenHandlers.AddOrReplace(sessionHandler);
     }

     void Application_Start(object sender, EventArgs e)
     {
         // Hook the event so the transforms are swapped in as soon as WIF builds its configuration.
         FederatedAuthentication.ServiceConfigurationCreated += OnServiceConfigurationCreated;
     }

The following procedure will help you create a self-signed certificate and configure it for the Compute Emulator and for the application's usage.

To create and configure a self-signed certificate

  1. Open the IIS Manager MMC by clicking the Windows button on the taskbar and typing IIS Manager (case does not matter). You should see Internet Information Services (IIS) Manager appear in the search results. Click it to open the Manager.
  2. When IIS Manager appears, type cert in the Filter: text area at the top middle of the screen. It should leave only the Server Certificates option. Run it by double-clicking it.
  3. On the right-hand side, in the Actions pane, click the Create Self-Signed Certificate… option.
  4. In the dialog specify a friendly name for your certificate and click OK to dismiss it.

This procedure will help you configure the certificate for use in your Compute Emulator.

To configure the certificate for the Compute Emulator

  1. Switch to your solution in Visual Studio.
  2. Right-click the web role under the Roles folder in Solution Explorer and choose the Properties option.
  3. Click on the Certificates tab.
  4. Click on Add Certificate.
  5. A new row appears.
  6. Type an arbitrary name for the certificate in the Name field.
  7. Leave the Store Location value as LocalMachine.
  8. Leave the Store value as My.
  9. In the Thumbprint field click the ellipsis (...); you should see a list of the certificates. Locate the one you created in the previous step and click OK. The Thumbprint field now shows the certificate's thumbprint.
  10. Save your work using Ctrl+S.
  11. Select and copy the thumbprint to the clipboard using Ctrl+C. You will use it for configuring the WIF-related sections in web.config.

This procedure will help you configure the Windows Azure Role's Endpoint to use the certificate for SSL/HTTPS communication.

To configure Windows Azure Role’s Endpoint for SSL/HTTPS

  1. While in the Web Role Properties page, click the Endpoints tab.
  2. Click the Add Endpoint option at the top; a new row appears.
  3. Type an arbitrary name for the new endpoint in the Name field.
  4. Specify a Type value of Input.
  5. Specify a Protocol value of SSL.
  6. Specify an arbitrary Public Port value. Note: the Compute Emulator cannot be configured for specific IP addresses and ports, so if the IP address and port value are unavailable the Compute Emulator will assign its own. You want to avoid this, since you need to know the exact IP address and port because they must be specified exactly in the ACS v2 portal. To identify the ports in use on the local machine, open a command prompt and run the following command: netstat -a -n | findstr 127.0.0.1. Use a port that is not listed there.
  7. In SSL Certificate Name specify the certificate you configured in the previous step.
  8. Save your work using Ctrl+S.

The next procedure will help you configure the certificate for use by the WIF-related functionality.

To configure the certificate for WIF functionality

  1. Open the web.config file and locate the microsoft.identityModel/service section.

  2. Add the following markup to the section. For the findValue value specify the thumbprint copied in the previous step.

     <serviceCertificate>
       <certificateReference x509FindType="FindByThumbprint" findValue="YOURTHUMBPRINTFROMPREVSTEP" storeLocation="LocalMachine" storeName="My" />
     </serviceCertificate>

  3. Locate the audienceUris/add section and change the value to reflect the changes you have made: change http to https and change the port number to the one you specified in the previous step.

  4. Locate the federatedAuthentication/wsFederation section and change the realm to the same value as in audienceUris.

This procedure helps you update your ACS v2.0 configuration to the proper values. Since the URL changed (HTTPS instead of HTTP, and the port number), it also needs to be updated in the ACS v2.0 Management Portal.

To update your relying party configuration on ACS v2.0 Management Portal

  1. Log on to the ACS v2.0 Management Portal at https://portal.appfabriclabs.com/
  2. Click Service Bus, Access Control & Caching on the left.
  3. Click Access Control in the tree under the AppFabric node.
  4. You should see the list of your namespaces.
  5. Click the namespace you configured in the previous steps.
  6. Click the Access Control Service ribbon at the top of the page; a new page or tab will open.
  7. Click the Relying Party Applications link on the left.
  8. Your relying parties should be listed.
  9. Click the relying party you configured earlier; you should be presented with the Edit Relying Party Application page.
  10. Change the Realm and Return URL fields to values reflecting the recent changes. They should match the audienceUris and realm you specified when configuring web.config in the previous step.
  11. Click the Save button to save your changes.

This procedure will help you configure permissions for the application to access your certificate's private key. By default the application runs in an application pool under the Network Service account. You need to grant permissions to this account so that it can use the certificate.

To grant certificate access permissions to the application pool account

  1. Click the Windows button on the taskbar and type mmc. You should see mmc.exe appear in the search results. Click it.
  2. When the MMC console appears, click File and then the Add/Remove Snap-in… option.
  3. In the available snap-ins list choose Certificates and click the Add > button.
  4. In the dialog box choose the Computer Account option and click the Next button.
  5. On the Select Computer wizard page choose the Local computer: (the computer this console is running on) option and click Finish.
  6. Expand the Console Root folder.
  7. Expand the Certificates (Local Computer) folder.
  8. Expand the Personal folder.
  9. Click the Certificates folder to list the available certificates.
  10. Locate your certificate, right-click it, choose the All Tasks option and then click the Manage Private Keys... option.
  11. Add the Network Service account to the list under the Group or user names: section and click the OK button.
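The two configuration points above (the certificateReference in web.config and the private-key permission for the application pool account) are the ones that fail silently until the first sign-in. The following console program is an added readiness check, not code from the original post or from the WIF samples it adapts: it locates the certificate exactly as WIF does (FindByThumbprint in LocalMachine\My) and then performs a public-key encrypt / private-key decrypt round trip, which is the same access RsaEncryptionCookieTransform needs. The class name, the command-line argument and the constructed sample payload are assumptions of this example; run it once under your own account and once under the Network Service account (for example from a scheduled task configured to run as that account) to confirm the Manage Private Keys step took effect.

```csharp
// Added readiness check (not part of the original post): verifies that the
// certificate web.config references by thumbprint can be found in
// LocalMachine\My and that its private key is usable by the current account.
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Text;

class CertificateReadinessCheck
{
    // Exit codes: 0 = certificate found and private key usable,
    //             1 = a check failed, 2 = bad usage.
    static int Main(string[] args)
    {
        if (args.Length != 1)
        {
            Console.Error.WriteLine("usage: CertificateReadinessCheck <thumbprint>");
            return 2;
        }

        // The thumbprint copied from the Certificates tab may contain spaces;
        // X509Certificate2Collection.Find expects the bare hex string.
        string thumbprint = args[0].Replace(" ", string.Empty).ToUpperInvariant();

        X509Store store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            // Same lookup WIF performs for <certificateReference x509FindType="FindByThumbprint" ...>.
            X509Certificate2Collection matches = store.Certificates.Find(
                X509FindType.FindByThumbprint, thumbprint, false);
            if (matches.Count == 0)
            {
                Console.Error.WriteLine("No certificate with thumbprint {0} in LocalMachine\\My.", thumbprint);
                return 1;
            }

            X509Certificate2 cert = matches[0];
            Console.WriteLine("Found: {0} (expires {1:u})", cert.Subject, cert.NotAfter);

            if (!cert.HasPrivateKey)
            {
                Console.Error.WriteLine("Certificate has no private key; WIF cannot decrypt or sign session cookies with it.");
                return 1;
            }

            // RsaEncryptionCookieTransform encrypts with the public key and decrypts with the
            // private key, so this round trip exercises exactly the access the web role needs.
            // Reading cert.PrivateKey throws CryptographicException ("Keyset does not exist")
            // when the account has not been granted read access to the key.
            RSACryptoServiceProvider publicRsa = (RSACryptoServiceProvider)cert.PublicKey.Key;
            RSACryptoServiceProvider privateRsa = (RSACryptoServiceProvider)cert.PrivateKey;

            string sample = "constructed sample session payload"; // constructed test data
            byte[] ciphertext = publicRsa.Encrypt(Encoding.UTF8.GetBytes(sample), false); // PKCS#1 v1.5 padding
            byte[] roundTrip = privateRsa.Decrypt(ciphertext, false);

            if (Encoding.UTF8.GetString(roundTrip) != sample)
            {
                Console.Error.WriteLine("Round trip through the certificate's key pair failed.");
                return 1;
            }

            Console.WriteLine("Private key is usable by {0}.", Environment.UserName);
            return 0;
        }
        catch (CryptographicException ex)
        {
            Console.Error.WriteLine("Private key is not accessible to {0}: {1}", Environment.UserName, ex.Message);
            Console.Error.WriteLine("Grant the application pool account read access via Manage Private Keys...");
            return 1;
        }
        finally
        {
            store.Close();
        }
    }
}
```

A non-zero exit code under Network Service but zero under your own account points at the permission step; a non-zero code under both usually means the thumbprint in web.config does not match the certificate in the store.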

This procedure tests your configuration and validates its readiness to be deployed to the Windows Azure environment.

To test readiness for Windows Azure deployment

  1. Switch to your solution in Visual Studio.
  2. Run your application using Ctrl+F5.
  3. You should be presented with a certificate warning. Accept it; it appears because we are using a self-signed certificate.
  4. You should be redirected to the Home Realm Discovery page presenting the Google and Windows Live ID options.
  5. Use either of these.
  6. Upon successful authentication you should be presented with your Default.aspx page.