ARR 3.0 with SignalR 2.0

Configure IIS Application Request Routing (ARR) 3 as a reverse proxy for SignalR.

The infrastructure is built on Windows Azure as a cloud service (web roles). I have about 10 sub-sites running on Azure. To abstract them from the outside world I decided to put ARR (Application Request Routing) in front of them as a reverse proxy. Everything worked as expected with the SignalR implementation as long as we used the cloudapp.net URL or a CNAME-mapped URL to access the application. As soon as I added the ARR 3 layer we ran into a lot of issues, which came to us as a "support feature" of ARR.

Problem:

  • IE 9: all requests started as long polling instead of forever frames (iframe)
  • IE 10: all requests started as long polling instead of WebSocket
  • Chrome: some requests used server-sent events (SSE) and some used long polling, but none succeeded as WebSocket


Installing ARR 3 wasn't difficult at all. We are running a Windows Azure VM with Windows Server 2012 R2 Datacenter. Make sure IIS is installed on the machine (in my case it was IIS 8.5.9600) before installing ARR.

You need to enable support for the WebSocket Protocol on Windows Server 2012 for SignalR:

  • Open Server Manager.
  • Under the Manage menu, click Add Roles and Features.
  • Select Role-based or Feature-based Installation, and then click Next.
  • Select the appropriate server, (your local server is selected by default), and then click Next.
  • Expand Web Server (IIS) in the Roles tree, then expand Web Server, and then expand Application Development.
  • Select WebSocket Protocol, and then click Next.
  • If no additional features are needed, click Next.

Now the most important part to address if you really want SignalR to work over WebSocket or server-sent events.

SignalR settings required inside ARR 3.

Open -> Application Request Routing Cache / Server Proxy Settings

Cache Settings
Memory cache duration (seconds)

  • Enable disk cache: [uncheck]
  • Enable request consolidation: [uncheck]

Query string support: [Do not cache]

Buffer Settings

  • Response buffer: [1]
  • Response buffer threshold (KB): [0]

These settings affect how resources are cached and will therefore affect overall performance. I will come back with version 2 of this document to share my experience.

Hybrid authentication with WIF and ACS

Allow users of the old application (without WIF support) to log in to the new version of the application (WIF + ACS enabled) without data replication/duplication. The old application has no Windows Identity Foundation implementation; the new application supports WIF.

The problem statement seems to be a common one:

Approach

Designing a solution for this would involve many architectural discussions, and the conclusion would usually be replication or database mirroring from the old database to the new one via some database-level script. Any other solution would surely work and might look more logical, but it would cost a good amount of effort.


Simplistic solution:

Create an STS named "old app sts" (sample name) between the old application and Windows Azure Access Control Service. The old application should also have a page that does the processing logic and redirects the logged-in user to "old app sts". "old app sts" should then talk directly to ACS.

Note: We could map the old app directly to ACS as well, but this would expose information about the new application's authentication and create a dependency.

Configure Access Control Service:

Host "old app sts" and generate the federation metadata for this application. Configure "old app sts" as an identity provider inside ACS. Generate the rule groups, configure the certificates and use the same relying party (the new application).

The following walkthrough gives more insight:

Have a simple page or .ashx handler that does a bit of magic, and grab the sample code from MSDN for creating a SAML token.

1: Configuration information such as
  • IssuerName: the old application URL
  • Wtrealm: the custom security token service URL
  • TokenSigningCertificate: name of the SSL certificate to use
  • TokenEncryptionCertificate: name of the SSL certificate to use

2: Add an .aspx or .ashx page

3: Prepare the request query string to generate the SAML token.

  • Query string parameters required:
  • Key 'wa', value = wsignin1.0 or wsignout1.0
  • Key 'wtrealm', value = the configured Wtrealm value
  • Key 'wct', value = the current time as UtcNow

Prepare a URL with the above keys and values and post to the same page/handler again.

4: Generate the SAML token based on the configuration

Based on the URL we can now be sure that the request will always carry wa, wtrealm and wctx, which lets us build the SignInRequestMessage object. The SignInRequestMessage object lets us create a basic token for the currently logged-in user. Note: We have to decide which information about the user to include; at minimum we should get name, email and role, because the business processing in the new application uses these details to generate another token.

At this stage we have a basic SAML token that we can pass to "old app sts". Here we can choose to apply any business-specific processing, i.e. massaging the old app credentials into new app credentials, and this will not affect the old application's stability. This is configured with ASP.NET federated authentication based on the Windows Identity Foundation ASP.NET pipeline.

Why do we have this STS?
  • We can apply any custom business-specific retry logic at this place
  • It can be a single endpoint for any old application, as it is the only front face that talks to the new application
  • When a user signs out of the new application, the request can be processed at this level, so a user who belongs to the old application can be redirected to the old application's login page

Having said that, there are many possibilities, and this could basically help us bridge the gap.

Now assume you have got your token back at this point. The following configuration is required before processing the SAML token here:

  • TokenSigningCertificate: name of the SSL certificate to use
  • TokenEncryptionCertificate: name of the SSL certificate to use
  • Wtrealm: https://<your name space>.accesscontrol.windows.net/
  • Wreply: https://<your name space>.accesscontrol.windows.net/v2/wsfederation
  • Wctx: a key provided by Windows Azure Access Control Service, which can be grabbed from the ACS control panel

Based on the above configuration we can prepare the SignInRequestMessage object. After this we need custom logic or processing to write the custom claims.

We are all done here! Now the real mystery begins, or I should call it the fun part of the entire work!

At this point make sure of a few items, as they may save you a lot of time:

1: Configure "old app sts" as an Identity Provider

2: Start the application and request a login from the old application (debug via Fiddler, the life saver):

  • wa = wsignin1.0,
  • wtrealm = old app sts URL,
  • wct = current time as UTC

3: When you are redirected to "old app sts" (payload):

  • wa: wsignin1.0
  • wresult: your SAML token

4: When you are redirected to https://<your name space>.accesscontrol.windows.net/ (payload):

  • wa: wsignin1.0
  • wresult: your SAML token
  • wctx: this is very important; check a hundred times that you are passing a valid value.

Also check your SAML token: this value must be present in your SAML document as the context.

After this you are all done!
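As an added example (this is not the post's own code), here is the "old app sts" step above written against WIF 4.5 (System.IdentityModel.Services): it parses the wa/wtrealm/wctx request the old application sent, refuses anything that is not a sign-in for the expected realm, and forwards the token to ACS with wctx unchanged. `OldAppSts`, `ValidateSignIn`, `BuildAcsPost`, the `issueToken` callback and the placeholder URLs are assumptions; the token itself comes from the MSDN sample the post refers to.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Services;

// Added example, not the post's own code: the "old app sts" step above written
// against WIF 4.5 (System.IdentityModel.Services). Class, member and URL
// placeholder names are assumptions.
public static class OldAppSts
{
    // (assumed) wtrealm values this STS answers; step 2 of the checklist sends the
    // old app sts URL. Rejecting any other realm stops a crafted link from making
    // the STS issue a token for, or redirect to, a party it was never set up for.
    private static readonly HashSet<string> AllowedRealms =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "https://<old app sts url>/" };

    // Wreply from the configuration above: the ACS WS-Federation endpoint.
    private static readonly Uri AcsWsFedEndpoint =
        new Uri("https://<your name space>.accesscontrol.windows.net/v2/wsfederation");

    // Parses wa / wtrealm / wctx from the URL the old application built and returns
    // the sign-in request only if this STS should answer it; otherwise sets error.
    public static SignInRequestMessage ValidateSignIn(Uri requestUrl, out string error)
    {
        error = null;
        // CreateFromUri yields a SignInRequestMessage only for wa=wsignin1.0.
        var message = WSFederationMessage.CreateFromUri(requestUrl) as SignInRequestMessage;
        if (message == null) { error = "not a wsignin1.0 request"; return null; }   // sign-out handled elsewhere
        if (!AllowedRealms.Contains(message.Realm)) { error = "unknown wtrealm: " + message.Realm; return null; }
        // ACS uses wctx to tie the response back to the original sign-in; a missing
        // or altered value is the failure the post says to check "100 times".
        if (string.IsNullOrEmpty(message.Context)) { error = "missing wctx"; return null; }
        return message;
    }

    // Wraps the SAML token (from the MSDN sample the post refers to, supplied here
    // as issueToken) in the wa / wresult / wctx form that auto-posts to ACS.
    public static string BuildAcsPost(SignInRequestMessage request, Func<string, string> issueToken)
    {
        string wresult = issueToken(request.Realm);        // token with name, email, role claims
        var response = new SignInResponseMessage(AcsWsFedEndpoint, wresult)
        {
            Context = request.Context                      // forward wctx unchanged
        };
        return response.WriteFormPost();                   // HTML form submitting to ACS
    }
}
```

In the handler, call `ValidateSignIn(context.Request.Url, out error)` first and answer with an HTTP 400 on any error; only a validated request reaches `BuildAcsPost`.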


ASP.NET Application_BeginRequest, Azure web role, Windows R2 issue

It took almost a couple of days of work and passing the ball across the board. The scenario: there are a few services that had to be consumed by a rich client (mobile/iPad). Before calling the action (MVC) based on the URL, I needed to initiate a session, which I was doing by depending on Application_BeginRequest and the query string. Now, everything was absolutely perfect!

WTF! Safari on the iPad was the real pain. Rather, I should call it a series of pains to list the culprits! In the end I gave up. Everything looked perfect when I made the request from IE, FF, Chrome and Safari on Windows, and from FF, Chrome and Safari on Mac OS. But when we tried to hit the URL from the Titanium emulator on Mac OS and expected the result to come back, it was a nightmare. I can't imagine how, but it actually overlooked Application_BeginRequest and called the other methods of my controller, but not Application_BeginRequest.
I applied a lot of hacks to get it on track, but the issue was that I wasn't able to initiate my session, which is like a child going to school and asking where his class is. The worst part was that Global.asax wasn't helping me at all! Why? I'm not sure, but that was the case. I spent endless time debugging, tracing and manually inspecting the logs line by line.

Finally I asked God-Google. And there he gave a hint: IIS 7 has issues with this kind of scenario, something related to integrated mode or classic mode of IIS, somewhere in there is the bug. And it was written that this didn't work.
Well, that was a relief at last. Then I got a notification from my background worker, my sixth sense, and realised the easiest solution would be to change the machine. Wow, super easy, so test it. Exactly that silly: I just went to the Windows Azure portal and changed my web role's configuration to use the Windows Server 2012 OS instead of 2008 R2, and finally it brought a crazy smile to us. The problem was solved.

Note: Safari is a browser that actually caches AJAX requests sometimes (maybe always), unlike Chrome, Firefox and IE. This was a small culprit too, which was not easy to trace, but we managed to get the hint.

Single Sign-In and Single Sign-Out – WIF

Scenario: For people who don't know what SSO is: I use applications like Gmail, Picasa, Hangouts and so on. These are the applications end users use, and end users are only interested in using them. But suppose we did not have the "God" Google and these were replaced by some "Foo company", the most popular thing on the internet planet. Everyone, including me, wants to use all of these applications/web apps, so you would need to supply your credentials to each of them, and they would have to manage a huge credential store to take care of all of it.

Now there is a lot of talk about how to manage this. The most effective, and the one most brands rely on, is Windows Authentication, which lets you access files, applications and other resources if you belong to a specific group, and not otherwise. The same concept carries over to the internet world with Windows Live, Gmail and many other players that do this.

Let's call applications such as Gmail, Picasa and Hangouts the "RP". Outside your application pool there is a main application that you trust for the user's identity; you may call this the Identity Provider. What now? When a user wants to use any of the RPs they are redirected to the IDP (Identity Provider).
The IDP is the central heart that does the authentication and then sends the user back to the appropriate RP.

Let's understand with a better example: you want to buy a new SIM card for your mobile phone. The carrier ([RP], such as Vodafone, Aircel, Airtel and so on) normally asks for identification. Now what do you do? The best option is to provide a copy of your passport, sign it and submit it to the carrier. Wait, what just happened? You got a SIM card. Why? Because the carrier checks your signature against the passport signature and blindly trusts the passport copy, and of course you. Let's examine what happened: the carrier understands the passport and relies on it, and does not seek any background check on the passport copy once you have signed it. That's how it goes in real life, and the same applies to single sign-in and single sign-out. Looks very simple!

There is no real need to go any further in depth to explain how these individual pieces work. A lot of good quality material is already available; please read it. Search for Windows Identity Foundation. The latest version at present is Windows Identity Foundation 4.5.

Now you should do a dry run/hands-on with the configuration and terminology: Relying Party (carriers/applications), Security Token Service (passport issuers). In short we have something called RP and STS, and you might also see the terms IP-STS, STS and RP, or RP, STS, ACS and IP-STS. Just trust me as a relying party: you will find a lot of material on Google to understand these.

Windows 8 UI Designs

That's something interesting: we as developers never thought about UI design concepts. But the reality is that there are people out on the web who have done some fantastic research.

Microsoft Windows 8 is basically a new way of thinking, a response to the user's natural way of thinking or of accessing a possible view; or, being technical, what suits people who do not want to learn a process. Just being natural is the key for modern UI design.

Nothing surprised me when Windows 8 was pulled out into the market after three years of research, with the concept of applying a common notation across web, mobile and desktop users.

Just for a quick look, the Windows 8 UI design guidelines are based on some common real-world design principles:

  • Do more with less
  • Pride in craftsmanship
  • Be fast and fluid
  • Authentically digital
  • Win as one

The above concepts are basically pulled from the web, which is common, but from my experience my designers never thought of doing a little research on the same. But looking at the view of Windows 8 and the future development of Windows 8 apps, that will certainly have to be taken care of.

For example, when it comes to sharing things like images with Twitter or Facebook, the Windows 8 UI design concept is the contract. Did I say something weird? Contract: come on, my designers will never agree on it. But let me tell you, it's going to be a huge setback for my designers.


ASP.NET MVC, Entity Framework, Repository, IoC

ASP.NET MVC 4, Repository, Ninject Container
I have heard enough from many developers and other related geeks about what would be a better approach for ASP.NET MVC and a standard pattern. This will be a series of articles that will try to bring answers for everyone. Also note that it's my personal opinion on applying the pattern, formed from various sources and the research I did over Google. So I am expecting to learn from you as well, so that I can improve myself in the future.

ASP.NET MVC Project structure

What's new in ASP.NET MVC 4

For more than two months I have been playing with ASP.NET MVC 4. And more often than not I ask myself what makes ASP.NET MVC 4 different from ASP.NET MVC 3. Well, there are several reasons why ASP.NET MVC 4 has a significant chance to overrule ASP.NET MVC 3. I hope that in the next week or so I will come up with the list of items that are the gems of ASP.NET MVC 4.

Scaffold multiple controllers and views from Entity Framework

It's sometimes really frustrating that on one side Microsoft has given us a powerful editor to work and play with, with the great power of tooling sense, but on the other side there is literally no support for syntax highlighting or IntelliSense for .tt (T4 template) files.

We will see how things can be much faster and more robust than doing donkey work all day. Just see the following code snippet.

PM> $Model = "BusinessGroup", "City", "User", "Invoice", "Region", "Manager", "Site", "InvoiceAttachment", "Landlord", "Municipality"
PM> foreach($m in $Model) { Scaffold Controller $m }

In the above code I have given the types (the model names that I extracted from Entity Framework) as simple strings in a string array on the left-hand side. The next statement currently calls the default scaffold hook from NuGet, but I will override it as per my project requirements.