Summary:
Does anybody know if there are known issues or configuration gotchas with an IIS service connecting to an Azure based service?
Scenario:
I currently have a scenario that requires me to host two web-services, one in Azure, and one on a server running IIS. The IIS hosted service (a WCF service) connects to the Azure hosted service (actually the Azure storage API) in order to fetch certain information. This information is manipulated and returned to the client.
Client -> IIS Service -> Azure Storage Service
Issue:
I'm running into issues with the IIS service connecting to the Azure Service. The hostname cannot be resolved. I'm using the Azure Storage client from my code, but have actually tried this using the azure API calls, and they also do not work from IIS. I captured the requests using Fiddler (on a different machine), they match the azure REST API calls, as expected. These requests, when made outside of IIS on the host machine execute properly. It is only when they are issued by the IIS service that they fail.
In my research other people have been running into this issue when there's a firewall problem, but since I can hit the service properly from the machine, that doesn't seem to fit the bill. My hunch is that there's a configuration issue I need to sort out in IIS, but I've failed to find anything useful with my searches.
Does anyone have any information on why this might be occuring (known bugs, gotchas etc)? Any workarounds? From a SOA perspective, this seems fairly critical to understand.
Any assitance anyone has would be helpful. Thank you.
Sounds like a proxy configuration issue. Check how your IIS server connected to Internet. If you are using some sort of proxy to get to Internet, that connection has to be configured correctly.
Specifically, if your proxy servers are Microsoft ISA server, or Microsoft Forefront TMG, then you need to check two things:
ISA server client or Forefront TMG client software is installed on the server
The account used by IIS application pool is domain user. ISA Server/TMG are designed to work only with user account, not service account. Alternative workaround for this limitation is using "defaultProxy" configuration in web.config, however it only wokrs for HTTP/HTTPS.
If you use different proxy server, then other issues might be involved, for example proxy might require authentication.
Related
This has to be a pretty simple task. I have an Azure Cloud Service that works just fine with HTTP and HTTPS. Now I want to create a net.tcp connection to the cloud service. The first thing I discover is that net.tcp is not supported by IIS Express. That's fine. So I try switching to regular IIS and all I get when I try to run the application is a 404 error. If I was building an WCF Web Application, I would get a form that allows me to select (and build) the virtual directory for the application, but there's no analog for this in the Cloud Service.
I can take a fresh 'Cloud Service' project build using visual studio, make no changes to it except change IIS Express to IIS. When I launch it, I get a 404 error in the web browser.
Does anyone have a working example of tcp.net (with IIS Express or standard IIS) in a Cloud Service?
This video by the Azure team is a great overview and cleared up a lot of conceptual issues I had. An Azure Cloud Service is a container around one or more virtual machines. The virtual machines basically come in two flavors: Web Role and Worker Role. What threw me is the description that the Worker Role was intended for background processes: not true. A Web Role is basically a VM with IIS, a Worker Role is basically a VM without IIS. Since the off-the-shelf IIS doesn't have net.tcp installed, you have to jump through hoops in order to get the protocol installed. Instead, the Worker Role can be used as a self-hosted web service. If you want the performance and throughput of TCP, this appears to be the direction to go.
Enviroment
Consider the following production environment setup for a web application:
End user --Internet--> web server in DMZ --Firewall--> WCF hosted on app server --> DB Server
Constraint:
Also consider that we cannot change anything from the infrastructure point of view. For example, open ports, change any firewall setting etc.
Problem:
We want to expose the WCF, which is hosted on the app server, to external clients. We are trying to solve this as follows:
End user --Internet--> Router WCF in DMZ --Firewall--> WCF hosted on app server --> DB Server
Please note that we cannot establish a db connection from the DMZ environment where the WCF needs to be hosted so that the external clients can consume it. We have developed a "Router WCF" which passes through all messages to the internal WCF and vice-versa.
This solution adds an unnecessary overhead of serializing and de-serializing data. There must a better and proper way of doing this. We are looking forward to the community for guidance. Thank you.
In DMZ the bibliography tells you: always create an intermediate layer. This means another machine on the internet will be the point of connection and it will proxy the connection back to WCF.
The machine is the web server you seem to mention, that is stupid, has no data, and (to be a proper DMZ) has a firewall between it and all the machines (WCF and the others) it serves that permits only IP:PORTS used on such machines.
In this scenario, usually Apache on the public web server with a URL-rewrite rule (i.e if it is /x/y send it to servera.internal.com:9900 - if it is /x/z send it to serverb.internal.com:9901 etc...) is enough, but there are plenty of solutions of course.
It seems you are doing exactly this, why do you say it is not the proper solution?
DMZs could seem a bit dated as protection mechanism (I agree) but you have to think when servers like your WCF machine had dozens of ports opened, and you wanted to lower the risk of random ports on web-facing machines, a giant attack surface. Nowadays everything can work with couple of ports opened, so it can seem "silly" to do all of this just to forward a TCP port. But it is still valuable as (for example) if servers behind the web server in DMZ do not have internet access, even when WCF is compromised, the attacker cannot use its own reverse shell to deploy what it is nowadays called an APT (yesterday backdoor). The attacker "won't see" his own machine from WCF as the DMZ provides the connection to the external world.
I've got a working WCF service and a working Delphi client. On a normal PC, they work nicely. On a VM that's "Bridged" they work nicely if I log onto the domain (but not if I logon locally to the VM as administrator). If the VM is NATed, the connection attempt times out.
I would love to hear people's thoughts on what could be making such a difference to whether the client can successfully connect to the WCF service. Bear in mind I'm connecting with basicHttpBinding with no security.
The service is setup to use System Account (interact with desktop is NOT checked), and it starts automatically. The service URI doesn't change, the port is open, and can be telnet'd to in all scenarios.
Any ideas or pointers?
Within the VM, open Internet Explorer and verify that you can view the WSDL of the WCF service. If you can't, then your issue is connectivity and has nothing to do with your Delphi code.
Group Policies and Enterprise Security solutions that swap certificates or require certificates to be registered (we're using a UTM called CyberRoam) make a difference.
Also when Virtual Machines join a domain, their ComputerNames are added to a list maintained by the Domain Controller. When the same Virtual Machine is "moved" or "copied", its ComputerName should be changed to avoid DNS resolution issues.
I'm not claiming this as the definitive answer, however it does explain the issues I noticed in this instance.
I am struggling with a WCF issue relating to name resolution-or something like so. When I consume a wcf service (netTcpBinding) on an application server via a web application on the web server it doesn't work. Ok it doesn't work in most situations. If you access the web application from the web server itself using localhost or 127.0.0.1 it works. However accessing it through the web server via another client machine or accessing the web application locally on the web server using the host name or IP address does not work. In both instances you get a socket connection aborted error.
What makes it more interesting is that switching all the security to 'none' as opposed to 'transport' resolves the issue.
My question is, is it possible to access wcf services using your web server and still use transport security? Or is this a bug/designed behaviour?
Many thanks for any insight,
Steve
The default NetTcpBinding security option is Kerberos / Windows Authentication. If your client and service are not on the same domain it will not work. You may need to look at certificate based authentication.
If you your service is running under a domain account, try changing it to LocalService or NetworkService to see if it resolves the issue.
Transport security typically only works point-to-point - when the client connects directly to the server.
If you have clients that come in from the internet, you have no control over how many intermediary hops they go through - so Transport security, even if you get it to work, will most likely not work at all, e.g. your message might be protected from the client to the first hop, and from the last hop to your server - but not in between hops.
For an internet scenario, typically, Transport security is not a valid option - use Message Security for those cases.
I'm not 100% sure why the connection wouldn't work at all - but in any case, if you're not behind a corporate firewall, I wouldn't be using netTcp with transport security in such a scenario.
Could you please add your server side config (anything inside <system.serviceModel>) to your question to see how you set up Transport security?
Does anyone recognise this error?
The SecurityContextSecurityToken with context-id=urn:uuid:xxx (key generation-id=) is not registered
It has suddenly appeared in the service trace log of my WCF service.
We had a Windows service successfully transmitting data into the WCF service for a day until it broke. The error manifests when the Windows service tries to connect to the WCF service.
It's highly unlikely that the environments changed. The two services exist on separate machines (an application server and a web server). Both are Windows Server 2003 SP1 machines, and the web server is running IIS 6.
Unfortunately, we have scarce access to the servers to help us debug, so any guesses on what might be wrong would be highly appreciated.
Indi
We had this problem with Web Service Extension 3.0, which was used before WCF. I have not experianced this with WCF, but I think that it is worth checking.
The scenario works like this:
The service starts and the user that is the identity of the service gets logged on.
When the service makes a call it is done in the security context of this user
After a while the logon token becomes so old (a day?) that the service will no longer accept it.
The easy way to test this is to restart the windows service.