Securing a WCF Service in Windows Azure with SSL

It is easy to find articles on how to create https (SSL) endpoints in Windows Azure services, e.g. this one. But I didn’t find information on how to configure the actual service, so I had to experiment. Here is a summary of what is needed with .NET Framework 4.

Http Endpoint

With .NET Framework 4, you can skip declaring your service and endpoints in the configuration file. The default is an endpoint with basicHttpBinding. But you probably want to enable metadata publishing using a service behavior:

    <behaviors>
      <serviceBehaviors>
        <behavior>
          <!-- To avoid disclosing metadata information, set the value below to false and remove the metadata endpoint above before deployment -->
          <serviceMetadata httpGetEnabled="true" />
          <!-- To receive exception details in faults for debugging purposes, set the value below to true.  Set to false before deployment to avoid disclosing exception information -->
          <serviceDebug includeExceptionDetailInFaults="true" />
        </behavior>
      </serviceBehaviors>
    </behaviors>

Https Endpoint

To secure your service with SSL (https), you must create a binding configuration, a service definition and an endpoint using the binding configuration like this:

    <bindings>
      <basicHttpBinding>
        <binding name="SecureBasic">
          <security mode="Transport" />
        </binding>
      </basicHttpBinding>
    </bindings>
    <services>
      <service name="Namespace.TestService">
        <endpoint binding="basicHttpBinding" bindingConfiguration="SecureBasic" name="basicHttp" contract="Namespace.ITestService" />
      </service>
    </services>

To publish metadata, you would want to change httpGetEnabled="true" to httpsGetEnabled="true":

    <serviceMetadata httpsGetEnabled="true" />

Http and Https Endpoints

If you, for testing purposes, want to have both http and https bindings, you add two endpoints:

    <endpoint binding="basicHttpBinding" bindingConfiguration="" name="basicHttp" contract="Namespace.ITestService" />
    <endpoint binding="basicHttpBinding" bindingConfiguration="SecureBasic" name="basicHttpSecure" contract="Namespace.ITestService" />

To publish metadata on both endpoints, modify serviceMetadata like this:

    <serviceMetadata httpsGetEnabled="true" httpGetEnabled="true" />
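Putting the pieces together, here is the complete system.serviceModel section as it would look for the deployed service (an added example, not taken from the original post). It keeps only the Transport-secured endpoint and https metadata, sets includeExceptionDetailInFaults to false as the template comment advises, and uses the post's placeholder names Namespace.TestService and Namespace.ITestService; the serviceHostingEnvironment element is an assumption not covered by the post.

```xml
<!-- Added example, not from the original post: deployment version of the
     configuration, assembled from the fragments in the post. -->
<system.serviceModel>
  <bindings>
    <basicHttpBinding>
      <!-- Transport security: this binding only works over https -->
      <binding name="SecureBasic">
        <security mode="Transport" />
      </binding>
    </basicHttpBinding>
  </bindings>
  <services>
    <service name="Namespace.TestService">
      <!-- Only the secured endpoint is declared; the plain http endpoint
           used for testing is left out of the deployed configuration -->
      <endpoint binding="basicHttpBinding" bindingConfiguration="SecureBasic"
                name="basicHttpSecure" contract="Namespace.ITestService" />
    </service>
  </services>
  <behaviors>
    <serviceBehaviors>
      <behavior>
        <!-- Metadata is published over https only; httpGetEnabled keeps
             its default value (false) -->
        <serviceMetadata httpsGetEnabled="true" />
        <!-- Exception details stay out of faults once deployed -->
        <serviceDebug includeExceptionDetailInFaults="false" />
      </behavior>
    </serviceBehaviors>
  </behaviors>
  <!-- Assumption, not from the post: if the web role still exposes both an
       http and an https input endpoint, the IIS site has two bindings and
       WCF needs this setting to activate the service -->
  <serviceHostingEnvironment multipleSiteBindingsEnabled="true" />
</system.serviceModel>
```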

Virtual Network with Internet Access Using Windows 7 Virtual PC and the Loopback Adapter

Sometimes I need two or more virtual machines connected in a virtual network when developing applications. You can set the network to Internal Network in Windows 7 Virtual PC settings and the virtual machines can communicate with each other, but they cannot communicate with the host. To fix that, and enable physical LAN/Internet access from the guests, you can use Microsoft’s loopback adapter. Here is how to set it up:

  1. Install the loopback adapter on the host and rename the new network connection from e.g. Local Area Connection 2 to e.g. Loopback.
  2. Change your original local area connection (not loopback) to allow Internet connection sharing. Set Home networking connection to Loopback.


    You will probably get a dialog telling you which IP address the host will use on the Loopback connection. Make note of this IP address. Your network adapters for the virtual network should use addresses in the same subnet (192.168.137.x).

  3. Configure your virtual machines to have one network adapter, and select Microsoft Loopback Adapter.


  4. Inside the virtual machines, configure the network adapter to use static IP addresses in the 192.168.137.x subnet.

    In this case, I have a virtual machine which is the Active Directory domain controller for my test domain, with address 192.168.137.101; that is why I have that address as preferred DNS server. The alternate DNS server is the address of the host on the virtual network. The 192.168.137.101 machine will resolve host names of the test domain and the host will resolve names of other domains. (On the AD DC, the preferred DNS server is set to the computer itself, i.e. 127.0.0.1.)

  5. If you (like me) have a test domain, set the DNS suffix for this connection on the Advanced -> DNS tab.


  6. You probably want to configure the custom DNS suffix on the loopback adapter on the host as well.