UPDATE: Folks from the Windows Azure team have posted an improved solution for how to host NetTcp services in Azure by using a WebRole instead of a WorkerRole, which simplifies the setup quite a bit.

Silverlight 4 added support for WCF’s NetTcpBinding, which is a performant and scalable TCP-based binding. It is also a useful binding when used in Windows Azure because it is not affected by Azure’s random load-balancer when using multiple instances of the service and creates an effectively pinned duplex connection to the cloud. The only disadvantage of the NetTcp binding is that it Silverlight does not support TCP transport security, so all the traffic to the web service is unsecured and can be intercepted by malicious parties. That may or may not be acceptable for your application.

I put together a sample on how to host a NetTcp service in Azure and consume it using a Silverlight client. The first thing to keep in mind here, is that Silverlight has some networking restrictions for security reasons. One of this restrictions is that if you want to speak TCP to a server, the server has to expose a policy file over port 80 explicitly listing the ports that it allows TCP for. Moreover, the ports have to be in the range 4502-4530. In other words if my Silverlight app wants to talk to net.tcp://contoso.cloudapp.net:4502, then I need to expose a policy file at http://contoso.cloudapp.net:80. 

Another interesting concern here is that hosting WCF NetTcp services is only allowed in Azure Worker Roles. This is because the Azure Web Role (which is basically an IIS instance) does not have WCF non-HTTP activation enabled.

My sample actually shows two separate approaches on how to implement this. If you already have an external web server where you host static HTML content as well as your Silverlight XAP file, the sample shows an approach using a single Worker Role.

Now if you don’t have an existing webpage, you are probably already considering a Web Role, where you can host the static HTML files and Silverlight XAP file. In that case we can make our life easier by reusing that WebRole to host the clientaccesspolicy.xml file as well. This diagram shows that approach: Web Role + Worker Role.

To run the sample, you need to install the following:

• Visual Studio 2010
• Windows Azure SDK v1.4
• Windows Azure Tools for Microsoft Visual Studio 2010 Platform v1.4

Keep in mind that when you run the sample locally in the development fabric, it will not run correctly, because the the emulator cannot use port 80. Since the policy file has to be hosted on port 80, calls from Silverlight to the service will fail. This gets resolved when you publish the sample to the cloud.

You can get the sample code here. 

Read More

UPDATE: A coworker here at Microsoft has brought up some interesting thoughts regarding this approach, and I’ve added a brief discussion below the second diagram.

Recently I decided to experiment with RIA Services in federated authentication scenarios. For those of you that aren’t familiar with federation, let’s consider the following scenario: my company Contoso builds an expense reporting application that I host in the cloud. One day I get Fabrikam to sign up as a client, and now I have to onboard all Fabrikam employees onto my system. It is true that I could create a login for every employee, but that is impractical because Fabrikam employees have to remember that extra login, and also I would need to keep my list of logins in sync when employees join or leave Fabrikam.

The solution for this is federated authentication, where my app can use a third-party (Fabrikam’s) authentication provider (also known as a Security Token Service or STS) to authenticate users. I won’t try to explain federation from scratch, because Microsoft’s patterns & practices has a great write-up. You can squint and ignore some of the claims stuff as it’s not super relevant to what I’m describing here.

To build an app with federated auth using RIA Services, most folks resort to passive federation, which you might be familiar with from using things like your LiveID login. The passive approach is browser-friendly and uses a combination of cookies, URIs and redirects to log you in to the site you’re trying to access.  The downside in the case of Silverlight is that you cannot complete the login inside your app: you have to navigate away from the Silverlight control, type in your credentials into a HTML (or ASPX) page, and then be bounced back by your browser to reload the control. Another downside is that you need to host a HTML page for the user to type in their credentials, in addition to the Silverlight app and the web services, which might not be desirable.

The following diagram has a more detailed explanation of the exact flow that happens during the passive scenario:

From what I’ve seen, most folks use this passive pattern with RIA today. Eugenio Pace’s blog has a few great write-ups and demos that you can try out. Some are a bit dated, but you should be able to find your way around.

What I wanted to try out was the active federation case, in which the Silverlight app talks dirctly to the identity provider. This has the benefit of having the user type their credentials directly into the Silverlight app, without having to leave the page, which results in a more polished and faster user experience. Eventually, as the crypto support in Silverlight improves, it may end up being a more secure solution as well, if we are able to encrypt and sign the tokens that are being exchanged. The following diagram demonstrates the slightly different message flow in the active case. Note that the app itself is doing most of the work, not the browser.

Some interesting considerations emerged in conversation with Robert O'Brien, an architect here at Microsoft. Please consider these before building your own app:

• One of the things we gain in this approach over a passive federation approach is the ability to log the user in from inside our UI. That provides for a better user experience, but it also puts the burden on our app to expose a credentials UI and pass the token over to the service. Potentially this could be a security risk for our app. Some folks believe that this goes against the spirit of federated authentication since it takes control away from the identity provider.
• The implementation shown here relies on WS-Trust as the protocol for the token. Unfortunately in today’s federated web, it seems like only ADFS and maybe OpenID servers honor that protocol. If you are trying to use WS-Trust and use Facebook/Yahoo/Google (either directly or through Azure’s Access Control Service) as the identity provider, you will find that WS-Trust is probably not supported. So outside the enterprise environment, this approach might not work.

Now some specifics of the sample. It’s a simple master/detail application that allows you to display and edit data. There are two registered users fabrikam\yavor and fabrikam\test and the password for both of them is 12345. If you don’t log in and try to display the data, you will get an error because of the EnableClientAccess attribute.

[RequiresAuthentication]
[EnableClientAccess()]
public class CustomersService : LinqToEntitiesDomainService<AdventureWorksLT2008R2Entities>;

All authenticated users can view the data, but only users in the Editor role can make changes to it. Only the user fabrikam\yavor is in that role.

[RequiresRole("Editors")]
public void UpdateCustomer(Customer currentCustomer)

The bottom line here is that even though we have a STS with external user authentication, we kept authorization local to our app (we use ASP.NET roles). That’s a choice you can make as a developer - you can also externalize the user roles (or claims) as part of the STS, or keep them local.

There are lots of extra details in the app, which you’ll see by exploring the source.

The code is available here. Note that you need the following installed on your machine for it to work:

• Visual Studio 2010
• SQL Server 2008 R2 Express
• SQL Server 2008 R2 Management Studio Express 
• WCF RIA Services V1 SP1/SP2
• Windows Identity Foundation Runtime
• The AdventureWorks LT 2008R2 database for SQL Server Express 2008 R2

Here are some additional notes on the structure of the sample:

• First, please run the included SetupCertificates.cmd script inside the Scripts folder
• The solution will create two applications in your local IIS instance: AddressBookFederatedAuth and IdentityProviderAndSts. Make sure you launch Visual Studio as Administrator, so it has permission to create those. Also make sure you enable HTTPS so both of the applications in the IIS Manager
• Change the Application pool under which those applications are running to use the Network Service account. 
• Use SQL Server Management Studio, make sure Network Service is added as a login to your SQL instance. When you add the account, make sure you give him some sane Server Roles (for example sysadmin). Let me know in the comments if you find any of these steps difficult and I can provide more detailed instructions.

I want to credit Eugenio Pace, Kyle McClellan, and the folks behind the Identity Developer Training Kit, from where I shamelessly stole some code.

Read More

Recently we were contacted by a customer who was building a Release version of their assembly in Visual Studio and encountered the following error:

You could get the same error if you attempt to run the sgen.exe tool on the built assembly:

~~~ Microsoft ® Xml Serialization support utility [Microsoft ® .NET Framework, Version 4.0.30319.1] Copyright © Microsoft Corporation. All rights reserved. Error: Unable to load one or more of the requested types. Retrieve the LoaderExceptions property for more information.

Read More

As you know one of the new features in RIA Services V1 SP1 is support for T4 templates. The T4 template is a design-time artifact that can modify the way RIA Services client-side code generation happens. For more information on T4 templates, check out Jeff Handley’s blog post on the subject.

Recently I was experimenting with RIA Services and I discovered that the IntelliSense comments for my entities were very sparse on the client. For example my Customer entity has a CompanyName property and the IntelliSense comment for that was:

Gets or sets the "CompanyName" value.

It was clear that this comment was being generated automatically, which was quite annoying because I had used my entity model on the server to carefully create useful comments for each property.

I hear EF is actually smart enough that it supports defining these comments in the database itself, and they will get copied over when you create the model, but I haven’t tried it myself.

So I set out to write a T4 template to take those comments from the server types generated by EF and copy them over to my Silverlight project.

The first step was to tell Visual Studio to scrape all the types in my server project and generate a XML file containing their comments, by going to the Build tab of project properties and checking this box: 

This file is usually used for IntelliSense, but you can open it up and the schema is pretty self-explanatory. Because code comments don’t get compiled into assemblies, this is the only way I know to tell VS to export the comments from my entities.

The next step was to write a simple T4 template using RIA Services extensibility. What this does is that as it is about to generate a type on the client (which happens when you build), it will look up that type name and all its properties in the above XML file, and copy the comments over to the generated file.

~~~ csharp [DomainServiceClientCodeGenerator(typeof(CommentsClientCodeGenerator), “C#”)] public class CommentsClientCodeGenerator : CSharpClientCodeGenerator { private XElement comments;

Read More

Ето и презентацията ми за Silverlight и WCF услуги в Windows Azure. Очаквайте и демонстрациите скоро! Отдолу ще намерите презентацията и примерите които показах.

Примери

• Използване на WCF NetTcp услуги в Azure от Silverlight
• Федеративна сигурност с WCF и WIF

Read More

Благодаря на всички които дойдоха на моята презентация за RIA Services миналата седмица по време на Дни на Microsoft ‘11. Отдолу ще намерите презентацията и примерите които показах.

Примери

• T4 templates за копиране на описания от сървърския RIA Services проект в Silverlight проекта
• Федеративна сигурност с RIA Services и WIF

Read More