Override MachineKey on Microsoft Azure App Services across multiple App Service Plan - asp.net-mvc

I'm trying to set the Machine Key in Web.Config of ASP.Net MVC apps but it sounds like Azure automatically provision unique machine keys for each web app and override what's in my Web.Config.
The reason I want to do that is because I have an App Service witch is used as Authentication App. Thats where users will login. And I also have plenty others apps that will be using the Token provided by the first app. Doing this will Authenticate users at one unique place and users will be able to navigate through some modules in a portal being authenticated only once. It works very well in localhost or hosted in IIS, but on Azure Hosted App Service it seems like Machine Key aren't read properly or something even if I reset the machine-key configuration section upon Application_Start.
I tried the solution described Here, but as #gorillapower said
Seems this isnt working for us. We are using .NET 4.6.1 and using OWIN startup with app.UseCookieAuthentication() and using a Redis cache session provider. I implemented the above, but the user keeps getting logged out after a slot swap. Any ideas?
It also seems that when you run an ASP.NET application on multiple instances of an App Service Plan (ASP) you do not need to worry about machineKeys as the App Service Platform will use the same one across all your instances and therefore will not need to make any changes to your application.
But in my case, our Apps are all in different App Service Plan. So this solution doesn't apply.
Any clues about this problem ?
Thanks

Generate machine Key and add into web.config file
It will work for Web Farm / load balancer either in IIS or Azure Web App service.
Note : It will only work if you are using IAppBuilder->UseCookieAuthentication-> CookieAuthenticationOptions
<system.web>
<authentication mode="None" />
<machineKey validation="HMACSHA256" decryption="AES" validationKey="D6883865C0490AFA4907A046E838DD2C7B13B636694B552630C13770701B944A" decryptionKey="2C3C48562E6FE018E71B69BDB27D06048A573C094A962AA9A1547C3D874C63B0" />

Related

How to use OAuth in a C# web api app when hosting multiple instances

I have a C# web API application, which is using OAuth and annotations such as:
[Authorize(Roles = "admin")]
I'm hosting it on AWS elastic beanstalk. It works fine when there is 1 instance running, but when I started to have multiple instances, I was getting unauthorised messages returned. Clearly the tokens are not valid across multiple machines.
Is there a way that I can add some configuration to the instances so that they accept tokens that have been generated on a different machine?
You can set the MachineKey in web.config which can be used to share tokens between multiple machines.
<machineKey decryption="AES" decryptionKey="..." validation="HMACSHA256" validationKey="..." />
The script to generate the machine key can be found here.

Identity Impersonation with ASP.NET 4 MVC not working as expected

I am in the process of building a Intranet MVC 4 application for our analysts. The goal is to allow internal users access to this application without having to sign on given they are part of our internal network. When they access the application I want to be able to capture their windows user name and check against the active directory using LDAP and retrieve the department they belong to and display the relevant details on the screen. Based on the advice from different fora, I have chosen Windows Authentication for this application and I was able to test the app successfully running from Visual Studio. The trouble I am having is when I deploy this to our UAT server running IIS 7.5.
<authentication mode="Windows">
</authentication>
<identity impersonate="false" />
This is the current state of my Web.config file. Irrespective of whether impersonate is true or false, the application seems to not capture the windows username of the browser from which the application is accessed. Is
impersonate = true
required for this at all? In the Welcome message on the homepage, I always see the windows user name of the computer where the application is hosted/IIS is running. I have tried a wide variety of ways to capture the Windows User name of the incoming user request.
string name = System.Web.HttpContext.Current.User.Identity.Name;
string name = System.Web.HttpContext.Current.Request.LogonUserIdentity.Name;
string name = System.Security.Principal.WindowsIdentity.GetCurrent().Name;
string name = System.Web.HttpContext.Current.Request.ServerVariables["LOGON_USER"].Name;
etc. I also looked into several other posts here like this. But I am unable to get it to work. I am afraid that I am trying to achieve this by accident rather than really understanding what is going on? Could someone please guide me in the right direction?
No, you misunderstand the purpose of impersonation.
First, Impersonation is no longer supported in IIS 7 or greater running in integrated mode.
Second, the purpose of impersonation is to change the "user" the worker process runs under at runtime, specifically to allow access to filesystem or database resources as that user. It has nothing to do with authentication in general, and is not particularly useful for most web applications.
You want to use Windows Authentication, however you should know that this will only work with Internet Explorer. It will also only work with servers that are joined to your domain, and do not have any intermediary Kerberos authentication issues. (these are often known as "double hop" problems). Other browsers do not, by default, provide Active Directory account information automatically, although some may be configured to allow it to do so, others do not.
If you are using a properly configured server with Windows Authentication, and you are using a browser that supports ActiveDirectory Kerberos ticket passthrough, and there are no network issues that would cause problems with this passthrough, then you can use HttpContext.Current.User.Identity.Name to get the users name.
Don't use LogonName or anything like that, as those will just give you the worker process, not the authenticated users name.

How to prevent "Swapping" of "Staged" Azure Websites from logging users out?

I have deployed a MVC3, Membership Services, .NET4, C#, Razor, EF4.1, SQL Azure Web application into Azure using Azure Websites(Standard).
I have been experimenting with the new "staging" feature where one can "swap" in an upgraded web application. Very good. What we would really like to do is to upgrade code without interfering with the end user ie Continuous integration of small fixes. However we have noticed that a "Swap" logs users out which is not ideal. I suspect this is to do with authentication cookies being lost after the "swap" so the session cannot authenticate resulting in the users being returned to the login page. Is there a way around this? The only thought I have had is to somehow persist the "essentials" in the database.
Thoughts appreciated.
Thanks in advance.
Since your "stage" application is on another instance, you will need to have a matching machineKey across the two applications. Add the following to your web.config, so that a machineKey is not auto generated.
<machineKey
validationKey="052851E2D519231BE84E455B4C4A9FBC0CAC53B8FE7BBA1917FC296ACE6F41832383347EAEC498F40978DDD3374E7A666AFD0ADC1084A9E48B1B40ADC918C9A6"
decryptionKey="7077D8F4C273E3FC5CE296F3B74897ACECF055F9BA01565372EE87B8746DE50F"
validation="SHA1"
decryption="AES" />
Replace the keys with your own. You can generate them through IIS or here. You can also change the encryption and decryption algorithms if you so choose.
More info on MSDN

MVC 3 Authentication Issue

I have a few web applications running on production server.
Scenario:
Web App1(e.g. www.test.com): In this web application, User logs in and cookies are created in this application. User can do some other functionalities here, although on click of 1 button, it is required to redirect to another web application (WebApp2)
Web App2 (on different subdomain, e.g. abc.test.com): The session created earlier is to be passed here. Hence, I had used same machine key for Web.config in two webapps (Web App1 and Web App2) (As suggested on Link: Sharing sessions across applications using the ASP.NET Session State Service).
Issue:
Although, the session is getting shared fine and everything works great on staging.
But, on production, I am getting this error:
Unable to cast object of type 'System.Security.Principal.GenericIdentity' to type 'System.Web.Security.FormsIdentity'
It seems to me that the session sharing is not happening for some reason on production. Can you please guide me on the possible cause of this issue.
Either: Enable Forms authentication on production IIS
or: ensure your web.config on production (sessionState)
It looks like roots are configuration issues on production.

Configure application pools in IIS Express

Recently I have been using IIS Express and it works really great. However, I have on scenario I am unable to solve.
I am developing a webapp where users should be able to login with their AD account. Since the server which will run the webapp is outside the domain I use ADFS 2.0 as a SSO solution to solve this problem.
To make development for this project easier, I have chosen to use IIS Express when developing.
To be able to exchange claims information with the ADFS 2.0 server from my development environment, I have to configure the application pool for the site to have Load User Profile set to true (like i.e. IIS 7.5). I have searched around the web, and have so far found very little documentation on how to configure application pools in IIS Express.
This has nothing to do with ADFS but it's the way WIF uses to sign and encrypt the cookie that will be used to identify the user after the initial sign in. The default implementation in WIF uses DPAPI which relies om the user profile to get key material.
You can override that default and use the machinekey as key material instead. Indeed thats the way it works in NET 4.5 by default precisely because all the issues with DPAPI. Here you have the way to do it in Net 4
http://leastprivilege.com/2012/07/12/machinekey-based-session-protection-for-wif/

Resources