I have two web roles within a cloud service, one to expose outside and one for internal use. The external web role has an MVC web application which will have to connect to the internal web role which will have a Web API. I have the below service definition for my Azure Cloud service.
<?xml version="1.0" encoding="utf-8"?>
<ServiceDefinition name="AzureWeb_ExternalCloudService" xmlns="http://schemas.microsoft.com/ServiceHosting/2008/10/ServiceDefinition" schemaVersion="2015-04.2.6">
<WebRole name="ExternalWebApplication" vmsize="A6">
<Sites>
<Site name="Web">
<Bindings>
<Binding name="Endpoint1" endpointName="Endpoint1" />
</Bindings>
</Site>
</Sites>
<ConfigurationSettings>
<Setting name="Microsoft.WindowsAzure.Plugins.Diagnostics.ConnectionString" />
<Setting name="ServiceBaseURL" />
</ConfigurationSettings>
<Endpoints>
<InputEndpoint name="Endpoint1" protocol="http" port="80" />
</Endpoints>
</WebRole>
<WebRole name="InternalWebAPI" vmsize="Small">
<Sites>
<Site name="Web">
<Bindings>
<Binding name="Endpoint2" endpointName="Endpoint2" />
</Bindings>
</Site>
</Sites>
<ConfigurationSettings>
<Setting name="Microsoft.WindowsAzure.Plugins.Diagnostics.ConnectionString" />
</ConfigurationSettings>
<Endpoints>
<InternalEndpoint name="Endpoint2" protocol="http" port="8080" />
</Endpoints>
</WebRole>
<NetworkTrafficRules>
<OnlyAllowTrafficTo>
<Destinations>
<RoleEndpoint roleName="InternalWebAPI" endpointName="Endpoint2"/>
</Destinations>
<WhenSource matches="AnyRule">
<FromRole roleName="ExternalWebApplication"/>
</WhenSource>
<AllowAllTraffic/>
</OnlyAllowTrafficTo>
</NetworkTrafficRules>
</ServiceDefinition>
However, I get the below error when I try to build.
The XML specification is not valid: The element 'OnlyAllowTrafficTo'
in namespace
'http://schemas.microsoft.com/ServiceHosting/2008/10/ServiceDefinition'
has invalid child element 'AllowAllTraffic' in namespace
'http://schemas.microsoft.com/ServiceHosting/2008/10/ServiceDefinition'
According to the ServiceDefinitionSchema (mine is located at %ProgramFiles%\Microsoft SDKs\Azure.NET SDK\v2.8\schemas), the AllowAllTraffic element must precede the WhenSource element.
Related
I'm trying to get a docker image to run our on-premise Service Fabric cluster.
We've setup a service fabric cluster on our on-premise network, which seems to run fine (it already runs 2 docker images). I'm looking for one of my containers to run under a domain user (Service Account), so I can reach SMB shares in my network (which have been granted permission to the service account).
I'm getting the following error:
Error event: SourceId='System.Hosting', Property='Activation:1.0'.
There was an error during activation.Failed to setup ApplicationPrincipals. Error:ApplicationPrincipalAbortableError
Also shown as image:
The container I'm trying to run: https://hub.docker.com/r/stefanscherer/registry-windows/
ApplicationManifest.xml
<?xml version="1.0" encoding="utf-8"?>
<ApplicationManifest ApplicationTypeName="[REMOVED].ServiceFabric.WindowsContainerRegistryType"
ApplicationTypeVersion="1.0.0"
xmlns="http://schemas.microsoft.com/2011/01/fabric"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<Parameters>
<Parameter Name="WindowsContainerRegistry_InstanceCount" DefaultValue="-1" />
</Parameters>
<!-- Import the ServiceManifest from the ServicePackage. The ServiceManifestName and ServiceManifestVersion
should match the Name and Version attributes of the ServiceManifest element defined in the
ServiceManifest.xml file. -->
<ServiceManifestImport>
<ServiceManifestRef ServiceManifestName="WindowsContainerRegistryPkg" ServiceManifestVersion="1.0.0" />
<ConfigOverrides />
<Policies>
<ContainerHostPolicies CodePackageRef="Code">
<!-- See https://aka.ms/I7z0p9 for how to encrypt your repository password -->
<RepositoryCredentials AccountName="" Password="" PasswordEncrypted="false" />
<PortBinding ContainerPort="5000" EndpointRef="WindowsContainerRegistryTypeEndpoint" />
<Volume Source="\\[REMOVED]\ServiceFabricShare" Destination="C:\registry" IsReadOnly="false"></Volume>
</ContainerHostPolicies>
</Policies>
</ServiceManifestImport>
<DefaultServices>
<!-- The section below creates instances of service types, when an instance of this
application type is created. You can also create one or more instances of service type using the
ServiceFabric PowerShell module.
The attribute ServiceTypeName below must match the name defined in the imported ServiceManifest.xml file. -->
<Service Name="WindowsContainerRegistry" ServicePackageActivationMode="ExclusiveProcess">
<StatelessService ServiceTypeName="WindowsContainerRegistryType" InstanceCount="[WindowsContainerRegistry_InstanceCount]">
<SingletonPartition />
</StatelessService>
</Service>
</DefaultServices>
<Principals>
<Users>
<User Name="ServiceFabricAppl" AccountType="DomainUser" AccountName="[REMOVED]\appl_ServiceFabric" Password="[REMOVED]" PasswordEncrypted="false" />
</Users>
</Principals>
<Policies>
<DefaultRunAsPolicy UserRef="ServiceFabricAppl" />
</Policies>
</ApplicationManifest>
P. S. I'm working with an unencrypted password just for testing purposes to make sure this isn't the problem right now.
ServiceManifest.xml
<?xml version="1.0" encoding="utf-8"?>
<ServiceManifest Name="WindowsContainerRegistryPkg"
Version="1.0.0"
xmlns="http://schemas.microsoft.com/2011/01/fabric"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<ServiceTypes>
<!-- This is the name of your ServiceType.
The UseImplicitHost attribute indicates this is a guest service. -->
<StatelessServiceType ServiceTypeName="WindowsContainerRegistryType" UseImplicitHost="true">
<Extensions>
<Extension Name="Traefik">
<Labels xmlns="http://schemas.microsoft.com/2015/03/fabact-no-schema">
<Label Key="traefik.frontend.rule">Host:registry.windows.containers.[REMOVED].com</Label>
<Label Key="traefik.enable">true</Label>
<Label Key="traefik.frontend.passHostHeader">true</Label>
<!--<Label Key="traefik.port">5000</Label>
<Label Key="traefik.protocol">http</Label>
<Label Key="traefik.frontend.entryPoints">http,https</Label>
<Label Key="traefik.frontend.headers.referrerPolicy">no-referrer</Label>-->
</Labels>
</Extension>
</Extensions>
</StatelessServiceType>
</ServiceTypes>
<!-- Code package is your service executable. -->
<CodePackage Name="Code" Version="1.0.0">
<EntryPoint>
<!-- Follow this link for more information about deploying Windows containers to Service Fabric: https://aka.ms/sfguestcontainers -->
<ContainerHost>
<ImageName>stefanscherer/registry-windows:2.6.2-2016</ImageName>
</ContainerHost>
</EntryPoint>
<!-- Pass environment variables to your container: -->
<!--
<EnvironmentVariables>
<EnvironmentVariable Name="VariableName" Value="VariableValue"/>
</EnvironmentVariables>
-->
</CodePackage>
<!-- Config package is the contents of the Config directoy under PackageRoot that contains an
independently-updateable and versioned set of custom configuration settings for your service. -->
<ConfigPackage Name="Config" Version="1.0.0" />
<Resources>
<Endpoints>
<!-- This endpoint is used by the communication listener to obtain the port on which to
listen. Please note that if your service is partitioned, this port is shared with
replicas of different partitions that are placed in your code. -->
<Endpoint Name="WindowsContainerRegistryTypeEndpoint" Port="5000" />
</Endpoints>
</Resources>
</ServiceManifest>
Sources:
https://learn.microsoft.com/en-us/azure/service-fabric/service-fabric-run-service-as-ad-user-or-group
Service fabric local cluster error (this one didn't offer any solution for me unfortunately)
I have a WCF project with CSLA and I have published this service and MVC application in my IIS Server, but it's throwing one error when calling the service from Web app
System.ServiceModel.Security.SecurityNegotiationException: The caller was not authenticated by the service. ---> System.ServiceModel.FaultException: The request for security token could not be satisfied because authentication failed.
This is my service web.config
<system.serviceModel>
<serviceHostingEnvironment multipleSiteBindingsEnabled="true" />
<services>
<service name="Csla.Server.Hosts.WcfPortal" behaviorConfiguration="returnFaults">
<endpoint binding="wsHttpBinding" bindingConfiguration="wsHttpBinding_IWcfPortal" contract="Csla.Server.Hosts.IWcfPortal" />
</service>
<service name="Csla.Server.Hosts.Mobile.WcfPortal" behaviorConfiguration="returnFaults">
<endpoint binding="basicHttpBinding" bindingConfiguration="basicHttpBinding_IWcfPortal" contract="Csla.Server.Hosts.Mobile.IWcfPortal" />
</service>
</services>
<bindings>
<basicHttpBinding>
<binding name="basicHttpBinding_IWcfPortal" maxReceivedMessageSize="2147483647" maxBufferPoolSize="2147483647" maxBufferSize="2147483647">
<readerQuotas maxBytesPerRead="2147483647" maxArrayLength="2147483647" maxStringContentLength="2147483647" maxNameTableCharCount="2147483647" maxDepth="2147483647" />
</binding>
</basicHttpBinding>
<wsHttpBinding>
<binding name="wsHttpBinding_IWcfPortal" maxReceivedMessageSize="2147483647">
<readerQuotas maxBytesPerRead="2147483647" maxArrayLength="2147483647" maxStringContentLength="2147483647" maxNameTableCharCount="2147483647" maxDepth="2147483647" />
</binding>
</wsHttpBinding>
</bindings>
<behaviors>
<serviceBehaviors>
<behavior name="returnFaults">
<serviceDebug includeExceptionDetailInFaults="true" />
<serviceMetadata httpGetEnabled="true" />
</behavior>
</serviceBehaviors>
</behaviors>
</system.serviceModel>
I have consume this service in my MVC web.config like this.
<add key="CslaAuthentication" value="Csla" />
<add key="CslaDataPortalProxy" value="Csla.DataPortalClient.WcfProxy, Csla" />
<add key="CslaDataPortalUrl" value="http://www.someurl.net/WcfFullPortal.svc" />
Then after I have called service directly from my service project, that was working fine.
<add key="CslaDataPortalUrl" value="http://localhost:11170/WcfFullPortal.svc" />
And also tried with published IP address, that also working fine
<add key="CslaDataPortalUrl" value="http://10.4.56.75/WcfFullPortal.svc" />
Only problem when I use published host name(http://www.someurl.net/WcfFullPortal.svc). And I have open this URL in by browser that was working.
Add following binding configuration right after the section in the web.config <system.serviceModel> section.
<bindings>
<wsHttpBinding>
<binding name="TheBindingConfig">
<security mode="None" />
</binding>
</wsHttpBinding>
</bindings>
just Change Csla.DataPortalClient.WcfProxy to Csla.DataPortalClient.HttpProxy
and <add key="CslaDataPortalUrl" value="http://www.someurl.net/WcfFullPortal.svc" /> to <add key="CslaDataPortalUrl" value="http://www.someurl.net/DataPortal/PostAsync" />
And also add
protected void Application_AuthenticateRequest(Object sender, EventArgs e)
{
HttpContext.Current.User = new Csla.Security.UnauthenticatedPrincipal();
}
in Global.asax.cs
I have attempted to get IIS Express working so that external users can view my MVC ASP.NET development website. I followed instructions on this SO answer but am now getting a 503 error when accessing the website using my external IP address, localhost still works fine.
My configuration file seems ok
<site name="ManagerUI" id="5">
<application path="/" applicationPool="Clr4IntegratedAppPool">
<virtualDirectory path="/" physicalPath="D:\Application Development\Manager\MAIN-Branch\ManagerUI\ManagerUI" />
</application>
<bindings>
<binding protocol="http" bindingInformation="*:1904:" />
</bindings>
</site>
I found the following SO answer which solves the issue, but it will ONLY allow it to work on an external address rather than all my IP addresses (localhost, external one etc)
<binding protocol="http" bindingInformation=":1904:your-machine-name" />
I managed to solve it, my mistake was thinking that you could only have one binding set, I then setup binding for every external address I wished to serve on and it now all works
<bindings>
<binding protocol="http" bindingInformation=":1904:" />
<binding protocol="http" bindingInformation=":1904:machineName" />
<binding protocol="http" bindingInformation=":1904:10.1.10.123" />
</bindings>
I've got an WCF .svc file added to my MVC3 project and I'm trying to prevent the service being accessed over HTTP.
With the config below my service is available over https on one port and then over http on another.
How can I prevent this?
Thanks
<system.serviceModel>
<bindings>
<basicHttpBinding>
<binding name="TS">
<security mode="Transport">
<transport clientCredentialType="None"/>
</security>
</binding>
</basicHttpBinding>
</bindings>
<services>
<service name="Endpoints" behaviorConfiguration="Default">
<endpoint address="https://localhost:44301/Services/Endpoints.svc" binding="basicHttpBinding" bindingConfiguration="TS" contract="UkerLtd.Services.IEndpoints"></endpoint>
<endpoint contract="IMetadataExchange" binding="mexHttpBinding" address="mex" />
</service>
</services>
<behaviors>
<serviceBehaviors>
<behavior name="Default">
<serviceMetadata httpGetEnabled="false" httpsGetUrl="https://localhost:44301/Services/Endpoints.svc" httpsGetEnabled="true" />
<serviceDebug includeExceptionDetailInFaults="true" />
</behavior>
</serviceBehaviors>
</behaviors>
<serviceHostingEnvironment multipleSiteBindingsEnabled="false" />
</system.serviceModel>
You can comment or remove the second endpoint for the IMetadataExchange,
since it is for the same service, the metadata will be exposed by the
httpsGetEnabled="true" in the serviceBehaviors/serviceMetadata.
Otherwise you could "Set up IIS to require SSL", but since it's not an option..
hope this helps.
I have two ASP.Net MVC applications, let's say Site1 and Site2.
For now, I can successfully access Site1 by visiting http://localhost/
Here's my IIS Express applicationhost.config file:
<sites>
<site name="Site1" id="1" serverAutoStart="true">
<application path="/">
<virtualDirectory path="/" physicalPath="%IIS_USER_HOME%\wwwroot\Site1" />
</application>
<bindings>
<binding protocol="http" bindingInformation=":80:localhost" />
<binding protocol="http" bindingInformation=":80:10.49.0.137" />
</bindings>
</site>
<siteDefaults>
<logFile logFormat="W3C" directory="%IIS_USER_HOME%\logs" />
<traceFailedRequestsLogging directory="%IIS_USER_HOME%\logs\tracelogfiles" enabled="false" maxLogFileSizeKB="1024" />
</siteDefaults>
<applicationDefaults applicationPool="IISExpressAppPool" />
<virtualDirectoryDefaults allowSubDirConfig="true" />
</sites>
What I want now is:
Access Site1 on http://localhost/Site1
Place Site2 on %IIS_USER_HOME%\wwwroot\Site2
Access Site2 on http.//localhost/Site2
How should I change the above applicationhost.config to achieve what I want?
Thanks.
change your applicationhost.config as shown below and restart IIS Express.
<sites>
<site name="Site1" id="1" serverAutoStart="true">
<application path="/">
<virtualDirectory path="/" physicalPath="%IIS_USER_HOME%\wwwroot\" />
</application>
<application path="/site1">
<virtualDirectory path="/" physicalPath="%IIS_USER_HOME%\wwwroot\Site1" />
</application>
<application path="/site2">
<virtualDirectory path="/" physicalPath="%IIS_USER_HOME%\wwwroot\Site2" />
</application>
<bindings>
<binding protocol="http" bindingInformation=":80:localhost" />
<binding protocol="http" bindingInformation=":80:10.49.0.137" />
</bindings>
</site>
<siteDefaults>
<logFile logFormat="W3C" directory="%IIS_USER_HOME%\logs" />
<traceFailedRequestsLogging directory="%IIS_USER_HOME%\logs\tracelogfiles" enabled="false" maxLogFileSizeKB="1024" />
</siteDefaults>
<applicationDefaults applicationPool="IISExpressAppPool" />
<virtualDirectoryDefaults allowSubDirConfig="true" />
</sites>
Check this great entry.
Working with SSL at Development Time is easier with IISExpress - Scott Hanselman
Execute netsh command after applicationHost.config append binding.
netsh http add urlacl url=http://10.49.0.137:80/ user=everyone