I have deployed a MVC3, Membership Services, .NET4, C#, Razor, EF4.1, SQL Azure Web application into Azure using Azure Websites(Standard).
I have been experimenting with the new "staging" feature where one can "swap" in an upgraded web application. Very good. What we would really like to do is to upgrade code without interfering with the end user ie Continuous integration of small fixes. However we have noticed that a "Swap" logs users out which is not ideal. I suspect this is to do with authentication cookies being lost after the "swap" so the session cannot authenticate resulting in the users being returned to the login page. Is there a way around this? The only thought I have had is to somehow persist the "essentials" in the database.
Thoughts appreciated.
Thanks in advance.
Since your "stage" application is on another instance, you will need to have a matching machineKey across the two applications. Add the following to your web.config, so that a machineKey is not auto generated.
<machineKey
validationKey="052851E2D519231BE84E455B4C4A9FBC0CAC53B8FE7BBA1917FC296ACE6F41832383347EAEC498F40978DDD3374E7A666AFD0ADC1084A9E48B1B40ADC918C9A6"
decryptionKey="7077D8F4C273E3FC5CE296F3B74897ACECF055F9BA01565372EE87B8746DE50F"
validation="SHA1"
decryption="AES" />
Replace the keys with your own. You can generate them through IIS or here. You can also change the encryption and decryption algorithms if you so choose.
More info on MSDN
Related
I'm trying to set the Machine Key in Web.Config of ASP.Net MVC apps but it sounds like Azure automatically provision unique machine keys for each web app and override what's in my Web.Config.
The reason I want to do that is because I have an App Service witch is used as Authentication App. Thats where users will login. And I also have plenty others apps that will be using the Token provided by the first app. Doing this will Authenticate users at one unique place and users will be able to navigate through some modules in a portal being authenticated only once. It works very well in localhost or hosted in IIS, but on Azure Hosted App Service it seems like Machine Key aren't read properly or something even if I reset the machine-key configuration section upon Application_Start.
I tried the solution described Here, but as #gorillapower said
Seems this isnt working for us. We are using .NET 4.6.1 and using OWIN startup with app.UseCookieAuthentication() and using a Redis cache session provider. I implemented the above, but the user keeps getting logged out after a slot swap. Any ideas?
It also seems that when you run an ASP.NET application on multiple instances of an App Service Plan (ASP) you do not need to worry about machineKeys as the App Service Platform will use the same one across all your instances and therefore will not need to make any changes to your application.
But in my case, our Apps are all in different App Service Plan. So this solution doesn't apply.
Any clues about this problem ?
Thanks
Generate machine Key and add into web.config file
It will work for Web Farm / load balancer either in IIS or Azure Web App service.
Note : It will only work if you are using IAppBuilder->UseCookieAuthentication-> CookieAuthenticationOptions
<system.web>
<authentication mode="None" />
<machineKey validation="HMACSHA256" decryption="AES" validationKey="D6883865C0490AFA4907A046E838DD2C7B13B636694B552630C13770701B944A" decryptionKey="2C3C48562E6FE018E71B69BDB27D06048A573C094A962AA9A1547C3D874C63B0" />
I was deploying my asp MVC 5 web site in Azure Web Site. Everything was fine until I tried to manage my account (changging the password), it gave an error like this:
The anti-forgery token could not be decrypted. If this application is hosted by a Web Farm or cluster, ensure that all machines are running the same version of ASP.NET Web Pages and that the configuration specifies explicit encryption and validation keys. AutoGenerate cannot be used in a cluster.
I was using Asp Identity, so all the code is built in. I have been searching the solution and found two possibilities:
1) It is because there are two #html.antiforgerytoken. One belongs to the MANAGE controller form, and the other belongs to the login partial view int he navigation bar. I tried to exclude the login partial view, but the error persisted, so I concluded that problem might not be it.
2) As the error says, maybe it is about MACHINE KEY. I tried to input setting to the web config. There are two popular ways to generate this machine key, fist is using ISS and the second is using third party. I wanted to use the ISS, but my ISS8 is not showing a modul to see the machine key which is weird that I could not find any solution for it. Then I tried the third party, and created something like this:
<machineKey validationKey="4359B782C08EF91E2AA6CA8AD46C0D63BF323E97ABAA06FBDA1535A1FA1CD2B7702B2BACDC937074ED65FC16D3ECA0F674BBAC8675910AF921D301CA22343AA1" decryptionKey="1A956B2A0405EC07AEBEFBA40DA7E61E2E17F001B868D7507EB3F3CD2AFF060E" validation="SHA1" decryption="AES" />
Then I redeployed my website but the error persisted. Can anyone please help me?
I am starting a new enterprise web application. It will be hosted up on Windows Azure and will be an asp.net MVC application talking to an SQL database.
My question relates to multi-tenancy and the correct way to accomplish it. In the past I've created a multi-tenant application by having a tenant table and than putting a TenantID column in every table. This worked fine (but it was only on a smaller scale so it didn't really exercise it to the nth degree). Looking into the multi-tenant stuff on Azure, it doesn't seem to recommend this way. They talk about subdomain, splitting tenants etc. To me, that just seems like a management nightmare. I would like the user to hit a website, enter their tenant login details and boom they are off.
Is there a simpler way to implement multi-tenancy in Azure that still allows me to use Azure's scalability strengths?
Should I just use the simple TenantID method? Will the Azure framework still scale well to suit?
Should I worry about tenancy at the start or just leave it till the end?
Advice needed.
Thanks
I have done it both ways on Azure. I have done it the way you have done previously where they enter in a tenant code upon logging in and this works fine, I don't see any reason to do differently. You can use SQL Azure federations to manage the tenants so you can have multiple databases easily for scalability.
I have then also used the subdomains approach to identity the tenant, but all it did was map the subdomain to a tenant code. I used this in a system where they didn't have to log on so it was easier for the user.
Worry about it at the start if only to design the database to cope with it.
I notice in the azure examples they are using:
<sessionState mode="Custom" customProvider="TableStorageSessionStateProvider">
Can someone explain what this is used for with MVC3? I'm very confused about session state. Do I really need to use it if my application does not have anything like a shopping cart? Is it needed if I just want to do simple authentication? I removed the code from my web.config and my authentication still seems to work.
If you're publishing your application to Azure and you're using Session in any way (this includes MVC's TempData) then you will probably need to use some kind of central storage for session, rather than using the default "InProc" provider which just stores the user's session in the application's own memory. With azure, you can use, among others, SQL Azure or the AppFabric Cache (still in CTP).
Here is a good lab for AppFabric:
http://msdn.microsoft.com/en-us/gg457897
And here's one for SQL Azure (not supported): http://blogs.msdn.com/b/sqlazure/archive/2010/08/04/10046103.aspx
This is because you could have mutiple instances running or you instance could be moved at any given moment.
It sounds like your application doesn't currently use Session State so you won't need to worry about it. (although, remember that the TempData dictionary uses Session under the hood)
I have a pretty simple ASP.NET MVC Site Application. (MVC 1.0)
I have NO authorization sections in my web.config because I use the [Authoize] attribute on my controllers.
The default web.config for the server allows * for forms authentication, as expected.
I have 2 existing Windows 2008 dedicated (hosted) servers. The site works well.
I have a new dedicated server, seems identical except the site just won't work. Every resource, even images/javascript is redirecting to the login page.
I tried adding explicit authorization rules to allow * and location rules, same result. I checked the .NET Trust level, Internal/Full Trust. Everything runs perfectly on two servers, just this one is ignoring all rules for authorization.
Any ideas?
thanks
I found the issue :) Unless something has changed in Windows 2008 I would have expected this to show as an error but as stated above, it was being hidden by Forms Authentication.
The issue was the hosting company now adds data drives to all servers for your websites/storage. There were no permissions set to allow IIS to read the files. The reason I couldn't find it was I already added permission for the application pool user, in my case I just went ahead and added ASPNET, Network Service, IIS Anon User etc to have full permissions.
I needed to allow Everyone to have at least Read to the website folders and then IIS showed the non-secured content. I still think it is odd that forms auth. was kicking in and ignoring all web.config rules but anyway.
I found the error by turning off Forms Auth support in the IIS 7 manager. Then I got the process failure error because of file permissions.