
I am a developer and technology maniac working on Microsoft and PHP technologies. I hold the ASP.NET MVP title and the MCAD, MCSD and MCTS certificates. When I have free time I usually play with new technologies, hack something, read books, participate in communities and speak at events. I am also an active blogger, and my ASP.NET blog is the place where you can find some interesting reading about my discoveries and personal thoughts. Gunnar is a DZone MVB and is not an employee of DZone.

Using Client Certificates on Windows Azure

06.08.2013

In one of our current projects we needed to deploy a Windows Azure site that supports SSL and requires client certificates. As long as it is just about deploying an SSL site to Windows Azure there is nothing complex, but when modifying IIS settings is required, some coding is needed. Here is the example.

Overview

With a cloud project it is possible to set up everything needed to deploy an SSL site to a compute instance (certificates, endpoints, host headers etc.). Changing IIS settings during or after deployment is not so easy. The start-up script that you can specify in the cloud service definition file runs before the sites are set up on IIS, and the only moment at which IIS site settings can be modified seems to be when the web role starts.

NB! In this posting I expect that you already know how to deploy an SSL site to Windows Azure and that you are familiar with the service definition and configuration files. You can find more on the Windows Azure page Configuring SSL for an application in Windows Azure.

Solution

As a solution we make the changes to the IIS configuration when the web role starts. At that moment the sites on IIS are already set up and we can access them. To access the site settings we need the IIS management library and elevated privileges for the web role. Under these conditions we can modify the site settings.

1. Reference Microsoft.Web.Administration

Right-click on the web application and add a NuGet reference to the Microsoft.Web.Administration package.

[Screenshot: Microsoft.Web.Administration NuGet package]

2. Add WebRole entry point

Add a new class called WebRole.cs to the web application that you want to deploy to Windows Azure. The code is taken from Manu Cohen-Yashar's posting Client Certificates in Windows Azure; the using directives and comments are added here.

using System;
using System.Diagnostics;
using Microsoft.Web.Administration;
using Microsoft.WindowsAzure.ServiceRuntime;

public class WebRole : RoleEntryPoint
{
    public override bool OnStart()
    {
        try
        {
            // ServerManager edits the local IIS configuration, which is why the
            // role entry point must run elevated (see step 3).
            using (var server = new ServerManager())
            {
                // Must match the <Site name="..."> element in ServiceDefinition.csdef.
                var siteNameFromServiceModel = "Web"; // TODO: update this site name for your site.

                // Azure names the IIS site "<role instance id>_<site name>", so this
                // resolves to the site of the instance this code is running on.
                var siteName = string.Format("{0}_{1}", RoleEnvironment.CurrentRoleInstance.Id, siteNameFromServiceModel);

                // The access section is locked at server level by default, so it is
                // written to applicationHost.config under the site's location path.
                var config = server.GetApplicationHostConfiguration();
                var accessSection = config.GetSection("system.webServer/security/access", siteName);
                accessSection["sslFlags"] = @"Ssl,SslRequireCert";

                server.CommitChanges();
            }
        }
        catch (Exception ex)
        {
            // NB! Swallowing the exception here means the instance starts with the
            // site still accepting connections without a client certificate (fail open).
            // Log it, and consider returning false so that the instance does not start.
            Trace.TraceError("Failed to require client certificates: {0}", ex);
        }
        return base.OnStart();
    }
}

If you need different SSL settings then take a look at the SSL flags list on IIS.NET. Note the difference between SslNegotiateCert, which only asks the client for a certificate and lets the request through without one, and SslRequireCert, which makes IIS reject requests that do not present a certificate.

3. Run the web role with elevated privileges

Now open the ServiceDefinition.csdef file from your Windows Azure deployment project and add the following XML there:

<Runtime executionContext="elevated" />

Insert it right below the <WebRole> node. Note that the elevated execution context applies only to the process hosting the role entry point (the OnStart code above); the site itself keeps running in the IIS worker process under the application pool identity, so this does not elevate your web application.
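The following ServiceDefinition.csdef ties the three steps together: the elevated runtime, an HTTPS endpoint bound to the SSL certificate, and a site whose name matches the one the WebRole code looks up. It is an example added to this page, not a file from the original post or project; the service, role, endpoint and certificate names are placeholders, while the site name "Web" is the one the code above expects.

```xml
<?xml version="1.0" encoding="utf-8"?>
<ServiceDefinition name="ClientCertDemo"
                   xmlns="http://schemas.microsoft.com/ServiceHosting/2008/10/ServiceDefinition">
  <WebRole name="ClientCertWebRole" vmsize="Small">
    <!-- Step 3: the role entry point (WebRole.OnStart) runs elevated so that
         ServerManager can write to applicationHost.config. -->
    <Runtime executionContext="elevated" />

    <!-- The site name here ("Web") is what siteNameFromServiceModel in WebRole.cs
         must be set to; Azure creates the IIS site as "<instance id>_Web". -->
    <Sites>
      <Site name="Web">
        <Bindings>
          <Binding name="HttpsIn" endpointName="HttpsIn" />
        </Bindings>
      </Site>
    </Sites>

    <!-- HTTPS only: no HTTP endpoint, so there is no plain-text path around the
         client certificate requirement. -->
    <Endpoints>
      <InputEndpoint name="HttpsIn" protocol="https" port="443" certificate="SslCert" />
    </Endpoints>

    <!-- The server certificate is uploaded to the cloud service; its thumbprint is
         given in ServiceConfiguration.cscfg, not here. -->
    <Certificates>
      <Certificate name="SslCert" storeLocation="LocalMachine" storeName="My" />
    </Certificates>
  </WebRole>
</ServiceDefinition>
```

The matching ServiceConfiguration.cscfg then carries a <Certificate name="SslCert" thumbprint="..." thumbprintAlgorithm="sha1" /> entry for the role. If the site name in the csdef and the one in WebRole.cs drift apart, GetSection is applied to a location path that does not exist on the instance, and the site quietly keeps serving without requiring client certificates.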

Now you are ready to build your solution and try out if deployment works as expected.

NB! Before deploying an SSL site to Windows Azure make sure you have the certificates uploaded and the DNS settings done. Otherwise you may face hard-to-debug errors, and there is no free official tech support anymore.

If everything went well then you should see the following when opening the IIS settings of your Windows Azure instance over remote desktop:

[Screenshot: IIS on Windows Azure uses SSL and requires client certificates]

In the same way you can also modify any other IIS setting for your web role.

Conclusion

As start-up scripts run at too early a phase of deployment, we cannot use them to modify site settings because the IIS site is not deployed yet. We were able to use the web role start method to make changes to IIS, and we used the Microsoft.Web.Administration library to keep the code simple. Keep in mind that requiring a certificate at the SSL layer only guarantees that the client presented one that IIS accepted; the application still has to check who the certificate belongs to before treating the request as authenticated. Maybe it's not the best way to do things, but it works in most cases, and I was able to deploy a site that authenticates users using the Estonian ID-card.




Published at DZone with permission of Gunnar Peipman, author and DZone MVB. (source)
