Using client certificates on Windows Azure

In one of current projects we needed to deploy one Windows Azure site that supports SSL and requires client certificates. Until it’s just about deploying SSL site wo Windows Azure there’s nothing complex but when modifying IIS settings is required then some coding is needed. Here is the example.

Overview

With cloud project it is possible to set up everything needed to deploy SSL site to compute instance (certificates, end points, host headers etc). Changing of IIS settings during or after deployment is not so easy. Start-up script that you can specify in cloud service definition file is run before sites are set up on IIS and the only way to modify IIS settings seems to be the moment when web role starts.

NB! In this posting I expect that you already know how to deploy SSL site to Windows Azure and you are familiar with service definition and configuration files. You can find more from Windows Azure page Configuring SSL for an application in Windows Azure.

Solution

As a solution we make changes to IIS configuration when web role starts. For this moment sites on IIS are set up and we can access them. To access site settings we need library for IIS management and elevated privileges for web role. Under these conditions we can modify site settings.

1. Reference Microsoft.Web.Administration

Right click on web application and add NuGet reference to Microsoft.Web.Administration package.

Microsoft.Web.Administration NuGet package

2. Add WebRole entry point

Add new class called WebRole.cs to web application that you want to deploy to Windows Azure. Code is taken from Manu Cohen-Yashar posting Client Certificates in Windows Azure.

public class WebRole : RoleEntryPoint
{
   
public override bool
OnStart()
    {
       
try
        {
           
using (var server = new ServerManager
())
            {
               
var siteNameFromServiceModel = "Web"; // TODO: update this site name for your site.
                var siteName = string.Format("{0}_{1}", RoleEnvironment
.CurrentRoleInstance.Id, siteNameFromServiceModel);

                var
config = server.GetApplicationHostConfiguration();
               
var accessSection = config.GetSection("system.webServer/security/access"
, siteName);
                accessSection[
"sslFlags"] = @"Ssl,SslRequireCert"
;

                server.CommitChanges();
            }
        }
       
catch (Exception
ex)
        {
           
// handle error here

        }
       
return base.OnStart();
    }
}

If you need different settings for SSL then take a look at SSL flags list in IIS.NET.

3. Run web role in elevated privileges

Now open ServiceDefinition.csdef file from your Windows Azure deployment project and add the following XML there:

<Runtime executionContext="elevated" />

Insert it right below <WebRole> node.

Now you are ready to build your solution and try out if deployment works as expected.

NB! Before deploying SSL site to Windows Azure make sure you have certificates uploaded and DNS settings done. Otherwise you may face hard to debug errors and there is no free official tech support anymore.

If everything went well then you should see the following screen when opening your Windows Azure IIS settings over remote desktop:

IIS on Windows Azure uses SSL and required client certificates

Same way you can also modify all other IIS settings for your web role.

Conclusion

As start-up scripts run in some too early phase of deployment we cannot use them to modify site settings as IIS site is not deployed yet. We were able to use web role start method to make changes to IIS. We used spacial Microsoft.Web.Administration library to keep code simple. Maybe it’s not the best way how to do things but it works in most cases and I was able to deploy the site that authenticates users using Estonian ID-card.

Gunnar Peipman

Gunnar Peipman is ASP.NET, Azure and SharePoint fan, Estonian Microsoft user group leader, blogger, conference speaker, teacher, and tech maniac. Since 2008 he is Microsoft MVP specialized on ASP.NET.

    2 thoughts on “Using client certificates on Windows Azure

    • June 6, 2013 at 11:16 am
      Permalink

      Client certificates will solely be connected to an SSL request to try to do that we want to make an SSL certificate and sign it by a trusty CA (Certificate Authority). we will produce a certificate request exploitation IIS and send it to the CA.

    • Pingback:WindowsAzureRocks

    Leave a Reply

    Your email address will not be published. Required fields are marked *