Need to know how to add Placement Policy in application manifest.xml
I have this PS script
New-ServiceFabricService -ApplicationName fabric:/$appName123 `
    -ServiceName fabric:/$appName123/MyApp1 -ServiceTypeName $serviceTypeName -Stateless -PartitionSchemeSingleton `
    -PlacementPolicy @("AllowMultipleStatelessInstancesOnNode") -InstanceCount 10 `
    -ServicePackageActivationMode ExclusiveProcess
What will be the equivalent in ApplicationManifest.xml?
<Service Name="App" ServicePackageActivationMode="ExclusiveProcess">
  <StatelessService ServiceTypeName="Service" InstanceCount="[InstanceCount]">
    <SingletonPartition />
    <!-- this tag -->
    <ServicePlacementPolicies>
      <ServicePlacementPolicy Type="AllowMultipleStatelessInstancesOnNode" />
    </ServicePlacementPolicies>
  </StatelessService>
</Service>
This I got from ChatGPT :). Yet to try this.
<ServiceManifestImport>
<ServiceTypeName>MyServiceType</ServiceTypeName>
<ServiceManifestRef ServiceManifestName="MyServiceManifest" ServiceManifestVersion="1.0.0" />
<PlacementPolicy>
<Policy Type="InvalidDomain" DomainName="MyPlacementPolicy" />
</PlacementPolicy>
</ServiceManifestImport>
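As an added illustration (my code, not from the question, the accepted answer or the ChatGPT fragment above), the following Python builds the <Service> element that goes under DefaultServices from the same inputs New-ServiceFabricService takes. It handles the "Type" and "Type,fd:/domain" forms of -PlacementPolicy and rejects policy types the manifest schema does not define, so a typo fails here rather than at deployment. The function names are mine. ServicePackageActivationMode="ExclusiveProcess" is kept as the default because each service then gets its own host process instead of sharing one with the application's other code packages.

```python
"""Build the ApplicationManifest.xml <Service> element equivalent to a
New-ServiceFabricService call for a stateless, singleton-partition service.
Added example; function names are mine, not from the Service Fabric SDK."""
import xml.etree.ElementTree as ET

# Placement policy types defined by the manifest schema. The first three take a
# DomainName (written "Type,fd:/domain" on the PowerShell side); the rest do not.
DOMAIN_POLICIES = {"InvalidDomain", "RequiredDomain", "PreferredPrimaryDomain"}
PLAIN_POLICIES = {"RequiredDomainDistribution", "NonPartiallyPlace",
                  "AllowMultipleStatelessInstancesOnNode"}


def parse_placement_policy(spec):
    """Turn one -PlacementPolicy string into the attributes of <ServicePlacementPolicy>."""
    policy_type, _, domain = spec.partition(",")
    policy_type, domain = policy_type.strip(), domain.strip()
    if policy_type in DOMAIN_POLICIES:
        if not domain:
            raise ValueError(f"{policy_type} needs a domain, e.g. '{policy_type},fd:/dc1'")
        return {"Type": policy_type, "DomainName": domain}
    if policy_type in PLAIN_POLICIES:
        if domain:
            raise ValueError(f"{policy_type} does not take a domain name")
        return {"Type": policy_type}
    raise ValueError(f"unknown placement policy type '{policy_type}'")


def stateless_service_element(service_name, service_type_name, instance_count,
                              placement_policies=(), activation_mode="ExclusiveProcess"):
    """Return the <Service> element for DefaultServices.

    instance_count may be an int (-InstanceCount 10) or a "[Parameter]" reference.
    ExclusiveProcess is the default so the service runs in its own host process
    instead of sharing one with the other code packages of the application.
    """
    if activation_mode not in ("SharedProcess", "ExclusiveProcess"):
        raise ValueError("activation_mode must be SharedProcess or ExclusiveProcess")
    service = ET.Element("Service", Name=service_name,
                         ServicePackageActivationMode=activation_mode)
    stateless = ET.SubElement(service, "StatelessService",
                              ServiceTypeName=service_type_name,
                              InstanceCount=str(instance_count))
    ET.SubElement(stateless, "SingletonPartition")   # -PartitionSchemeSingleton
    if placement_policies:
        policies = ET.SubElement(stateless, "ServicePlacementPolicies")
        for spec in placement_policies:
            ET.SubElement(policies, "ServicePlacementPolicy", **parse_placement_policy(spec))
    return service


def service_xml(*args, **kwargs):
    """Same as stateless_service_element, serialized for pasting into the manifest."""
    return ET.tostring(stateless_service_element(*args, **kwargs), encoding="unicode")


if __name__ == "__main__":
    # The command from the question: -Stateless -PartitionSchemeSingleton
    # -PlacementPolicy @("AllowMultipleStatelessInstancesOnNode") -InstanceCount 10
    print(service_xml("MyApp1", "MyServiceType", 10,
                      ["AllowMultipleStatelessInstancesOnNode"]))
```

Pass "[InstanceCount]" as instance_count to keep the value parameterised as in the answer's XML; the element order (partition first, then ServicePlacementPolicies) follows the manifest schema.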
Related
I have many services with the same main path, so I'm looking to add the main path to an app settings key and access it in baseAddress.
Just like the code below, what could I use instead of {baseAddresses}?
<appSettings>
<add key="baseAddresses" value="https://localhost:4434/X/"/>
</appSettings>
<service name="X.Services.Proxy.MOF" behaviorConfiguration="restServiceBehave">
<host>
<baseAddresses>
<add baseAddress="{baseAddresses}/MOF.svc" />
</baseAddresses>
</host>
<endpoint address="" binding="webHttpBinding" behaviorConfiguration="rest" bindingConfiguration="NormalRequestBinding" contract="X.Services.Proxy.MOF" name="MOF" />
</service>
You can do it like this:
ConfigurationManager.AppSettings["{your_key}"]
I've got a solution:
Solution1
--ConfigProject
----AppManifest.xml
----ServiceManifest.xml
--Project1
--Project2
ServiceManifest.xml looks like this:
<ServiceManifest>
...............
<Resources>
<Endpoints>
<!-- This endpoint is used by the communication listener to obtain the port on which to
listen. Please note that if your service is partitioned, this port is shared with
replicas of different partitions that are placed in your code. -->
<Endpoint Protocol="https" Name="ServiceEndpoint" Type="Input" />
</Endpoints>
</Resources>
</ServiceManifest>
Without relying on c# code, is there a pre-build step that I can add that will transform the Resources section in the ServiceManifest file, based on a setting in the AppManifest.xml file?
You could describe your service manifest as follows:
<ServiceManifestImport>
<ServiceManifestRef ServiceManifestName="Stateless1Pkg" ServiceManifestVersion="1.0.0" />
<ConfigOverrides />
<ResourceOverrides>
<Endpoints>
<Endpoint Name="ServiceEndpoint" Port="[Port]" Protocol="[Protocol]" Type="[Type]" />
<Endpoint Name="ServiceEndpoint1" Port="[Port1]" Protocol="[Protocol1]" />
</Endpoints>
</ResourceOverrides>
<Policies>
<EndpointBindingPolicy CertificateRef="TestCert1" EndpointRef="ServiceEndpoint"/>
</Policies>
</ServiceManifestImport>
Now you can declare the parameters in your ApplicationManifest. If you want, you can give them a default value.
<Parameters>
<Parameter Name="Port" DefaultValue="" />
<Parameter Name="Protocol" DefaultValue="" />
<Parameter Name="Type" DefaultValue="" />
<Parameter Name="Port1" DefaultValue="" />
<Parameter Name="Protocol1" DefaultValue="" />
</Parameters>
You can override these parameters with your own customized ApplicationParameters file (like Local.1Node.xml and Local.5Node.xml). Another alternative would be to pass the parameters via PowerShell when publishing:
PS C:\> New-ServiceFabricApplication -ApplicationName fabric:/myapp -ApplicationTypeName "AppType" -ApplicationTypeVersion "1.0.0" -ApplicationParameter @{Port='1001'; Protocol='https'; Type='Input'; Port1='2001'; Protocol1='http'}
For further details:
https://learn.microsoft.com/en-us/azure/service-fabric/service-fabric-service-manifest-resources
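The parameterised endpoints above fail in two quiet ways: a parameter left at DefaultValue="" reaches the cluster as an empty Protocol or Port, and an EndpointBindingPolicy that points at an endpoint whose Protocol resolves to http binds a certificate that is never used, leaving a plaintext listener. The following added script (mine, not from the answer or the Service Fabric SDK) resolves the [Parameter] placeholders against the manifest defaults plus the -ApplicationParameter overrides and reports both conditions before you publish. The manifest is a constructed sample that uses the same parameter names as the answer.

```python
"""Resolve [Parameter] placeholders in a Service Fabric ApplicationManifest's
ResourceOverrides and sanity-check the resulting endpoints before publishing.
Added example; the manifest below is constructed, not taken from the post."""
import re
import xml.etree.ElementTree as ET

SF_NS = "http://schemas.microsoft.com/2011/01/fabric"
NS = {"sf": SF_NS}
PLACEHOLDER = re.compile(r"^\[(?P<name>[A-Za-z0-9_]+)\]$")

# Constructed sample: the defaults are empty, exactly as in the answer above.
SAMPLE_MANIFEST = f"""<?xml version="1.0" encoding="utf-8"?>
<ApplicationManifest ApplicationTypeName="AppType" ApplicationTypeVersion="1.0.0" xmlns="{SF_NS}">
  <Parameters>
    <Parameter Name="Port" DefaultValue="" />
    <Parameter Name="Protocol" DefaultValue="" />
    <Parameter Name="Type" DefaultValue="" />
    <Parameter Name="Port1" DefaultValue="" />
    <Parameter Name="Protocol1" DefaultValue="" />
  </Parameters>
  <ServiceManifestImport>
    <ServiceManifestRef ServiceManifestName="Stateless1Pkg" ServiceManifestVersion="1.0.0" />
    <ConfigOverrides />
    <ResourceOverrides>
      <Endpoints>
        <Endpoint Name="ServiceEndpoint" Port="[Port]" Protocol="[Protocol]" Type="[Type]" />
        <Endpoint Name="ServiceEndpoint1" Port="[Port1]" Protocol="[Protocol1]" />
      </Endpoints>
    </ResourceOverrides>
    <Policies>
      <EndpointBindingPolicy CertificateRef="TestCert1" EndpointRef="ServiceEndpoint" />
    </Policies>
  </ServiceManifestImport>
</ApplicationManifest>
"""


def resolve_endpoints(manifest_xml, overrides):
    """Return (endpoints, problems).

    endpoints maps each Endpoint Name to its resolved attributes; problems lists
    undeclared or empty parameters and unsafe or invalid endpoint settings.
    """
    root = ET.fromstring(manifest_xml)
    params = {p.get("Name"): p.get("DefaultValue", "")
              for p in root.findall("sf:Parameters/sf:Parameter", NS)}
    # -ApplicationParameter keys the manifest never declares are a deployment error.
    problems = [f"override '{k}' is not a declared parameter"
                for k in sorted(set(overrides) - set(params))]
    params.update({k: v for k, v in overrides.items() if k in params})
    # An EndpointBindingPolicy only does anything for an https endpoint; on http the
    # certificate is ignored and the listener comes up in plaintext.
    cert_bound = {pol.get("EndpointRef")
                  for pol in root.findall(".//sf:Policies/sf:EndpointBindingPolicy", NS)}

    endpoints = {}
    for ep in root.findall(".//sf:ResourceOverrides/sf:Endpoints/sf:Endpoint", NS):
        name, resolved = ep.get("Name"), {}
        for attr, raw in ep.attrib.items():
            m = PLACEHOLDER.match(raw)
            if not m:
                resolved[attr] = raw
                continue
            pname = m.group("name")
            value = params.get(pname)
            if value is None:
                problems.append(f"{name}.{attr}: parameter '{pname}' is not declared")
                value = ""
            elif value == "":
                problems.append(f"{name}.{attr}: parameter '{pname}' resolved to an empty value")
            resolved[attr] = value
        endpoints[name] = resolved
        port = resolved.get("Port", "")
        if port and not (port.isdigit() and 1 <= int(port) <= 65535):
            problems.append(f"{name}.Port: '{port}' is not a valid TCP port")
        if name in cert_bound and resolved.get("Protocol", "").lower() != "https":
            problems.append(f"{name}: certificate bound by EndpointBindingPolicy but "
                            f"Protocol is '{resolved.get('Protocol', '')}', expected https")
    return endpoints, problems


if __name__ == "__main__":
    # Same values as the New-ServiceFabricApplication call above.
    good = {"Port": "1001", "Protocol": "https", "Type": "Input", "Port1": "2001", "Protocol1": "http"}
    print(resolve_endpoints(SAMPLE_MANIFEST, good))
    # Forgetting Protocol1 leaves the empty default, which is reported.
    print(resolve_endpoints(SAMPLE_MANIFEST, {k: v for k, v in good.items() if k != "Protocol1"})[1])
```

Run it against the real ApplicationManifest.xml and the parameter file you are about to publish with; an empty problems list is the condition to gate the deployment on.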
I have existing Form Authentication application as a relying party. I have configured this application as relying party on ADFS server. But ADFS website does not have Form authentication.
What need to be changed on my relying party application?
My answer will only be as good as your question, as you haven't provided much background info, e.g. Visual Studio version, .NET Framework version, ASP.NET version, etc.
If you happen to be using VS 2010 and WIF, there is quite a handy tool called the Federation Utility Wizard (FedUtil) that will configure your application "automagically". This article describes exactly what you need.
In the end, your web.config's identity model should look like the following:
<microsoft.identityModel>
<service>
<audienceUris>
<add value="http://localhost:57349/ClaimsAwareWebSite2/" />
</audienceUris>
<federatedAuthentication>
<wsFederation passiveRedirectEnabled="true" issuer="https://<specified STS>/FederationPassive/" realm="http://localhost:57349/ClaimsAwareWebSite2/" requireHttps="false" />
<cookieHandler requireSsl="false" />
</federatedAuthentication>
<serviceCertificate>
<certificateReference x509FindType="FindByThumbprint" findValue="48BF03FCEDA703DE09E0F1F0CEFED60BB92B3DD8" storeLocation="LocalMachine" storeName="My" />
</serviceCertificate>
<applicationService>
<claimTypeRequired>
<!--Following are the claims offered by STS 'http://<specified STS>/Trust'. Add or uncomment claims that you require by your application and then update the federation metadata of this application.-->
<claimType type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" optional="true" />
<claimType type="http://schemas.microsoft.com/ws/2008/06/identity/claims/role" optional="true" />
<!--<claimType type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" optional="true" />-->
<!--<claimType type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" optional="true" />-->
<!--<claimType type="http://schemas.xmlsoap.org/claims/CommonName" optional="true" />-->
<!--<claimType type="http://schemas.xmlsoap.org/claims/EmailAddress" optional="true" />-->
<!--<claimType type="http://schemas.xmlsoap.org/claims/Group" optional="true" />-->
<!--<claimType type="http://schemas.xmlsoap.org/claims/UPN" optional="true" />-->
<!--<claimType type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier" optional="true" />-->
<!--<claimType type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/webpage" optional="true" />-->
<!--<claimType type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/title" optional="true" />-->
<!--<claimType type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/picture" optional="true" />-->
<!--<claimType type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/manager" optional="true" />-->
<!--<claimType type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/department" optional="true" />-->
</claimTypeRequired>
</applicationService>
<issuerNameRegistry type="Microsoft.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
<trustedIssuers>
<add thumbprint="5C8885A8E3D29D6BF6C9365E00B1BEA5EB284D1E" name="CN=<specified STS>, OU=US-Federated Identity, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" />
</trustedIssuers>
</issuerNameRegistry>
</service>
</microsoft.identityModel>
WIF uses WS-Trust or FedAuth to redirect the user to ADFS for authentication.
As you are using VS 2010, you should install
- WIF Runtime
- WIF SDK for .NET Framework 4.0
Installing the above tools will allow you to use the FedUtil wizard to create your claims-aware app.
Refer to these articles to start:
http://blogs.msdn.com/b/distributedservices/archive/2013/05/13/create-claims-aware-wcf-service-using-wif-on-framework-4-0.aspx
http://blogs.msdn.com/b/napegadie_kones_msft_blog/archive/2015/04/03/what-do-i-need-to-build-a-claims-aware-wcf-service-in-vs-2013.aspx
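The FedUtil output shown in the answer is a development configuration: requireHttps="false" lets the token be POSTed back to the relying party in clear, requireSsl="false" sends the FedAuth session cookie without the Secure flag, and the audience and realm are http URIs. The following added script (mine, not from the answer or from WIF) lints a <microsoft.identityModel> section for those relaxations and for a malformed trustedIssuers thumbprint, and produces a hardened copy. The config it checks is a trimmed copy of the answer's, with the "<specified STS>" placeholder replaced by the hypothetical host sts.example so that it parses.

```python
"""Lint the <microsoft.identityModel> section of a WIF 3.5 relying-party
web.config for dev-only relaxations, and emit a hardened copy.
Added example, not part of the original answer."""
import re
import xml.etree.ElementTree as ET

HEX40 = re.compile(r"^[0-9A-Fa-f]{40}$")

# Trimmed copy of the answer's config; sts.example stands in for "<specified STS>".
DEV_CONFIG = """<microsoft.identityModel>
  <service>
    <audienceUris>
      <add value="http://localhost:57349/ClaimsAwareWebSite2/" />
    </audienceUris>
    <federatedAuthentication>
      <wsFederation passiveRedirectEnabled="true" issuer="https://sts.example/FederationPassive/"
                    realm="http://localhost:57349/ClaimsAwareWebSite2/" requireHttps="false" />
      <cookieHandler requireSsl="false" />
    </federatedAuthentication>
    <issuerNameRegistry type="Microsoft.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, Microsoft.IdentityModel">
      <trustedIssuers>
        <add thumbprint="5C8885A8E3D29D6BF6C9365E00B1BEA5EB284D1E" name="CN=sts.example" />
      </trustedIssuers>
    </issuerNameRegistry>
  </service>
</microsoft.identityModel>
"""


def lint_identity_model(config_xml):
    """Return a list of (severity, message); an empty list means nothing was flagged."""
    svc = ET.fromstring(config_xml).find("service")
    findings = []
    for a in svc.findall("audienceUris/add"):
        if a.get("value", "").lower().startswith("http://"):
            findings.append(("medium", f"audienceUri '{a.get('value')}' is http: the relying party is addressed in plaintext"))
    ws = svc.find("federatedAuthentication/wsFederation")
    if ws is not None:
        if ws.get("requireHttps", "true").lower() != "true":   # WIF default is true
            findings.append(("high", 'wsFederation requireHttps="false": the signed token is POSTed back over plaintext'))
        if ws.get("realm", "").lower().startswith("http://"):
            findings.append(("high", f"wsFederation realm '{ws.get('realm')}' is http"))
        if not ws.get("issuer", "").lower().startswith("https://"):
            findings.append(("high", f"wsFederation issuer '{ws.get('issuer')}' is not https"))
    ch = svc.find("federatedAuthentication/cookieHandler")
    if ch is not None and ch.get("requireSsl", "true").lower() != "true":   # WIF default is true
        findings.append(("high", 'cookieHandler requireSsl="false": the FedAuth cookie is sent without the Secure flag'))
    issuers = svc.findall("issuerNameRegistry/trustedIssuers/add")
    if not issuers:
        findings.append(("high", "no trustedIssuers entry: no STS signing certificate is pinned"))
    for i in issuers:
        if not HEX40.match(i.get("thumbprint", "")):
            findings.append(("high", f"trustedIssuers thumbprint '{i.get('thumbprint')}' is not a 40-hex-digit SHA-1 thumbprint"))
    return findings


def harden(config_xml):
    """Return the config with http audience/realm rewritten to https and
    requireHttps / requireSsl forced to true."""
    root = ET.fromstring(config_xml)
    svc = root.find("service")
    for a in svc.findall("audienceUris/add"):
        a.set("value", re.sub(r"^http://", "https://", a.get("value", ""), flags=re.I))
    ws = svc.find("federatedAuthentication/wsFederation")
    if ws is not None:
        ws.set("requireHttps", "true")
        ws.set("realm", re.sub(r"^http://", "https://", ws.get("realm", ""), flags=re.I))
    ch = svc.find("federatedAuthentication/cookieHandler")
    if ch is not None:
        ch.set("requireSsl", "true")
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for sev, msg in lint_identity_model(DEV_CONFIG):
        print(f"[{sev}] {msg}")
    print(harden(DEV_CONFIG))
```

Rewriting the audience URI also changes the identifier the STS issues tokens for, so update the relying-party trust on the ADFS side (or regenerate the federation metadata) at the same time.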
Using Azure SDK 2.3 on my VS2013 development VM I can consume Service Bus queues hosted in Azure painlessly. However, on Windows Server 2008 R2 Standard SP1, it looks like Windows cannot trust the involved certificates and an exception is thrown.
The line that throws:
// Send the message
await queueclient.SendAsync(message);
Exception message:
The X.509 certificate CN=servicebus.windows.net is not in the trusted
people store. The X.509 certificate CN=servicebus.windows.net chain
building failed. The certificate that was used has a trust chain that
cannot be verified. Replace the certificate or change the
certificateValidationMode. A certificate chain could not be built to a
trusted root authority.
The CAPI2 logs (attached below) pointed to a trust issue, so I compared the certificates installed on both machines. The following certificates are absent on the server:
Intermediate Certification Authorities > Microsoft Internet Authority
(Issued by Baltimore CyberTrust Root)
Intermediate Certification Authorities > MSIT Machine Auth CA 2
(Issued by Microsoft Internet Authority)
The questions:
Where do the certificates come from?
Why are they missing from the server?
How do I fix this issue?
Possible leads (updated):
Install Azure SDK 2.3 for Visual Studio 2013 on the server
Install all Windows Updates on the server
I tried:
<appSettings>
<add key="Microsoft.ServiceBus.X509RevocationMode" value="NoCheck"/>
</appSettings>
CAPI2 Verify Chain Policy event:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-CAPI2" Guid="{5bbca4a8-b209-48dc-a8c7-b23d3e5216fb}" />
<EventID>30</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>30</Task>
<Opcode>0</Opcode>
<Keywords>0x4000000000000001</Keywords>
<TimeCreated SystemTime="2014-06-11T19:57:38.998656000Z" />
<EventRecordID>5642</EventRecordID>
<Correlation />
<Execution ProcessID="5280" ThreadID="8472" />
<Channel>Microsoft-Windows-CAPI2/Operational</Channel>
<Computer>ne-r026-310cn</Computer>
<Security UserID="S-1-5-82-1758914132-2364927631-3137608320-3227192193-3717738432" />
</System>
<UserData>
<CertVerifyCertificateChainPolicy>
<Policy type="CERT_CHAIN_POLICY_BASE" constant="1" />
<Certificate fileRef="3E560462C61B45BE1A59F1286B34A065A878AFA0.cer" subjectName="servicebus.windows.net" />
<CertificateChain chainRef="{19B5F58A-FA37-4213-A888-C81C340D019C}" />
<Flags value="1000" CERT_CHAIN_POLICY_IGNORE_PEER_TRUST_FLAG="true" />
<Status chainIndex="0" elementIndex="-1" />
<EventAuxInfo ProcessName="w3wp.exe" />
<CorrelationAuxInfo TaskId="{F8DE43DD-9E68-461E-8A2B-17215BA87E0C}" SeqNumber="1" />
<Result value="800B010A">A certificate chain could not be built to a trusted root authority.</Result>
</CertVerifyCertificateChainPolicy>
</UserData>
</Event>
CAPI2 Build Chain event:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-CAPI2" Guid="{5bbca4a8-b209-48dc-a8c7-b23d3e5216fb}" />
<EventID>11</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>11</Task>
<Opcode>2</Opcode>
<Keywords>0x4000000000000003</Keywords>
<TimeCreated SystemTime="2014-06-11T19:57:38.998656000Z" />
<EventRecordID>5641</EventRecordID>
<Correlation />
<Execution ProcessID="5280" ThreadID="8472" />
<Channel>Microsoft-Windows-CAPI2/Operational</Channel>
<Computer>ne-r026-310cn</Computer>
<Security UserID="S-1-5-82-1758914132-2364927631-3137608320-3227192193-3717738432" />
</System>
<UserData>
<CertGetCertificateChain>
<Certificate fileRef="3E560462C61B45BE1A59F1286B34A065A878AFA0.cer" subjectName="servicebus.windows.net" />
<ValidationTime>2014-06-11T19:57:38.998Z</ValidationTime>
<AdditionalStore />
<ExtendedKeyUsage />
<Flags value="0" />
<ChainEngineInfo context="machine" />
<AdditionalInfo>
<NetworkConnectivityStatus value="1" _SENSAPI_NETWORK_ALIVE_LAN="true" />
</AdditionalInfo>
<CertificateChain chainRef="{19B5F58A-FA37-4213-A888-C81C340D019C}">
<TrustStatus>
<ErrorStatus value="10000" CERT_TRUST_IS_PARTIAL_CHAIN="true" />
<InfoStatus value="0" />
</TrustStatus>
<ChainElement>
<Certificate fileRef="3E560462C61B45BE1A59F1286B34A065A878AFA0.cer" subjectName="servicebus.windows.net" />
<SignatureAlgorithm oid="1.2.840.113549.1.1.5" hashName="SHA1" publicKeyName="RSA" />
<PublicKeyAlgorithm oid="1.2.840.113549.1.1.1" publicKeyName="RSA" publicKeyLength="2048" />
<TrustStatus>
<ErrorStatus value="0" />
<InfoStatus value="2" CERT_TRUST_HAS_KEY_MATCH_ISSUER="true" />
</TrustStatus>
<ApplicationUsage>
<Usage oid="1.3.6.1.5.5.7.3.2" name="Client Authentication" />
<Usage oid="1.3.6.1.5.5.7.3.1" name="Server Authentication" />
</ApplicationUsage>
<IssuanceUsage />
</ChainElement>
</CertificateChain>
<EventAuxInfo ProcessName="w3wp.exe" />
<CorrelationAuxInfo TaskId="{9077AB4E-95E3-449B-AF2F-0BF42E92E6B7}" SeqNumber="11" />
<Result value="800B010A">A certificate chain could not be built to a trusted root authority.</Result>
</CertGetCertificateChain>
</UserData>
</Event>
CAPI2 X509 Objects event:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-CAPI2" Guid="{5bbca4a8-b209-48dc-a8c7-b23d3e5216fb}" />
<EventID>90</EventID>
<Version>0</Version>
<Level>4</Level>
<Task>90</Task>
<Opcode>0</Opcode>
<Keywords>0x4000000000000200</Keywords>
<TimeCreated SystemTime="2014-06-11T19:57:38.998656000Z" />
<EventRecordID>5640</EventRecordID>
<Correlation />
<Execution ProcessID="5280" ThreadID="8472" />
<Channel>Microsoft-Windows-CAPI2/Operational</Channel>
<Computer>ne-r026-310cn</Computer>
<Security UserID="S-1-5-82-1758914132-2364927631-3137608320-3227192193-3717738432" />
</System>
<UserData>
<X509Objects>
<Certificate fileRef="3E560462C61B45BE1A59F1286B34A065A878AFA0.cer" subjectName="servicebus.windows.net">
<Subject>
<CN>servicebus.windows.net</CN>
</Subject>
<SubjectKeyID computed="false" hash="BD41618C22D8DBEE9D172C12A2C549D61711ED75" />
<SignatureAlgorithm oid="1.2.840.113549.1.1.5" hashName="SHA1" publicKeyName="RSA" />
<PublicKeyAlgorithm oid="1.2.840.113549.1.1.1" publicKeyName="RSA" publicKeyLength="2048" />
<Issuer>
<CN>MSIT Machine Auth CA 2</CN>
<DC>redmond</DC>
<DC>corp</DC>
<DC>microsoft</DC>
<DC>com</DC>
</Issuer>
<SerialNumber>70DB015B000100008C58</SerialNumber>
<NotBefore>2013-07-27T03:31:06Z</NotBefore>
<NotAfter>2015-07-27T03:31:06Z</NotAfter>
<Extensions>
<KeyUsage value="B0" CERT_DIGITAL_SIGNATURE_KEY_USAGE="true" CERT_KEY_ENCIPHERMENT_KEY_USAGE="true" CERT_DATA_ENCIPHERMENT_KEY_USAGE="true" />
<ExtendedKeyUsage>
<Usage oid="1.3.6.1.5.5.7.3.2" name="Client Authentication" />
<Usage oid="1.3.6.1.5.5.7.3.1" name="Server Authentication" />
</ExtendedKeyUsage>
<SubjectAltName>
<DNSName>*.servicebus.windows.net</DNSName>
<DNSName>servicebus.windows.net</DNSName>
</SubjectAltName>
<AuthorityKeyIdentifier>
<KeyID hash="EBDB115EF8099ED8D6629CFD629DE3844A28E127" />
</AuthorityKeyIdentifier>
</Extensions>
</Certificate>
<EventAuxInfo ProcessName="w3wp.exe" />
<CorrelationAuxInfo TaskId="{9077AB4E-95E3-449B-AF2F-0BF42E92E6B7}" SeqNumber="10" />
</X509Objects>
</UserData>
</Event>
The missing certificates were responsible for the exception.
I haven't been able to find the certificates online and I'm still unsure of how EXACTLY they managed to install themselves, BUT I think I have an idea...
How did we manage to obtain the certificates?
We isolated the Service Bus messaging code into a console application and executed it with admin rights on the production server. The certificates installed themselves automatically in the process.
Perhaps our application pool, running under ApplicationPoolIdentity with limited permissions, was not allowing Windows to download or install the certificates.
This link seems to offer related information : http://netsekure.org/2011/04/automatic-ca-root-certificate-updates-on-windows/
Update : You can download the certificate chain here.
To eliminate certificate trust issues from Service Bus for Windows Server, use the following:
Create a list of the certificates you trust:
// SHA-1 thumbprints of the leaf certificates you accept (what GetCertHashString() returns).
var trustedCertificates = new HashSet<string>(new[]
{
"1245…",
"4567…",
"8102…"
}, StringComparer.OrdinalIgnoreCase);
Trust those:
ServicePointManager.ServerCertificateValidationCallback = (sender, certificate, chain, errors) =>
{
if (errors == SslPolicyErrors.None)
{
return true;
}
var hashString = certificate.GetCertHashString();
var isTrusted = trustedCertificates.Contains(hashString);
if (!isTrusted)
{
telemetryClient.TrackTrace($"Untrusted: {hashString} Errors: {errors} Cert: {certificate.ToString()}", SeverityLevel.Warning);
}
return isTrusted;
};
Calm Service Bus down too:
private static void SetCertificateValidator()
{
var retriableCertificateValidatorType = Type.GetType("Microsoft.ServiceBus.Channels.Security.RetriableCertificateValidator, Microsoft.ServiceBus", true, false);
var instanceProperty = retriableCertificateValidatorType.GetProperty("Instance", BindingFlags.Static | BindingFlags.NonPublic);
var instance = instanceProperty.GetValue(null);
var peerOrChainTrustNoCheck = retriableCertificateValidatorType.GetField("peerOrChainTrustNoCheck", BindingFlags.Instance | BindingFlags.NonPublic);
peerOrChainTrustNoCheck?.SetValue(instance, new EmptyOpX509CertificateValidator());
}
private sealed class EmptyOpX509CertificateValidator : X509CertificateValidator
{
public override void Validate(X509Certificate2 certificate)
{
}
}
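The CAPI2 records in the question already contain the diagnosis, and reading them is the alternative to the second answer's approach of replacing Service Bus's validator with one that accepts anything (EmptyOpX509CertificateValidator removes the chain check on that code path entirely, so a pin on the leaf hash is all that is left). The following added script (mine, not from the question or either answer) parses trimmed copies of the Build Chain and X509 Objects events posted above and reports why chain building failed: a single-element chain whose issuer "MSIT Machine Auth CA 2" (identified by the AKI key id) was not found in the machine stores w3wp.exe consulted. That is a missing intermediate, which is fixed by installing the intermediate, and is a different condition from an untrusted root.

```python
"""Triage CAPI2 'Build Chain' (event 11) and 'X509 Objects' (event 90) records
and say why a chain failed, so the fix is the right certificate rather than a
no-op validator. Added example, not from the question or either answer; the two
records below are trimmed copies of the events posted in the question."""
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# CERT_TRUST_* error bits from wincrypt.h that matter for triage.
ERROR_FLAGS = {
    0x00000001: "CERT_TRUST_IS_NOT_TIME_VALID",
    0x00000004: "CERT_TRUST_IS_REVOKED",
    0x00000020: "CERT_TRUST_IS_UNTRUSTED_ROOT",
    0x00000040: "CERT_TRUST_REVOCATION_STATUS_UNKNOWN",
    0x00010000: "CERT_TRUST_IS_PARTIAL_CHAIN",
}

BUILD_CHAIN_EVENT = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>11</EventID></System>
  <UserData>
    <CertGetCertificateChain>
      <Certificate fileRef="3E560462C61B45BE1A59F1286B34A065A878AFA0.cer" subjectName="servicebus.windows.net" />
      <ChainEngineInfo context="machine" />
      <CertificateChain chainRef="{19B5F58A-FA37-4213-A888-C81C340D019C}">
        <TrustStatus><ErrorStatus value="10000" CERT_TRUST_IS_PARTIAL_CHAIN="true" /><InfoStatus value="0" /></TrustStatus>
        <ChainElement>
          <Certificate fileRef="3E560462C61B45BE1A59F1286B34A065A878AFA0.cer" subjectName="servicebus.windows.net" />
          <SignatureAlgorithm oid="1.2.840.113549.1.1.5" hashName="SHA1" publicKeyName="RSA" />
        </ChainElement>
      </CertificateChain>
      <EventAuxInfo ProcessName="w3wp.exe" />
      <Result value="800B010A">A certificate chain could not be built to a trusted root authority.</Result>
    </CertGetCertificateChain>
  </UserData>
</Event>
"""

X509_OBJECTS_EVENT = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>90</EventID></System>
  <UserData>
    <X509Objects>
      <Certificate fileRef="3E560462C61B45BE1A59F1286B34A065A878AFA0.cer" subjectName="servicebus.windows.net">
        <Issuer><CN>MSIT Machine Auth CA 2</CN><DC>redmond</DC><DC>corp</DC><DC>microsoft</DC><DC>com</DC></Issuer>
        <Extensions>
          <AuthorityKeyIdentifier><KeyID hash="EBDB115EF8099ED8D6629CFD629DE3844A28E127" /></AuthorityKeyIdentifier>
        </Extensions>
      </Certificate>
    </X509Objects>
  </UserData>
</Event>
"""


def triage_chain(build_chain_xml, x509_objects_xml):
    """Return a dict that explains the chain-building failure recorded by CAPI2."""
    chain = ET.fromstring(build_chain_xml).find(".//e:CertGetCertificateChain", NS)
    leaf = ET.fromstring(x509_objects_xml).find(".//e:X509Objects/e:Certificate", NS)

    # ErrorStatus is a hex bitmask; 10000 here is CERT_TRUST_IS_PARTIAL_CHAIN.
    status = int(chain.find("e:CertificateChain/e:TrustStatus/e:ErrorStatus", NS).get("value"), 16)
    elements = chain.findall("e:CertificateChain/e:ChainElement", NS)
    hashes = [el.find("e:SignatureAlgorithm", NS).get("hashName", "") for el in elements]
    aki = leaf.find("e:Extensions/e:AuthorityKeyIdentifier/e:KeyID", NS)
    result = chain.find("e:Result", NS)

    summary = {
        "hresult": result.get("value"),
        "message": result.text,
        "process": chain.find("e:EventAuxInfo", NS).get("ProcessName"),
        "store_context": chain.find("e:ChainEngineInfo", NS).get("context"),
        "error_flags": [name for bit, name in ERROR_FLAGS.items() if status & bit],
        "chain_depth": len(elements),
        "leaf_subject": leaf.get("subjectName"),
        "issuer_cn": leaf.findtext("e:Issuer/e:CN", default="", namespaces=NS),
        "issuer_key_id": aki.get("hash") if aki is not None else None,
        "weak_signature_hash": any(h.upper() in ("MD5", "SHA1") for h in hashes),
    }
    # A partial chain means an issuer is missing from the stores the chain engine
    # consulted; an untrusted root means the chain completed but ends at an unknown CA.
    if "CERT_TRUST_IS_PARTIAL_CHAIN" in summary["error_flags"] and len(elements) == 1:
        summary["diagnosis"] = (f"leaf only: issuer '{summary['issuer_cn']}' (key id "
                                f"{summary['issuer_key_id']}) was not found in the "
                                f"{summary['store_context']} stores used by {summary['process']}")
    elif "CERT_TRUST_IS_UNTRUSTED_ROOT" in summary["error_flags"]:
        summary["diagnosis"] = "chain built, but its root is not a trusted root CA on this machine"
    else:
        summary["diagnosis"] = "see error_flags"
    return summary


if __name__ == "__main__":
    for key, value in triage_chain(BUILD_CHAIN_EVENT, X509_OBJECTS_EVENT).items():
        print(f"{key:>20}: {value}")
```

Feed it the full event XML exported from the Microsoft-Windows-CAPI2/Operational log; the store_context and process fields explain the first answer's observation that the same code succeeded from an elevated console but not from the application pool.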
I have a set of WCF services hosted in a .NET 4 application. I manually create the ServiceHost class and start listening on a TCP port.
All works as expected, but in the WCF trace on the server side I get the warning below.
Configuration evaluation context not found.
XML trace follows:
<E2ETraceEvent xmlns="http://schemas.microsoft.com/2004/06/E2ETraceEvent">
<System xmlns="http://schemas.microsoft.com/2004/06/windows/eventlog/system">
<EventID>524312</EventID>
<Type>3</Type>
<SubType Name="Warning">0</SubType>
<Level>4</Level>
<TimeCreated SystemTime="2010-09-03T12:33:01.9404010Z" />
<Source Name="System.ServiceModel" />
<Correlation ActivityID="{00000000-0000-0000-0000-000000000000}" />
<Execution ProcessName="Server.Console.vshost" ProcessID="24612" ThreadID="10" />
<Channel />
<Computer>BAROLO</Computer>
</System>
<ApplicationData>
<TraceData>
<DataItem>
<TraceRecord xmlns="http://schemas.microsoft.com/2004/10/E2ETraceEvent/TraceRecord" Severity="Warning">
<TraceIdentifier>http://msdn.microsoft.com/it-IT/library/System.ServiceModel.EvaluationContextNotFound.aspx</TraceIdentifier>
<Description>Configuration evaluation context not found.</Description>
<AppDomain>Server.Console.vshost.exe</AppDomain>
</TraceRecord>
</DataItem>
</TraceData>
</ApplicationData>
</E2ETraceEvent>
Any idea about the reason for the warning?
Thanks
Did you take a look at this MSDN blog post: Missing Binding Extensions?
The evaluation context not found error (or in traces with the identifier System.ServiceModel.EvaluationContextNotFound) is generally caused by using a configuration element defined in a library that is not included in the application’s configuration as an extension.
In my experience, you have to manually create the service, with its name and other details, under the <services> tag, e.g.:
<system.serviceModel>
<services>
<service name="WCF_NameSpace.Service1" behaviorConfiguration="behave">
<endpoint address="" binding="basicHttpBinding" bindingConfiguration="bind" contract="WCF_Trace_2.IService1"></endpoint>
</service>
</services>
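Both answers point at configuration lookups that cannot be resolved: an element that comes from a library with no <extensions> registration (the first answer), or a service entry whose behaviorConfiguration / bindingConfiguration names nothing that exists (the second). Either can be caught before the ServiceHost is opened. The following added check (mine, not from the question or either answer, and not a .NET tool) parses a constructed <system.serviceModel> section and reports both kinds of problem. The built-in binding and service-behavior name sets are a working subset of what System.ServiceModel ships, and the Contoso.Wcf types are hypothetical.

```python
"""Check a <system.serviceModel> section for the lookup failures behind the
'Configuration evaluation context not found' trace: binding sections and
behavior elements from a library that is not registered under <extensions>,
and dangling behaviorConfiguration / bindingConfiguration references.
Added example; the sample config is constructed and the Contoso.* types are hypothetical."""
import xml.etree.ElementTree as ET

# Binding sections that ship with System.ServiceModel (working subset). Anything
# else under <bindings> must be declared in <extensions><bindingExtensions>.
BUILTIN_BINDINGS = {
    "basicHttpBinding", "basicHttpsBinding", "basicHttpContextBinding", "wsHttpBinding",
    "wsHttpContextBinding", "ws2007HttpBinding", "wsDualHttpBinding", "wsFederationHttpBinding",
    "ws2007FederationHttpBinding", "netTcpBinding", "netTcpContextBinding", "netNamedPipeBinding",
    "netMsmqBinding", "msmqIntegrationBinding", "netPeerTcpBinding", "netHttpBinding",
    "netHttpsBinding", "webHttpBinding", "customBinding", "mexHttpBinding", "mexHttpsBinding",
    "mexTcpBinding", "mexNamedPipeBinding",
}
# Service behavior elements that ship with System.ServiceModel (working subset).
BUILTIN_SERVICE_BEHAVIORS = {
    "serviceMetadata", "serviceDebug", "serviceCredentials", "serviceAuthorization",
    "serviceThrottling", "serviceSecurityAudit", "serviceTimeouts", "dataContractSerializer",
    "serviceAuthenticationManager", "useRequestHeadersForMetadataAddress",
}

# Constructed sample: one custom behavior is registered, one custom binding is not,
# and the second service references names that do not exist.
SAMPLE_CONFIG = """<system.serviceModel>
  <extensions>
    <behaviorExtensions>
      <add name="auditLogging" type="Contoso.Wcf.AuditLoggingElement, Contoso.Wcf" />
    </behaviorExtensions>
  </extensions>
  <bindings>
    <basicHttpBinding><binding name="bind" /></basicHttpBinding>
    <contosoSignedBinding><binding name="signed" /></contosoSignedBinding>
  </bindings>
  <behaviors>
    <serviceBehaviors>
      <behavior name="behave">
        <serviceMetadata httpGetEnabled="false" />
        <serviceDebug includeExceptionDetailInFaults="false" />
        <auditLogging />
      </behavior>
    </serviceBehaviors>
  </behaviors>
  <services>
    <service name="WCF_NameSpace.Service1" behaviorConfiguration="behave">
      <endpoint address="" binding="basicHttpBinding" bindingConfiguration="bind" contract="WCF_Trace_2.IService1" />
      <endpoint address="signed" binding="contosoSignedBinding" bindingConfiguration="signed" contract="WCF_Trace_2.IService1" />
    </service>
    <service name="WCF_NameSpace.Service2" behaviorConfiguration="missingBehavior">
      <endpoint address="" binding="basicHttpBinding" bindingConfiguration="typo" contract="WCF_Trace_2.IService1" />
    </service>
  </services>
</system.serviceModel>
"""


def check_service_model(config_xml):
    """Return a list of human-readable findings; empty means the section resolves."""
    root = ET.fromstring(config_xml)
    findings = []
    binding_ext = {a.get("name") for a in root.findall("extensions/bindingExtensions/add")}
    behavior_ext = {a.get("name") for a in root.findall("extensions/behaviorExtensions/add")}

    # 1. Binding sections from a library need a bindingExtensions entry.
    bindings = {}
    for section in root.findall("bindings/*"):
        if section.tag not in BUILTIN_BINDINGS and section.tag not in binding_ext:
            findings.append(f"<bindings><{section.tag}> is not a built-in binding and has no <bindingExtensions> entry")
        bindings[section.tag] = {b.get("name") for b in section.findall("binding")}

    # 2. Behavior elements from a library need a behaviorExtensions entry.
    behaviors = set()
    for b in root.findall("behaviors/serviceBehaviors/behavior"):
        behaviors.add(b.get("name"))
        for child in b:
            if child.tag not in BUILTIN_SERVICE_BEHAVIORS and child.tag not in behavior_ext:
                findings.append(f"behavior '{b.get('name')}' uses <{child.tag}>, which is not built in and has no <behaviorExtensions> entry")

    # 3. Dangling references from <service> and <endpoint>.
    for svc in root.findall("services/service"):
        bc = svc.get("behaviorConfiguration")
        if bc and bc not in behaviors:
            findings.append(f"service '{svc.get('name')}' references behaviorConfiguration '{bc}', which is not defined")
        for ep in svc.findall("endpoint"):
            binding, cfg = ep.get("binding"), ep.get("bindingConfiguration")
            if binding not in BUILTIN_BINDINGS and binding not in binding_ext:
                findings.append(f"endpoint on '{svc.get('name')}' uses binding '{binding}', which is neither built in nor registered")
            if cfg and cfg not in bindings.get(binding, set()):
                findings.append(f"endpoint on '{svc.get('name')}' references bindingConfiguration '{cfg}', which is not defined under <{binding}>")
    return findings


if __name__ == "__main__":
    for f in check_service_model(SAMPLE_CONFIG):
        print("-", f)
```

Point it at the <system.serviceModel> element of the host's app.config; an unregistered section is the case the first answer describes, a dangling name the case the second answer works around by writing the <service> entry out by hand.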