CHAPTER 5 ■ AZURE .NET SERVICES—ACCESS CONTROL 148

Figure 5-8. Run the client; we have the echo from the server, and a user has been registered successfully

The Access Control Service can also authenticate the client interactively using CardSpace. That approach is covered at the end of this exercise. Alternatively, authentication can be done with an X.509 certificate. Both approaches require that the client application preregister client-side information (the certificate, or the information card) in the Azure cloud environment. Before we move on to the Access Control Service with X.509 and CardSpace authentication, some configuration of the local development environment is needed.

Authentication Using X.509 Certificates or CardSpace in .NET Access Control Service

Let's start the process by installing the X.509 certificate.

Installing the X.509 Certificate

The source code of this exercise (Exercise 5-2) contains a generated certificate file called localhost.cer, which can be found in the subfolder Certificate after unzipping the source code, as Figure 5-9 shows.

■ Note To generate a new certificate you need to use the certificate enrollment service. On Windows Vista/7 and Windows Server 2008 this service is disabled by default. If your local development machine runs one of those operating systems, the easiest workaround is to request the new certificate from another computer that runs Windows XP or Windows Server 2003. (You can reference the following article from The Code Project to request a new certificate using Windows XP or Windows 2003: http://69.10.233.10/kb/wcf/wcf certificates.aspx. For troubleshooting certificate enrollment, see http://blogs.msdn.com/windowsvistanow/archive/2008/04/08/troubleshooting-certificate-enrollment.aspx.)

Figure 5-9. Locate the certificate file that will be associated with the scope of an Azure solution in .NET Access Control Service

Find that file, right-click it, and select Install Certificate. Follow the steps shown in Figure 5-10 to install the certificate in the Trusted Root Certification Authorities store of the Local Computer (not the Current User). The service configuration in Listing 5-12 uses storeLocation='LocalMachine', so a certificate installed only for the current user will not be found by the service. The results are shown in Figure 5-11.

Figure 5-10. Import certificate using certmgr.exe

To inspect the installed certificate, click the Windows Start button and type "mmc" in the search bar to find the utility program mmc.exe and bring up the snap-in management console. From the File menu, add the Certificates snap-in for the Computer account (certmgr.msc started on its own shows only the Current User store, where the service will not look).

Figure 5-11. Start certmgr.msc Windows snap-in certificate management tool

Figure 5-12 shows the result after the certificate has been installed successfully. Follow the arrow to the Thumbprint field, copy its value, and paste it into the findValue attribute of the <serviceCertificate> element in the <behavior> section of the Service project's configuration file App.config, as shown in the boldface lines in Listing 5-12. When copying the thumbprint from the certificate dialog, make sure no invisible leading character (the dialog on Windows 7 and Windows Server 2008 R2 is known to paste one) comes along with it; if the value does not match a certificate in the named store, WCF throws "Cannot find the X.509 certificate" when the ServiceHost opens, before any request is served.

Figure 5-12. Certificate has been installed to Trusted Root Certification Authorities, Local Computer store

Listing 5-12. Insert the Thumbprint of the Installed Certificate into the Configuration File App.config of the Service Project

    <behaviors>
      <serviceBehaviors>
        <behavior name="UserRegisterServiceBehavior">
          <serviceMetadata httpGetEnabled="True"
                           httpGetUrl="http://localhost/AzureForDotNetDeveloperWCFservice/wsdl" />
          <!-- Development only: exception details in faults expose stack traces and
               internal paths to every caller. Set to False before deploying. -->
          <serviceDebug includeExceptionDetailInFaults="True" />
          <serviceCredentials>
            <clientCertificate>
              <!-- certificateValidationMode takes None, PeerTrust, ChainTrust,
                   PeerOrChainTrust or Custom ("True" is not a valid value). With
                   localhost.cer in the Local Computer Trusted Root store, ChainTrust
                   accepts certificates issued by it; PeerTrust accepts a certificate
                   placed in the Trusted People store. -->
              <authentication certificateValidationMode="PeerOrChainTrust" />
            </clientCertificate>
            <!-- The service certificate must carry its private key, which only the
                 .pfx import provides, so it is looked up in the Local Computer
                 Personal ("My") store. Spaces in the thumbprint are tolerated;
                 an invisible pasted character is not. -->
            <serviceCertificate storeLocation='LocalMachine' storeName='My'
                                x509FindType='FindByThumbprint'
                                findValue='01 20 90 8a 7e 12 52 45 9b 37 4b 92 64 14 18 e8 0d 12 63 fc' />
          </serviceCredentials>
        </behavior>
      </serviceBehaviors>
    </behaviors>

Associating the Certificate with the Azure Application URL

To associate an X.509 certificate installed on a client-side machine with the Azure cloud, you use the registration process. The installed certificate can be exported to a file in .pfx format via the certificate management snap-in we used above. A .pfx file contains the certificate together with its corresponding private key (for CA-issued and self-signed certificates alike), so it must be protected: anyone holding the file and its password can impersonate the service. This exercise's code also provides the exported .pfx certificate file, which can be found in the same folder as the localhost.cer file; treat it, like any private key shipped in source code, as a test-only key that must never be reused outside the local development environment. In the next section I am going to walk you through this procedure step by step.

To associate a certificate with an Azure application:

1. Sign in to the Azure portal, navigate to X.509 Certificates in .NET Access Control, and select the Basic configuration, as Figure 5-13 shows.
2. On the X.509 Certificates setup page, enter the endpoint address of the WCF service.
3. Uncheck the box labeled "Retrieve certificate from URL (http or https)" and select Browse.
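The local steps above (install localhost.cer into the Local Computer Trusted Root store, import the .pfx so the service has a private key, copy the thumbprint into the <serviceCertificate> element, and confirm WCF can find it) can be done from an elevated PowerShell prompt instead of the mmc snap-in. The script below is an added example, not code from the book or its sample solution; the file paths, the behavior name, and the assumption that the .pfx is password protected are mine. It deliberately uses the .NET X509Store classes rather than the Import-Certificate and Export-PfxCertificate cmdlets, because those cmdlets do not exist on the Windows 7 and Windows Server 2008 machines this exercise targets.

```powershell
# Added example (not from the book): install the exercise certificates into the
# Local Computer stores, read the thumbprint from the store object, write it into
# App.config, and verify the same lookup WCF performs at ServiceHost.Open.
# Must run elevated: writing to LocalMachine stores requires administrator rights.
param(
    [string]$CerPath      = ".\Certificate\localhost.cer",   # assumed path
    [string]$PfxPath      = ".\Certificate\localhost.pfx",   # assumed path
    [string]$ConfigPath   = ".\Service\App.config",           # assumed path
    [string]$BehaviorName = "UserRegisterServiceBehavior"     # name used in Listing 5-12
)

$x509 = "System.Security.Cryptography.X509Certificates"

function Install-CertToLocalMachineStore {
    param([object]$Cert, [string]$StoreName)
    $store = New-Object "$x509.X509Store"($StoreName, "LocalMachine")
    $store.Open("ReadWrite")
    try {
        # Contains() compares by thumbprint, so re-running the script is harmless.
        if (-not $store.Certificates.Contains($Cert)) { $store.Add($Cert) }
    } finally {
        $store.Close()
    }
}

# 1. The .cer holds only the public certificate: put it in Trusted Root so that
#    chain validation of anything it issued (and of itself) succeeds.
$public = New-Object "$x509.X509Certificate2"($CerPath)
Install-CertToLocalMachineStore -Cert $public -StoreName "Root"

# 2. The service certificate needs its private key, which only the .pfx carries.
#    MachineKeySet + PersistKeySet stores the key where a service account can use it.
$pfxPassword = Read-Host -AsSecureString "Password for $PfxPath"
$flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]"MachineKeySet,PersistKeySet"
$private = New-Object "$x509.X509Certificate2"($PfxPath, $pfxPassword, $flags)
if (-not $private.HasPrivateKey) { throw "$PfxPath does not contain a private key" }
Install-CertToLocalMachineStore -Cert $private -StoreName "My"

# 3. Take the thumbprint from the object, not from the dialog's clipboard text, and
#    normalise it: hex digits only, so no invisible character can sneak into the config.
$thumb = ($private.Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
if ($thumb.Length -ne 40) { throw "Unexpected SHA-1 thumbprint '$thumb'" }

# 4. Write it into the <serviceCertificate> element of the named behavior.
[xml]$cfg = Get-Content -Path $ConfigPath
$xpath = "//serviceBehaviors/behavior[@name='$BehaviorName']/serviceCredentials/serviceCertificate"
$node = $cfg.SelectSingleNode($xpath)
if ($null -eq $node) { throw "No serviceCertificate element for behavior '$BehaviorName' in $ConfigPath" }
$node.SetAttribute("storeLocation", "LocalMachine")
$node.SetAttribute("storeName", "My")
$node.SetAttribute("x509FindType", "FindByThumbprint")
$node.SetAttribute("findValue", $thumb)
$cfg.Save((Resolve-Path $ConfigPath).Path)

# 5. Verify with the lookup WCF will perform: exactly one match, with a private key.
$store = New-Object "$x509.X509Store"("My", "LocalMachine")
$store.Open("ReadOnly")
try {
    $found = $store.Certificates.Find("FindByThumbprint", $thumb, $false)
} finally {
    $store.Close()
}
if ($found.Count -ne 1 -or -not $found[0].HasPrivateKey) {
    throw "Certificate $thumb is not usable from LocalMachine\My; ServiceHost.Open would fail"
}
"Installed '$($private.Subject)' ($thumb) and updated $ConfigPath"
```

The verification in step 5 is the part worth keeping even if you install the certificates by hand: it fails at configuration time with a clear message instead of at service start, and it catches the two mistakes the snap-in makes easy, importing into the Current User store or importing the .cer (no private key) into the Personal store.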