Azure Cookbook

Tasks to make Azure development easier
This document details common tasks that many Azure applications require but whose implementation is not obvious. This is a work in progress, and additional tasks will be added based on community feedback!

6/15/2010 MSIT/BGE/PSE v1.0

Author: Garry McGlennon Status: Draft

Table of Contents
Azure Service & Claims Authentication Development Guide
    Convert WCF service to work in Azure
        Steps
    Convert azure WCF service to use SSL
        Steps
    Provisioning for claims based authentication (ADFSv2)
        Steps
    Add claims based authentication
        Steps
    Claims enable a Silverlight application
        Steps
    Azure + Silverlight + Intranet Hybrid applications
        Steps
    Troubleshooting Issues
        The HTTP request was forbidden with client authentication scheme 'Anonymous'
        Could not establish trust relationship for the SSL/TLS secure channel with authority
        IIdentity.Name is null
    Things to consider
        Choosing a service account name
        Service name is case sensitive
Samples
    Running the samples
        Trouble Shooting Samples

Azure Service & Claims Authentication Development Guide

This guide is a combination of what can be found in the WIF (Windows Identity Foundation) Labs and other guides. The purpose of the guide is to be more of a reference once you're familiar with the concepts in those guides, or as a quick reference to perform particular tasks. The guide is organized into a number of common tasks that you may want to perform. Each task has a set of detailed steps to ensure easy completion. This guide makes use of a lot of content that was published in the following areas:

- Identity Training Kit: http://bit.ly/9FT0sC
- Guide to Claims Auth Book: http://msdn.microsoft.com/en-us/library/ff423674.aspx
- WIF Site: http://msdn.microsoft.com/en-us/security/aa570351.aspx

Convert WCF service to work in Azure

WCF services need to have some changes made to them in order to make them work in Azure. You'll also need to ensure you've applied the patch that allows the generation of WSDL to be correct in a load balanced (i.e. Azure) environment: http://support.microsoft.com/kb/971842/ In addition to the patch, you'll need to ensure you've installed the required software for Azure development.

Steps

Here are the steps required to upgrade any WCF service to correctly work with Azure:

1. Create your service, if not already done so, in the Azure Webrole that you want to host the service in.

2. Add the following behavior to the Web.Config, which in combination with the installed patch will fix the issue of WCF returning the internal Uris when exposing the WSDL. The port numbers in the xml below should be changed to match those of your service's endpoints. Therefore when running on the Dev Fabric, you will want to use 81 and 444 unless you've specified specific ports in your configuration.

    <behaviors>
      <serviceBehaviors>
        <behavior name="httpAzureBehavior">
          <serviceMetadata httpGetEnabled="true" />
          <serviceDebug includeExceptionDetailInFaults="false" />
          <!-- Build WSDL addresses from the request headers instead of the internal Uri -->
          <useRequestHeadersForMetadataAddress>
            <defaultPorts>
              <add scheme="http" port="80" />
              <add scheme="https" port="443" />
            </defaultPorts>
          </useRequestHeadersForMetadataAddress>
        </behavior>
      </serviceBehaviors>
    </behaviors>

3. Add the new behavior to your service as shown below in this service example:

    <service behaviorConfiguration="httpAzureBehavior" name="SampleService.GetClaims">
    </service>

4. Ensure you have the following element in your Web.Config:

    <system.serviceModel>
      <serviceHostingEnvironment aspNetCompatibilityEnabled="true" />
      <!-- other system.serviceModel elements -->
    </system.serviceModel>

5. Next you need to ensure your service class has the following attributes applied:

    [ServiceBehavior(AddressFilterMode = AddressFilterMode.Any)]
    [AspNetCompatibilityRequirements(RequirementsMode = AspNetCompatibilityRequirementsMode.Allowed)]

6. Deploy to Azure! After completing these steps your service should be ready to be deployed to the Azure cloud.

Note: If you plan on using a Silverlight client with this service you must include either the crossdomain.xml file or the clientaccesspolicy.xml file in the root of the Webrole. Sample copies of these files have been included with this package.

Convert azure WCF service to use SSL

This task assumes the steps in Convert WCF service to work in Azure have been completed. This task extends that task by adding support for SSL or https. This task will require a certificate, which can be one that is self-issued, as shown below, or one that's been issued by a trusted authority. The steps here show how to create a self-issued certificate, however for production use one that's issued by a trusted authority should be used.

Steps

1. Create a certificate if you don't have one already. To do so run the following script that is included with this package. To ensure you have the correct paths set up you should use the Visual Studio Command Prompt in Administrator mode.

    CreateCert.cmd <serviceaccountname> <password>

Example:

    CreateCert.cmd dev-msitactivity p@ssword!

When supplying the service account name use the one you've created in Azure, in all lower case. The script will add the cloudapp.net suffix for you and create a Certs folder with your new certs. The password is the one used to secure your certificate, and will be asked for again in two dialogs as the script runs, so be sure to use the same one each time. When using this cert locally, such as in the Dev Fabric, you'll encounter warnings that the cert is not valid, however you can ignore those. When deployed to the Azure production slot, the cert name you specified will match and therefore won't show these warnings.

2. Once you've created your cert, install the cert into your personal certificates location on your machine. The easiest way is to run the Local Machine Certificates.msc command included with this package. Then right click on Personal->Certificates and select All Tasks->Import. Select the .pfx file from the Certs directory (note the .cer file will be selected by default), and then keep clicking next until finished. Use the password you used to create the certificate when prompted.

Note: If you right click on the pfx file to import it, the file will be added to the Current User store which will not be visible when attempting to add it to your Azure project. If this is the case, you need to manually move the cert to the Local Machine/Personal/Certificates folder as indicated in the diagram.

3. Next upload the pfx certificate into the service account for the application in the Azure portal. This has to be done manually prior to deploying any secure services. Note that you want to add the certificate to the service account and not the API certificates section.

4. Add the cert to the Webrole that contains your WCF service, using the same name as the domain it was registered with. This can be done via the properties of the Azure solution.

5. Add the new cert to the Https end point for the WebRole.

6. Ensure the role is running in full trust, which it will be by default. However, it's best to check in case it's been changed.

7. Add a new behavior to your Web.Config which is essentially the same as the one used for http but is configured for https support. See Convert WCF service to work in Azure for more details on this step.

    <behaviors>
      <serviceBehaviors>
        <behavior name="httpsAzureBehavior">
          <serviceMetadata httpsGetEnabled="true" />
          <serviceDebug includeExceptionDetailInFaults="false" />
          <useRequestHeadersForMetadataAddress>
            <defaultPorts>
              <add scheme="http" port="80" />
              <add scheme="https" port="443" />
            </defaultPorts>
          </useRequestHeadersForMetadataAddress>
        </behavior>
      </serviceBehaviors>
    </behaviors>

8. Add the new behavior to your service as shown below in this service example:

    <service behaviorConfiguration="httpsAzureBehavior" name="SampleService.GetClaims">
    </service>

9. To support https a new binding is required, so you need to add the following custom binding definition to your Web.Config file. If you already have a custom binding section, just add the new binding.

    <system.serviceModel>
      <bindings>
        <customBinding>
          <binding name="httpsBinding">
            <binaryMessageEncoding />
            <httpsTransport allowCookies="true" />
          </binding>
        </customBinding>
      </bindings>
      <!-- other system.serviceModel elements -->
    </system.serviceModel>

10. Update the bindings on your service to make use of this new binding:

    <service>
      <endpoint address="" binding="customBinding" bindingConfiguration="httpsBinding" contract="SampleService.IGetClaims" />
    </service>

11. Deploy to Azure!

Note: If you've already deployed your solution after completing Convert WCF service to work in Azure, then you may need to delete the instance and redeploy rather than doing an upgrade. This is due to adding a new https endpoint. Once deployed, an upgrade can't add new endpoints.

Provisioning for claims based authentication (ADFSv2)

The next section will describe how to add claims based authentication to your service. However, before you can do this you need to have your site provisioned within the corporate ADFSv2 instance. If you don't do this, then you'll only be able to make use of the local STSs (Security Token Service) that can be automatically created for you by Visual Studio (see the Windows Identity Framework Labs for details). The issue with this is that those STSs require user interaction and so won't work very well when dealing with services.

Steps

1. Visit https://corp.sts.microsoft.com/onboard/adfsonboard.htm

2. Define the end points you want for your applications. It's recommended that you try and provision as many as you know about up front to reduce the amount of back and forth you'll need in getting this up and running. Therefore as a recommendation you should request the following:

    Relying Party (realm identifier)     | Endpoint                          | Purpose
    https://accountname.cloudapp.net     | https://accountname.cloudapp.net/ | Production
    https://devaccountname.cloudapp.net  | https://127.0.0.1:444/            | Dev Fabric

Note: The port number for the Dev Fabric is dependent on how you've configured your https endpoint in the configuration, see Convert azure WCF service to use SSL step 5. By default your SSL port will be 443, however if you have IIS installed and have a https binding then that port will already be taken, so when the Dev Fabric starts up it will auto-increment the port number until it finds a free one. So in some environments it will be port 444, hence defining this port above. In production the port will be 443 unless you change it. You can check what ports your Dev Fabric is using by looking at the Dev Fabric UI settings.

3. Ensure that all endpoints have a trailing slash as this will cause exceptions later if they don't.

4. Ensure you've specified https as the STS requires https.

5. Determine what claims your application needs. As a minimum you might want the following; however, you can check out the full list here: https://corp.sts.microsoft.com/FederationMetadata/2007-06/FederationMetadata.xml

    Name          | Uri                                                                         | Description
    Account Name  | http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname | Returns domain/alias
    Email Address | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress         | User's email address

Note: At present when roles are returned they are returned using their SID, which isn't the nicest form, especially if you're accustomed to Windows Authentication. However, there is a project called Matrix which is looking to address this problem. You can find out more information here: http://bit.ly/b5Utyl

6. Complete the onboarding document with the above details and submit.

Add claims based authentication

Claims based authentication makes use of Federated Authentication. This topic is well covered in the WIF (Windows Identity Framework) Labs and the Step-by-Step Guide to Identity Delegation book included with the onboarding package.

[Figure 1: Redirect & Claims flow when using Windows Identity Foundation Server]

As a quick refresher, the above diagram shows the flow of claims when using ADFSv2 and WIF. The steps in the diagram are:

1. Browser makes a request for a secured resource.
2. The browser is then redirected to the STS for authentication.
3. The STS returns back a token (optionally encrypted) containing the user's claims.
4. The browser sends the STS token to the web site as its credentials.

Note: Before you can follow the steps for claims based authentication, you need to ensure you've installed WIF (Windows Identity Framework) and the WIF SDK which provides tools for Visual Studio.

Steps

1. Run the Add STS Reference command by right clicking the WebRole project and selecting the command from the context menu. The config section at the top should have the Web.Config for your project and generally can be left as is. However, the Application URI is the full https path to your web site. Here are some examples:

    Relying Party (realm identifier)     | Purpose
    https://accountname.cloudapp.net     | Production
    https://devaccountname.cloudapp.net  | Dev Fabric

It's important to note that the path must have a trailing slash and use https; neglecting this will cause failures which won't be easy to diagnose!

2. Click Next.

3. If you already have services in your WebRole, which you would if you continued from the previous task, then you will see a screen like the following:

At this point you need to cancel out of the Wizard and comment out your service definitions in your Web.Config, which will prevent the STS attaching directly to the services.

    <services>
      <!--<service behaviorConfiguration="httpsAzureBehavior" name="SampleService.GetClaims">
        <endpoint address="" binding="customBinding" bindingConfiguration="httpsBinding" contract="SampleService.IGetClaims" />
        <endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange" />
      </service>-->
    </services>

Then go back to Step 1; this time the dialog asking about services should not show up.

4. Now add the detail of the corporate ADFSv2 STS. The Uri needed is https://corp.sts.microsoft.com/FederationMetadata/2007-06/FederationMetadata.xml

Note: If you've not onboarded your application you need to follow the steps in the Provisioning for Claims based Authentication (ADFSv2) section.

Note: If you navigate to the ADFSv2 Url you'll get the meta-data for the STS which will detail all the claims available.

5. Next you need to choose if you want your tokens encrypted. This is optional, however it would be good practice to use it in production sites.

6. The next screen details the claims supported by the token service.

Note: The claim Uri for windowsaccountname differs from what is specified in the Web.Config and the screen above. The Web.Config has http://schemas.xmlsoap.org/claims/windowsaccountname. However the actual claim Uri is http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname.

7. The next screen gives a summary of the options selected.

8. If you commented out the services in step 3, they can be uncommented again.

9. Add a reference to Microsoft.IdentityModel to your project.

Note: If you're using Visual Studio 2010 you may not see this dll in the references dialog. If that's the case you can manually add the reference with this path: . This path may differ depending on where you've installed the WIF framework.

10. Due to WIF not being part of Azure yet, you need to modify the Reference Microsoft.IdentityModel which was added by the wizard to be CopyLocal=True. This will force the dll to be copied up to Azure into the local directory.

11. Create a Global.asax file for the WebRole if one is not present.

12. Add the following element to the new Service element created by the Wizard:

    <microsoft.identityModel>
      <service>
        <certificateValidation certificateValidationMode="None" />
        <!-- remaining elements generated by the wizard -->
      </service>
    </microsoft.identityModel>

13. When you are using the Dev Fabric, you need to modify the generated configuration so that the local environment is recognized. To do this you need to modify the service element that was generated to include the Dev Fabric Uri.

    <audienceUris>
      <add value="https://127.0.0.1:444/" />
      <add value="https://devaccountname.cloudapp.net/" />
    </audienceUris>
    <federatedAuthentication>
      <wsFederation passiveRedirectEnabled="true" issuer="https://corp.sts.microsoft.com/adfs/ls/" realm="https://devaccountname.cloudapp.net" requireHttps="true" />
      <cookieHandler requireSsl="true" />
    </federatedAuthentication>

14. Add the following code to the Global.asax.cs file. You only need to include the securing of tokens if you chose to use encrypted tokens when setting up the STS reference.

    using System;
    using System.Collections.Generic;
    using System.Text;
    using System.Web;
    using Microsoft.IdentityModel.Tokens;
    using Microsoft.IdentityModel.Web;
    using Microsoft.IdentityModel.Web.Configuration;

    // The members below belong inside the Global (HttpApplication) class.

    void OnServiceConfigurationCreated(object sender, ServiceConfigurationCreatedEventArgs e)
    {
        //
        // Use the <serviceCertificate> to protect the cookies that are
        // sent to the client.
        //
        var sessionTransforms = new List<CookieTransform>(new CookieTransform[]
        {
            new DeflateCookieTransform(),
            new RsaEncryptionCookieTransform(e.ServiceConfiguration.ServiceCertificate),
            new RsaSignatureCookieTransform(e.ServiceConfiguration.ServiceCertificate)
        });
        SessionSecurityTokenHandler sessionHandler =
            new SessionSecurityTokenHandler(sessionTransforms.AsReadOnly());
        e.ServiceConfiguration.SecurityTokenHandlers.AddOrReplace(sessionHandler);
    }

    /// <summary>
    /// Retrieves the address that was used in the browser for accessing
    /// the web application, and injects it as WREPLY parameter in the
    /// request to the STS
    /// </summary>
    void WSFederationAuthenticationModule_RedirectingToIdentityProvider(object sender, RedirectingToIdentityProviderEventArgs e)
    {
        //
        // In the Windows Azure environment, build a wreply parameter for the SignIn request
        // that reflects the real address of the application.
        //
        HttpRequest request = HttpContext.Current.Request;
        Uri requestUrl = request.Url;
        StringBuilder wreply = new StringBuilder();

        wreply.Append(requestUrl.Scheme);   // e.g. "http" or "https"
        wreply.Append("://");
        wreply.Append(request.Headers["Host"] ?? requestUrl.Authority);
        wreply.Append(request.ApplicationPath);

        if (!request.ApplicationPath.EndsWith("/"))
            wreply.Append("/");

        e.SignInRequestMessage.Reply = wreply.ToString();
    }

    protected void Application_Start(object sender, EventArgs e)
    {
        //This is only required if tokens are being encrypted
        //FederatedAuthentication.ServiceConfigurationCreated += OnServiceConfigurationCreated;
        FederatedAuthentication.WSFederationAuthenticationModule.RedirectingToIdentityProvider += WSFederationAuthenticationModule_RedirectingToIdentityProvider;
    }

Note: The default encryption strategy followed by WIF for session tokens is to use DPAPI, which would create problems when the client interacts with multiple instances: a session token encrypted by a given instance would not be readable by any other. As an alternative you will use the service certificate for securing the session. The mechanism that WIF provides for customizing the way in which session tokens are processed consists in providing a custom SessionSecurityTokenHandler class. This is only relevant when encrypting your tokens.

15. The application should now be claims enabled with the internal ADFSv2 server.

Claims enable a Silverlight application

There are two ways to authenticate using claims, either using passive, meaning the browser handles the negotiation of tokens, or active, where your code or application handles it. The passive approach is the simplest and this task will demonstrate how to make use of the passive approach, which should cover most scenarios. However, one thing to keep in mind is that passive, due to it using the browser, will not work in an out of browser scenario. For that scenario you must make use of the active method, which is currently not covered in this document.

Note: The passive authentication method discussed in this task will not work in an out-of-browser (OOB) scenario. To work in OOB you need to use the active method.

[Figure 2: Passive Authentication in Silverlight]

The process of authenticating using Silverlight is different in that Silverlight doesn't have native support for claims based authentication. The above diagram shows the flow of claims for a Silverlight based application and the use of the custom service AuthenticationService.svc, provided by the WIF team to provide credentials to the Silverlight Application. The steps in the diagram are:

1. Browser makes a request for a secured resource.
2. The browser is then redirected to the STS for authentication.
3. The STS returns back a token (optionally encrypted) containing the user's claims.
4. The browser sends the STS token to the web site as its credentials, which goes via the new handler in the SL.IdentityModel.Server.dll (supplied by the WIF team).
5. The credentials are then handed to the requested resource.
6. Silverlight Application requests a claims token from the AuthenticationService.svc which it can then use to populate the ClaimsIdentity.
7. The token is then attached to the service call to GymService.svc which can then check the claims of the caller.

Steps

1. Create or add a Silverlight application to the Azure solution.

2. Add a reference to the SL.IdentityModel dll to the Silverlight application, which is part of this guide's package.

3. Add a reference to the SL.IdentityModel.Server.dll to the WebRole of your WCF service.

Note: This is a modified version of the one that comes with the WIF SDK. The version that comes with the SDK will not work in Azure as is. It's missing the following attribute on the Authentication service class:

    [ServiceBehavior(AddressFilterMode = AddressFilterMode.Any)]

4. Add a Silverlight compatible WCF service to the Webrole called AuthenticationService.svc

5. Delete the code behind file AuthenticationService.svc.cs

6. Change the content of the AuthenticationService.svc to the following:

    <%@ ServiceHost Language="C#" Debug="true" Factory="SL.IdentityModel.Server.AuthenticationServiceServiceHostFactory" Service="SL.IdentityModel.Server.Services, SL.IdentityModel.Server" %>

7. Add the following XML to the Web.Config under the configuration section to allow anyone to access the service:

    <location path="AuthenticationService.svc">
      <system.web>
        <authorization>
          <allow users="*" />
        </authorization>
      </system.web>
    </location>

8. Add the following namespace, which references the Silverlight version of the Identity model provided by the WIF team, to the App.xaml in the Silverlight Application:

    xmlns:id="clr-namespace:SL.IdentityModel.Services;assembly=SL.IdentityModel"

9. Now add the following Xaml to the App.xaml file, which will instantiate the claims identity manager that is used to handle claims authentication in Silverlight.

    <Application.ApplicationLifetimeObjects>
      <!-- Passive Authentication -->
      <id:ClaimsIdentitySessionManager>
        <id:ClaimsIdentitySessionManager.IdentityProvider>
          <id:WSFederationSecurityTokenService/>
        </id:ClaimsIdentitySessionManager.IdentityProvider>
      </id:ClaimsIdentitySessionManager>
    </Application.ApplicationLifetimeObjects>

10. In the constructor of the Main.xaml (or the main Xaml page you're using) add the following event handler which will trigger the authentication. The authentication is actually performed by calling the authentication service which was added in a previous step, and asking it for the token.

    using System;
    using System.Linq;
    using SL.IdentityModel.Claims;
    using SL.IdentityModel.Services;

    public MainPage()
    {
        InitializeComponent();
        ClaimsIdentitySessionManager.Current.GetClaimsIdentityComplete +=
            new EventHandler<ClaimsIdentityEventArgs>(this.Current_GetClaimsIdentityComplete);
    }

    //Passive Authentication Callback
    private void Current_GetClaimsIdentityComplete(object sender, ClaimsIdentityEventArgs e)
    {
        var userAccountClaim = "http://schemas.xmlsoap.org/claims/windowsaccountname";
        var identity = ClaimsIdentitySessionManager.Current.User.Identity as ClaimsIdentity;

        // The cast yields null when the current identity is not a ClaimsIdentity
        if (identity != null && identity.IsAuthenticated)
        {
            Claim userAccount = identity.Claims
                .Where<Claim>(c => c.ClaimType == userAccountClaim)
                .SingleOrDefault();
            // Code to make use of claim
        }
    }

Azure + Silverlight + Intranet Hybrid applications

There may be times when you want to host your Silverlight application out on Azure as well as some services. This has been covered already in the previous tasks. However, you may want to also call internal (CorpNet) services too. You typically have two options here:

1. Service Bus: Expose your internal services to the outside world via the service bus.
2. Directly call internal endpoint: Keep endpoints internal and access them directly.

The first option is great if you need your application to be used outside of CorpNet. However, given the restrictions on MBI and HBI data, for internal applications, the easiest route would be option 2. The issue is option 2 doesn't work out of the box! The issue lies in the Azure application belonging to the Internet zone and your internal services belonging to the Intranet zone. It seems Silverlight denies cross zone communication by default!

Note: For more details on this see the following Url: http://msdn.microsoft.com/en-us/library/cc189008(VS.95).aspx

Steps

1. Add either your site or the Azure root domain to the local intranet zone. This can be done in IE by selecting Alt (brings up the menu) then: Tools | Internet Options | Security (tab) | Local Intranet (item) | Sites | Advanced.

This should bring you to the same area you have in diagram 3.

[Figure 3: Local Intranet Zone]

2. Then enter either the domain of your site or the root of the Azure cloud, http://*.cloudapp.net

3. You should now be able to access your internal services via your Silverlight Application. It should be noted that you can continue to use Windows Authentication as you previously did if you were using it. You can combine claims with the cloud with Windows Authentication for the intranet.

Troubleshooting Issues

This section attempts to help solve some of the more common issues that arise during development of Azure solutions.

The HTTP request was forbidden with client authentication scheme 'Anonymous'

This error is typically caused by the client certificate not being installed correctly. It's important to note that when you create a self-signed certificate it will have a non-exportable private key. This means that the certificate will work fine on the machine in which it was created, however if the same certificate is used on another machine you will get this error. Where you want to share a certificate you must create one with an exportable private key (-pe option in makecert). To make this easier however, you can use the CreateCert.cmd which will generate the .pfx and .cert files you need. See the task Convert azure WCF service to use SSL step 1 for details on how to run this command.

Note: If you right click on the pfx file to import it, the file will be added to the Current User store which may not be visible to the tool you're using. If this is the case, you need to move the cert to the Local Machine/Personal/Certificates folder manually as indicated in the diagram.

Could not establish trust relationship for the SSL/TLS secure channel with authority

This error is due to the certificate not matching the domain you're using or due to the cert not being trusted. As a work around during development you can intercept the validation of the certificate and provide your own logic. The routine below will allow un-trusted and domain mismatches to be valid. It should be noted that this code really should only be used in development and not put into production.

    using System.Net;
    using System.Net.Security;

    static void ConfigureDevelopmentSLLHandler()
    {
        // This code is not for production and is only here to avoid issues with self-signed certificates
        ServicePointManager.ServerCertificateValidationCallback = new RemoteCertificateValidationCallback(
            delegate(object sender,
                     System.Security.Cryptography.X509Certificates.X509Certificate certificate,
                     System.Security.Cryptography.X509Certificates.X509Chain chain,
                     SslPolicyErrors sslPolicyErrors)
            {
                // Accept if there are no errors or if the only error is RemoteCertificateChainErrors which is
                // indicating that the cert is not from a trusted source - as it's a self-signed cert.
                if (sslPolicyErrors == SslPolicyErrors.None | sslPolicyErrors == SslPolicyErrors.RemoteCertificateChainErrors)
                    return true;
                else
                    return false;
            });
    }

IIdentity.Name is null

If you are not getting a value populated for the IIdentity.Name, this is probably due to the claims you're requesting. The good news is that you can actually get WIF to use any claim for this value, you just need to configure it. The following is what needs to be added to your configuration which specifies the claim to be used. In this case it's http://schemas.xmlsoap.org/claims/windowsaccountname.

    <service>
      <securityTokenHandlers>
        <remove type="Microsoft.IdentityModel.Tokens.Saml11.Saml11SecurityTokenHandler, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"/>
        <add type="Microsoft.IdentityModel.Tokens.Saml11.Saml11SecurityTokenHandler, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
          <samlSecurityTokenRequirement>
            <nameClaimType value="http://schemas.xmlsoap.org/claims/windowsaccountname" />
          </samlSecurityTokenRequirement>
        </add>
      </securityTokenHandlers>
      <!-- remaining elements of the service section -->
    </service>

Things to consider

This section is about things that you need to consider when doing Azure development or deployments. It's a section that will grow over time as new best practices are developed.

Choosing a service account name

When choosing a service account name keep in mind that you'll probably want to use the same name for your storage account too. The gotcha is that the storage account Uri only accepts numbers and letters, however the service account Uri will accept any valid Uri. The difference stems from a requirement for REST services that the storage account adheres to. Where this might be an issue is if you decide to use a service account name like the following:

    Name                        | Account Type    | IsValid
    dev-myaccount.cloudapp.net  | Service Account | Valid
    dev-myaccount.cloudapp.net  | Storage Account | Invalid

This can become an issue if you later try to use the management APIs to auto-deploy your solution. The management APIs will automatically upload your package file to your associated storage account (it assumes that you've used the same name as the service account), however, as you can't create a storage account with the hyphen it will fail. You would then have to ensure that a separate step uploaded the package file to your storage account and explicitly specify the location when making the call.

Service name is case sensitive

We've all become accustomed to Uris being case insensitive when using them for web addresses or even service endpoints. However, REST based endpoints based on WCF are case sensitive; for this reason it's recommended that you always choose lowercase names for resource endpoints.
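The naming and endpoint rules in this guide (letters and numbers only for a name shared with the storage account, lowercase names, https endpoints with a trailing slash) can be checked before onboarding or deploying. The C# console program below is an added example, not part of the cookbook package; the CookbookChecks class, its method names, the issuer placeholder and the sample configuration are constructed for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Xml.Linq;

// Added example: CookbookChecks and its methods are hypothetical helpers,
// not part of the cookbook package or of WIF.
static class CookbookChecks
{
    static bool IsAsciiLetterOrDigit(char c)
    {
        return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') || (c >= '0' && c <= '9');
    }

    // "Choosing a service account name": a name shared with the storage
    // account may contain only letters and numbers; lowercase is recommended.
    public static List<string> CheckAccountName(string name)
    {
        var problems = new List<string>();
        if (string.IsNullOrEmpty(name))
        {
            problems.Add("account name is empty");
            return problems;
        }
        if (!name.All(IsAsciiLetterOrDigit))
            problems.Add("'" + name + "' has characters other than letters and numbers; it cannot be reused as the storage account name");
        if (name != name.ToLowerInvariant())
            problems.Add("'" + name + "' is not all lower case");
        return problems;
    }

    // Provisioning and Add STS Reference steps: endpoints must use https and
    // end with a trailing slash. Realm identifiers are only checked for https.
    public static List<string> CheckUri(string label, string value, bool needsTrailingSlash)
    {
        var problems = new List<string>();
        Uri uri;
        if (!Uri.TryCreate(value, UriKind.Absolute, out uri))
        {
            problems.Add(label + " '" + value + "' is not an absolute Uri");
            return problems;
        }
        if (uri.Scheme != Uri.UriSchemeHttps)
            problems.Add(label + " '" + value + "' does not use https");
        if (needsTrailingSlash && !value.EndsWith("/", StringComparison.Ordinal))
            problems.Add(label + " '" + value + "' has no trailing slash");
        if (value != value.ToLowerInvariant())
            problems.Add(label + " '" + value + "' is not all lower case");
        return problems;
    }

    static bool IsTrue(XAttribute attribute)
    {
        return attribute != null &&
               string.Equals(attribute.Value, "true", StringComparison.OrdinalIgnoreCase);
    }

    // Walks a <microsoft.identityModel> section like the one shown in this guide.
    public static List<string> CheckIdentityModel(XElement section)
    {
        var problems = new List<string>();
        foreach (var add in section.Descendants("audienceUris").Elements("add"))
            problems.AddRange(CheckUri("audienceUri", (string)add.Attribute("value") ?? "", true));
        foreach (var ws in section.Descendants("wsFederation"))
        {
            problems.AddRange(CheckUri("realm", (string)ws.Attribute("realm") ?? "", false));
            if (!IsTrue(ws.Attribute("requireHttps")))
                problems.Add("wsFederation requireHttps is not \"true\"");
        }
        foreach (var cookie in section.Descendants("cookieHandler"))
            if (!IsTrue(cookie.Attribute("requireSsl")))
                problems.Add("cookieHandler requireSsl is not \"true\"");
        return problems;
    }

    static void Main()
    {
        // Constructed sample with deliberate mistakes; the issuer is a placeholder.
        const string sample = @"<microsoft.identityModel><service>
  <audienceUris>
    <add value=""https://127.0.0.1:444/"" />
    <add value=""http://DevMyAccount.cloudapp.net"" />
  </audienceUris>
  <federatedAuthentication>
    <wsFederation passiveRedirectEnabled=""true""
                  issuer=""https://sts.example.test/adfs/ls/""
                  realm=""https://devmyaccount.cloudapp.net"" requireHttps=""true"" />
    <cookieHandler requireSsl=""false"" />
  </federatedAuthentication>
</service></microsoft.identityModel>";

        var problems = CheckAccountName("dev-myaccount");
        problems.AddRange(CheckIdentityModel(XElement.Parse(sample)));
        foreach (var problem in problems)
            Console.WriteLine("WARN: " + problem);
    }
}
```

In a real project, load the microsoft.identityModel section from the WebRole's Web.Config with XDocument.Load instead of the inline string.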

Samples

Included with this package are a number of samples written in Visual Studio 2010 which show a start and end state. The end state is what was added by following the steps for a given task. The samples are not meant to be a guided learning experience, but rather a very simple demonstration of the implementation of the steps within a task. They can also be used to help troubleshoot issues during implementation in your own solutions.

Note: the samples need the code to be cleaned up, but should still be functional. Also work is still needed in this section to explain samples better. Feedback is appreciated!

- Convert WCF service to work in Azure: This sample provides a simple console Application which can be used to test against [L]ocalhost, [A]pp Fabric and the [C]loud
- Convert Azure WCF service to use SSL
- Add claims based authentication
- Claims enable a Silverlight application

For the samples that make use of IIS and SSL you will need to create a https binding on port 443 to a certificate with a name of localhost.

Running the samples

Before starting a new sample project you will probably need to delete the reference to the virtual directory in IIS. This is because each sample uses the same Web Site name to keep things simple. As such when you open a sample up it will prompt you if you want to create the virtual directory in IIS.

Trouble Shooting Samples

There may be times when the samples don't run as you'd expect, so here are a few things to check when things don't work correctly.

- Failed to create/load CookBookSample project. Ensure that you don't already have a CookBookSample virtual directory set up in your IIS. If you do, delete it and then try reloading the project.
- App Fabric sample isn't working.
    - Is the local host website pointing to the sample you're running?
    - Is the port number of the App Fabric the same as what's referenced in the code? Sometimes when you run multiple projects you'll get incrementing port numbers. If this happens the easiest thing to do is shut down the App Fabric using the blue icon in the task tray.
  Try shutting down the App Fabric; this can solve many issues with a solution that should work that doesn't.
- Cloud samples don't work. You need to ensure you've updated the sample code to work with your hosted service account. This also means that for the claims based authentication tasks that you've had it set up in ADFSv2 appropriately.