Develop Reference

Asp.Net VNext Windows service

I want to try moving to VNext from Asp.Net MVC 3, I used windows service project (http://www.interworks.com/blogs/banderton/2009/10/30/long-running-tasks-aspnet) but this doesn't seem to work on VNext, because it doesn't have proper System.ServiceModel reference and I cant add dll.
Is there a way around? Would you recommend other ways to run long tasks such as big file import/calculations with VNext?

Generally, no - not because of any feature-set in ASP.NET vNext (it's been possible since .NET 1.0) but because of permissions: a process needs to run under a high-privilege security context or be able to impersonate such a user account in order to control Windows Services.
w3wp.exe (the application pool hosting process, and by extension, the application pool and the applications within it) all typically run under a least-privilege user-account (often NT AUTHORITY\NETWORK SERVICE or a custom user account with enough permissions to write to the website's root directory, a database server, and not much else (in recent versions of Windows this is further reduced to the concept of a "service account" which your worker-process and pools run under).
The easiest solution is to create a user-account with the necessary privileges to control services and run your application pool process under this user-account, but I don't recommend this.
Consider, instead, creating a new Windows Service that then controls the other service (or if it's your own service, do it in-proc) that uses some form of IPC to communicate with your ASP.NET application to shut itself down and perform other tasks. You might want to look at named-pipes, for example.

If you need to run ASP.NET in a Windows service, you can do it now using ASP.NET 5. I wrote a detailed post on how to do this here: http://taskmatics.com/blog/host-asp-net-in-a-windows-service/

In ASP.NET, under which credentials does the code run?

1) I want to know suppose we are using an ASP.NET web application in debug mode in VS, then, the code runs under which user account?
2) I also want to know, suppose we publish this to the IIS and then, set it up to use WBA/FBA, then, the username/password of logged in user is used to authenticate user to the ASP.NET site, however, the code (SQL query, etc) runs under credentials of apppool account. Further, which credential is used to access resources on server like files? What is your view on this point?

1) I want to know suppose we are using an ASP.NET web application in
debug mode in VS, then, the code runs under which user account?
This is depending on the hosting. VS provides 4 ways to host & debug a web application : VS Dev Server (VS 2012), IIS Express, Local IIS and Custom Host (VS 2013). Devs servers generally runs under your -Administrator- account, and may not be suitable to test security. Working directly with IIS as your development web server lets you work in an environment closer to that of an IIS production web server.
This is configured in the Web Tab in your web project properties.
2) I also want to know, suppose we publish this to the IIS and then,
set it up to use WBA/FBA, then, the username/password of logged in
user is used to authenticate user to the ASP.NET site, however, the
code runs under credentials of apppool account. What is your view on
this point?
Not very clear, but I think your undestanding of IIS security may not be correct. There is only one application pool per web site which runs under a specific account (by default apppool account, but it could be Network Service or Local System). When a user logs in, absolutely nothing is changed in this process. The user is just connected using an authentication provider : Windows Authentatication or Forms Authentication are 2 common providers. User identity is kept in http context, which allow you to use authorization rules later. So every code block always run under the same account (unless you enable delegation but that's another story).
I higly suggest you to read this complete introduction on asp.net security.

Asp.Net MVC 4, LocalDB and separated service layer project

I'm built a forms authentication (actually I'm using the new single page application) website using Asp.net MVC 4.0 with LocalDB. I want to create a separated class lib project for service layer which accesses database. And I need to integrate the default Account/authentication tables with my own tables.
Question:
Should I put the Sql server LocalDB files under the service project folder?
If the answer is not for (1), how can the service project access the LocalDB files under the MVC project?
Do I need to modify the system generated code for Account login if I put the LocalDB file under service project. How about let the authentication code access the database via the service layer instead of the default DBContext?

This pattern is very common and the main control and point of understanding is IIS and security there.
It really is worth taking a look at MSDN IIS site to feel confident about this topic.
http://msdn.microsoft.com/en-us/library/aa292471%28v=vs.71%29.aspx
1) It doesnt matter where SQL server DB is located. Where the SQL server instance is , does play a role. If it is in the same domain/AD , then using Windows integrated security to log in to the DB works well.
2) If the userid that connects to SQL is a valid user on the DB instance and has the necessary permissions for the underlying DB, then you can access the data.
3) What is this code ?
There are a number of questions that need to be answered/considered.
a) are you using FORMS logon or Windows Integrated logon in IIS.
b) Do you want to use a service user to access the DB, or have each user allocated the in the Db.
c) What is is your security model for your application.
See also http://leastprivilege.com/category/net-security/ Dominick Baier security blog.
As a sample solution, (not the only one).
you can set the website in IIS to use FORMS authentication
Set the application pool used by the website in in IIS to use a specific Service user. You type the userid and password into IIS app pool. You must first create this user on the domain. Allocate it as little rights as possible.
Add this service user to SQL server and give it sufficient permissions in the DB that should be accessed. (2 steps) So the service user can access the DB but do little else.
So this leaves you with System.Environment.UserName as the System user you set in your app pool behind the website.
Your application security is then managed as you see fit.
Claims principal once you get to .net 4.5 is a "new way".
But you keep as simple as required here.
Thread.CurrentPrincipal.Identity.Name would contain the name of your forms based user.
good luck...

Deploy the default MVC 4 template to windows Azure

I am very new to Windows Azure and am tinkering with it to learn how it works. To keep things as simple as possible, I am trying to deploy the default MVC 4 template that is generated by VS 2012 Express for web. I created a new project - an Azure cloud service. I selected an MVC 4 web role. And that creates a nice little asp.net application with home, about and contact pages, and links to register and login. I just want to deploy this site to Azure and see it work on the cloud.
However the membership does not appear to work on azure. The pages of the application appear correct. However when I click the 'Register' link it does not take me to a page to nter a new username and password. I do not believe the membership tables are being generated anywhere either.
Considering how simple this is, I think I must be making a silly mistake somewhere. I would really appreciate if someone could help me with this.
Also, for the record, I have noticed that if I create a stand alone MVC 4 project in VS2012 Express (as opposed to a Windows Azure Cloud service project with an mvc 4 web role) then when I right click that MVC4 project and choose to publish it, it allows me to specify a sql database using a connection string. What is more is once it is published to Azure, the membership works perfectly. I can create useraccounts and log in. If I examine my SQL Azure database using the azure portal, I can see the new membership tables created there.
But when I try to publish a Windows Azure Cloud service with MVC4 webrole, I do not see any option to provide a connection string of any sort to the azure project. Maybe that is why the membership is not working... since there is no database linked with the web role... but I cannot figure out how to specify this. I was under the impression that publishing a stand alone MVC4 project to Azure, and publishing an Azure Cloud Service with an MVC4 Web Role is the exact same thing, please correct me if I am wrong. And either way, I should be able to see the membership functionality of my mvc 4 web role.
Here are the steps to recreate what I have. Basically it is all default stuff:
Create a new project in VS2012 Express
File -> New Project -> 'Windows Azure Cloud Service'.
On the next screen add an ASP.NET MVC 4 Web Role to it.
On the subsequent screen choose 'Internet Application'.
These 3 steps create a new project. It runs locally just fine.
Now I try to put it on the cloud.
Right click on the windows azure project in solution explorer and choose 'Publish'.
Choose the subscription (I already have certificate/credentials in place to publish to azure from VS so I select that)
Create a cloud service on the next screen (I name it 'garyazurecloudservice').
Accept all the default settings in the Publish wizard and click Publish.
The publishing process takes a few minutes.
The web application can be viewed at http://garyazurecloudservice.cloudapp.net/.
The Home, About and Contact pages all display correctly. However it I click the 'Register' link at the top right I see a webpage with the correct layout template, but an error in red that says:
"Error. An error occurred while processing your request."
I have tried to create an SQL database on Azure but I don't see any way to connect this role to it. Possibly that is the problem? Or maybe it is something else altogether. I would appreciate if anyone can tell me what is wrong.
I have spent the entire day googling and going in circles with no success. Thank you for any help you can provide.
Gary

You're right in that the Membership section of your website would not be able to create the SQL tables in the background when running on Azure, due only the problem of where those tables would reside.
Remember, that Azure hosting space is different from traditional hosting, in that your site would exist on a virtual machine, with files being replicated to another virtual machine if the first were to experience problems. Also, what would happen if you were to invoke a second 'server' to host your website, to cater for a load, perhaps? Where would the tables live then, and how would the second virtual machine know how to access the first?
The answer would be to create a SQL Azure database, upload your tables there, and then you'd have a permanent place for 1, 2 or 1000 'servers' that are running your website to access a central database repository of your data.
I know in your example, it should just 'work' and I agree to some extent, but your application running on your local machine or with your existing (traditional) web host is quite different to the Azure model of working.
In terms of your question regarding how the SQL Azure set-up works, presumably you've created this through the Portal, via the www.windowsazure.com website? If so, then you should be able to see and manage your SQL Azure database from there, including gaining access to the Connection Strings section, whereby you would copy and paste these into your web.config file for your MVC4 application. From there, you can utilise this database pretty much as though you would any other.
I hope this all helps - Azure is a beautiful beast once tamed.

Windows User Account that executes only IIS7 Provisions

I have a web application that executes IIS 7 provisions (using Microsoft.Web.Administration.dll) to create our web and ftp sites. When I run this using the administrator account, it works ok.
I want to create a Windows user account for impersonation that will only execute these web provisioning procedures without being identical to a server's administrator roles.
How can I achieve this?

You should split your application into three parts:
Windows Service
This would host a WCF or Remoting application. You want to put the code that requires privileged access to your system in here. For example creating and deleting websites. Run this service under an account that has enough rights to perform operations using Microsoft.Web.Administration.
Trusted Wrapper or Proxy Assembly
This is just a signed wrapper assembly that is installed in the GAC. Its role is to pass on calls from your low trust web application to perform privileged actions in the code running in the service above. Mark the assembly with the AllowPartiallyTrustedCallers attribute (if your server is configured for partial trust) and mark any classes that require access to the remoting service with [PermissionSet(SecurityAction.Assert, Unrestricted=true)].
Front End Application(or Web Service)
This is the interface to your application (whether it be a web application with a GUI or a web service). Run this in its own application pool with just enough rights to execute, for example IUSR or a similar account. Ideally you should also run this under partial trust.
Your web application/service references the Trusted Wrapper assembly in the GAC which in turn has a reference to the remoting or WCF application running in the windows service.
Using this layered approach means that you are locking down by gating access to specific privileged operations which only run in your windows service.
This approach is covered quite well in Appendix C of Dominick Baier's 'Developing More-Secure Microsoft ASP.NET 2.0 Applications'. I thoroughly recommend getting a copy.