I'm researching on how integrate 2-way SSL in two IIS servers
ASP.Net web site is hosted in one server.
ASMX web services is hosted in another server.
They both run under Dot Net 3.5 in Windows Server 2003.
I am aware IIS needs to take the follow steps as part of 2-way SSL.
Install certificates through Certificates MMC.
Configure both web applications to require secured channel SSL.
But I cannot tell what steps need to take in my ASP.Net and ASMX application.
Does IIS handle 2-way SSL internally? (Provided the server is configured correctly)
Do I need custom coding to handle 2-way SSL in my application?
I found plenty of articles reference to WCF setup, which breaks down into two steps
Setup WCF configuration to use certificate explicitly.
Setup that certificates to IIS server.
However, I’m not finding anything relevant within ASMX context or within ASP.Net context.
Thanks in advance.
Related
If I understand correctly part of the motivation of ASP.NET vNext is to reduce overhead. An MVC6 application can be self hosting. My question is what is the best practice way of hosting a ASP.NET vNext application. Is there something similar to the WCF activation services that monitor the health of the service or is there some way of doing this from within the application?
The "best" way to host ASP.NET MVC 6 is to choose the way that best matches your app's needs, of course! But that perhaps isn't so helpful as far as advice goes.
First, you need to consider the requirements of the application, such as:
Does it need to run cross-platform?
Does it need health management?
Does it need to use existing IIS modules?
Does it need to run in the context of another application?
Does it need to use Windows Authentication?
And no doubt many more requirements...
Here's a brief summary of the various hosting options and their pros/cons:
IIS is perhaps the most well-known host. It has been hardened for well over a decade. Many popular modules are available for it, including providing various security features. IIS has built-in support for Windows Authentication, logging, app warmup, health management, remote administration, and lots of other features.
IIS Express shares the same codebase as IIS, but can be run without admin privileges.
Kestrel is a cross-platform web server that is being written as part of ASP.NET 5 and is currently most suited for development work. It's very lightweight, which can be both good (nothing in the way!) and bad (not very many features).
Self-host is where you are master of your own domain. Nearly everything is up to you, including figuring out what should happen if there is an unrecoverable error. Self-hosting is a great option if you need to host a server within your app (e.g. a client app that uses a web server to host UI or services that the app directly uses).
There is certainly no one "best" way to host an ASP.NET MVC 6 app, but there are certainly many solutions catered to a variety of needs.
In my answer to ASP.NET vNext is host agnostic, what does it deeply mean? I covered a few other aspects of host agnosticism.
ASP.NET Core 1.1 Answer
The 1.1 release added GZIP compression and response caching.
Kestrel is still not security tested and should not be used without IIS or NGINX as a reverse proxy. This will change at some point.
Kestrel still does not support HTTP 2.0.
Using IIS or NGINX with MVC 6 is slower than MVC 5. Yes MVC 6 is supposed to be faster but only if you use Kestrel on it's own.
ASP.NET Core 1.0 Answer
IIS or NGINX is by far the best host for an ASP.NET MVC 6 application. Below are a list of features you will not get without IIS or NGINX without lots of extra work. Note that all of these features require a small amount of config in the web.config file.
The Kestrel web server has not been battle hardened and tested for security. It's not supposed to be exposed to the internet...yet.
Kestrel does not support HTTP 2.0.
GZIP compression of HTTP requests for saving bandwidth and better performance. This alone is a big enough reason.
Error handling outside of ASP.NET. What happens when you have a .dll file missing? Well IIS will still show an error page and you can customize the error page too.
Dynamic IP security - During a Denial of Service (DoS) attack, a very simple and small 403.501 or 403.502 Forbidden static error page is displayed.
Objective:
We have a Windows Service/generic EXE that also hosts a WCF service (.Net 3.5). I'd like to be able to take a third party ASP.NET component in a DLL, and host it through that WCF Service.
Is this possible to do, in any way?
It seems like if you want to host a ASP.NET app, it must be through IIS, but we don't use IIS.
Is there any way that we could load the ASP.NET app into memory, make the app available through an endpoint, and receive requests back from the app?
Specifically, we'd like to take the "Microsoft.ReportViewer.WebForms.dll", expose the web form in a web page, and accept any requests back from the web form.
http://msdn.microsoft.com/en-us/library/ms251723.aspx
Looking for anything to get me started. Thx.
From owin.org
"OWIN defines a standard interface between .NET web servers and web applications. The goal of the OWIN interface is to decouple server and application, encourage the development of simple modules for .NET web development, and, by being an open standard, stimulate the open source ecosystem of .NET web development tools."
Essentially Owin implementations, like Katana (OWIN implementations for Microsoft servers and frameworks.), help you self host web apps, even in a Windows NT Service.
According to this post, hosting a WebForms app outside IIS/ASP.NET is not possible.
WebForms are tightly coupled to ASP.NET/IIS and cannot run directly on
OWIN/Katana (e.g. outside of ASP.NET/IIS). However, you should be able
to use Katana's middleware (Security, CORS, etc.) in a WebForms
application.
http://katanaproject.codeplex.com/discussions/571291
I have a C# ASP.NET/MVC Web Role that is hosted on Azure. I want it to service one or more Azure hosted web sites as an API provider available via AJAX calls. Normally making AJAX requests from two different web locations violates the browser cross site security restrictions. But I'm wondering if there is a procedure or a set of steps I can take to configure my Webs Sites and Web Role that would avoid violating the browser security restrictions? The Web Sites and Web Role are all under my control and all running under the same Azure account, so perhaps there are things I can do to mitigate this restriction?
Windows Azure is a magic wand for solving all the problems of Web Programming. The fact that you own all the resources, does not change the security model for WEB and its restrictions.
Fortunately we live in 21st century and technology changes with hours, not days nor years.
What can take a look at, are the following articles:
Using CORS to access ASP.NET services across domains
CORS Support in WebAPI, MVC and IIS using thinktecture IdentityModel
What you can do, is enable CORS support on your WebRole. You can read more on CORS here, here and here.
I am using WCF with asp.net 4.0 (using Dynamic Data).
I need to tell my Client how many domains does he require to book. So, do i require a separate domain/sub-domain for WCF or just 1 domain for website and WCF would work.
FYI: We might acquire a hosting space at shared hosting servers like GoDaddy.com. I need to calculate the hosting cost of the application.
Thanks
You can host WCF in IIS, or you can host it in a separate program/service. If you're hosting it in IIS, you can create a .svc file and have it live alongside your other ASP.NET pages.
So it's entirely possible to have your WCF service live in the same domain as your ASP.NET app.
The service has been debugged and is running in its own website.
We already have the SSL certificate and DNS configured for the application. It would save some work if we could host the service in the application.
Application is hosted and used behind our firewall. No public access at all . No cross domain security issues.
Application and service will be hosted on the same server even if in different websites. That's the plan for now anyway.
How do I do this? Or should I just consume the service from the website it’s currently hosted in?
I would keep the service as a separate ASP.NET application. It allows for more flexibility. But if you wanted to do it, simply copy the .svc file, along with all the service and data contracts to the ASP.NET application and modify web.config to add the <services> section. Or if those data and service contracts are in a separate class library all you need is to reference this class library.