Store IIS logs in Windows Azure - iis

I need to persist all IIS logs automatically in Azure storage, how to enable it?
I see that there are different properties in DiagnosticMonitorConfiguration class, e.g. DiagnosticInfrastructureLogs, Logs, Directories, etc. Which of the above is responsible for the IIS logs? What blob/table are the logs stored to?
Thanks!

Under Directory Buffers, you have two options.. IIS Logs and Failed RequestLogs.
Here's a snippet from the diagnostic schema definition that outlines these options:
<Directories bufferQuotaInMB="1024"
scheduledTransferPeriod="PT1M">
<!-- These three elements specify the special directories
that are set up for the log types -->
<CrashDumps container="wad-crash-dumps" directoryQuotaInMB="256" />
<FailedRequestLogs container="wad-frq" directoryQuotaInMB="256" />
<IISLogs container="wad-iis" directoryQuotaInMB="256" />
<!-- For regular directories the DataSources element is used -->
<DataSources>
<DirectoryConfiguration container="wad-panther" directoryQuotaInMB="128">
<!-- Absolute specifies an absolute path with optional environment expansion -->
<Absolute expandEnvironment="true" path="%SystemRoot%\system32\sysprep\Panther" />
</DirectoryConfiguration>
<DirectoryConfiguration container="wad-custom" directoryQuotaInMB="128">
<!-- LocalResource specifies a path relative to a local
resource defined in the service definition -->
<LocalResource name="MyLoggingLocalResource" relativePath="logs" />
</DirectoryConfiguration>
</DataSources>

Related

Service Fabric Reverse Proxy not working

I have reverse proxy properly configured on both local and deployed cluster but Iam unable to access my owin based webAPI on reverse proxy port here is the response I get on this port
I have followed this link and am sure that its configured properly. The question is do I need to change some thing in my project or code to make it work.
Here is my service manifest for the webAPI :
<?xml version="1.0" encoding="utf-8"?>
<ServiceManifest Name="BimWebApiPkg"
Version="1.0.9"
xmlns="http://schemas.microsoft.com/2011/01/fabric"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<ServiceTypes>
<!-- This is the name of your ServiceType.
This name must match the string used in RegisterServiceType call in Program.cs. -->
<StatelessServiceType ServiceTypeName="BimWebApiType" />
</ServiceTypes>
<!-- Code package is your service executable. -->
<CodePackage Name="Code" Version="1.0.9">
<EntryPoint>
<ExeHost>
<Program>BimWebApi.exe</Program>
<WorkingFolder>CodePackage</WorkingFolder>
</ExeHost>
</EntryPoint>
</CodePackage>
<!-- Config package is the contents of the Config directoy under PackageRoot that contains an
independently-updateable and versioned set of custom configuration settings for your service. -->
<ConfigPackage Name="Config" Version="1.0.9" />
<Resources>
<Endpoints>
<!-- This endpoint is used by the communication listener to obtain the port on which to
listen. Please note that if your service is partitioned, this port is shared with
replicas of different partitions that are placed in your code. -->
<Endpoint Protocol="http" Name="ServiceEndpoint" Type="Input" Port="80" />
</Endpoints>
</Resources>
</ServiceManifest>
I also tried without specifying any port but that too didn't work.
Seems like the url is incorrect. It's missing the part where you should have app name and service name specified. Try this -
http://localhost:19081/YOUR_APP_NAME/BimWebApi/api/TestAPI/GetString/

Responder Error with Shibboleth and Node.js

I have set up a shibboleth service provider on a server, 40.78.18.242. When I try to access http://40.78.18.242/secure/index.html , everything works as planned. I'm redirected to my identity provider and then, once I login, I am able to access resources in my secure directory.
I'm trying to secure a node.js application with this same Shibboleth service provider setup. I have looked into the passport-saml module, and I'm running the test project # https://github.com/gbraad/passport-saml-example/ with the following changes made to the config file:
But whenever I get redirected to the login page at the IdP, the response gives me this error:
I have a feeling I'm not understanding the requirements for passport-js correctly, as this error message only had 1-2 results in google.
Am I entering an incorrect entry point or issuer? Or can you gather what those would be, given my shibboleth2.xml file?
A snippet of my shibboleth file looks like this:
<?xml version="1.0" encoding="ISO-8859-1"?>
<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config"
xmlns:conf="urn:mace:shibboleth:2.0:native:sp:config"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
logger="/etc/shibboleth/syslog.logger" clockSkew="180">
<!-- The OutOfProcess section contains properties affecting the shibd daemon. -->
<OutOfProcess logger="/etc/shibboleth/shibd.logger">
<!--
<Extensions>
<Library path="odbc-store.so" fatal="true"/>
</Extensions>
-->
</OutOfProcess>
<InProcess logger="/etc/shibboleth/native.logger" />
<UnixListener address="shibd.sock" />
<!-- This set of components stores sessions and other persistent data in daemon memory. -->
<StorageService type="Memory" id="mem" cleanupInterval="900"/>
<SessionCache type="StorageService" StorageService="mem" cacheTimeout="3600" inprocTimeout="900" cleanupInterval="900"/>
<ReplayCache StorageService="mem"/>
<ArtifactMap artifactTTL="180"/>
<!-- This set of components stores sessions and other persistent data in an ODBC database. -->
<!--
<StorageService type="ODBC" id="db" cleanupInterval="900">
<ConnectionString>
DRIVER=drivername;SERVER=dbserver;UID=shibboleth;PWD=password;DATABASE=shibboleth;APP=Shibboleth
</ConnectionString>
</StorageService>
<SessionCache type="StorageService" StorageService="db" cacheTimeout="3600" inprocTimeout="900" cleanupInterval="900"/>
<ReplayCache StorageService="db"/>
<ArtifactMap StorageService="db" artifactTTL="180"/>
-->
<!-- To customize behavior, map hostnames and path components to applicationId and other settings. -->
<RequestMapper type="Native">
<RequestMap applicationId="default">
<!--
The example requires a session for documents in /secure on the containing host with http and
https on the default ports. Note that the name and port in the <Host> elements MUST match
Apache's ServerName and Port directives or the IIS Site name in the <ISAPI> element
below.
-->
<Host name="40.78.18.242"
applicationId="rename--my-application-name"
authType="shibboleth"
requireSession="true"
exportAssertion="false">
<AccessControl>
<!-- IMPORTANT: You must replace this with your application's entitlement
when switching to production! -->
<Rule require="entitlement">urn:mace:usc.edu:gds:entitlement:stmn7vt3</Rule>
</AccessControl>
</Host>
<!-- Examples of a second vhost mapped to a different applicationId. -->
<!--
<Host name="admin.example.org" applicationId="admin" authType="shibboleth" requireSession="true"/>
or
<Host name="admin.example.org">
<Path name="applicationPath" applicationId="admin" authType="shibboleth" requireSession="true" exportAssertion="false">
<AccessControl>
<Rule require="entitlement">urn:mace:usc.edu:gds:entitlement:yourentitlementvaluehere</Rule>
</AccessControl>
</Path>
</Host>
-->
</RequestMap>
</RequestMapper>
<!--
The ApplicationDefaults element is where most of Shibboleth's SAML bits are defined.
Resource requests are mapped by the RequestMapper to an applicationId that
points into to this section.
These are the default global settings for all applications.
!DO NOT CHANGE THIS SECTION! Application-specific settings are set in the
<ApplicationOverride> section.
-->
<ApplicationDefaults id="default" policyId="default"
entityID="https://www.usc.edu/do-not-use"
homeURL="https://www.usc.edu/"
REMOTE_USER="eppn persistent-id targeted-id"
signing="true" encryption="false"
>
<!--
Controls session lifetimes, address checks, cookie handling, and the protocol handlers.
You MUST supply an effectively unique handlerURL value for each of your applications.
The value can be a relative path, a URL with no hostname (https:///path) or a full URL.
The system can compute a relative value based on the virtual host. Using handlerSSL="true"
will force the protocol to be https. You should also add a cookieProps setting of "; path=/; secure; HttpOnly"
in that case. Note that while we default checkAddress to "false", this has a negative
impact on the security of the SP. Stealing cookies/sessions is much easier with this disabled.
-->
<Sessions lifetime="7200" timeout="3600" checkAddress="false" consistentAddress="true"
handlerURL="/Shibboleth.sso" handlerSSL="true"
exportLocation="http://localhost/Shibboleth.sso/GetAssertion"
cookieProps="; path=/; secure; HttpOnly"
idpHistory="true" idpHistoryDays="7">
<!--
SessionInitiators handle session requests and relay them to a Discovery page,
or to an IdP if possible. Automatic session setup will use the default or first
element (or requireSessionWith can specify a specific id to use).
-->
<!-- Default example directs to a specific IdP's SSO service (favoring SAML 2 over Shib 1). -->
<SessionInitiator type="Chaining" Location="/Login" isDefault="true" id="Intranet"
relayState="cookie" entityID="https://shibboleth-test.usc.edu/shibboleth-idp"
acsByIndex="false">
<SessionInitiator type="SAML2" acsIndex="1" template="bindingTemplate.html"/>
<SessionInitiator type="Shib1" acsIndex="5"/>
</SessionInitiator>
<!-- An example using an old-style WAYF, which means Shib 1 only unless an entityID is provided. -->
<SessionInitiator type="Chaining" Location="/WAYF/shibboleth.usc.edu" id="usc" relayState="cookie">
<SessionInitiator type="SAML2" acsIndex="1" template="bindingTemplate.html"/>
<SessionInitiator type="Shib1" acsIndex="5"/>
<SessionInitiator type="WAYF" acsIndex="5" URL="https://shibboleth-test.usc.edu/idp/profile/Shibboleth/SSO"/>
</SessionInitiator>
<!--
md:AssertionConsumerService locations handle specific SSO protocol bindings,
such as SAML 2.0 POST or SAML 1.1 Artifact. The isDefault and index attributes
are used when sessions are initiated to determine how to tell the IdP where and
how to return the response.
-->
<md:AssertionConsumerService Location="/SAML2/POST" index="1"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
<md:AssertionConsumerService Location="/SAML2/POST-SimpleSign" index="2"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign"/>
<md:AssertionConsumerService Location="/SAML2/Artifact" index="3"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"/>
<md:AssertionConsumerService Location="/SAML2/ECP" index="4"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS"/>
<md:AssertionConsumerService Location="/SAML/POST" index="5"
Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"/>
<md:AssertionConsumerService Location="/SAML/Artifact" index="6"
Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01"/>
<!-- LogoutInitiators enable SP-initiated local or global/single logout of sessions. -->
<LogoutInitiator type="Chaining" Location="/Logout" relayState="cookie" >
<!-- <LogoutInitiator type="SAML2" template="bindingTemplate.html"/> -->
<LogoutInitiator type="Local" />
</LogoutInitiator>
<!-- md:SingleLogoutService locations handle single logout (SLO) protocol messages. -->
<md:SingleLogoutService Location="/SLO/SOAP"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"/>
<md:SingleLogoutService Location="/SLO/Redirect" conf:template="bindingTemplate.html"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
<md:SingleLogoutService Location="/SLO/POST" conf:template="bindingTemplate.html"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
<md:SingleLogoutService Location="/SLO/Artifact" conf:template="bindingTemplate.html"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"/>
<!-- md:ManageNameIDService locations handle NameID management (NIM) protocol messages. -->
<md:ManageNameIDService Location="/NIM/SOAP"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"/>
<md:ManageNameIDService Location="/NIM/Redirect" conf:template="bindingTemplate.html"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
<md:ManageNameIDService Location="/NIM/POST" conf:template="bindingTemplate.html"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
<md:ManageNameIDService Location="/NIM/Artifact" conf:template="bindingTemplate.html"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"/>
<!--
md:ArtifactResolutionService locations resolve artifacts issued when using the
SAML 2.0 HTTP-Artifact binding on outgoing messages, generally uses SOAP.
-->
<md:ArtifactResolutionService Location="/Artifact/SOAP" index="1"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"/>
<!-- Extension service that generates "approximate" metadata based on SP configuration. -->
<Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
<!-- Status reporting service. -->
<Handler type="Status" Location="/Status" acl="127.0.0.1"/>
<!-- Session diagnostic service. -->
<Handler type="Session" Location="/Session" showAttributeValues="true" />
</Sessions>
<!--
You should customize these pages! You can add attributes with values that can be plugged
into your templates. You can remove the access attribute to cause the module to return a
standard 403 Forbidden error code if authorization fails, and then customize that condition
using your web server.
-->
<Errors session="/etc/shibboleth/sessionError.html"
metadata="/etc/shibboleth/metadataError.html"
access="/etc/shibboleth/accessError.html"
ssl="/etc/shibboleth/sslError.html"
localLogout="/etc/shibboleth/localLogout.html"
globalLogout="/etc/shibboleth/globalLogout.html"
supportContact="peter.kaminski09#gmail.com"
logoLocation="/shibboleth-sp/logo.jpg"
styleSheet="/shibboleth-sp/main.css"/>
<MetadataProvider type="XML"
url="https://shibboleth.usc.edu/USC-metadata.xml"
backingFilePath="USC-metadata.xml"
reloadInterval="86400" />
<!-- Chain the two built-in trust engines together. -->
<TrustEngine type="Chaining">
<TrustEngine type="ExplicitKey"/>
<TrustEngine type="PKIX"/>
</TrustEngine>
<!-- Map to extract attributes from SAML assertions. -->
<AttributeExtractor type="XML" path="/etc/shibboleth/attribute-map.xml"/>
<!-- Use a SAML query if no attributes are supplied during SSO. -->
<AttributeResolver type="Query"/>
<!-- Default filtering policy for recognized attributes, lets other data pass. -->
<AttributeFilter type="XML" path="/etc/shibboleth/attribute-policy.xml"/>
<!-- Simple file-based resolver for using a single keypair. -->
<CredentialResolver type="File"
key="/etc/shibboleth/sp-key.pem"
certificate="/etc/shibboleth/sp-cert.pem"/>
<!-- *************************************** -->
<!-- Custom application settings begin here. -->
<!-- *************************************** -->
<!--
In the ApplicationOverride section:
id - should match the name you use in the RequestMapper
Rename this value to the name of your application.
If you have multiple applications, they will have
multiple ApplicationOverride sections with different id=""
entityID - should be set for you automatically by the generator
please follow the instructions in detail from the website
regarding your entityID. This is an overall identifer
for your application and should not be linked to a
specific box, but should be a link into the space of
your overall departmental website. It does not have
to resolve to anything, but may one day be used to
house a configuration file.
homeURL - this value will vary by machine. This is where shibboleth
will return when it can do nothing further with a request.
REMOTE_USER - If you would like the standard REMOTE_USER definition
in the environment of your application, set this value.
For example, if you receive uscNetID, you would set:
REMOTE_USER="ShibuscNetID"
(That is the identifier defined in attribute-map.xml)
-->
<ApplicationOverride id="rename--my-application-name"
entityID="https://www.trojantime.usc.edu/timesheethistorial/shibboleth-sp"
homeURL="http://40.78.18.242/"
REMOTE_USER="ShibuscNetID" />
</ApplicationDefaults>
<!-- Policies that determine how to process and authenticate runtime messages. -->
<SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>
</SPConfig>
According to passport-saml docs, the default NameID Format is urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress, quoting:
identifierFormat: optional name identifier format to request from identity provider (default: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress)
So your IDP is not supported the requested NameID Format. You need either to change the SP passport settings to a NameID Format IDP supports, or request to IDP admin (if you don't have direct access to it) to accept emailAddress.

Where to store configuration values in Azure Service fabric application

I am working on Azure Service Fabric Reliable Actor implementation. Any idea/link on where can I store the Configuration value (e.g. DB connection string) and how to access that in code.
A Service Fabric application consists of the code package, a config package, and the data (https://azure.microsoft.com/en-gb/documentation/articles/service-fabric-application-model/).
You can use the config package to store and retrieve any kind of key-value pairs you need e.g. a connection string. Have a look at this article https://azure.microsoft.com/en-us/documentation/articles/service-fabric-manage-multiple-environment-app-configuration/ for more information.
You can add multiple ApplicationParameters file. Just copy and paste the same from Cloud.Xml and use for multiple environment configurations.
Steps to Make necessary changes
The values given in the Settings.xml need to be overridden in the ApplicationManifest.xml when it imports the ServiceManifest.xml .Below is the code supporting the overriding changes add them in the ApplicationManifest.xml.
a) Add the Parameter Default value first
<Parameters>
<Parameter Name="StatelessService1_InstanceCount" DefaultValue="-1" />
<!-- Default Value is set to Point to Dev Database -->
<Parameter Name="DatabaseString"DefaultValue="Server=someserver.database.windows.net\;Database=DbDev;user id=[userid];password=[Password];Trusted_Connection=false;" />
</Parameters>
b) Then override it in the ServiceManifestImport
<ServiceManifestImport>
<ServiceManifestRef ServiceManifestName="StatelessServicePkg"
ServiceManifestVersion="1.0.0" />
<ConfigOverrides>
<ConfigOverride Name="Config">
<Settings>
<Section Name="DatabaseConnections">
<Parameter Name="DbString" Value="[DatabaseString]" />
</Section>
</Settings>
</ConfigOverride>
</ConfigOverrides>
</ServiceManifestImport>
The above code change will override the following code in settings.xml
<Section Name="DatabaseConnections">
<Parameter Name="DbString" Value="Server=someserver.database.windows.net\;Database=DbDev;user id=[userid];password=[Password];Trusted_Connection=false;" />
</Section>
Overall when the application is deployed the values in the ApplicationParameter DevParam.xml or QaParam.xml or ProdParam.xml will overtake all the setting values.
<Parameters>
<Parameter Name="StatelessService1_InstanceCount" Value="-1" />
<Parameter Name="DatabaseString" Value="Server=someserverqa.database.windows.net\;Database=DbQA;user id=[userid];password=[Password];Trusted_Connection=false;" />
</Parameters>
In addition to the above info, it is important to know the order in which ASF overrides application setting:
Service Fabric will always choose from the application parameter file
first (if specified), then the application manifest, and finally the
configuration package (source)
For more info:
http://www.binaryradix.com/2016/10/reading-from-configuration-within-azure.html

Cache Host config in Azure In-Role caching

Accordingly to this MSDN article (on AppFabric Caching, which is what Azure is run on), I should be able to find a DistributedCacheService.exe.config file located at \Windows\System32\AppFabric, but it doesn't exist on any of the instances.
When remoting into one of the instances and searching for configs, I find several cache-related config files in E:\plugins\Caching.
The CacheService.config.exe file looks very promising (similar to DistributedCacheService .exe.config), except that the dataCacheConfig is not initialized:
<dataCacheConfig cacheHostName="">
<!-- Comment/uncomment below line to disable/enable file sink logging.
Also location attribute is not honored. It is just specified since its mandatory. -->
<!--<log logLevel="3" location="" />-->
<clusterConfig connectionString="" />
</dataCacheConfig>
I need to confirm that certain data cache settings are being configured properly on the server side in order to solve a previous post of mine.
My client-side web.config looks something like this:
<dataCacheClients>
<dataCacheClient name="DataCache1">
<autoDiscover isEnabled="true" identifier="MyRoleName" />
<transportProperties maxBufferPoolSize="6400000" maxBufferSize="256" />
</dataCacheClient>
<dataCacheClient name="DataCache2">
<autoDiscover isEnabled="true" identifier="MyRoleName" />
<transportProperties maxBufferPoolSize="0" maxBufferSize="10485760" />
</dataCacheClient>
<dataCacheClient name="DataCache3">
<autoDiscover isEnabled="true" identifier="MyRoleName" />
<transportProperties maxBufferPoolSize="3276800" maxBufferSize="32768" />
</dataCacheClient>
</dataCacheClients>
Where do I find the cache host configuration file in Azure In-Role caching (colocated)?
The host property that you configure in on premise AppFabric cache is dynamically initialized in InRole Cache. You can check Caching.csplugin at Program Files\Microsoft SDKs\Windows Azure.NET SDK\v2.2\bin\plugins\Caching to see the endpoints for the cache server.

How do I configure Azure Cache to use my custom IDataCacheObjectSerializer class?

How do I configure Azure Cache in web roles to use my custom IDataCacheObjectSerializer class? In case you are wondering why I want to use a custom serializer: I want to use the compact text based style JSON(.net) serialization combined with compression. In my .config files I can enable compression:
<dataCacheClient name="default" isCompressionEnabled="true"/>
But how / where do I tell Azure Cache (preview) to use my custom IDataCacheObjectSerializer class that uses JSON serialization?
Jagan Peri has a relevant blog post.
From the post:
<dataCacheClients>
<tracing sinkType="DiagnosticSink" traceLevel="Verbose" />
<!-- This is the default config which is used for all Named Caches
This can be overriden by specifying other dataCacheClient sections with name being the NamedCache name -->
<dataCacheClient name="default" useLegacyProtocol="false">
<autoDiscover isEnabled="true" identifier="WorkerRole1" />
<!--<localCache isEnabled="true" sync="TimeoutBased" objectCount="100000" ttlValue="300" />-->
<serializationProperties serializer="CustomSerializer" customSerializerType="Your.Fully.Qualified.Path.To.IDataCacheObjectSerializer,WorkerRole1" />
</dataCacheClient>
</dataCacheClients>

Resources