Double hop authentication with the gateway

Jan 15, 2014 at 4:38 PM
Hello,

I am trying to use Service Gateway to temporarily restrict access to my web roles that are under active development now. The idea is that anyone who needs to access a web role must be authenticated using Windows Azure Active Directory that is set up on the gateway, and once they are authenticated they can access the web role. I got this scenario working as long as the web role does not require additional authentication. The problem starts when I attempt to log in to the web role (Forms Authentication). It takes a very long time to process and at the end I am getting the following error:
"502 - Web server received an invalid response while acting as a gateway or proxy server."
Could you please tell me what I am missing here?
Coordinator
Jan 16, 2014 at 2:27 AM
This discussion has been copied to a work item.
Coordinator
Jan 16, 2014 at 2:28 AM
Hi,

Theoretically, what you propose should work. The federated authentication performed by the Gateway will not conflict with the forms authentication on your downstream role (both methods remember the state via cookies, but they are different cookies). Note that the identity of the authenticated user is available to the downstream role via the X-REMOTE-USER header.

I suspect the problem that you are encountering is associated with a different bug that the Gateway appears to possess in that, under some circumstances, the form data of a POST request is not being correctly sent to the downstream role. The role receives the request with a non-zero Content-Length header, but because the Gateway is not forwarding the request body, the role times out trying to read it.

I have created a work item https://sg.codeplex.com/workitem/2 to track resolution of this issue.

James
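The forwarding step James describes, as an added example that is not part of the original thread or of the Service Gateway project: a toy gateway writes the downstream request over a socketpair, and a toy downstream role parses the headers and then reads exactly Content-Length bytes. Setting forward_body=False reproduces the bug described above (Content-Length copied from the client request, body never written), which on the role side shows up as a read that never completes. The login form fields, hostnames, cookie names and user name are constructed sample data.

```python
import socket
from typing import Dict, Optional, Tuple

# Constructed sample: a Forms Authentication login POST as a browser would send it to
# the gateway. Field names and values are made up for the example.
SAMPLE_FORM_BODY = b"__VIEWSTATE=abc123&UserName=bernard&Password=s3cret&LoginButton=Log+In"
SAMPLE_HEADERS: Dict[str, str] = {
    "Host": "gateway.example.cloudapp.net",
    "Content-Type": "application/x-www-form-urlencoded",
    "Content-Length": str(len(SAMPLE_FORM_BODY)),
    "Cookie": "FedAuth=...; ASP.NET_SessionId=...",   # gateway and role use different cookies
    "X-REMOTE-USER": "attacker@evil.example",        # client-supplied; must be overwritten
}


def build_forwarded_request(method: str, path: str, headers: Dict[str, str], body: bytes,
                            remote_user: str, forward_body: bool = True) -> bytes:
    """Serialise the request the gateway sends to the downstream role.

    forward_body=False reproduces the bug from the thread: the Content-Length header is
    passed through but the body bytes are never written.
    """
    out = dict(headers)
    # The gateway asserts the federated identity. Overwriting (not merging) the header
    # means a client cannot smuggle its own X-REMOTE-USER through the gateway.
    out["X-REMOTE-USER"] = remote_user
    lines = [f"{method} {path} HTTP/1.1"] + [f"{k}: {v}" for k, v in out.items()]
    head = ("\r\n".join(lines) + "\r\n\r\n").encode()
    return head + (body if forward_body else b"")


def downstream_read(conn: socket.socket, timeout: float) -> Tuple[Dict[str, str], bytes]:
    """Minimal downstream role: parse headers, then read exactly Content-Length bytes."""
    conn.settimeout(timeout)
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = conn.recv(4096)
        if not chunk:
            raise ConnectionError("peer closed before headers were complete")
        buf += chunk
    head, body = buf.split(b"\r\n\r\n", 1)
    headers: Dict[str, str] = {}
    for line in head.decode().split("\r\n")[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    length = int(headers.get("content-length", "0"))
    while len(body) < length:
        # This is where the role hangs when the gateway announced a body but never sent it.
        chunk = conn.recv(length - len(body))
        if not chunk:
            raise ConnectionError("peer closed mid-body")
        body += chunk
    return headers, body


def simulate(forward_body: bool, timeout: float = 0.5) -> Tuple[str, Optional[Dict[str, str]], Optional[bytes]]:
    """Run gateway and role over a socketpair.

    Returns ("ok", headers, body) when the role read the whole request, or
    ("timeout", None, None) when it gave up waiting for the body.
    """
    gw, role = socket.socketpair()
    try:
        gw.sendall(build_forwarded_request("POST", "/Account/Login", SAMPLE_HEADERS,
                                           SAMPLE_FORM_BODY, "bernard@contoso.example",
                                           forward_body))
        try:
            headers, body = downstream_read(role, timeout)
            return "ok", headers, body
        except socket.timeout:
            return "timeout", None, None
    finally:
        gw.close()
        role.close()


if __name__ == "__main__":
    print("body forwarded:", simulate(forward_body=True)[0])     # ok
    print("body dropped:  ", simulate(forward_body=False)[0])    # timeout
```

Two points a practitioner would check against a real gateway: first, that the 502 the client eventually sees is the gateway's own timeout on the stalled downstream read, not an error from the role; second, that X-REMOTE-USER is only trustworthy if the role cannot be reached except through the gateway, since any client that can hit the role directly can set that header itself.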
Coordinator
Jan 17, 2014 at 1:54 AM
Hi,

We have fixed the underlying issue that was causing forms-based requests (POST & PUT verbs) to not forward the request body correctly.

Your double-hop authentication scenario should now work.

Thanks for reporting the issue.

James
Jan 17, 2014 at 11:43 AM
Hi,

That is great news! I will let you know how it worked out for me as soon as I have tested it in my dev env.

Thanks a lot

Bernard
Jan 17, 2014 at 7:56 PM
Hello again,

I was trying to publish the latest version of the gateway, but since I have VS 2013 and Azure SDK 2.2 installed I had to update references, and that may be the reason for the deployment issues on my side. It takes a very long time and then the deployment fails. Is there any other way that I could get the latest whole deployment package that includes the fixes for POST & PUT requests?
Thanks

Bernard
Coordinator
Jan 17, 2014 at 8:21 PM

Hi Bernard,

We have the package pre-built at http://configtest.blob.core.windows.net/gatewaypackage/CloudProject.cspkg. Unfortunately, the WA Portal will not allow you to deploy directly from that location, so you will need to download the package and then use the portal to deploy the package from your local filesystem.

James

Jan 17, 2014 at 9:30 PM
Hi James,

I tried deploying the package but unfortunately it didn't go through. Getting this error:
Your role instances have recycled a number of times during an update or upgrade operation. This indicates that the new version of your service or the configuration settings you provided when configuring the service prevent the role instances from running. Verify your code does not throw unhandled exceptions and that your configuration settings are correct and then start another update or upgrade operation. The long running operation tracking ID was: e7e4dddc9465542abe143056453046a3.
Is there anything in particular that I should look at to diagnose the problem?

Bernard
Coordinator
Jan 17, 2014 at 9:35 PM

Hi Bernard,

Can you share the configuration files for the Gateway (send them direct to me: [email removed] if you want to not air them publicly)?

The failure you reported earlier with the trace logs indicates that there may be issues with the config.

Cheers,

James

Jan 17, 2014 at 9:44 PM
Hi James,

I'd be glad to send you the config files, but it seems like your email got removed from your last post...

Bernard
Jan 17, 2014 at 11:39 PM
Hi James,

Thanks for your email address, but I think I have finally found the issue. My config files used the "RedirectBase" key instead of "Target". I assume this change was introduced after my initial download of the gateway back in mid December. Does that sound reasonable?

Thanks

Bernard
Coordinator
Jan 18, 2014 at 12:11 AM
Hi Bernard,

Yes. We did introduce a breaking change in the configuration to support A/B testing. RedirectBase -> Target. Target can be either a simple string (non-flighted redirection) or an array of objects thus:
Target : [
  {
    Weight : Integer specifying relative distribution of target,
    Redirect : URL/Server name of redirection,
  }
]
See the Configuration Guide for full details.

Sorry about the lack of announcement around the breaking change. We will attempt to improve this part of the process :(.

James
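An added example, not code from the thread or from the Service Gateway project, covering the Target change James describes: a parser that accepts both shapes of Target (a plain string, or an array of {Weight, Redirect} objects), rejects a config that still uses the removed RedirectBase key with a readable message rather than failing at role startup (the kind of failure that surfaces as role instances recycling), and picks a redirect by relative weight. JSON is assumed as the on-disk format; the hostnames and weights are constructed.

```python
import json
import random
from typing import List, Optional, Tuple

# Constructed sample configs. JSON is an assumption about the file format; only the two
# Target shapes come from the thread. STALE_CONFIG uses the removed RedirectBase key.
SIMPLE_CONFIG = json.loads('{"Target": "http://myapp.cloudapp.net"}')
FLIGHTED_CONFIG = json.loads("""{
  "Target": [
    {"Weight": 90, "Redirect": "http://myapp-a.cloudapp.net"},
    {"Weight": 10, "Redirect": "http://myapp-b.cloudapp.net"}
  ]
}""")
STALE_CONFIG = json.loads('{"RedirectBase": "http://myapp.cloudapp.net"}')

Targets = List[Tuple[int, str]]  # (weight, redirect)


def parse_targets(config: dict) -> Targets:
    """Normalise both Target shapes to a weighted list; reject anything else with a clear reason."""
    if "Target" not in config:
        if "RedirectBase" in config:
            raise ValueError("config uses the removed 'RedirectBase' key; rename it to 'Target'")
        raise ValueError("config has no 'Target' key")
    target = config["Target"]
    if isinstance(target, str):
        return [(1, target)]  # non-flighted: a single redirect, weight is irrelevant
    if not isinstance(target, list) or not target:
        raise ValueError("'Target' must be a string or a non-empty array of objects")
    targets: Targets = []
    for i, entry in enumerate(target):
        if not isinstance(entry, dict):
            raise ValueError(f"Target[{i}] must be an object")
        try:
            weight, redirect = int(entry["Weight"]), str(entry["Redirect"])
        except (KeyError, TypeError, ValueError) as exc:
            raise ValueError(f"Target[{i}] needs an integer 'Weight' and a 'Redirect'") from exc
        if weight <= 0:
            raise ValueError(f"Target[{i}].Weight must be positive")
        targets.append((weight, redirect))
    return targets


def validate_config(config: dict) -> Optional[str]:
    """Startup check: return the error message instead of letting the role crash and recycle."""
    try:
        parse_targets(config)
        return None
    except ValueError as exc:
        return str(exc)


def pick_by_roll(targets: Targets, roll: int) -> str:
    """Deterministic weighted pick: roll is an integer in [0, sum(weights))."""
    for weight, redirect in targets:
        if roll < weight:
            return redirect
        roll -= weight
    raise ValueError("roll out of range")


def choose_target(targets: Targets, rng: random.Random = random.SystemRandom()) -> str:
    """Random weighted pick for live traffic, e.g. a 90/10 split between two deployments."""
    total = sum(weight for weight, _ in targets)
    return pick_by_roll(targets, rng.randrange(total))


if __name__ == "__main__":
    for name, cfg in ("simple", SIMPLE_CONFIG), ("flighted", FLIGHTED_CONFIG), ("stale", STALE_CONFIG):
        err = validate_config(cfg)
        print(name, "->", err or choose_target(parse_targets(cfg)))
```

Weights are relative, so 90/10 and 9/1 describe the same split. A real A/B flight would also pin a client to the target it was first sent to (for example with a cookie) so that it does not alternate between deployments on every request; that is outside what this block does.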
Feb 3, 2014 at 2:58 PM
I managed to fix my configuration files; it works great. POST requests work fine as well :)
Thanks a lot

Bernard