Running Full Trust applications under Windows Azure.
July 12, 2009 by MK
Filed under ASP.NET, Hosting, web development
What is Windows Azure?
Microsoft’s Azure Services Platform is a cloud platform (cloud computing platform as a service) offering that “provides a wide range of Internet services that can be consumed from both on-premises environments or the Internet” (though the platform itself will not be made available for on-premises deployments).
To read more about Azure please visit Microsoft’s Official Website on Azure Services Platform.
What is Full Trust and why is it required?
Full trust (CAS - Code Access Security Level) allows ASP.NET applications to execute native code, to read from the Registry and Windows Event Log, and to read and write to files outside of the application’s virtual directory. In short, with full trust one web application could delete the entire contents of another web application.
To read more on Full Trust Hosting please visit What is ASP.NET Full trust hosting?
Looking for good Full Trust Windows / ASP.NET Hosting Plans - Try Webhost4life OR Alentus (We have been using them for years now)
Windows Azure and Full Trust.
Windows Azure now offers the option of running the code in your Web and Worker roles under full trust. As a developer this opens up a lot of exciting and compelling options -
- Inter-process Communication via Named Pipes:
If your application spawns processes, you can communicate among them via named pipes.
- Invoking non-.NET Code:
Many developers have existing investments in native code or may choose to use native code for some specialized tasks. .NET full trust makes it possible to use native code via spawning processes or Platform Invoke (P/Invoke).
- Using .NET Libraries that Require Full Trust:
Certain .NET libraries, including libraries in the .NET Services SDK, require full trust and can now be used in Windows Azure.
To enable full trust, simply add the enableNativeCodeExecution attribute to your role in the Service Definition file and set the attribute value to true:
<?xml version="1.0" encoding="utf-8"?>
<ServiceDefinition name="MyService" xmlns="http://schemas.microsoft.com/ServiceHosting/2008/10/ServiceDefinition">
  <WebRole name="WebRole" enableNativeCodeExecution="true">
    <InputEndpoints>
      <InputEndpoint name="HttpIn" protocol="http" port="80" />
    </InputEndpoints>
  </WebRole>
</ServiceDefinition>
Windows Azure applications run with restricted “User” privileges in the cloud. Accordingly, certain operations such as modifying the registry and writing to the system directory are not possible at this time (even though they may succeed in your local development environment). To read more on Custom Trust, visit Why Full Trust hosting is not recommended when using a shared ASP.NET or shared Windows hosting plan?
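A deployment review can list which roles in a service definition opt in to full trust. The following is an added example, not code from the original post or from Microsoft; the worker role named "Indexer" and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the role from the definition above plus a hypothetical
# worker role ("Indexer") that does not set the attribute.
SAMPLE_CSDEF = """\
<ServiceDefinition name="MyService"
    xmlns="http://schemas.microsoft.com/ServiceHosting/2008/10/ServiceDefinition">
  <WebRole name="WebRole" enableNativeCodeExecution="true">
    <InputEndpoints>
      <InputEndpoint name="HttpIn" protocol="http" port="80" />
    </InputEndpoints>
  </WebRole>
  <WorkerRole name="Indexer" />
</ServiceDefinition>"""

ROLE_TAGS = {"WebRole", "WorkerRole"}


def local_name(tag):
    """Strip the '{namespace}' prefix ElementTree puts on qualified tags."""
    return tag.rsplit("}", 1)[-1]


def native_code_settings(csdef_text):
    """Map each role name to True, False, or None (attribute not set)."""
    root = ET.fromstring(csdef_text)
    settings = {}
    for element in root:
        if local_name(element.tag) not in ROLE_TAGS:
            continue
        raw = element.get("enableNativeCodeExecution")
        # xs:boolean accepts true/false/1/0
        value = None if raw is None else raw.strip().lower() in ("true", "1")
        settings[element.get("name", "?")] = value
    return settings


def full_trust_roles(csdef_text):
    """Roles that explicitly opt in to full trust and deserve a closer review."""
    return sorted(n for n, v in native_code_settings(csdef_text).items() if v)


if __name__ == "__main__":
    for name, value in native_code_settings(SAMPLE_CSDEF).items():
        print(f"{name}: enableNativeCodeExecution={value}")
```

Roles reported as None leave the attribute unset, so their effective trust level depends on the SDK default rather than on anything in the file.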
Why Full Trust hosting is not recommended when using a shared ASP.NET or shared Windows hosting plan?
December 9, 2008 by MK
Filed under Hosting, web development
The default trust level for ASP.NET web applications is Full, which grants unrestricted permissions. This is a dangerous trust level when working in a shared environment because it allows one web application to interact with the file system of other web applications on the same server.
For example, if you are in a shared environment that physically arranges its shared web applications in a common folder (i.e., C:\Inetpub\wwwroot\WebApp1, C:\Inetpub\wwwroot\WebApp2, …, C:\Inetpub\wwwroot\WebApp3, and so on), one web application could use the following code to display the Web.config contents of all of the other web applications on the server:
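' Requires Imports System.IO. parentPathInfo is a DirectoryInfo for the folder
' that holds all of the shared sites (C:\Inetpub\wwwroot in the layout above).
For Each folder As DirectoryInfo In parentPathInfo.GetDirectories()
    Dim fileOfInterest As String = Path.Combine(folder.FullName, "Web.config")
    If File.Exists(fileOfInterest) Then
        ' Full trust places no CAS restriction on opening files outside this application
        Dim webConfigReader As StreamReader = File.OpenText(fileOfInterest)
        Response.Write(String.Format("<p><b>Data for File {0}:</b></p><p>{1}</p><hr />", fileOfInterest, _
            Server.HtmlEncode(webConfigReader.ReadToEnd())))
        webConfigReader.Close()
    End If
Next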
Since connection strings are usually placed in Web.config, the user running the above code would now be able to connect to other customers’ databases, where there might be sensitive customer information. The point is, if an ASP.NET application is running in full trust, there’s nothing to stop it from reading, creating, modifying, or deleting files in your web application’s file system.
Fortunately, most web hosting companies follow the advice in Microsoft’s ASP.NET 2.0 Hosting Deployment Guide and place their shared web applications in medium trust. This is accomplished by modifying the machine-level Web.config file in the %windir%\Microsoft.NET\Framework\{version}\CONFIG folder. Moreover, this setting can be locked by the web hosting company.
Here are the permissions granted by the medium trust level:
Medium
- Permissions are limited to what the application can access within the directory structure of the application.
- No file access is permitted outside of the application’s virtual directory hierarchy.
- Can access SQL Server
- Can send email by using SMTP servers
- Limited rights to certain common environment variables
- No reflection permissions whatsoever
- No sockets permission
- To access Web resources, you must explicitly add endpoint URLs, either in the originUrl attribute of the <trust> element or inside the policy file.
The following exceptions have been granted in addition to the ones listed above:
- ODBC
- OLEDB
- Reflection Permissions
- Web Permission
The main differences between ASP.NET 1.1 and ASP.NET 2.0 for the trust levels are the following:
In version 2.0, SQL Server access is available at Medium trust level because the SQL Server .NET Data Provider no longer demands full trust. In version 2.0, SMTP Permission is available at Full, High and Medium trust levels. This allows applications to send email.
To protect a shared environment, you can also set the CAS (code access security) level to Custom (some hosting companies do provide these settings). The custom setting is basically the medium level with some exceptions, including ODBC, OLEDB, sockets, Reflection Permissions and Web Permissions. The hosting company can set these custom permissions and can add more privileges. This setting cannot be overridden by the hosted applications, though, which is good.
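The two properties described above, a restricted trust level and a lock that stops sites from overriding it, can be checked in the machine-level Web.config. The following is an added example, not code from the original post or from Microsoft; the sample configurations are constructed, and treating both Full and High as too broad is this example's assumption.

```python
import xml.etree.ElementTree as ET

# Constructed samples of a machine-level Web.config (not taken from a real host).
WEAK = """<configuration>
  <location allowOverride="true">
    <system.web>
      <trust level="Full" originUrl="" />
    </system.web>
  </location>
</configuration>"""

HARDENED = """<configuration>
  <location allowOverride="false">
    <system.web>
      <trust level="Medium" originUrl="" />
    </system.web>
  </location>
</configuration>"""

BUILT_IN_RESTRICTED = {"medium", "low", "minimal"}


def audit_trust(config_text):
    """Return findings for a shared host's root Web.config; [] means it passes."""
    root = ET.fromstring(config_text)
    findings, seen = [], False
    # <trust> sits under <system.web>, optionally wrapped in a <location> element.
    scopes = [(root, None)] + [(loc, loc) for loc in root.findall("location")]
    for parent, location in scopes:
        for trust in parent.findall("system.web/trust"):
            seen = True
            level = trust.get("level", "Full")
            if level.lower() in ("full", "high"):
                findings.append(f"trust level {level} is too broad for shared hosting")
            elif level.lower() not in BUILT_IN_RESTRICTED:
                findings.append(f"custom trust level {level}: review its policy file")
            override = "true" if location is None else location.get("allowOverride", "true")
            if override.lower() != "false":
                findings.append(f"trust level {level} is not locked; a site's own Web.config can raise it")
    if not seen:
        findings.append("no <trust> element; the default level (Full) applies")
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_trust(text) or "OK")
```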
Install dasBlog, you need Full trust hosting (or modified full trust)
I have wanted to share my experiences as a web developer for a long time now and was looking for a good ASP.NET blogging engine. Being a full-time employee, I never had time to develop my own blog application, nor did I want to reinvent the wheel. So I decided to use an existing blog engine and then try to contribute towards its development. Well, I narrowed it down to three ASP.NET blogs - SubText, SingleUserBlog and dasBlog. I was able to successfully install all three on my local machine.
But when I tried to install both dasBlog and Single User Blog on my shared hosting, I found that both the applications need to run under Full Trust. Unfortunately, the shared hosting I was using at that time did not let apps run under full trust. Well, I did some R&D and found that there are hosting servers which let applications run under modified Full Trust, and that is when I found webhost4life (you can click on the link at the bottom to find out more about webhost4life). Same cost as my previous shared hosting and much, much better. Till now you will not find so many features under one roof in any other shared hosting provider.
Good Full Trust Hosting Options -
WebHost4Life.com (WebHost4Life.com is what I use; I have been using it for the last 4 years now with no problems, and it provides fantastic customer support)
I am satisfied with both WebHost4Life.com and Softsys hosting. The only reason I am using 2 different hostings is because I am linking between my existing sites and Google crawlers don't give a very good search ranking if your linked sites are on the same server.
Well, I tried to nest dasBlog under my current website www.coolwebdeveloper.com and I got the following error. The solution I found was this: I created a subdomain blog.coolwebdeveloper.com and set up my blog under this subdomain as an application, as you can currently see. I did not find any other way around this; if someone knows, please leave a comment. I will appreciate that.
Configuration Error
Description: An error occurred during the processing of a configuration file required to service this request. Please review the specific error details below and modify your configuration file appropriately.
Parser Error Message: It is an error to use a section registered as allowDefinition='MachineToApplication' beyond application level. This error can be caused by a virtual directory not being configured as an application in IIS.
Source Error:
Line 109: <!-- <httpCookies httpOnlyCookies="false"/> -->
Line 110:
Line 111: <authentication mode="Forms">
Line 112: <!-- NOTE: If you want to run MULTIPLE dasBlogs on the SAME Domain Name
Line 113: include the path in each blog's Web.Config like path="/dasblog1"
and path="/yoursite"
Source File: C:\Inetpub\wwwroot\DasBlog\source\newtelligence.DasBlog.Web\web.config Line: 111















