(0) exportieren Drucken
Alle erweitern

Authenticating Service Management Requests

Letzte Aktualisierung: Juli 2011

The Windows Azure Service Management API use mutual authentication of management certificates over SSL to ensure that a request made to the service is secure. No anonymous requests are allowed.

This topic discusses how to use existing management certificates to authenticate requests to the Service Management API. If you are unfamiliar with management certificates in Windows Azure, see Verwalten von Zertifikaten in Windows Azure.

Requests using the Service Management API require that a management certificate is associated with your subscription. If you have multiple subscriptions and want to use the same management certificate to authenticate requests on each of them, the certificate must be associated with each subscription. Once a management certificate has been added to the subscription, you can authenticate requests to the service by signing the request with that certificate. For information on creating management certificates and associating them with a subscription, see Erstellen eines Verwaltungszertifikats für Windows Azure.

When designing an application that uses Service Management API, keep the following points about management certificates in mind:

  • The Service Management API does not verify that a certificate is still valid. Authentication will succeed against an expired certificate.

  • All management certificates carry the same set of privileges. There is no notion of “role-based” authentication where one management certificate can be configured in one role and another on the same subscription is configured in a different role.

Attaching a Certificate to a Management Service Request

To authenticate requests using the management service, you must attach a certificate to the request. In this section, we will demonstrate how to authenticate your requests for the management service using C# and the System.Net and System.Security.Cryptography.X509Certificates libraries.

The sample code snippet creates an HttpWebRequest object that targets the List Cloud Services operation of the Service Management API. The code requires the following name space.

using System.Net;

Your subscription ID is required for all service management requests, a fictional ID is provided for illustrative purposes.

            // Values for the subscription ID and List Hosted Services operation.
            string subscriptionId = "a01234b5c-d6e7-8f9g-h0123-4567i890j1k";

            // The opperation to be performed. This value can be modified to reflect the operation being performed.
            string operationName = "hostedservices";

            // Build a URI for https://management.core.windows.net/<subscription-id>/services/<operation-type>
            Uri requestUri = new Uri("https://management.core.windows.net/"
                                    + subscriptionId
                                    + "/services/"
                                    + operationName);

            // Create the request and specify attributes of the request.
            HttpWebRequest request = (HttpWebRequest)HttpWebRequest.Create(requestUri);

            // Define the requred headers to specify the API version and operation type.
            request.Headers.Add("x-ms-version", "2010-10-28");
            request.Method = "GET";
            request.ContentType = "application/xml";

Next, you must attach the certificate to the request. The following name spaces are required.

using System.IO;
using System.Security;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

The following code opens the local certificate store named My and finds the certificate that matches the thumbprint value. Then, it attaches the matching certificate to the request by adding it to the ClientCertificates collection of our HttpWebRequest object.

            // The thumbprint value of the management certificate.
            // You must replace the string with the thumbprint of a 
            // management certificate associated with your subscription.
            string certThumbprint = "33CE879AB4BC2683F6205C83A1BB376A4829695B";
            // Create a reference to the My certificate store.
            X509Store certStore = new X509Store(StoreName.My, StoreLocation.CurrentUser);

            // Try to open the store.
            catch (Exception e)
                if (e is CryptographicException)
                    Console.WriteLine("Error: The store is unreadable.");
                else if (e is SecurityException)
                    Console.WriteLine("Error: You don't have the required permission.");
                else if (e is ArgumentException)
                    Console.WriteLine("Error: Invalid values in the store.");

            // Find the certificate that matches the thumbprint.
            X509Certificate2Collection certCollection = certStore.Certificates.Find(X509FindType.FindByThumbprint, certThumbprint, false);

            // Check to see if our certificate was added to the collection. If no, throw an error, if yes, create a certificate using it.
            if (0 == certCollection.Count)
                throw new Exception("Error: No certificate found containing thumbprint " + certThumbprint);

            // Create an X509Certificate2 object using our matching certificate.
            X509Certificate2 certificate = certCollection[0];

            // Attach the certificate to the request.

With our URI and certificate attached, the request is ready to be executed by calling the GetResponse() method of the request object.

                // Make the call using the web request.
                HttpWebResponse response = (HttpWebResponse)request.GetResponse();

                // Display the web response status code.
                Console.WriteLine("Response status code: " + response.StatusCode);

                // Display the request ID returned by Windows Azure.
                if (null != response.Headers)
                    Console.WriteLine("x-ms-request-id: "
                    + response.Headers["x-ms-request-id"]);

                // Parse the web response.
                Stream responseStream = response.GetResponseStream();
                StreamReader reader = new StreamReader(responseStream);

                // Display the raw response.
                Console.WriteLine("Response output:");

                // Close the resources no longer needed.
            catch (Exception e)

For a complete code sample and discussion of the management service request process, see Code Quick Start: Create a console application that lists your Windows Azure hosted services.

Siehe auch

© 2014 Microsoft