Forms-Based Authentication with Windows Azure Storage
Updated: October 5, 2011
Author: http://msdn.microsoft.com/de-de/library/windowsazure/hh307537.aspx
Learn more about RBA Consulting.
This authentication model uses the ASP.NET membership provider and role provider to authenticate users of an ASP.NET web application that is hosted in Windows Azure against data that is stored in Windows Azure storage.
When to Use the Model
This section looks at the benefits and concerns associated with this model and provides guidance on when the model should be used.
Benefits
- The primary benefit of using forms-based authentication with Windows Azure storage is pricing. Windows Azure storage costs $0.15 per GB stored per month while SQL Azure costs $9.99 per GB per month.
Concerns
- While the cost for the total amount of data that is stored in Windows Azure storage is lower than in SQL Azure, Windows Azure storage also charges for transactions ($0.01 per 10,000 transactions), whereas SQL Azure has no associated transaction fees.
- Unlike the relational models that are provided by SQL Server and SQL Azure, Windows Azure storage only allows one index per table, which prevents you from writing complex queries against the user store.
- Unlike the SqlMembershipProvider and the SqlRoleProvider, the TableStorageMembershipProvider and the TableStorageRoleProvider are not part of the .NET Framework. They are included as samples in the Windows Azure Platform Training Kit. Consequently, these providers have not been as rigorously tested as the official providers have.
- This model does not allow run-time changes to authentication logic. As a result, if the ASP.NET application's authentication code requires an update, the application must be redeployed to the Windows Azure environment.
Guidance
- ASP.NET applications with authentication and authorization requirements that can be defined in terms of user names and roles are a good fit for this model. User names and roles are supported by the TableStorageMembershipProvider and TableStorageRoleProvider. If the application has more advanced authentication and authorization requirements, select a different security model.
- If you are concerned only with expenditures for total storage size, and not with the number of transactions, this model is a good fit. Depending on the number of transactions, it can present a significant cost savings over SQL Server or SQL Azure.
- If the ASP.NET application requires analysis of user data, do not use this model. The data that is stored in Windows Azure table storage is not relational, which makes any type of complex analysis difficult without additional custom code.
- The model does not support multiple applications, so it is a good choice if the authentication logic is limited to the scope of the ASP.NET application and does not have to be shared with other applications.
The Model Defined
The following figure illustrates how forms-based authentication between an ASP.NET application in Windows Azure and Windows Azure storage works.
The client's browser connects to the ASP.NET application to perform authentication. The connection is made over port 443, which is secured with HTTPS and SSL. All non-secure communication between the client's browser and the ASP.NET application uses HTTP over port 80.
The ASP.NET application's Web.config file specifies the following information.
- The application's authentication mode is set to Forms.
- The logon page that is used by the application for forms authentication.
- The membership provider is set to the TableStorageMembershipProvider.
- The role provider is set to the TableStorageRoleProvider.
- The connection string that is used to connect to the user store hosted in Windows Azure table storage.
Windows Azure table storage is used to store the following pieces of information.
- User data such as user names and encrypted passwords that are used by the ASP.NET application.
- The names of roles that are used by the ASP.NET application to secure application resources.
- The association of users with roles.
The ASP.NET application uses a private key to connect to Windows Azure table storage. This key is known only to the ASP.NET application and to the Windows Azure storage account that hosts the data.
How to Implement the Model
The TableStorageMembershipProvider and TableStorageRoleProvider are currently provided as samples in the Windows Azure Platform Training Kit. To follow the steps in this section, download and install the training kit. The training kit can be downloaded at http://www.microsoft.com/downloads/en/details.aspx?FamilyID=413E88F8-5966-4A83-B309-53B7B77EDF78&displaylang=en.
- Open Visual Studio and create a new Windows Azure Project.
- Add an ASP.NET Web Role to the project.
- In Solution Explorer, right-click the solution, select Add, and select Existing Project.
- In the Add Existing Project dialog box, browse to the following location in the Windows Azure Platform Training Kit [install directory]:\WAPTK\Labs\BuildAspNetAppsWithWindowsAzure\Source\Assets\AspProviders, and select AspProviders.csproj.
- In Solution Explorer, expand the Roles folder underneath the Windows Azure Project, and double-click the ASP.NET web role.
- Click Settings, click Add Setting, and add a setting with the following values:
  - Name = DataConnectionString
  - Type = Connection String
  - Value = UseDevelopmentStorage=true
- Open the Web.config file for the ASP.NET application, and add the following section under the configuration element.

    <appSettings>
      <add key="DataConnectionString" value="UseDevelopmentStorage=true" />
    </appSettings>

- Locate the membership element and replace it with the following XML code.

    <membership defaultProvider="TableStorageMembershipProvider" userIsOnlineTimeWindow="20">
      <providers>
        <clear/>
        <add name="TableStorageMembershipProvider"
             type="Microsoft.Samples.ServiceHosting.AspProviders.TableStorageMembershipProvider"
             description="Membership provider using table storage"
             applicationName="AzureStore"
             enablePasswordRetrieval="false"
             enablePasswordReset="true"
             requiresQuestionAndAnswer="false"
             minRequiredPasswordLength="1"
             minRequiredNonalphanumericCharacters="0"
             requiresUniqueEmail="true"
             passwordFormat="Hashed"/>
      </providers>
    </membership>

- Locate the roleManager element and replace it with the following XML code.

    <roleManager enabled="true"
                 defaultProvider="TableStorageRoleProvider"
                 cacheRolesInCookie="true"
                 cookieName=".ASPXROLES"
                 cookieTimeout="30"
                 cookiePath="/"
                 cookieRequireSSL="false"
                 cookieSlidingExpiration="true"
                 cookieProtection="All">
      <providers>
        <clear/>
        <add name="TableStorageRoleProvider"
             type="Microsoft.Samples.ServiceHosting.AspProviders.TableStorageRoleProvider"
             description="Role provider using table storage"
             applicationName="AzureStore" />
      </providers>
    </roleManager>

- The ASP.NET application is now configured to use Windows Azure storage for forms authentication. To test the functionality, start the application from Visual Studio.
- Click the Log In link that is on the right side of the page that appears.
- On the next screen, click the Register link.
- Fill out the fields on the Create a New Account page that appears and click the Create User button.
- If everything works as expected, you will see the user name you entered on the registration page in the upper right corner of the page you are redirected to when registration is complete.
- To verify that data was written to Windows Azure storage, open the Server Explorer in Visual Studio, expand the Windows Azure Storage node, expand the (Development) node, expand the Tables node, and double-click the Membership table to see the entity that was added.
- Before deploying the solution to Azure, update the DataConnectionString setting that you created in step 6 to a valid Windows Azure storage account. The updated value should look like this:

    DefaultEndpointsProtocol=https;AccountName=[your storage account name];AccountKey=[your storage account key]
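
The check below is an added example, not part of the original article or the training kit. It audits a Web.config like the one assembled in the steps above for settings that should change before deployment: cookies not restricted to SSL, a short minimum password length, and a storage connection string that still points at development storage or a non-HTTPS endpoint. The `<forms>` element, the eight-character threshold and the finding names are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed input using the page's sample values; the <forms> element is an assumption.
SAMPLE_WEB_CONFIG = """<configuration>
  <appSettings><add key="DataConnectionString" value="UseDevelopmentStorage=true" /></appSettings>
  <system.web>
    <authentication mode="Forms"><forms loginUrl="~/Account/Login.aspx" /></authentication>
    <membership defaultProvider="TableStorageMembershipProvider"><providers>
      <add name="TableStorageMembershipProvider" minRequiredPasswordLength="1" passwordFormat="Hashed" />
    </providers></membership>
    <roleManager enabled="true" cacheRolesInCookie="true" cookieRequireSSL="false" />
  </system.web>
</configuration>"""

MIN_PASSWORD_LENGTH = 8  # assumed policy threshold, not a value from the page


def is_true(element, attribute):
    """Treat an absent boolean attribute as false, the default for the ones checked here."""
    return element.get(attribute, "false").lower() == "true"


def audit_web_config(xml_text, min_length=MIN_PASSWORD_LENGTH):
    """Return sorted finding codes for weak authentication settings."""
    root = ET.fromstring(xml_text)
    findings = set()
    for forms in root.iter("forms"):
        if not is_true(forms, "requireSSL"):  # ticket cookie may be sent over port 80
            findings.add("forms-cookie-not-ssl-only")
    for role in root.iter("roleManager"):
        if is_true(role, "cacheRolesInCookie") and not is_true(role, "cookieRequireSSL"):
            findings.add("role-cookie-not-ssl-only")
    for membership in root.iter("membership"):
        for provider in membership.iter("add"):
            if int(provider.get("minRequiredPasswordLength", "0")) < min_length:
                findings.add("password-too-short")
            if provider.get("passwordFormat", "").lower() != "hashed":
                findings.add("password-not-hashed")
    for app_settings in root.iter("appSettings"):
        for setting in app_settings.iter("add"):
            if setting.get("key") != "DataConnectionString":
                continue
            value = setting.get("value", "")
            parts = dict(p.strip().split("=", 1) for p in value.split(";") if "=" in p)
            if parts.get("UseDevelopmentStorage", "").lower() == "true":
                findings.add("development-storage")
            elif parts.get("DefaultEndpointsProtocol", "").lower() != "https":
                findings.add("storage-not-https")
    return sorted(findings)
```

Calling `audit_web_config(SAMPLE_WEB_CONFIG)` reports every setting in the sample that needs attention; an empty list means none of these checks fired.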
Conclusion
There are a number of options to consider when you implement the familiar forms-based authentication model for ASP.NET applications that are hosted on the Windows Azure platform. From latency, to cost, to data structure and migration, each model has its benefits and limitations. In the end, it is up to you, the developer, to understand the authentication and authorization needs of your ASP.NET applications to determine which model is the best fit.