Success: Getting Azure IIS site status via .NET code ... BUT ... How to avoid impersonation of my Azure Admin account?

    Question

  • Hello,

    I was successful in getting this code to work, which will tap IIS to get my webrole site application pool status for each site ... just so I can quickly toss the information into a webpage. BTW: Yes, I do understand that this is only going to hit IIS on the server where this instance is running. I'm just messing around getting info out of Azure without having to use log files and polling and parsing data out of log files. I was just looking for a quick and easy way to get app status tossed into a webpage. I speculate that another way would be to use the Service Management API endpoints and check the apps are running by interacting directly with their endpoints ... VIP targeting of each instance endpoint perhaps? Anyhow ... here is what I was playing with:

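    ' Requires: Imports System.Text and Imports Microsoft.Web.Administration
    Using serverManager As New Microsoft.Web.Administration.ServerManager
        Dim sb As New StringBuilder
        ' Enumerate the IIS sites on this instance only and record each site's state
        Dim appSiteCollection As SiteCollection = serverManager.Sites()
        For Each app As Site In appSiteCollection
            sb.Append(app.Name & ": " & app.State.ToString & vbCrLf)
        Next
        ' Show the collected "name: state" lines on the page
        Me.TextBox_Output.Text = sb.ToString
    End Using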

    I had to add references to:
    System.DirectoryServices
    Microsoft.Web.Administration (found at: C:\Windows\System32\inetserv)

    and running in ServiceDefinition.csdef:
    <Runtime executionContext="elevated" />

    However, I also had to impersonate my Azure Admin account in Web.config to avoid a nasty access permission exception:
    <identity impersonate="true" userName="<MyAzureUserName>" password="<MyAzurePassword>" />

    Question: How can I make this work without having to impersonate? I DON'T want to leave my credentials in the Web.config file like this. Can I connect to the webrole instances and set permissions manually for NETWORK SERVICE to access IIS? That might not survive webrole restart/reboots, but it would be a lot better than exposing my admin account like this.



    • Edited by SellRex Saturday, March 17, 2012 11:11 PM Another grammar change
    Saturday, March 17, 2012 11:05 PM

Answers

  • Hi,

    Based on my understanding, I would like to suggest that you use a startup task to start a console application which runs in the background. Give it elevated permission, and it will be able to collect the server’s information. Please do not put the code in the web application itself. If you want the web application to communicate with the background application, you can also host a WCF service using NetNamedPipeBinding inside the console application.

    Best Regards,

    Ming Xu.


    Please mark the replies as answers if they help or unmark if not.
    If you have any feedback about my replies, please contact msdnmg@microsoft.com.
    Microsoft One Code Framework

    Monday, March 26, 2012 9:00 AM
    Moderator
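
The split described in the answer above, shown as an added example (not code from the thread or from Microsoft): an elevated background host exposes a read-only status contract over a named pipe, and the web application queries it with no impersonation and no stored credentials. The names `IIisStatus`, `IisStatusService`, `IisStatusHost.exe` and the address `net.pipe://localhost/iisstatus` are assumptions made for illustration.

```vb
' Added example; IIisStatus, IisStatusHost.exe and the pipe address are hypothetical names.
' ServiceDefinition.csdef, inside the <WebRole> element:
'   <Startup>
'     <Task commandLine="IisStatusHost.exe" executionContext="elevated" taskType="background" />
'   </Startup>
Imports System
Imports System.Collections.Generic
Imports System.ServiceModel
Imports System.Threading
Imports Microsoft.Web.Administration

<ServiceContract()>
Public Interface IIisStatus
    ' Read-only on purpose: callers can ask for state but cannot change IIS through this contract.
    <OperationContract()>
    Function GetSiteStates() As Dictionary(Of String, String)
End Interface

Public Class IisStatusService
    Implements IIisStatus
    Public Function GetSiteStates() As Dictionary(Of String, String) Implements IIisStatus.GetSiteStates
        Dim states As New Dictionary(Of String, String)
        Using manager As New ServerManager()
            For Each s As Site In manager.Sites
                states(s.Name) = s.State.ToString()
            Next
        End Using
        Return states
    End Function
End Class

Module HostProgram
    ' Console host started by the elevated startup task.
    Sub Main()
        ' NetNamedPipeBinding only serves callers on the same machine.
        Using host As New ServiceHost(GetType(IisStatusService), New Uri("net.pipe://localhost/iisstatus"))
            host.AddServiceEndpoint(GetType(IIisStatus), New NetNamedPipeBinding(), "")
            host.Open()
            Thread.Sleep(Timeout.Infinite) ' keep serving for the life of the role instance
        End Using
    End Sub
End Module

Module StatusClient
    ' Belongs in the web project (sharing the contract); runs as the normal app pool identity.
    Public Function QueryStates() As Dictionary(Of String, String)
        Using factory As New ChannelFactory(Of IIisStatus)(New NetNamedPipeBinding(), New EndpointAddress("net.pipe://localhost/iisstatus"))
            Return factory.CreateChannel().GetSiteStates()
        End Using
    End Function
End Module
```

Only the small host process holds elevated rights, and the contract it exposes returns state without offering any start, stop or configuration operation.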

All replies

  • Hi,

    I would like to know what the purpose is. If it is just for testing, then I think it is fine to just hard code some credential in web.config. No one other than you can see it (unless your application queries this information and displays it on the web page, or you send the source code/package to someone else). If it is for production, then it is highly recommended that you use a more mature solution. It is difficult to avoid diagnostics/logging. But that solution is much more mature compared to your current solution. Running the whole service as administrator is not a very good idea.

    Best Regards,

    Ming Xu.



    Monday, March 19, 2012 12:48 PM
    Moderator
  • I agree with you and DON'T want to use impersonation in order to get info out of IIS. No ... this is not merely for testing. Without a lot of overhead, I'd love to just use Microsoft.Web.Administration.ServerManager to reach those IIS application pools, grab the pool status (Started, Stopped) and throw that into a management webpage. No logs ... no crazy diagnostics ... just a quick and dirty call out to IIS: 'Hey! What'r my AppPools doing right now?'

    I have had on a few occasions an application pool stop on me. When that happened (due to some bug in the app), I needed in each case to log into the webrole (via RDC) and go into IIS and into the AppPools and restart the AppPool. It would just be nice to see AppPool status quick and easy (as I show above that it can be done). I just don't want to have to impersonate my Azure service credentials to reach IIS in the webrole.

    I have some new good news: I think Nate uses ServerManager within the Microsoft Azure Accelerator for Webroles. I'm going to dig into his source and see if I can discern how he's getting good calls to ServerManager without throwing permissions exceptions. I'll post back what I find out sometime in the next few days/weeks ... whenever I can get to it.

    In the meantime, if anybody knows how to call ServerManager to reach IIS sites without impersonation, please ... I'm ALL EARS! Thanks --

    Luke

    Saturday, March 24, 2012 7:43 AM