Security on the cache service

    Question

  • I've been looking into security on the cache service. Documentation seems light. I've been able to figure out the following:

    1. The generated token in the config is really just a base64 encoded version of the string whose format is:

    string.Format("acs:https://{0}-cache.accesscontrol.windows.net/WRAPv0.9/&{1}&{2}&http://{0}.cache.windows.net",
            cacheNamespace, user, symmetricKey);

    2. The owner token is assigned the right net.windows.cache.action: ReadWrite

    However, when I try to create a new Service Identity with the same rule as the one applied to the owner token, the token I then send to ACS fails to authenticate. Does caching only allow the owner token at this point, or is there something else at play? I have verified that my auth token generation method matches the token presented for owner in the Web Portal. The method is simple:

    static string GenerateAuthToken(string cacheNamespace, string user, string symmetricKey)
    {
      var stringToEncode = string.Format("acs:https://{0}-cache.accesscontrol.windows.net/WRAPv0.9/&{1}&{2}&http://{0}.cache.windows.net",
        cacheNamespace, user, symmetricKey);
      var bytes = Encoding.UTF8.GetBytes(stringToEncode);
      return Convert.ToBase64String(bytes);
    }

    The exception I get back for my efforts is:

    ErrorCode<ERRCA0030>:SubStatus<ES0001>:Acs Request for Token failed. One of the reasons could be an invalid authorization token.Error:Code:403:SubCode:T0:Detail:ACS50012: Authentication failed. :TraceID:4e687164-22fe-4cb5-a6d2-0ac63cfaff13:TimeStamp:2011-09-26 00:40:25Z

    This fails on a call to DataCacheFactory.GetDefaultCache() for the custom Service Identities. The code works flawlessly when I use the owner token.

     


    Scott Seely

    oops-- Figured out answer. Will leave here for posterity. The ACS authentication uses the Password, not the Symmetric key for authentication. I added passwords that matched my symmetric key (laziness here) and everything worked!

    • Edited by Scott Seely Monday, September 26, 2011 12:45 AM
    Monday, September 26, 2011 12:41 AM
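
Because the token is only Base64 over the format string quoted in the post, anyone who can read the client config can recover the secret field, so that config entry needs the same protection as the password itself. The following is an added example, not code from the original post or from Microsoft: it decodes such a token back into its four fields. The class, record and field names and the sample values are assumptions made up for illustration.

```csharp
using System;
using System.Text;

// Added example: not code from the original post.
static class CacheTokenInspector
{
    // Field names are assumptions chosen for this example.
    public sealed record Parsed(string AcsEndpoint, string User, string Secret, string Realm);

    public static Parsed Decode(string token)
    {
        // Base64 is an encoding, not encryption: decoding needs no key.
        string raw = Encoding.UTF8.GetString(Convert.FromBase64String(token));
        if (!raw.StartsWith("acs:", StringComparison.Ordinal))
            throw new FormatException("Missing 'acs:' prefix.");

        // Layout from the post: acs:<endpoint>&<user>&<secret>&<realm>.
        // The endpoint and realm are URLs without '&', so take the first two
        // separators from the left and the last one from the right; a secret
        // that itself contains '&' then stays in one piece.
        int first = raw.IndexOf('&');
        int second = first < 0 ? -1 : raw.IndexOf('&', first + 1);
        int last = raw.LastIndexOf('&');
        if (second < 0 || last <= second)
            throw new FormatException("Expected four '&'-separated fields.");

        return new Parsed(
            raw.Substring(4, first - 4),
            raw.Substring(first + 1, second - first - 1),
            raw.Substring(second + 1, last - second - 1),
            raw.Substring(last + 1));
    }

    static void Main()
    {
        // Constructed sample values, not real credentials.
        string plain = "acs:https://contoso-cache.accesscontrol.windows.net/WRAPv0.9/" +
                       "&owner&EXAMPLE&SECRET==&http://contoso.cache.windows.net";
        string token = Convert.ToBase64String(Encoding.UTF8.GetBytes(plain));

        Parsed p = Decode(token);
        Console.WriteLine($"endpoint: {p.AcsEndpoint}");
        Console.WriteLine($"user:     {p.User}");
        Console.WriteLine($"realm:    {p.Realm}");
        // Print only the length: the point is that the secret is recoverable.
        Console.WriteLine($"secret:   recovered, {p.Secret.Length} chars");
    }
}
```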

All replies

  • Hello Scott,

    Thank you for your post!

    This is a quick note to let you know that I am performing research on this issue and will get back to you as soon as possible. I appreciate your patience.

     

    Best Regards,

    Ming Xu.


    Please mark the replies as answers if they help or unmark if not.
    If you have any feedback about my replies, please contact msdnmg@microsoft.com.
    Microsoft One Code Framework
    Monday, September 26, 2011 1:59 PM
    Moderator
  • Ming--

    I've resolved this one. See the edit at the end of the original post:

     

    "The ACS authentication uses the Password, not the Symmetric key for authentication. I added passwords that matched my symmetric key (laziness here) and everything worked!"


    Scott Seely
    • Edited by Scott Seely Monday, September 26, 2011 2:45 PM
    • Marked as answer by Scott Seely Monday, September 26, 2011 2:45 PM
    Monday, September 26, 2011 2:44 PM
  • Hi,

    I'm glad to hear that you resolved this issue.
    Thank you for sharing your solutions and experience here. It will be very beneficial for other community members who have similar questions.

     

    Best Regards,

    Ming Xu.


    Monday, September 26, 2011 3:23 PM
    Moderator