WCF services and certificates

  • Question

  • Hi everyone,

    I have several WCF services that will be deployed in Azure (not in a VM). These services need to access few certificates for decrypting various ‘secrets’ but I want to be able to restrict access to some certificates to only selected services – can I achieve this level of control? I imagine that it could be something like in Windows server, I install a WCF service under a specific OS user identity, the certificate is installed ONLY for this OS user and therefore only WCF services installed under the same OS user as the certificate will be able to load it and use it ... but I don’t know if this can be achieved yet in Azure.


    Friday, January 17, 2014 5:12 PM

All replies

  • Can you not club the deployment of WCF services in such a way that all services needing access to a certificate get deployed on one web/worker role and others needing access to another common certificate get deployed as another web/worker role?


    Vishal Narayan Saxena http://twitter.com/vishalishere http://www.ogleogle.com/vishal/

    Friday, January 17, 2014 7:51 PM
  • You could move the services to dedicated roles as @vishalishere mentions and that would give you a much better control over who can access which certificates as the VMs would only ever have the certificates they need installed. However that's a bit complicated and can get expensive if you have quite a number of services.

    You could also move each web service into a dedicated site or virtual application and make each application have its own application pool. You could then force each application pool to use its own service account and then set the permissions on the certificate private keys such that only the necessary application pools have access to the keys. This is extremely complicated though and you have to configure it all manually via a startup script or something similar.

    The first option is by far more secure.


    Developer Security MVP | www.syfuhs.net

    Friday, January 17, 2014 9:36 PM
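One way to script the second option described in the reply above (a per-service application pool plus an ACL on the certificate's private key file), as an added PowerShell example that is not from the thread or from any poster. It assumes Windows PowerShell 5.1 with the IIS WebAdministration module, a certificate already in LocalMachine\My backed by a legacy CSP (RSA) key container; the pool name and thumbprint are placeholders.

```powershell
# Added example, not from the thread. Restricts one certificate's private key to one IIS app pool.
# Assumes: Windows PowerShell 5.1, IIS with the WebAdministration module, and a CSP-backed RSA key
# (CNG keys live under a different folder and expose no CspKeyContainerInfo).
Import-Module WebAdministration

$PoolName   = 'SecretsServicePool'        # hypothetical app pool, one per WCF service
$Thumbprint = '<THUMBPRINT-PLACEHOLDER>'  # placeholder: thumbprint of the certificate to lock down

# 1. One app pool per service, running as its own virtual account "IIS AppPool\<PoolName>".
#    identityType 4 = ApplicationPoolIdentity (no password to manage in the startup script).
if (-not (Test-Path "IIS:\AppPools\$PoolName")) {
    New-WebAppPool -Name $PoolName | Out-Null
}
Set-ItemProperty "IIS:\AppPools\$PoolName" -Name processModel.identityType -Value 4

# 2. Locate the file that holds the certificate's private key.
$cert = Get-Item "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop
if (-not $cert.HasPrivateKey) { throw "certificate $Thumbprint has no private key on this machine" }
$keyName = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
$keyPath = Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" $keyName

# 3. Break inheritance first and apply, so the re-read ACL only contains explicit rules.
$acl = Get-Acl $keyPath
$acl.SetAccessRuleProtection($true, $false)
Set-Acl -Path $keyPath -AclObject $acl

# 4. Drop every explicit rule, then allow only SYSTEM, Administrators and this pool's identity.
$acl = Get-Acl $keyPath
foreach ($rule in @($acl.Access)) { [void]$acl.RemoveAccessRule($rule) }
foreach ($admin in 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators') {
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        $admin, 'FullControl', 'Allow')))
}
# Read is enough for the CSP to load the key; other pools on the same role get no ACE at all.
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    "IIS AppPool\$PoolName", 'Read', 'Allow')))
Set-Acl -Path $keyPath -AclObject $acl

# 5. Verify the result: only the three identities above should be listed.
(Get-Acl $keyPath).Access | Select-Object IdentityReference, FileSystemRights, AccessControlType
```

Run it as an elevated startup task on the role instance; repeat steps 2 to 5 for each certificate and pool pairing, and check the final listing before trusting the isolation.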
  • Thanks for the suggestions, guys.

    I have indeed quite a number of services and dedicating a role only for security matters will get very expensive. But at least I know my options and I could probably rationalize services and functionality towards deploying in dedicated role(s).

    I was wondering if I'd be able to assign to a WCF service, at deployment time, an 'identity' from Azure Directory - but I'm not yet familiar with how Azure AD has evolved, it was pretty limited a year or so ago. If this would be possible, then I can have an extra service that can act as the manager of certificates (maintaining a map of Azure AD identity and certificate) and return the appropriate certificate only to services that identify themselves with the appropriate AD identity.

    Saturday, January 18, 2014 3:35 PM
  • Hi,

    If you're using a web role, then it is quite difficult to change the IIS application pool identity. Theoretically it can be done with startup tasks, but that can be very complex. So you may want to use a virtual machine, which allows you to create standard Windows accounts and assign them to different application pools via standard Windows UI. You can also deploy an active directory to a virtual network (see http://msdn.microsoft.com/en-us/library/windowsazure/jj156090.aspx). You can then integrate it with WAAD if you want, but note WAAD is mainly used to authenticate and authorize users, not to provide identities for services to access local resources.
     
    Additionally, if all services are developed by you, you can enforce policies in your code so they don't access the wrong certificate.

    Wednesday, January 29, 2014 8:15 AM