Service fabric cluster security

What’s Service Fabric?

If you are aware about the concept of micro services and keep yourself up-to-date with latest technologies, it is highly probable that you would have heard about Service Fabric. When you break your monolith applications into micro services or design brand new micro services, you would like to have an orchestrator that can manage service reliability, lifetime, scaling, upgrade mechanism, versioning, service discovery etc. Service Fabric is an orchestrator for micro services (and containers) developed by Microsoft. As per Microsoft, Service fabric is not new, it already powers many of existing highly scalable Azure services. This blog post is not about what service fabric is, but what it takes to secure your service fabric cluster (environment). One last thing, Service Fabric cluster is a collection of nodes that are used to host your services. Let’s see how to secure your cluster.

Cluster Security

When you create your cluster your should be aware available security options. Most of the advance things that are essential for security are not doable from Azure Portal (at-least they were not when I last checked) and can only be done via ARM scripts. Best time to do these things is during initial provisioning of the cluster.

Cluster Authentication

When you create your cluster there is always a scare that random nodes can join your cluster. To prevent this to happen we can use X509 certificates. Certificates are added to all valid nodes during provisioning and Service Fabric is made aware of this certificate. Only nodes with the certificate are allowed to communicate with each other and are accepted as being part of cluster. At the end I’ll provide a simple ARM script to provision a secure cluster.

Diagram of node-to-node communication

Server Authentication

You can connect to cluster from multiple clients like Visual studio, Powershell or Cloud Explorer. When you connect you have to provide your cluster endpoint, for example: You can push binaries, secrets etc. using clients to your cluster. What about getting some guarantee that you are actually communicating to the real cluster that you indented to connect? During provisioning of the cluster you can define a server authentication certificate and while connecting you can provide thumbprint of that certificate. Service Fabric will make sure the cluster you are trying to connect has certificate (pfx) with same thumbprint. If not then connection will be declined.

Diagram of client-to-node communication

Role Based Access

Azure Active Directory is used to secure access to the service fabric cluster management endpoints. A Service Fabric cluster offers several entry points to its management functionality, including the web-based Service Fabric Explorer and Visual Studio. Thus, we create two AAD applications to control access to the cluster, one web app and one native application. For fine grained authorization, web app registered in AAD will have 2 app roles; ADMIN and READONLY.

Two SGs will be created in AAD tenant, one for cluster admins and other one for read only access to cluster. These SGs will be added to AAD application roles as follows:

  • ReadOnly security group should be added to READONLY app role
  • Admin security group will be added to ADMIN app role

To check more details around RBAC for service fabric cluster please check service fabric documentation. You can use script available at – to create these AAD applications. if executed correctly with proper parameters, you will get following output that can be used in cluster creation ARM script.


Reverse Proxy, SSL and Service Fabric explorer.

  • While provisioning your cluster you should be aware of reverse proxy concept. If you enable reverse proxy on your cluster (say on port 19088), you should know that all services hosted on your cluster can be accessed from outside by browsing This means, service might be running on some random port (say 2000) and you would think that as port 2000 is blocked on firewall, your service is hidden. If you have enabled reverse proxy and reverse proxy port is open on firewall then all you services are free to be browsed from outside. Scary… Smile is it not?
  • Always use SSL to host your services
  • Management endpoint that is exposed by default on port 19080 should not be exposed to public internet. You can use jump box and only allow access to management endpoint (service fabric explorer) via jump box. This means, if anyone wants to browse service fabric explorer to manage your cluster, they will have to first remote desktop into jump box and access the explorer.

Microsoft has some good documentation on cluster security. Take some time and check that as well. In next post I’ll share a cluster ARM script using which you can manage majority of above mentioned steps.

Currently listening to – ALL THE STARS [KENDRICK]


Azure AD–Using App roles for authorization

Role based authorization

In intranet applications, AuthZ is generally implemented using Windows security groups with ASP.NET IsInRole() functionality. Following is a list of steps we take to make this work:

  • Define high level application roles. For example; in an expense application we can have approver and administrator as two roles with higher (or different privileges) than normal user.
  • Identify initial set of Windows security groups that will be mapped to app roles. This list should be dynamic and will probably change.
  • Use a mapping mechanism, either DB or configuration file, to keep a mapping of application roles and security groups.
  • In your application, once you get the token after authenticating the user, write code to check group claim and assign appropriate role claim (based on your mapping) to the user.
  • Indicate to ASP.NET pipeline that you want to use Role claim for IsInRole functionality.
  • That is pretty much it. Now, you can just place Authorize attribute wherever you want to check for that role or call IsInRole() to do the same.

Here comes Azure Active Directory

Now we want to move our on-premises (intranet) application (Windows Auth) to cloud. I’m skipping ADFS (STS) here, as at a high level the claims you get in the SAML token are similar to claims present in Kerberos token.

As of today, recommended service for AuthN and AuthZ on cloud is Azure AD (AAD). Moving your app to AAD bring some challenges as well as provide some opportunities to improve things.


  • Tokens that you receive from AAD does not contain group claims by default. You have to enable it using these steps.
  • Even if you enable, there is a limit to groups that you can get in the token. I will not go into those details. Please check this for more info around this. 


  • Did you notice all work that is required to make application roles really work even in traditional (intranet) application?
  • You have to have mechanism to map app roles with security groups, fetch the mapping and add role claim.
  • Just like authentication, all this should ideally be offloaded to some common service.
  • Let’s see how we can improve this.


AAD provides application roles that can be used for authorization. I’ll show you in detail how it is done. This is a step by step guide and will have lot of screen shots.

Note: Make sure you have a valid subscription before you proceed beyond this point.

Set up your infrastructure

Create User and Group in AAD

  • Select your directory
  • Add 2 users. For example, add a users Bob and add another user Samantha.2
  • Add a group.
  • Add Bob to the group.
  • At the end of this step you should have 2 users and a group. One of the user should be part of the group.

Create Application in AAD

  • Add application to the directory using Application option from top menu and then clicking Add link in the bottom menu. For more details use this link.45
  • Give a friendly name, sign on URL and app id URI. For more details use this link.
  • Note down client ID from configuration tab. This we will use in our web app to set up authentication.

Create web app and make authentication work

  • Create a simple ASP.NET MVC web app and update OWIN Auth configuration with your application’s client ID and tenant name.
  • Download completed code from github
  • After updating required values, try to run the sample. I used the Individual account template while creating the project due to which there are few extra files and steps before login. From home page, click login and then click OpenIDConnet button. This will initiate login process with AAD.
  • You can put breakpoint in Contact action method in Home Controller to check available claims. Notice that there is neither group nor role claim.

Add role to AAD application

  • Open application in AAD and download manifest file. Currently, you can not add application roles from portal UI. We will use manifest file to add roles. 10
  • Open manifest in a text editor (preferably JSON editor). App roles will be blank.
  • 11
  • Add following text to app roles section in manifest file. This is the place where we are adding 2 roles.
    “appRoles”: [
                    “allowedMemberTypes”: [
                    “description”: “Approvers can mark expenses as approved”,
                    “displayName”: “Approver”,
                    “id”: “8F29F99B-5C77-4FBA-A310-4A5C0574E8FF”,
                    “isEnabled”: “true”,
                    “value”: “approver”
                    “allowedMemberTypes”: [
                    “description”: “Administrators can change all settings and do all other operations”,
                    “displayName”: “Administrator”,
                    “id”: “0866623F-2159-4F90-A575-2D1D4D3F7391”,
                    “isEnabled”: “true”,
                    “value”: “administrator”
  • Resulting manifest should look like this12
  • Upload the manifest back to the application.

Assign group to a role

  • Go to application in AAD and open Users and Group option. Please note, I’m using a premium subscription to do this. In a non premium subscription only user can be assigned to a role. This is just a UI limitation and can be worked around by using Graph API. I’ll show how to do this in my next post. But for now, for simplicity, I’ll use portal UI.
  • Search for the group you want to assign to the role. For now use the group we created above. Select the group from the grid and click Assign from bottom menu. Choose the role and complete the process.
  • We are done with infrastructure changes. Most of these are one time things and going forward we just have to change assignments based on requirements.

Final changes to web app and test

  • In your OWIN Auth configuration, add following code snippet to tell ASP.NET pipeline to use role claim for Authorization
  • Modify controllers to use Authorize attribute and IsInRole() as required.
  • We are done. We successfully offloaded our authorization infrastructure to Azure AD.
  • Inspect the claims by logging in with the user who is member of group assigned to role as well as the user who is not a member of that group.

Caution & other important stuff

  • User should be direct member of the group which is assigned to the role. If a user is member of inner group, claims will not contain relevant roles.
  • Apart of groups, users can also be assigned to the roles.
  • Current portal UI only supports assigning a group to only one role. What if you want a group to have multiple roles? For example, our group can be used for both approvers and administrators. Good thing is, this is just a portal UI limitation and we can easily do this via Graph API. I’ll add a sample in my next post.
  • As I told earlier, groups can only be assigned to roles from portal UI if you have premium subscription. Again this is just portal UI limitation and can be easily done via Graph API. I’ll add a sample in my next post.

That is it. I think it is pretty simple and powerful way to offload authorization infrastructure of your application.



Simplest way to prevent Phishing Attack on IE 8

Phishing attacks are becoming common these days. Recently there was a massive phishing attack reported on Hotmail. There are few easy ways by which we can prevent phishing attacks.

I use IE 8 as my default browser and it provides a nice feature known as Smart Screen Filter which helps us in identifying phishing attacks. There is also a online publication provided by Microsoft that helps in identifying phishing attacks.

I follow a simple funda while browsing web sites, whenever I require entering important information like user name, password or financial information, I look at the IE 8’s address bar and identify the actual domain name of the URL. IE 8 highlight the domain name by marking it black in color while rest of the url remains grey. This helps a lot. Screen shot of Windows Live login screen is shown below.

Happy Surfing!

Secure Strings in .Net

[System].String objects contains an array of characters that reside somewhere in memory. We usually store our confidential entities (information that is meant to be secure) in these String objects. This information can range from your password to you salary code. If some un-managed/ unsafe code is allowed to run, that code can get into our process’s address space, find out the required String object and use it in any way as it like.

As we all know, Strings objects are immutable i.e. once a string object is created they never change. Old versions of String object are scattered all over memory. There is no guarantee when garbage collector will run and clean up our application’s managed heap. Before GC wakes up, these string objects are within reach of some unsafe code. Unsafe here means code that is manipulating memory pointer. Even if string objects are used for short time and then are garbage collected by the run time, this doesn’t mean that memory space used by string will be allocated to another object just after garbage collection (especially if string object was in older generation).

If some government office like CBI (Indian Investigating Agency) approaches you to create a secure application which will handle data about national security, “System.String” type objects will not meet stringent security requirements that application needs. Sensitive information lying in memory can be very tempting for anti social elements (this includes hackers). Due to these requirements Microsoft introduced another type of string class:

  • Class Name: SecureString
  • Name Space: System.Security

When we create an object of SecureString type, it internally allocates a block of memory that contains an array of characters. Now the surprise! this is an un-managed block of memory and this is because runtime don’t want garbage collector to know about these SecureString objects. GC knows about all the objects lying in the heap. It has no information regarding object type but it knows its memory address. This class is just in its budding phase and does not provide only few features that are provided with System.String class. Data is encrypted before storing and decrypted before being read. So with good functionality it gives us some bad performance overheads.

System.Secure.SecureString class implements Dispose pattern i.e. it implements IDisposable interface. Another surprise, its Dispose method is called implicitly (i.e. automatically). You don’t need to call this method explicitly. CLR calls SecureString’s Dispose when it realizes that this string is not needed or it is out of scope. Dispose ensures that all memory contents used by object of SecureString type are zeroed out. This class is derived from CriticalFinalizerObject which ensures that finalize method of this class is called no matter what happens. CriticalFinalizerObject in itself deserves a good amount of space. But I’ll leave it for now.

There are certain limitations around usage of SecureString in .Net 2.0.

to be continued…