Gunnar Peipman's ASP.NET blog

ASP.NET, C#, SharePoint, SQL Server and general software development topics.

DiscountASP–Winner of my daily WTF today

Today I tried to put up a simple ASP.NET MVC application on DiscountASP shared hosting. It all started well but ended with the strangest security and server architecture I’ve ever seen. I don’t want to insult them, but it is really shocking and unexpected when some of the top hosting providers just spit on web security.

Okay, I uploaded my ASP.NET MVC application to the server using WebDeploy – it works fine, no problems at all. It was also very easy to put up my database and get the application running. The public side of the application works fine and it was time to log in to the admin area. Now that’s the point where things started to stink badly.

Windows Identity Foundation happens today

Well… as I don’t like to reinvent the wheel and I don’t like easy-to-break security solutions like the classic username and password stuff, I’m using Windows Identity Foundation and Windows Azure AppFabric Access Control Services to authenticate administrators. It’s all damn easy to set up and configure and it all works like a charm. What’s best – Windows Identity Foundation provides way better and stronger security than all those homemade pieces of crap that people love to use.

If you want to find out more about WIF, I can suggest some of my resources:

This is what Microsoft offers for a better and safer web.

After a short discussion with DiscountASP technical staff it turned out that on their shared hosting service it is impossible to follow these simple steps that make WIF work:

  • Open IIS Manager.
  • Find out what AppPool your application is using: select your app, right-click on it, and select Manage Application -> Advanced Settings.
  • After that, on the top left-hand side, select Application Pools and select the App Pool used by your app.
  • Right-click on the App Pool and select Advanced Settings, go to the Process Model section, find the "Load User Profile" option and set it to true.
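
The same steps can be scripted with the IIS WebAdministration PowerShell module. This is an added example, not part of the original post; `$SiteName` and `$AppPath` are placeholder values, and the script needs an elevated prompt on the IIS server, which a shared hosting customer does not have.

```powershell
# Added example: scripted equivalent of the IIS Manager steps above.
# $SiteName and $AppPath are placeholders; replace them with your own values.
param(
    [string]$SiteName = 'Default Web Site',
    [string]$AppPath  = '/'
)

Import-Module WebAdministration

# Find the application pool the application runs in.
if ($AppPath -eq '/') {
    # Root application of the site
    $poolName = (Get-Item "IIS:\Sites\$SiteName").applicationPool
} else {
    # Application nested under the site
    $app = Get-WebApplication -Site $SiteName -Name $AppPath.TrimStart('/')
    $poolName = $app.applicationPool
}
if (-not $poolName) {
    throw "No application pool found for '$SiteName' at path '$AppPath'."
}

$poolPath = "IIS:\AppPools\$poolName"

# Read the current Process Model -> Load User Profile setting.
$before = (Get-Item $poolPath).processModel.loadUserProfile
Write-Output "App pool '$poolName': loadUserProfile is currently $before"

# Enable it only when needed, so the script is safe to re-run.
if (-not $before) {
    Set-ItemProperty $poolPath -Name 'processModel.loadUserProfile' -Value $true
}

# Confirm that the setting was applied.
$after = (Get-Item $poolPath).processModel.loadUserProfile
if (-not $after) {
    throw "Failed to enable loadUserProfile on '$poolName'."
}
Write-Output "App pool '$poolName': loadUserProfile is now $after"
```

The setting applies to the whole application pool, so every application sharing that pool is affected by the change.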

On their website I didn’t see a warning saying “legacy systems only, please”…

Let’s do it DiscountASP way

As DiscountASP cannot help me with their service, I started thinking about what a secure web application looks like in the DiscountASP world. The best (and it is really stupid) way to do secure things on their hosting is here (although I’m not sure about the security of the link between the custom box and MSSQL).

Secure web DiscountASP way

The site is hosted on DiscountASP servers and a copy of the site runs on some custom box that is able to run IIS 7.5. This custom box serves the admin interface to administrators. This box can be anywhere – even in your home under your table if you have a good connection. And this custom box extends DiscountASP legacy hosting with today’s secure web mechanisms. Cool? :)

Where to go next?

Seems like it’s not wise to make bets on top providers as they have stuck to the mainstream and have no will to improve their services. I think Windows Azure will be the next place to stop with all my public systems, as there I have a lot more control over my technical environment although I have only very small wishes. Also it seems to me that new services have less legacy to carry on and they are more interested in keeping the users they get.

Comments

ScottJ said:

I'm not a DiscountASP customer but did use them for several years and was very satisfied. I no longer needed a 'personal' site. Their environment could be set up using MSFT best practices. Based on what you describe I'm not surprised a shared hosting service doesn't support it. Also, DiscountASP is a 'discount' provider. There are some great people there, I think you are a little hard on them. I appreciate your info on WIF and your previous contributions via your blog.

# June 15, 2011 9:22 PM

Michael Phillips said:

Hello Gunnar,

What you have to bear in mind is that not every new Microsoft technology is created with shared hosting in mind. In fact, very few of them are. And WIF was most definitely not designed with a shared hosting environment in mind.

But before I get to that, I would like to point out that we have posted a working WIF method on our blog, "Claims Based Authentication using Windows Identity Foundation" - blog.discountasp.net/claims-based-authentication-using-windows-identity-foundation - for anyone who does want to utilize WIF on our shared hosting platform.

There are a few reasons it isn't feasible to support out-of-the-box WIF such as you want to use in a shared environment. Mainly, configuring IIS to load a user profile for each site/application on a shared server would require maintaining thousands of profiles on each server, since we run each application with its own identity. The problems inherent in that should be clear. Even if someone running a shared hosting environment did feel compelled for some reason to maintain thousands of profiles on each server, they could not control the disk quota on the profile directory, along with several other issues that would impact performance and generally make managing such a server very difficult (and potentially very insecure).

But the reasons why it isn't appropriate for shared hosting aside, I think your diagram under the "Let’s do it DiscountASP way" heading gives the false impression that somehow that is a simplified view of what our network architecture looks like, and obviously that is not the case. I know that isn't the point you are making, but that's how it looks, and it's not fair to give people the impression that we are some kind of idiots.

Your overall insulting tone is kind of disappointing as well. Calling us a "legacy host," characterizing our service as "strange," "shocking." I don't understand where the hyperbole and viciousness are coming from. You act like we killed your puppy or something. We would never do that. We love dogs.

I can only point out that a lot of people in the .NET world would disagree with your characterization of our service, seeing as we were named best ASP.NET Hosting Service for the past six years in a row in asp.netPRO Magazine's/DevProConnections Readers' Choice Award Poll, and were also voted Best ASP.NET Hosting Service in The Code Project's Members' Choice Award Poll for the past 3 years straight.

Just saying.

mjp

# July 7, 2011 9:22 PM