Today I tried to put up a simple ASP.NET MVC application on DiscountASP shared hosting. It all started well but ended with the strangest security and server architecture I’ve ever seen. I don’t want to insult them, but it is really shocking and unexpected when one of the top hosting providers just spits on web security.
Okay, I uploaded my ASP.NET MVC application to the server using WebDeploy – it works fine, no problems at all. It was also very easy to put up my database and get the application running. The public side of the application works fine, and then it was time to log in to the admin area. That’s the point where things started to stink badly.
Windows Identity Foundation happens today
Well… as I don’t like to reinvent the wheel and I don’t like easy-to-break security solutions like the classic username-and-password stuff, I’m using Windows Identity Foundation and Windows Azure AppFabric Access Control Services to authenticate administrators. It’s all damn easy to set up and configure, and it all works like a charm. What’s best – Windows Identity Foundation provides way better and stronger security than all those homemade pieces of crap that people love to use.
If you want to find out more about WIF, I can suggest some of my own resources:
- Webcast: Brief introduction to Windows Identity Foundation
- 5 minutes WIF: Make your ASP.NET application use test-STS
This is what Microsoft offers for better and safe web.
After a short discussion with DiscountASP technical staff, it turned out that on their shared hosting service it is impossible to follow these simple steps that make WIF work:
- Open IIS Manager.
- Find out which AppPool your application is using by selecting your app, right-clicking on it, and selecting Manage Application -> Advanced Settings.
- After that, on the top left-hand side, select Application Pools and select the App Pool used by your app.
- Right-click on the App Pool, select Advanced Settings, go to the Process Model section, find the "Load User Profile" option and set it to True.
On their website I didn’t see a warning saying "legacy systems only, please"…
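The same change done from an elevated PowerShell prompt, as an added example that is not part of the original post. It uses the IIS WebAdministration module that ships with IIS 7.5, reads the current value, enables Load User Profile and recycles the pool. The pool name `MySitePool` is an assumption; use the name found in the steps above. The reason the setting matters is that WIF's default session token handler protects the session cookie with DPAPI, and DPAPI needs the app pool identity's user profile to be loaded.

```powershell
# Added example (not from the original post): enable "Load User Profile"
# on an IIS application pool from PowerShell instead of the IIS Manager GUI.
# Requires an elevated prompt and the WebAdministration module (IIS 7.5+).
Import-Module WebAdministration

$poolName = 'MySitePool'            # assumed name; replace with your pool
$poolPath = "IIS:\AppPools\$poolName"

if (-not (Test-Path $poolPath)) {
    throw "Application pool '$poolName' not found"
}

# Read the current value of processModel.loadUserProfile
$pool = Get-Item $poolPath
Write-Host "loadUserProfile before: $($pool.processModel.loadUserProfile)"

# Enable Load User Profile so DPAPI (used by WIF's default
# SessionSecurityTokenHandler to protect the session cookie) has a profile to work with
Set-ItemProperty -Path $poolPath -Name processModel.loadUserProfile -Value $true

# Recycle the pool so the running worker process picks up the new setting
Restart-WebAppPool -Name $poolName

$pool = Get-Item $poolPath
Write-Host "loadUserProfile after:  $($pool.processModel.loadUserProfile)"
```

The equivalent one-liner with appcmd is `%windir%\system32\inetsrv\appcmd set apppool /apppool.name:"MySitePool" /processModel.loadUserProfile:true`. On a shared host where neither is allowed (the situation in the post), the known alternative, which the post does not cover, is to configure WIF to protect the session cookie with RSA using the site's certificate (RsaEncryptionCookieTransform and RsaSignatureCookieTransform) instead of DPAPI, which removes the dependency on the user profile.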
Let’s do it the DiscountASP way
As DiscountASP cannot help me with their service, I started thinking about what a secure web application looks like in the DiscountASP world. The best (and really stupid) way to do secure things on their hosting is here (although I’m not sure about the security of the link between the custom box and MSSQL).
The site is hosted on DiscountASP servers and a copy of the site runs on some custom box that is able to run IIS 7.5. This custom box serves the admin interface to administrators. This box can be anywhere – even in your home under your table, if you have a good connection. And this custom box extends DiscountASP legacy hosting with today’s secure web mechanisms. Cool? :)
Where to go next?
It seems it’s not wise to bet on top providers, as they are stuck in the mainstream and have no will to improve their services. I think Windows Azure will be the next stop for all my public systems, as there I have a lot more control over my technical environment, although my wishes are very small. It also seems to me that newer services have less legacy to carry and are more interested in keeping the users they get.