Advanced WCF Workshop

Upgrade your WCF skills to "Expert" (Advanced WCF Workshop). Ido Flatow, Senior Architect, Sela Group

description

The Windows Communication Foundation (WCF) framework is used in almost all .NET development platforms: Windows clients, ASP.NET applications, Windows Phone, server-side applications, and Windows Azure. But have you ever wondered how WCF works? How you can extend it to your organization’s needs? How to monitor its work? How to tune it for better performance and scalability? WCF is the second largest assembly in the .NET Framework and just as complex to understand. In this 1-day workshop we will dive deep into WCF: learn how to monitor WCF services and troubleshoot them, how to tweak our services for better performance, how to secure them with transport and message security (discussing the pros and cons of each technique), and how to extend the WCF service pipeline to accommodate our needs.

Transcript of Advanced WCF Workshop

Page 1: Advanced WCF Workshop

Upgrade your WCF skills to "Expert" (Advanced WCF Workshop)

Ido Flatow, Senior Architect

Sela Group

Page 2: Advanced WCF Workshop

About Me

• Senior architect, Sela Group
• Co-author of:
  – Developing Windows Azure and Web Services – Microsoft official course
  – WCF 4 – Microsoft official course
  – Pro .NET Performance – Apress
• Microsoft MVP
• Focus on server, services, and cloud technologies
• Manager of the Israeli Web Developers User Group

Page 3: Advanced WCF Workshop

Agenda for Today

• Monitoring Services
• Performance Considerations
• WCF Security
• Extending the WCF Pipeline

Join the conversation on Twitter: @SoftArchConf #SoftArchConf

Page 4: Advanced WCF Workshop

Monitoring Services

Page 5: Advanced WCF Workshop

Monitoring WCF Services

• Post Factum
  – Tracing
  – Message logs
• Real-time
  – Performance counters
  – Event Tracing information
  – Windows Management Instrumentation (WMI)
  – Message sniffing tools

Page 6: Advanced WCF Workshop

Tracing and WCF

• Various levels of tracing
  – Critical (fatal exceptions)
  – Error (any exception)
  – Warning (limits reached)
  – Information (basic monitoring)
  – Verbose (everything)
• Can be used in clients and services
• End-to-End tracing for service chains
• Supports emitting custom tracing to the same file

Page 7: Advanced WCF Workshop

Configuring Tracing

Page 8: Advanced WCF Workshop

Viewing Trace Logs with SvcTraceViewer

Informative (white)
Warnings (yellow)
Exceptions (red)

End-to-End Activity Tracing

Additional information, including exceptions

Page 9: Advanced WCF Workshop

End-To-End Tracing

• Each traced activity has an ID
• Activity ID can travel within the AppDomain
• WCF can propagate the ID to chained services
• Track processing and exceptions across services
• Use the service trace viewer to see the logs together

Page 10: Advanced WCF Workshop

Viewing End-To-End Traces

ServiceA.svclog

ServiceB.svclog

ServiceC.svclog

Page 11: Advanced WCF Workshop

Viewing End-To-End Traces

Page 12: Advanced WCF Workshop

Tracing an Exception End-To-End

Just drill deeper into the trace

Page 13: Advanced WCF Workshop

Tracing an Exception End-To-End

Page 14: Advanced WCF Workshop

Adding Your Own Trace Messages

• Create your own trace source
• Use the same listener for both sources
• Use System.Diagnostics.TraceSource to log events
• You can also group events into a new activity

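using System;
using System.Diagnostics;

// Custom trace source; route it to the same listener as the WCF trace source
TraceSource ts = new TraceSource("MyTraceSource");
ts.TraceInformation("Doing some processing...");

if (needToThrowAnException)
{
    // Warning event (ID 1) logged just before the failure
    ts.TraceEvent(TraceEventType.Warning, 1, "Going to throw an exception!");
    throw new ArgumentException();
}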

Page 15: Advanced WCF Workshop

END-TO-END TRACING

Demo

Page 16: Advanced WCF Workshop

WCF Message Logging

• Logs request and response messages
• Supports logging of sensitive information
  – Entire message, including the body
  – Decrypted messages (service level)
  – Username and password (known PII)
• Use it cautiously
  – Logging large content requires more time
  – Be careful logging sensitive information
  – If using IIS, don’t expose it in a vdir
  – Use ACLs on the log file

Page 17: Advanced WCF Workshop

Enabling Message Logging

Step 1: Turn it on!

Step 2: Set log level and file

Step 3: Configure content

Page 18: Advanced WCF Workshop

Viewing Message in SvcTraceViewer

Requests and Responses

HTTP Headers

Message body (log entire message)

SOAP Headers

Page 19: Advanced WCF Workshop

Messages and Tracing Go Together!

• Combine message logging with tracing
• Get the whole picture
• Simply load both files to the same service trace viewer

Page 20: Advanced WCF Workshop

Tracing – What the Heck is ETW?

• Event Tracing for Windows
• Fast tracing solution supplied by the operating system
• Kernel-mode logging mechanism
• Logging can be enabled/disabled at runtime
• Trace is logged to an in-memory buffer
• Buffers are written to the disk asynchronously
• Exists since Windows 2000!
• WCF uses ETW!! And so can you!!!

Page 21: Advanced WCF Workshop

WCF Runtime Tracing in Three Steps

Page 22: Advanced WCF Workshop

RUNTIME TRACING WITH ETW

Demo

Page 23: Advanced WCF Workshop

Enabling WMI

• WCF services can expose configuration information using WMI

• The WMI provider is turned off by default

Page 24: Advanced WCF Workshop

Watch WMI Information

Use WMI tools to view information about a running service

Page 25: Advanced WCF Workshop

Change Settings at Runtime with WMI

• WMI Admin Tools (http://bit.ly/wmiadmin) (Requires running in IE9 Compatibility)
• PowerShell scripts with Get-WmiObject

Page 26: Advanced WCF Workshop

CONTROLLING MESSAGE LOGGING AT RUNTIME

Demo

Page 27: Advanced WCF Workshop

Sniffing the Network

• Many applications can be used to monitor WCF communication
  – Microsoft Network Monitor
  – Wireshark
  – HTTP Analyzer
  – Fiddler
• Sniffing tools usually have problems listening to the loopback adapter (localhost)

HTTP Only

Most sniffers just listen, but some do more...

Page 28: Advanced WCF Workshop

Sniffing HTTP with Fiddler

• Content types
  – XML
  – JSON
  – Binary Encoding
  – Base64 Strings
  – Gzip Compression
• Features
  – Record & Replay
  – Break & Change
  – HTTPS Sniffing

Page 30: Advanced WCF Workshop

SNIFFING WCF MESSAGES

Demo

Page 31: Advanced WCF Workshop

Performance Counters

• WCF has a wide collection of performance counters
• Counters can be collected for a service, an endpoint, or a specific operation

Page 32: Advanced WCF Workshop

Performance Considerations

Page 33: Advanced WCF Workshop

To Create or Not To Create?

• When is a service instance created?
  – Depends on the ServiceBehaviorAttribute
  – Depends which binding you use
• What are my options?
  – Per call
  – Per session (default, if supported by the binding)
  – Single instance
  – Custom (implement the IInstanceProvider interface)

Page 34: Advanced WCF Workshop

Pros and Cons of Instancing

• Per call
  – Creating an instance is usually cheap
  – Services should be stateless by design (better scalability)
  – Instance is disposed when finished, no bookkeeping
  – Performance hit when initialization requires time / memory / CPU
• Per session
  – Save state between client calls
  – One-time initialization, low performance hit
  – Requires keeping instance alive
  – Behaves badly when scaled
• Single
  – Share global state without using static fields
  – Reduces performance hit substantially when initialization is long
  – Can lead to concurrency issues if state is shared
  – Very problematic to scale (distributed state)

Page 35: Advanced WCF Workshop

Opening the Throttle

• Service host defines throttling levels
  – Max concurrent calls
  – Max session instances to manage
  – Max instances (running + idle sessions)
• WCF 3.5 defaults ≠ WCF 4/4.5 defaults
  – WCF 3.5 – 16 calls, 10 sessions
  – WCF 4+ – 16xCores calls, 100xCores sessions
• ServiceThrottling behavior controls the throttle

Always load test your throttling

Page 36: Advanced WCF Workshop

TESTING THE THROTTLE

Demo

Page 37: Advanced WCF Workshop

Instancing and Concurrency

• Can concurrent calls be executed using the same instance?
  – Per call – no such scenario, each call has its instance
  – Per session – a client can call multiple requests asynchronously
  – Single – very probable, clients can call at the same time
• Which concurrency modes exist in WCF?
  – Single. Only one thread can use the instance at a time
  – Multiple. Many threads can use the instance at a time
• What is the default?
  – Single – BEWARE !!

Page 38: Advanced WCF Workshop

Concurrency Explained

• When an operation is executed within an instance, the instance gets locked

• While the instance is locked, no other thread can use the instance

• With multiple, no locks are used

[Diagram: Client A, Client B, Service]

Page 39: Advanced WCF Workshop

What Can Possibly Happen?

• Single concurrency
  – Requests will get synchronized
  – Requests might reach timeout limits
• Multiple concurrency
  – Concurrency issues in code
  – End up using critical sections
  – Critical sections will lead to synchronization
  – Critical sections are hard to test
• Recommendations
  – Prefer using Per-Call instancing
  – Minimize the state managed by the instance
  – Use thread-safe types in your state

Page 40: Advanced WCF Workshop

Reentrant: Mixing Single and Multiple

• What if the running operation needs to call another service? Or invoke a callback in the client (duplex)?
• Instance is still locked, and won’t handle other requests
• Such scenarios can even lead to deadlock (why?)
• Reentrant – releases the lock when an outgoing WCF call is detected

[Diagram: Client A, Client B, Service]

Page 41: Advanced WCF Workshop

TESTING CONCURRENCY

Demo

Page 42: Advanced WCF Workshop

Handling Many Calls. How Many is Many?

• WCF uses the Thread Pool’s I/O threads
• Default maximum number of threads - 1000
• You can increase the limit, is that wise?
• What if you have many lengthy operations?
• “I heard asynchronous service operations might help”, indeed?

Page 43: Advanced WCF Workshop

The Truth Behind Async Service Operations

• Async operations allow running our code on another thread, releasing the current thread back to the pool
• But isn’t the other thread just another pooled thread?
• True for CPU work, not true for I/O work
• Use async operations only when doing lengthy I/O operations (disk, network, db)
• Use the async I/O method calls
  – Stream.BeginRead, SqlCommand.BeginExecuteReader
• Using async operations for CPU intensive work may decrease performance (why?)

Page 44: Advanced WCF Workshop

Call to Action: The WCF Thread Pool Bug

• Increasing the min I/O threads helps deal with bursts of requests
• In WCF 3.5 and WCF 4 there is a bug in the Thread Pool usage
• Under continuous load, the counter for available I/O threads starts reporting false values
• Result – WCF cannot scale fast enough to handle the burst, and requests get queued

Page 45: Advanced WCF Workshop

Call to Action: The WCF Thread Pool Bug

• What to do? Change WCF to use worker threads
• http://bit.ly/wcf-threadpool-bug
• Resolved in WCF 4.5
• Worker threads also have default maximum number of threads
  – .NET 3.5 – 250 threads per core
  – .NET 4 – 1023 threads (32-bit), or 32768 (64-bit)

Page 46: Advanced WCF Workshop

Call to Action: TCP Port Sharing Bug

• WCF introduced port sharing for TCP
• Managed by a Windows Service (SMSvcHost.exe)
• IIS automatically uses port sharing for TCP endpoints
• WCF 4 has a known bug in the port sharing Windows service that can cause it to stop responding
• What to do? Install the hotfix!
• http://support.microsoft.com/kb/2536618
• To diagnose network errors, turn on tracing in the port sharing service (http://bit.ly/wcf-portsharing-trace)

Page 47: Advanced WCF Workshop

Know Thy Settings

• Service behavior
  – Throttling
  – Concurrency / Instancing
  – DataContractSerializer
• Binding configuration
  – Network timeouts (opening, sending, receiving, closing)
  – MaxReceivedMessageSize
  – MaxBufferSize
  – ReaderQuotas
  – MaxConnections (TCP binding)
  – InactivityTimeout (Reliable Session)
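The throttling and binding limits listed above, set in code on a self-hosted service so that each cap on concurrency and message size is explicit. This is an added example, not code from the original deck; the IEcho contract, the address, and every numeric limit are assumptions to be replaced with values from your own load tests.

```csharp
using System;
using System.ServiceModel;
using System.ServiceModel.Description;

[ServiceContract]
public interface IEcho   // hypothetical contract, for illustration only
{
    [OperationContract]
    string Echo(string text);
}

// Per-call instancing: no state survives between calls
[ServiceBehavior(InstanceContextMode = InstanceContextMode.PerCall)]
public class EchoService : IEcho
{
    public string Echo(string text) { return text; }
}

public static class Program
{
    public static void Main()
    {
        const int maxMessageBytes = 256 * 1024;   // assumed limit

        var binding = new NetTcpBinding(SecurityMode.Transport)
        {
            MaxReceivedMessageSize = maxMessageBytes,
            MaxBufferSize = maxMessageBytes,      // must match MaxReceivedMessageSize in buffered mode
            MaxConnections = 100,
            OpenTimeout = TimeSpan.FromSeconds(10),
            CloseTimeout = TimeSpan.FromSeconds(10),
            SendTimeout = TimeSpan.FromSeconds(30),
            ReceiveTimeout = TimeSpan.FromMinutes(2)
        };
        // Reader quotas bound what the XML reader will accept inside one message
        binding.ReaderQuotas.MaxStringContentLength = 64 * 1024;
        binding.ReaderQuotas.MaxArrayLength = 64 * 1024;
        binding.ReaderQuotas.MaxDepth = 16;

        var host = new ServiceHost(typeof(EchoService), new Uri("net.tcp://localhost:9000/echo"));
        host.AddServiceEndpoint(typeof(IEcho), binding, string.Empty);

        // Reuse the throttling behavior if configuration already added one
        var throttle = host.Description.Behaviors.Find<ServiceThrottlingBehavior>();
        if (throttle == null)
        {
            throttle = new ServiceThrottlingBehavior();
            host.Description.Behaviors.Add(throttle);
        }
        // Written out using the WCF 4+ defaults quoted earlier, so the limits are visible
        throttle.MaxConcurrentCalls = 16 * Environment.ProcessorCount;
        throttle.MaxConcurrentSessions = 100 * Environment.ProcessorCount;
        throttle.MaxConcurrentInstances =
            throttle.MaxConcurrentCalls + throttle.MaxConcurrentSessions;

        host.Open();
        Console.WriteLine("Listening; press Enter to stop.");
        Console.ReadLine();
        host.Close();
    }
}
```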

Page 48: Advanced WCF Workshop

Know Thy Settings – cont.

• Thread Pool
  – Minimum settings - fast response for bursts
  – Maximum settings – more concurrent calls
• IIS classic pipeline (system.web section)
  – MinFreeThreads / MinLocalRequestFreeThreads (HttpRuntime)
  – AutoConfig (ProcessModel, in machine.config)
• IIS Integrated mode
  – MaxConcurrentRequestsPerCPU registry key HKLM\SOFTWARE\Microsoft\ASP.NET\{FW}\
  – Application Pool’s CLRConfigFile setting

Page 49: Advanced WCF Workshop

Limits and Timeout Settings – cont.

• IIS/ASP.NET limitations
  – ExecutionTimeout (in release mode)
  – MaxRequestLength
• system.webServer | security | requestFiltering
  – maxAllowedContentLength
• Outgoing HTTP communication
  – System.Net.ServicePointManager.DefaultConnectionLimit

More information and workarounds in the following link: http://bit.ly/asp-iis-threading

Page 50: Advanced WCF Workshop

And One Final Tip

WCF 4 clients support IIS Compression

TURN IT ON!

Page 51: Advanced WCF Workshop

Security

Page 52: Advanced WCF Workshop

Securing a Service

• Message Protection
  – Integrity
  – Confidentiality
• Authentication
  – Client Authentication
  – Service Authentication
• Authorization
  – Role-based Authorization
  – Claim-based Authorization
• Auditing

Our focus

Page 53: Advanced WCF Workshop

Transport Security

• With transport security, the operating system handles the protection of the channel

• Supported for HTTP (SSL over HTTPS), TCP, IPC, and MSMQ

• Requires a service certificate
• IIS is easy – assign certificate to HTTPS binding
• Self-hosting is less fun – need to use netsh
• Self-Signed certificates are no fun at all!!

Page 54: Advanced WCF Workshop

How Secure Sockets Layer Works

1. Client requests a secured session
2. Server responds with an X.509 certificate
3. Client verifies certificate’s authenticity
4. Client sends a symmetric encryption key (encrypted with the server’s public key)
5. Server decrypts the encryption key with its private key
6. Client and server exchange encrypted messages (encrypted with the symmetric key)

Page 55: Advanced WCF Workshop

CREATING, INSTALLING, AND USING CERTIFICATES

Demo

Page 56: Advanced WCF Workshop

Message Security

• WCF handles everything
• Used by default in WsHttpBinding
• Secure the channel using either:
  – Service Certificate
  – Windows Identities (service + client)
• Certificate validation can be handled in code
  – Change the CertificateValidationMode
  – Create your own validation code

Page 57: Advanced WCF Workshop

Service Authentication

• By default, WCF uses negotiation to authenticate the service against the client

• The implementation of WS-Trust is not fully interoperable (e.g. Java)

• If using non-WCF clients, turn off negotiation and use Out-of-Band (ahead of time) authentication

• In the binding configuration (service + client), set NegotiateServiceCredential to false

• In the client endpoint configuration, add the identity element and set the service’s credentials

Page 58: Advanced WCF Workshop

Steps for Out-of-Band Authentication

• Service Certificate
  – Install the certificate on the client machine
  – Set the client endpoint’s identity to the certificate
• Windows Credentials
  – If you use a system account (NetworkService, LocalSystem) the machine’s Service Principal Name (SPN) is used
  – If you use a domain account, register a new SPN in Active Directory, and set the SPN identity in the service endpoint
  – Set the client endpoint’s identity to the SPN

When using “Add Service Reference”, the principal / certificate is automatically copied to the client

Page 59: Advanced WCF Workshop

MESSAGE SECURITY AND CERTIFICATES

Demo

Page 60: Advanced WCF Workshop

Impersonation

• A WCF service can impersonate the client’s Windows identity

• Clients must use a domain account
• If the client is ASP.NET, the app pool must use a domain account, or also use impersonation
• Three ways to impersonate
  – [OperationBehavior(Impersonation = ImpersonationOption.Required)]
  – ServiceSecurityContext.Current.WindowsIdentity.Impersonate()
  – <serviceAuthorization impersonateCallerForAllOperations="true"/>

Page 61: Advanced WCF Workshop

Delegation

• Impersonating a client only works for one hop
  – Access local resources and local services
• To call another hop you need delegation
  – Access remote services, databases, and file shares
• Delegation requires enabling the account and the machine for delegation in the Active Directory
• Verify support for delegation in your service before you call out: WindowsIdentity.ImpersonationLevel == TokenImpersonationLevel.Delegation
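The one-hop and two-hop cases from the Impersonation and Delegation slides side by side, including the delegation check and the client setting that permits it. This is an added example, not code from the original deck; the IDocumentService contract, the local folder, and the \\fileserver\docs share are hypothetical names.

```csharp
using System;
using System.IO;
using System.Security.Principal;
using System.ServiceModel;

[ServiceContract]
public interface IDocumentService   // hypothetical contract, for illustration only
{
    [OperationContract]
    string ReadLocal(string fileName);

    [OperationContract]
    string ReadFromShare(string fileName);
}

public class DocumentService : IDocumentService
{
    private const string LocalRoot = @"C:\Data";              // assumed local folder
    private const string RemoteRoot = @"\\fileserver\docs";   // assumed remote share

    // One hop: WCF impersonates the caller for the whole operation,
    // so the file ACLs are evaluated against the client's identity.
    [OperationBehavior(Impersonation = ImpersonationOption.Required)]
    public string ReadLocal(string fileName)
    {
        // GetFileName drops any directory part the caller supplied
        return File.ReadAllText(Path.Combine(LocalRoot, Path.GetFileName(fileName)));
    }

    // Second hop: a remote share needs a token that may be delegated.
    public string ReadFromShare(string fileName)
    {
        WindowsIdentity caller = ServiceSecurityContext.Current.WindowsIdentity;

        // Refuse early instead of failing on the remote machine
        if (caller.ImpersonationLevel != TokenImpersonationLevel.Delegation)
        {
            throw new FaultException("The caller's identity cannot be delegated to the file server.");
        }

        // Impersonate only around the remote call; Dispose reverts to the service account
        using (caller.Impersonate())
        {
            return File.ReadAllText(Path.Combine(RemoteRoot, Path.GetFileName(fileName)));
        }
    }
}

public static class ClientSetup
{
    // The client decides how far its identity may travel.
    public static IDocumentService CreateProxy(string address)
    {
        var factory = new ChannelFactory<IDocumentService>(
            new NetTcpBinding(), new EndpointAddress(address));
        factory.Credentials.Windows.AllowedImpersonationLevel =
            TokenImpersonationLevel.Delegation;
        return factory.CreateChannel();
    }
}
```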

Page 62: Advanced WCF Workshop

USING IMPERSONATION AND DELEGATION

Demo

I don’t have a demo; I’m not in a domain

Page 63: Advanced WCF Workshop

Extending the Pipeline

Page 64: Advanced WCF Workshop

The WCF Service Pipeline

[Diagram: Channel Stack (Transport, Encoder, Protocol, Protocol), Channel Dispatcher, Endpoint Dispatcher, DispatchRuntime, DispatchOperation, Service Method, Service Instance]

Page 65: Advanced WCF Workshop

The WCF Client Has a Pipeline Too

[Diagram: Client Code, Client Proxy, Method, ClientOperation, ClientRuntime, Client Channel, Channel Stack (Transport, Encoder, Protocol, Protocol)]

Page 66: Advanced WCF Workshop

Where Can We Interfere?

Where                        What                          One/Many   Client/Service
Channel Dispatcher           Error Handler                 Many       Service
Channel Stack                Message Encoder               One        Both
Endpoint Dispatcher          Address Filter                One        Service
                             Contract Filter               One        Service
Dispatch / ClientRuntime     Operation Selector            One        Service
                             Message Inspector             Many       Both
                             Instance Context Initializer  Many       Service
                             Instance Provider             One        Service
Dispatch / ClientOperation   Message Formatter             One        Both
                             Parameter Inspector           One        Both
                             Operation Invoker             Many       Service

Page 67: Advanced WCF Workshop

How Do We Interfere?

• Through Behaviors!
• Behaviors tune the WCF pipeline to your needs
• Write your own custom behavior
• Attach the behavior to the WCF pipeline
  – Code (custom attribute)
  – Configuration (add to the behaviors section)

We created a class that implemented the interface, but how do we hook it to WCF?

Page 68: Advanced WCF Workshop

Which Custom Behavior to Use?

• IServiceBehavior
  – Implement as a custom attribute or a configuration element
  – Apply behavior for service, channels, endpoints, and operations
• IEndpointBehavior
  – Implement as a configuration element
  – Apply behavior for specific endpoints and their operations
• IContractBehavior
  – Implement as a custom attribute
  – Apply behavior for specific contracts and their operations
• IOperationBehavior
  – Implement as a custom attribute
  – Apply behavior for specific operations

Page 69: Advanced WCF Workshop

CREATING A CUSTOM ERROR HANDLER

Demo
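One way to build the error handler named in this demo and hook it to the channel dispatchers through an IServiceBehavior applied as a custom attribute. This is an added example, not the demo code from the workshop; SanitizingErrorHandler, SanitizeErrorsAttribute, and the IOrderService contract are hypothetical names, and the handler reuses the "MyTraceSource" trace source from the tracing slides.

```csharp
using System;
using System.Collections.ObjectModel;
using System.Diagnostics;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Description;
using System.ServiceModel.Dispatcher;

// Error handler: full details go to the trace log, the client gets a generic fault.
public class SanitizingErrorHandler : IErrorHandler
{
    private static readonly TraceSource Log = new TraceSource("MyTraceSource");

    // Logging hook; WCF makes no guarantee about which thread calls it.
    public bool HandleError(Exception error)
    {
        Log.TraceEvent(TraceEventType.Error, 2, error.ToString());
        return true;   // handled: WCF should not abort the session or instance context
    }

    // Called before the reply is sent; decides what the client sees.
    public void ProvideFault(Exception error, MessageVersion version, ref Message fault)
    {
        if (error is FaultException) return;   // faults thrown on purpose pass through

        var generic = new FaultException("An internal error occurred.", new FaultCode("Receiver"));
        fault = Message.CreateMessage(version, generic.CreateMessageFault(), generic.Action);
    }
}

// Service behavior as a custom attribute: adds the handler to every channel dispatcher.
[AttributeUsage(AttributeTargets.Class)]
public sealed class SanitizeErrorsAttribute : Attribute, IServiceBehavior
{
    public void AddBindingParameters(ServiceDescription description, ServiceHostBase host,
        Collection<ServiceEndpoint> endpoints, BindingParameterCollection parameters) { }

    public void Validate(ServiceDescription description, ServiceHostBase host) { }

    public void ApplyDispatchBehavior(ServiceDescription description, ServiceHostBase host)
    {
        foreach (ChannelDispatcherBase dispatcherBase in host.ChannelDispatchers)
        {
            var dispatcher = dispatcherBase as ChannelDispatcher;
            if (dispatcher != null)
            {
                dispatcher.ErrorHandlers.Add(new SanitizingErrorHandler());
            }
        }
    }
}

[ServiceContract]
public interface IOrderService   // hypothetical contract, for illustration only
{
    [OperationContract]
    string GetStatus(int orderId);
}

[SanitizeErrors]   // the attribute is all it takes to attach the behavior
public class OrderService : IOrderService
{
    public string GetStatus(int orderId)
    {
        if (orderId <= 0) throw new FaultException("Unknown order.");       // reaches the client as written
        throw new InvalidOperationException("Order database unreachable");  // replaced by the generic fault
    }
}
```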

Page 70: Advanced WCF Workshop

Summary

• WCF has many hidden gems
• WCF has at least as many unknowns
• No course or lecture can replace experience
• Perhaps now it will be easier to connect the dots

Page 71: Advanced WCF Workshop

What’s New in WCF 4.5

Ido Flatow, Senior Architect

Sela Group

Thursday 16:00-17:00

Page 72: Advanced WCF Workshop

Resources

• Sites, forums, and blogs
  – WCF Developer Center: msdn.microsoft.com/en-us/library/dd456779.aspx
  – MSDN’s WCF Forum: social.msdn.microsoft.com/Forums/en/wcf
  – Blogs about WCF: blogs.msdn.com/b/carlosfigueira, blogs.msdn.com/b/endpoint, blogs.msdn.com/b/drnick
  – Many WCF code samples: bit.ly/wcf-wf-samples
• Presentation & code samples
  – sdrv.ms/1a6RyB5
• My Info
  – blogs.microsoft.co.il/blogs/idof
  – @IdoFlatow

Page 73: Advanced WCF Workshop

One Slide about ASP.NET Web API

Why Not Ditch WCF and Switch to Web API

• WCF supports non-HTTP bindings, such as TCP and Named Pipes
• WCF supports message patterns, such as one-way and message queue
• WS-* adds infrastructure features such as reliable sessions, message security, and transactions
• SOAP-based services support detailed description of the service with WSDL

More on WCF and ASP.NET Web API history: http://bit.ly/wcf-vs-webapi