Advanced WCF Workshop


Published on

The Windows Communication Foundation (WCF) framework is being used in almost all .NET development platforms: Windows clients, ASP.NET applications, Windows Phone, Server side applications, and in Windows Azure; but have you ever wondered how WCF works? How you can extend it to your organization’s needs? How to monitor its work? How to tune it for better performance and scalability? WCF is the second largest assembly in the .NET Framework and as complex to understand.

In this 1-day workshop we will deep dive into WCF, learn how to monitor WCF services and how to troubleshoot them, how to tweak our services for better performance, how to secure them with transport and message security and discuss the pros and cons of each technique, and how to extend the WCF service pipeline to accommodate our needs.

Published in: Technology
  • Be the first to comment

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide
  • The CLR has a bug in the I/O thread pool.If the service needs to handle lots of calls, the SynchronizationContext should be changed to use worker threads instead of I/O threads:
  • WCF operations are executed in managed I/O threads.When using an async operation, the I/O thread is returned to the pool.The call is still counted – you cannot handle more operations than defined by the throttlingAn I/O thread that was returned to the pool can be used for other incoming operationsIf using a new worker thread for length operations – you just replace I/O threads with worker thread, the context switch will just harm performanceIf using an IOCP operation (waiting on kernel I/O) – you actually use less managed threadsBenefits:More I/O threads available for other operations (if number of operations exceed the max I/O threads) – this is usually not the caseRequires less I/O threads to be kept alive in the pool – good for preserving memory consumptionIf using IIS – this also decreases the number of managed worker threads used by IIS – relevant to .Net 3.5 only because in .NET 4 IIS worker threads are async
  • SSL (Secure Sockets Layer) allows the creation of secured transport channels between clients and servers.When a client asks a service to start a secured session (step 1), the server responds by sending it’s X.509 certificate (step 2).The certificate holds information about the server and about the issuing CA .The client validates the certificate, and verifies that the server is who it says it is.After validating the certificate, the client generates and sends a random symmetric key that will be used for the secured session (step 4).The client places the key in a message, and encrypts it with the server’s public key, which the client received in the certificate. Public key encryption can only be decrypted by the private key which only the server has.After the server decrypts the message and retrieves the key, both client and server use the symmetric encryption key to exchange messages. (step 6)The symmetric key is used for both the encryption and decryption of messages.
  • Advanced WCF Workshop

    1. 1. Upgrade your WCF skills to "Expert" (Advanced WCF Workshop) Ido Flatow, Senior Architect Sela Group
    2. 2. About Me • Senior architect, Sela Group • Co-author of: – Developing Windows Azure and Web Services – Microsoft official course – WCF 4 – Microsoft official course – Pro .NET Performance – Apress • Microsoft MVP • Focus on server, services, and cloud technologies • Manager of the Israeli Web Developers User Group
    3. 3. Agenda for Today • • • • Monitoring Services Performance Considerations WCF Security Extending the WCF Pipeline Join the conversation on Twitter: @SoftArchConf #SoftArchConf
    4. 4. Monitoring Services
    5. 5. Monitoring WCF Services • Post Factum – Tracing – Message logs • Real-time – Performance counters – Event Tracing information – Windows Management Instrumentation (WMI) – Message sniffing tools Join the conversation on Twitter: @SoftArchConf #SoftArchConf
    6. 6. Tracing and WCF • Various levels of tracing – – – – – Critical (fatal exceptions) Error (any exception) Warning (limits reached) Information (basic monitoring) Verbose (everything) • Can be used in clients and services • End-to-End tracing for service chains • Supports emitting custom tracing to the same file Join the conversation on Twitter: @SoftArchConf #SoftArchConf
    7. 7. Configuring Tracing Join the conversation on Twitter: @SoftArchConf #SoftArchConf
    8. 8. Viewing Trace Logs with SvcTraceViewer End-to-End Activity Tracing Additional information, including exceptions Informative (white) Warnings (yellow) Exceptions (red) Join the conversation on Twitter: @SoftArchConf #SoftArchConf
    9. 9. End-To-End Tracing • • • • • Each traced activity has an ID Activity ID can travel within the AppDomain WCF can propagate the ID to chained services Track processing and exceptions across services Use the service trace viewer to see the logs together Join the conversation on Twitter: @SoftArchConf #SoftArchConf
    10. 10. Viewing End-To-End Traces ServiceA.svclog ServiceB.svclog ServiceC.svclog Join the conversation on Twitter: @SoftArchConf #SoftArchConf
    11. 11. Viewing End-To-End Traces Join the conversation on Twitter: @SoftArchConf #SoftArchConf
    12. 12. Tracing an Exception End-To-End Join the conversation on Twitter: @SoftArchConf #SoftArchConf
    13. 13. Tracing an Exception End-To-End Join the conversation on Twitter: @SoftArchConf #SoftArchConf
    14. 14. Adding Your Own Trace Messages • • • • Create your own trace source Use the same listener for both sources Use System.Diagnostics.TraceSource to log events You can also group events into a new activity TraceSource ts = new TraceSource("MyTraceSource"); ts.TraceInformation("Doing some processing..."); if (needToThrowAnException) { ts.TraceEvent(TraceEventType.Warning, 1, "Going to throw an exception!"); throw new ArgumentException(); } Join the conversation on Twitter: @SoftArchConf #SoftArchConf
    15. 15. Demo END-TO-END TRACING
    16. 16. WCF Message Logging • Logs request and response messages • Supports logging of sensitive information – Entire message, including the body – Decrypted messages (service level) – Username and password (known PII) • Use it cautiously – – – – Logging large content requires more time Be careful logging sensitive information If using IIS, don’t expose it in a vdir Use ACLs on the log file Join the conversation on Twitter: @SoftArchConf #SoftArchConf
    17. 17. Enabling Message Logging Join the conversation on Twitter: @SoftArchConf #SoftArchConf
    18. 18. Viewing Message in SvcTraceViewer HTTP Headers Requests and Responses SOAP Headers Message body (log entire message) Join the conversation on Twitter: @SoftArchConf #SoftArchConf
    19. 19. Messages and Tracing Go Together! • Combine message logging with tracing • Get the whole picture • Simply load both files to the same service trace viewer Join the conversation on Twitter: @SoftArchConf #SoftArchConf
    20. 20. Tracing – What the Heck is ETW? • • • • • • Event Tracing for Windows Fast tracing solution supplied by the operating system Kernel-mode logging mechanism Logging can be enabled/disabled at runtime Trace is logged to an in-memory buffer Buffers are written to the disk asynchronously • Exists since Windows 2000! • WCF uses ETW!! And so can you!!! Join the conversation on Twitter: @SoftArchConf #SoftArchConf
    21. 21. WCF Runtime Tracing in Three Steps Join the conversation on Twitter: @SoftArchConf #SoftArchConf
    23. 23. Enabling WMI • WCF services can expose configuration information using WMI • The WMI provider is turned off by default Join the conversation on Twitter: @SoftArchConf #SoftArchConf
    24. 24. Watch WMI Information Use WMI tools to view information about a running service Join the conversation on Twitter: @SoftArchConf #SoftArchConf
    25. 25. Change Settings at Runtime with WMI • WMI Admin Tools ( (Requires running in IE9 Compatibility) • PowerShell scripts with Get-WmiObject Join the conversation on Twitter: @SoftArchConf #SoftArchConf
    27. 27. Sniffing the Network • Many applications can be used to monitor WCF communication – – – – Microsoft Network Monitor Wireshark HTTP Analyzer HTTP Only Fiddler • Sniffing tools usually have problems listening to the loopback adapter (localhost) Join the conversation on Twitter: @SoftArchConf #SoftArchConf
    28. 28. Sniffing HTTP with Fiddler • Content types – – – – – XML JSON Binary Encoding Base64 Strings Gzip Compression • Features – Record & Replay – Break & Change – HTTPS Sniffing Join the conversation on Twitter: @SoftArchConf #SoftArchConf
    29. 29. Sniffing HTTP with Fiddler • Content types – – – – – XML JSON Binary Encoding Base64 Strings Gzip Compression • Features – Record & Replay – Break & Change – HTTPS Sniffing Join the conversation on Twitter: @SoftArchConf #SoftArchConf
    31. 31. Performance Counters • WCF has a wide collection of performance counters • Counters can be collected for a service, an endpoint, or a specific operation Join the conversation on Twitter: @SoftArchConf #SoftArchConf
    32. 32. Performance Considerations
    33. 33. To Create or Not To Create? • When is a service instance created? – Depends on the ServiceBehaviorAttribute – Depends which binding you use • What are my options? – – – – Per call Per session (default, if supported by the binding) Single instance Custom (implement the IInstanceProvider interface) Join the conversation on Twitter: @SoftArchConf #SoftArchConf
    34. 34. Pros and Cons of Instancing • Per call – – – – Creating an instance is usually cheap Services should be stateless by design (better scalability) Instance is disposed when finished, no book keeping Performance hit when initialization requires time / memory / CPU • Per session – – – – Save state between client calls One-time initialization, low performance hit Requires keeping instance alive Behaves badly when scaled • Single – – – – Share global state without using static fields Reduces performance hit substantially when initialization is long Can lead to concurrency issues if state is shared Very problematic to scale (distributed state) Join the conversation on Twitter: @SoftArchConf #SoftArchConf
    35. 35. Opening the Throttle • Service host defines throttling levels – Max concurrent calls – Max session instances to managed – Max instances (running + idle sessions) • WCF 3.5 defaults ≠ WCF 4/4.5 defaults – WCF 3.5 – 16 calls, 10 sessions – WCF 4+ – 16xCores calls, 100xCores sessions • ServiceThrottling behavior controls the throttle Join the conversation on Twitter: @SoftArchConf #SoftArchConf
    37. 37. Instancing and Concurrency • Can concurrent calls be executed using the same instance? – Per call – no such scenario, each call has its instance – Per session – a client can call multiple requests asynchronously – Single – very probable, clients can call at the same time • Which concurrency modes exist in WCF? – Single. Only one thread can use the instance at a time – Multiple. Many threads can use the instance at a time • What is the default? – Single – BEWARE !! Join the conversation on Twitter: @SoftArchConf #SoftArchConf
    38. 38. Concurrency Explained • When an operation is executed within an instance, the instance gets locked • While the instance is locked, no other thread can use the instance • With multiple, no locks are used Client A Service Client B Join the conversation on Twitter: @SoftArchConf #SoftArchConf
    39. 39. What Can Possibly Happen? • Single concurrency – Requests will get synchronized – Requests might reach timeout limits • Multiple concurrency – – – – Concurrency issues in code End up using critical sections Critical sections will lead to synchronization Critical sections are hard to test • Recommendations – Prefer using Per-Call instancing – Minimize the state managed by the instance – Use thread-safe types in your state Join the conversation on Twitter: @SoftArchConf #SoftArchConf
    40. 40. Reentrant Mixing Single and Multiple • What if the running operation needs to call another service? Or invoke a callback in the client (duplex)? • Instance is still locked, and won’t handle other requests • Such scenarios can even lead to deadlock (why?) • Reentrant – releases the lock when an outgoing WCF call is detected Client A Service Client B Join the conversation on Twitter: @SoftArchConf #SoftArchConf
    42. 42. Handling Many Calls. How Many is Many? • • • • • WCF uses the Thread Pool’s I/O threads Default maximum number of threads - 1000 You can increase the limit, is that wise? What if you have many lengthy operations? “I heard asynchronous service operations might help”, indeed? Join the conversation on Twitter: @SoftArchConf #SoftArchConf
    43. 43. The Truth Behind Async Service Operations • Async operations allow running our code on another thread, releasing the current thread back to the pool • But isn’t the other thread just another pooled thread? • True for CPU work, not true for I/O work • Use async operations only when doing lengthy I/O operations (disk, network, db) • Use the async I/O method calls – Stream.BeginRead, SqlCommand.BeginExecuteReader • Using async operations for CPU intensive work may decrease performance (why?) Join the conversation on Twitter: @SoftArchConf #SoftArchConf
    44. 44. Call to Action The WCF Thread Pool Bug • Increasing the min I/O threads helps dealing with bursts of requests • In WCF 3.5 and WCF 4 there is a bug in the Thread Pool usage • Under continuous load, the counter for available I/O threads starts to fake • Result – WCF cannot scale fast enough to handle the burst, and requests get queued Join the conversation on Twitter: @SoftArchConf #SoftArchConf
    45. 45. Call to Action The WCF Thread Pool Bug • What to do? Change WCF to use worker threads • • Resolved in WCF 4.5 • Worker threads also have default maximum number of threads – .NET 3.5 – 250 threads per core – .NET 4 – 1023 threads (32-bit), or 32768 (64-bit) Join the conversation on Twitter: @SoftArchConf #SoftArchConf
    46. 46. Call to Action TCP Port Sharing Bug • • • • WCF introduced port sharing for TCP Managed by a Windows Service (SMSvcHost.exe) IIS automatically uses port sharing for TCP endpoints WCF 4 has a known bug in the port sharing Windows service that can cause it to stop responding • What to do? Install the hotfix! • • To diagnose network errors, turn on tracing in the port sharing service ( Join the conversation on Twitter: @SoftArchConf #SoftArchConf
    47. 47. Know Thy Settings • Service behavior – Throttling – Concurrency / Instancing – DataContractSerializer • Binding configuration – – – – – – Network timeouts (opening, sending, receiving, closing) MaxReceivedMessageSize MaxBufferSize ReaderQuotas MaxConnections (TCP binding) InactivityTimeout (Reliable Session) Join the conversation on Twitter: @SoftArchConf #SoftArchConf
    48. 48. Know Thy Settings – cont. • Thread Pool – Minimum settings - fast response for bursts – Maximum settings – more concurrent calls • IIS classic pipeline (system.web section) – MinFreeThreads / MinLocalRequestFreeThreads (HttpRuntime) – AutoConfig (ProcessModel, in machine.config) • IIS Integrated mode – MaxConcurrentRequestsPerCPU registry key HKLMSOFTWAREMicrosoftASP.NET{FW} – Application Pool’s CLRConfigFile setting Join the conversation on Twitter: @SoftArchConf #SoftArchConf
    49. 49. Limits and Timeout Settings – cont. • IIS/ASP.NET limitations – ExecutionTimeout (in release mode) – MaxRequestLength • system.webServer | security | requestFiltering – maxAllowedContentLength • Outgoing HTTP communication – System.Net.ServicePointManager.DefaultConnectionLimit More information and workarounds in the following link Join the conversation on Twitter: @SoftArchConf #SoftArchConf
    50. 50. And One Final Tip Join the conversation on Twitter: @SoftArchConf #SoftArchConf
    51. 51. Security
    52. 52. Securing a Service • Message Protection – Integrity – Confidentiality • Authentication – Client Authentication – Service Authentication • Authorization – Role-based Authorization – Claim-based Authorization • Auditing Join the conversation on Twitter: @SoftArchConf #SoftArchConf
    53. 53. Transport Security • With transport security, the operating system handles the protection of the channel • Supported for HTTP (SSL over HTTPS), TCP, IPC, and MSMQ • Requires a service certificate • IIS is easy – assign certificate to HTTPS binding • Self-hosting is less fun – need to use netsh • Self-Signed certificates are no fun at all!! Join the conversation on Twitter: @SoftArchConf #SoftArchConf
    54. 54. How Secure Sockets Layer Works 3. Client verifies certificate’s authenticity 1. Client requests a secured session 2. Server responds with an X.509 certificate 4. Client sends a symmetric encryption key (encrypted with the server’s public key) 6. Client and server exchange encrypted messages (encrypted with the symmetric key) 5. Server decrypts the encryption key with its private key Join the conversation on Twitter: @SoftArchConf #SoftArchConf
    56. 56. Message Security • WCF handles everything • Used by default in WsHttpBinding • Secure the channel using either: – Service Certificate – Windows Identities (service + client) • Certificate validation can be handled in code – Change the CertificateValidationMode – Create your own validation code Join the conversation on Twitter: @SoftArchConf #SoftArchConf
    57. 57. Service Authentication • By default, WCF uses negotiation to authenticate the service against the client • The implementation of WS-Trust is not fully interoperable (e.g. Java) • If using non-WCF clients, turn off negotiation and use Out-of-Band (ahead of time) authentication • In the binding configuration (service + client), set NegotiateServiceCredential to false • In the client endpoint configuration, add the identity element and set the service’s credentials Join the conversation on Twitter: @SoftArchConf #SoftArchConf
    58. 58. Steps for Out-of-Band Authentication • Service Certificate – Install the certificate on the client machine – Set the client endpoint’s identity to the certificate • Windows Credentials – If you use a system account (NetworkService, LocalSystem) the machine’s Service Principal Name (SPN) is used – If you use a domain account, register a new SPN in Active Directory, and set the SPN identity in the service endpoint – Set the client endpoint’s identity to the SPN Join the conversation on Twitter: @SoftArchConf #SoftArchConf
    60. 60. Impersonation • A WCF service can impersonate the client’s Windows identity • Clients must use a domain account • If the client is ASP.NET, the app pool must use a domain account, or also use impersonation • Three ways to impersonate – [OperationBehavior(Impersonation = ImpersonationOption.Required)] – ServiceSecurityContext.Current.WindowsIdentity.Impersonate() – <serviceAuthorization impersonateCallerForAllOperations="true"/> Join the conversation on Twitter: @SoftArchConf #SoftArchConf
    61. 61. Delegation • Impersonating a client only works for one hop – Access local resources and local services • To call another hop you need delegation – Access remote services, databases, and file shares • Delegation requires enabling the account and the machine for delegation in the Active Directory • Verify support for delegation in your service before you call out: WindowsIdentity.ImpersonationLevel == TokenImpersonationLevel.Delegation Join the conversation on Twitter: @SoftArchConf #SoftArchConf
    63. 63. Extending the Pipeline
    64. 64. The WCF Service Pipeline Channel Dispatcher Channel Stack Transport Service Instance Encoder Protocol Protocol Endpoint Dispatcher Service Method Dispatch Operation Service Method Dispatch Operation Join the conversation on Twitter: @SoftArchConf #SoftArchConf Dispatch Runtime
    65. 65. The WCF Client Has a Pipeline Too Client Channel Client Code Client Proxy Client Operation Method Client Runtime Client Operation Method Channel Stack Transport Encoder Join the conversation on Twitter: @SoftArchConf #SoftArchConf Protocol Protocol
    66. 66. Where Can We Interfere? Where What One/Many Client/Service Many Service Channel Dispatcher Error Handler Channel Stack Message Encoder One Both Address Filter One Service Contract Filter One Service Operation Selector One Service Message Inspector Many Both Instance Context Initializer Many Service Instance Provider One Service Message Formatter One Both Parameter Inspector One Both Many Service Endpoint Dispatcher Dispatch / Client Runtime Dispatch / Client Operation Operation Invoker Join the conversation on Twitter: @SoftArchConf #SoftArchConf
    67. 67. How Do We Interfere? • • • • Through Behaviors! Behaviors tune the WCF pipeline to your needs Write your own custom behavior Attach the behavior to the WCF pipeline – Code (custom attribute) – Configuration (add to the behaviors section) Join the conversation on Twitter: @SoftArchConf #SoftArchConf
    68. 68. Which Custom Behavior to Use? • IServiceBehavior – Implement as a custom attribute or a configuration element – Apply behavior for service, channels, endpoints, and operations • IEndpointBehavior – Implement as a configuration element – Apply behavior for specific endpoints and their operations • IContractBehavior – Implement as a custom attribute – Apply behavior for specific contracts and their operations • IOperationBehavior – Implement as a custom attribute – Apply behavior for specific operations Join the conversation on Twitter: @SoftArchConf #SoftArchConf
    70. 70. Summary • WCF has many hidden gems • WCF has at least as many unknowns • No course or lecture can replace experience • Perhaps now it will be easier to connect the dots Join the conversation on Twitter: @SoftArchConf #SoftArchConf
    71. 71. What’s New in WCF 4.5 Ido Flatow, Senior Architect Sela Group
    72. 72. Resources • Sites, forums, and blogs – WCF Developer Center – MSDN’s WCF Forum – Blogs about WCF – Many WCF code samples • Presentation & code samples – • My Info – – – @IdoFlatow Join the conversation on Twitter: @SoftArchConf #SoftArchConf
    73. 73. Why Not Ditch WCF and Switch to One Slide about ASP.NET Web API Web API • WCF support non-HTTP bindings, such as TCP and Named Pipes • WCF supports message patterns, such as one-way and message queue • WS-* adds infrastructure features such as reliable sessions, message security, and transactions • SOAP-based services support detailed description of the service with WSDL More on WCF and ASP.NET Web API history Join the conversation on Twitter: @SoftArchConf #SoftArchConf