Advanced WCF Workshop

Upgrade your WCF skills to "Expert"
(Advanced WCF Workshop)
Ido Flatow, Senior Architect
Sela Group

About Me
• Senior architect, Sela Group
• Co-author of:
– Developing Windows Azure and Web
Services – Microsoft official course
– WCF 4 – Microsoft official course
– Pro .NET Performance – Apress

• Microsoft MVP
• Focus on server, services, and cloud
technologies
• Manager of the Israeli Web
Developers User Group

Agenda for Today
•
•
•
•

Monitoring Services
Performance Considerations
WCF Security
Extending the WCF Pipeline

Join the conversation on Twitter: @SoftArchConf #SoftArchConf

Monitoring WCF Services
• Post Factum
– Tracing
– Message logs

• Real-time
– Performance counters
– Event Tracing information
– Windows Management Instrumentation (WMI)
– Message sniffing tools

Tracing and WCF
• Various levels of tracing
–
–
–
–
–

Critical (fatal exceptions)
Error (any exception)
Warning (limits reached)
Information (basic monitoring)
Verbose (everything)

• Can be used in clients and services
• End-to-End tracing for service chains
• Supports emitting custom tracing to the same file

Configuring Tracing


Viewing Trace Logs with SvcTraceViewer
End-to-End
Activity Tracing

Additional
information, including
exceptions
Informative (white)
Warnings (yellow)
Exceptions (red)

End-To-End Tracing
•
•
•
•
•

Each traced activity has an ID
Activity ID can travel within the AppDomain
WCF can propagate the ID to chained services
Track processing and exceptions across services
Use the service trace viewer to see the logs together


Viewing End-To-End Traces

ServiceA.svclog

ServiceB.svclog

ServiceC.svclog


Viewing End-To-End Traces


Tracing an Exception End-To-End


Adding Your Own Trace Messages
•
•
•
•

Create your own trace source
Use the same listener for both sources
Use System.Diagnostics.TraceSource to log events
You can also group events into a new activity

TraceSource ts = new TraceSource("MyTraceSource");
ts.TraceInformation("Doing some processing...");
if (needToThrowAnException)
{
ts.TraceEvent(TraceEventType.Warning, 1, "Going to throw an exception!");
throw new ArgumentException();
}


WCF Message Logging
• Logs request and response messages
• Supports logging of sensitive information
– Entire message, including the body
– Decrypted messages (service level)
– Username and password (known PII)

• Use it cautiously
–
–
–
–

Logging large content requires more time
Be careful logging sensitive information
If using IIS, don’t expose it in a vdir
Use ACLs on the log file


Enabling Message Logging


Viewing Message in SvcTraceViewer

HTTP
Headers

Requests and
Responses

SOAP
Headers

Message body
(log entire message)


Messages and Tracing Go Together!
• Combine message
logging with tracing
• Get the whole picture
• Simply load both files
to the same service
trace viewer

Tracing – What the Heck is ETW?
•
•
•
•
•
•

Event Tracing for Windows
Fast tracing solution supplied by the operating system
Kernel-mode logging mechanism
Logging can be enabled/disabled at runtime
Trace is logged to an in-memory buffer
Buffers are written to the disk asynchronously

• Exists since Windows 2000!
• WCF uses ETW!! And so can you!!!

WCF Runtime Tracing in Three Steps


Demo

RUNTIME TRACING WITH ETW

Enabling WMI
• WCF services can expose configuration
information using WMI
• The WMI provider is turned off by default


Watch WMI Information
Use WMI tools to view information about a running service


Change Settings at Runtime with WMI
• WMI Admin Tools (http://bit.ly/wmiadmin)
(Requires running in IE9 Compatibility)
• PowerShell scripts with Get-WmiObject


Demo

CONTROLLING MESSAGE LOGGING
AT RUNTIME

Sniffing the Network
• Many applications can be used to
monitor WCF communication
–
–
–
–

Microsoft Network Monitor
Wireshark
HTTP Analyzer
HTTP Only
Fiddler

• Sniffing tools usually have problems
listening to the loopback adapter (localhost)


Sniffing HTTP with Fiddler
• Content types
–
–
–
–
–

XML
JSON
Binary Encoding
Base64 Strings
Gzip Compression

• Features
– Record & Replay
– Break & Change
– HTTPS Sniffing

Performance Counters
• WCF has a wide collection of performance
counters
• Counters can be collected for a service, an
endpoint, or a specific operation


To Create or Not To Create?
• When is a service instance created?
– Depends on the ServiceBehaviorAttribute
– Depends which binding you use

• What are my options?
–
–
–
–

Per call
Per session (default, if supported by the binding)
Single instance
Custom (implement the IInstanceProvider interface)


Pros and Cons of Instancing
• Per call
–
–
–
–

Creating an instance is usually cheap
Services should be stateless by design (better scalability)
Instance is disposed when finished, no book keeping
Performance hit when initialization requires time / memory / CPU

• Per session
–
–
–
–

Save state between client calls
One-time initialization, low performance hit
Requires keeping instance alive
Behaves badly when scaled

• Single
–
–
–
–

Share global state without using static fields
Reduces performance hit substantially when initialization is long
Can lead to concurrency issues if state is shared
Very problematic to scale (distributed state)


Opening the Throttle
• Service host defines throttling levels
– Max concurrent calls
– Max session instances to managed
– Max instances (running + idle sessions)

• WCF 3.5 defaults ≠ WCF 4/4.5 defaults
– WCF 3.5 – 16 calls, 10 sessions
– WCF 4+ – 16xCores calls, 100xCores sessions

• ServiceThrottling behavior controls the throttle


Instancing and Concurrency
• Can concurrent calls be executed using the same
instance?
– Per call – no such scenario, each call has its instance
– Per session – a client can call multiple requests
asynchronously
– Single – very probable, clients can call at the same time

• Which concurrency modes exist in WCF?
– Single. Only one thread can use the instance at a time
– Multiple. Many threads can use the instance at a time

• What is the default?
– Single – BEWARE !!

Concurrency Explained
• When an operation is executed within an
instance, the instance gets locked
• While the instance is locked, no other thread
can use the instance
• With multiple, no locks are used
Client A
Service
Client B


What Can Possibly Happen?
• Single concurrency
– Requests will get synchronized
– Requests might reach timeout limits

• Multiple concurrency
–
–
–
–

Concurrency issues in code
End up using critical sections
Critical sections will lead to synchronization
Critical sections are hard to test

• Recommendations
– Prefer using Per-Call instancing
– Minimize the state managed by the instance
– Use thread-safe types in your state

Reentrant
Mixing Single and Multiple
• What if the running operation needs to call another
service? Or invoke a callback in the client (duplex)?
• Instance is still locked, and won’t handle other requests
• Such scenarios can even lead to deadlock (why?)
• Reentrant – releases the lock when an outgoing WCF
call is detected
Client A
Service
Client B


Handling Many Calls. How Many is Many?
•
•
•
•
•

WCF uses the Thread Pool’s I/O threads
Default maximum number of threads - 1000
You can increase the limit, is that wise?
What if you have many lengthy operations?
“I heard asynchronous service operations
might help”, indeed?


The Truth Behind Async Service Operations
• Async operations allow running our code on another
thread, releasing the current thread back to the pool
• But isn’t the other thread just another pooled thread?
• True for CPU work, not true for I/O work
• Use async operations only when doing lengthy I/O
operations (disk, network, db)
• Use the async I/O method calls
– Stream.BeginRead, SqlCommand.BeginExecuteReader

• Using async operations for CPU intensive
work may decrease performance (why?)

Call to Action
The WCF Thread Pool Bug
• Increasing the min I/O threads helps dealing
with bursts of requests
• In WCF 3.5 and WCF 4 there is a bug in the
Thread Pool usage
• Under continuous load, the counter for
available I/O threads starts to fake
• Result – WCF cannot scale fast enough to
handle the burst, and requests get queued

Call to Action
The WCF Thread Pool Bug
• What to do? Change WCF to use worker
threads
• http://bit.ly/wcf-threadpool-bug
• Resolved in WCF 4.5
• Worker threads also have default maximum
number of threads
– .NET 3.5 – 250 threads per core
– .NET 4 – 1023 threads (32-bit), or 32768 (64-bit)

Call to Action
TCP Port Sharing Bug
•
•
•
•

WCF introduced port sharing for TCP
Managed by a Windows Service (SMSvcHost.exe)
IIS automatically uses port sharing for TCP endpoints
WCF 4 has a known bug in the port sharing Windows
service that can cause it to stop responding
• What to do? Install the hotfix!
• http://support.microsoft.com/kb/2536618
• To diagnose network errors, turn on tracing in the port
sharing service (http://bit.ly/wcf-portsharing-trace)


Know Thy Settings
• Service behavior
– Throttling
– Concurrency / Instancing
– DataContractSerializer

• Binding configuration
–
–
–
–
–
–

Network timeouts (opening, sending, receiving, closing)
MaxReceivedMessageSize
MaxBufferSize
ReaderQuotas
MaxConnections (TCP binding)
InactivityTimeout (Reliable Session)


Know Thy Settings – cont.
• Thread Pool
– Minimum settings - fast response for bursts
– Maximum settings – more concurrent calls

• IIS classic pipeline (system.web section)
– MinFreeThreads / MinLocalRequestFreeThreads
(HttpRuntime)
– AutoConfig (ProcessModel, in machine.config)

• IIS Integrated mode
– MaxConcurrentRequestsPerCPU registry key
HKLMSOFTWAREMicrosoftASP.NET{FW}
– Application Pool’s CLRConfigFile setting


Limits and Timeout Settings – cont.
• IIS/ASP.NET limitations
– ExecutionTimeout (in release mode)
– MaxRequestLength

• system.webServer | security | requestFiltering
– maxAllowedContentLength

• Outgoing HTTP communication
– System.Net.ServicePointManager.DefaultConnectionLimit
More information and workarounds in the following link
http://bit.ly/asp-iis-threading

And One Final Tip


Securing a Service
• Message Protection
– Integrity
– Confidentiality

• Authentication
– Client Authentication
– Service Authentication

• Authorization
– Role-based Authorization
– Claim-based Authorization

• Auditing

Transport Security
• With transport security, the operating system
handles the protection of the channel
• Supported for HTTP (SSL over HTTPS), TCP, IPC,
and MSMQ
• Requires a service certificate
• IIS is easy – assign certificate to HTTPS binding
• Self-hosting is less fun – need to use netsh
• Self-Signed certificates are no fun at all!!

How Secure Sockets Layer Works
3. Client verifies certificate’s
authenticity
1. Client requests a secured session
2. Server responds with an X.509 certificate
4. Client sends a symmetric encryption key
(encrypted with the server’s public key)
6. Client and server exchange encrypted messages
(encrypted with the symmetric key)

5. Server decrypts the encryption
key with its private key

Demo

CREATING, INSTALLING, AND USING
CERTIFICATES

Message Security
• WCF handles everything
• Used by default in WsHttpBinding
• Secure the channel using either:
– Service Certificate
– Windows Identities (service + client)

• Certificate validation can be handled in code
– Change the CertificateValidationMode
– Create your own validation code

Service Authentication
• By default, WCF uses negotiation to authenticate
the service against the client
• The implementation of WS-Trust is not fully
interoperable (e.g. Java)
• If using non-WCF clients, turn off negotiation and
use Out-of-Band (ahead of time) authentication
• In the binding configuration (service + client), set
NegotiateServiceCredential to false
• In the client endpoint configuration, add the
identity element and set the service’s credentials

Steps for Out-of-Band Authentication
• Service Certificate
– Install the certificate on the client machine
– Set the client endpoint’s identity to the certificate

• Windows Credentials
– If you use a system account (NetworkService, LocalSystem)
the machine’s Service Principal Name (SPN) is used
– If you use a domain account, register a new SPN in Active
Directory, and set the SPN identity in the service endpoint
– Set the client endpoint’s identity to the SPN


Demo

MESSAGE SECURITY AND
CERTIFICATES

Impersonation
• A WCF service can impersonate the client’s
Windows identity
• Clients must use a domain account
• If the client is ASP.NET, the app pool must use
a domain account, or also use impersonation
• Three ways to impersonate
– [OperationBehavior(Impersonation = ImpersonationOption.Required)]
– ServiceSecurityContext.Current.WindowsIdentity.Impersonate()
– <serviceAuthorization impersonateCallerForAllOperations="true"/>

Delegation
• Impersonating a client only works for one hop
– Access local resources and local services

• To call another hop you need delegation
– Access remote services, databases, and file shares

• Delegation requires enabling the account and the
machine for delegation in the Active Directory
• Verify support for delegation in your service before you call
out:
WindowsIdentity.ImpersonationLevel ==
TokenImpersonationLevel.Delegation

Demo

USING IMPERSONATION AND
DELEGATION

The WCF Service Pipeline
Channel Dispatcher
Channel Stack
Transport

Service Instance

Encoder

Protocol

Protocol

Endpoint Dispatcher

Service
Method

Dispatch
Operation

Service
Method

Dispatch
Operation


Dispatch
Runtime

The WCF Client Has a Pipeline Too
Client Channel
Client Code

Client Proxy
Client
Operation

Method

Client
Runtime

Client
Operation

Method

Channel Stack
Transport

Encoder


Protocol

Protocol

Where Can We Interfere?
Where

What

One/Many

Client/Service

Many

Service

Channel Dispatcher

Error Handler

Channel Stack

Message Encoder

One

Both

Address Filter

One

Service

Contract Filter

One

Service

Operation Selector

One

Service

Message Inspector

Many

Both

Instance Context Initializer

Many

Service

Instance Provider

One

Service

Message Formatter

One

Both

Parameter Inspector

One

Both

Many

Service

Endpoint Dispatcher

Dispatch / Client
Runtime

Dispatch / Client
Operation

Operation Invoker


How Do We Interfere?

•
•
•
•

Through Behaviors!
Behaviors tune the WCF pipeline to your needs
Write your own custom behavior
Attach the behavior to the WCF pipeline
– Code (custom attribute)
– Configuration (add to the behaviors section)


Which Custom Behavior to Use?
• IServiceBehavior
– Implement as a custom attribute or a configuration element
– Apply behavior for service, channels, endpoints, and operations

• IEndpointBehavior
– Implement as a configuration element
– Apply behavior for specific endpoints and their operations

• IContractBehavior
– Implement as a custom attribute
– Apply behavior for specific contracts and their operations

• IOperationBehavior
– Implement as a custom attribute
– Apply behavior for specific operations


Demo

CREATING A CUSTOM ERROR
HANDLER

Summary
• WCF has many hidden gems
• WCF has at least as many unknowns
• No course or lecture can replace
experience
• Perhaps now it will be easier to
connect the dots

What’s New in WCF 4.5
Ido Flatow, Senior Architect
Sela Group

Resources
• Sites, forums, and blogs
– WCF Developer Center
msdn.microsoft.com/en-us/library/dd456779.aspx
– MSDN’s WCF Forum
social.msdn.microsoft.com/Forums/en/wcf
– Blogs about WCF
blogs.msdn.com/b/carlosfigueira
blogs.msdn.com/b/endpoint
blogs.msdn.com/b/drnick
– Many WCF code samples
bit.ly/wcf-wf-samples

• Presentation & code samples
– sdrv.ms/1a6RyB5

• My Info
– blogs.microsoft.co.il/blogs/idof
– idof@sela.co.il
– @IdoFlatow


Why Not Ditch WCF and Switch to
One Slide about ASP.NET Web API
Web API
• WCF support non-HTTP bindings, such as TCP and
Named Pipes
• WCF supports message patterns, such as one-way
and message queue
• WS-* adds infrastructure features such as reliable
sessions, message security, and transactions
• SOAP-based services support detailed description
of the service with WSDL
More on WCF and ASP.NET Web API history
http://bit.ly/wcf-vs-webapi

Advanced WCF Workshop

More Related Content

What's hot (20)

Viewers also liked (20)

Similar to Advanced WCF Workshop (20)

More from Ido Flatow (16)

Recently uploaded (20)

Advanced WCF Workshop

Editor's Notes