CCF 2009 simple architecture

I’ve been working with CCF for the last few days. CCF, you say, what is that? Well, it's a product from Microsoft that can be used to enhance the experience of users when they work with multiple applications that require the same input. Say we have a call center with many applications. When a customer calls, the agent asks for your zip code or address. Then you state your problem and the agent needs to open a different program and re-enter your zip code; then the company needs to send you a package and for that application he again needs your address details. Annoying for you (every time the agent asks you for your details) and even more annoying for the call center agent, since he/she has to type the same information multiple times.

So CCF can help you with this. It requires a lot of programming to integrate all the apps, but it could be worth it. Are you designing CCF? Are you interested in the architecture? Check out this post …

1     Introduction

CCF is based on a client-server model. The client is a .NET application that runs on a client computer, for example on all computers in a call center. When the client connects to CCF it creates a connection on an HTTP port of the CCF server and receives the application configuration. When the client starts one of the retrieved applications, it creates a direct connection to that application. This connection is based on the configuration and connection information retrieved from CCF. CCF itself does not create a direct connection to the application; it only hosts the connection and configuration information for each application to which it can grant access. When opening the application, CCF can use Enterprise Single Sign-On to log the user into the application automatically. The CCF client actually types the username and password for the application in the background, so that the user gets a uniform working experience.

While multiple applications are accessible through the CCF console, each application can have a different access path. Some applications are installed locally on the client while others are accessible through web services or other client components. If an application is configured as a local program, this can also mean that only the client component is installed on the Client Agent computer and that additional server connections for that application may apply.

2     Server architecture

Internet Information Services (IIS) is used on the CCF server as the connection point for the client. The (default) website is extended during the installation with the CCF web applications. The web applications use SQL and XML or directory services to store information and configuration data. The directory services are best based on the Active Directory Application Mode (ADAM) component, a lightweight form of Active Directory Directory Services. When using multiple web servers, each server can host its own instance of the ADAM directory store, and replication amongst these stores is configured automatically. For availability the databases should be hosted on a SQL cluster that hosts the four databases for the CCF infrastructure. Apart from the SSO database, the databases are solely used by the CCF web applications. The SSO database is used to store encrypted credential information for single sign-on services. This service (Microsoft Enterprise SSO) should also be present on each node and reads and writes data and configuration to this database.

All the web applications run under a single application pool account. All services run under Active Directory user service accounts. The CCF service is dependent on the Active Directory service (the Active Directory domain) and its dependent services, such as name resolution and authentication service providers.

A highly available CCF solution would be based on a network load balanced architecture, where multiple CCF servers provide the services. Each node is configured to be able to work independently from the other nodes, so that if one node has a full service failure, the CCF service is not affected.

The installation of each server in the web services infrastructure is manual; however, the configuration stored in the SQL server and the ADAM store is shared amongst all servers. The ADAM service on each node is part of the same application directory, and replication amongst all ADAM instances is configured automatically. Each web server node contacts “msldap://localhost:389” for these directory services. Because localhost is used, each web service node can work independently from the others.

2.1 Kerberos architecture

Kerberos is the required authentication mechanism for CCF. Any other authentication protocol will not be accepted, and the outcome of such an authentication attempt is an access denied on the resource. Kerberos requires Service Principal Names (SPNs) to function, as they are the fundamental basis of Kerberos. Each resource needs an SPN based on the address of the resource. The SPN must be registered on the Active Directory object hosting the resource. Within CCF all web applications are hosted under a single user service account. This account will have the web URL registered as an SPN. SQL also requires an SPN; this is usually set during installation. Since the ADAM service and the Enterprise SSO service are hosted under the same account as the web applications, and since they are on the same physical machine, no further configuration is required for them. For the web application pool account to be able to impersonate the user logged on to the main CCF site, the web application pool account must be given Kerberos delegation rights. We can set up three types of delegation:

* Unconstrained delegation: users must log on using Kerberos to the main website in order for the web application pool account to impersonate them towards the SQL Server or any other service in the Active Directory forest.

* Constrained delegation: users must log on using Kerberos to the main website in order for the web application pool account to impersonate them towards the SPN registered on the SQL service account.

* Constrained delegation with protocol transition: users can log on using any method to the main website in order for the web application pool account to impersonate them towards the SPN registered on the SQL service account (basically the SQL service) only.
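Configuring the third, most restrictive option above (constrained delegation with protocol transition to the SQL service only) and then auditing which mode an account actually ends up in, as an added PowerShell example that is not part of the original post. The domain, account, host and SPN names (CONTOSO, svc_ccfpool, ccf.contoso.com, sql01.contoso.com) are assumptions; it needs the ActiveDirectory module and the setspn tool on a domain-joined admin workstation.

```powershell
# Assumed names (constructed for this example): domain CONTOSO, app-pool account
# svc_ccfpool, CCF site ccf.contoso.com, SQL instance sql01.contoso.com on port 1433.
Import-Module ActiveDirectory

$PoolAccount = 'svc_ccfpool'
$WebSpn      = 'HTTP/ccf.contoso.com'
$SqlSpn      = 'MSSQLSvc/sql01.contoso.com:1433'

# userAccountControl bits that encode the delegation type of an account
$TRUSTED_FOR_DELEGATION         = 0x80000    # unconstrained: any service in the forest
$TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # protocol transition: any logon method

# 1. Register the web URL as an SPN on the pool account. -S checks for duplicates
#    first; a duplicate SPN breaks the Kerberos ticket request for the CCF site.
setspn -S $WebSpn "CONTOSO\$PoolAccount"

# 2. Constrained delegation with protocol transition, limited to the SQL service:
#    the pool account may impersonate callers towards $SqlSpn and nothing else.
Set-ADUser -Identity $PoolAccount -Add @{ 'msDS-AllowedToDelegateTo' = $SqlSpn }
Set-ADAccountControl -Identity $PoolAccount -TrustedToAuthForDelegation $true
# Make sure the forest-wide (unconstrained) form is not left on at the same time.
Set-ADAccountControl -Identity $PoolAccount -TrustedForDelegation $false

# 3. Audit: report which of the three delegation modes the account is really in,
#    so the effective setting can be compared with what the design calls for.
function Get-DelegationMode {
    param([string]$Identity)
    $u = Get-ADUser -Identity $Identity `
        -Properties userAccountControl, 'msDS-AllowedToDelegateTo', servicePrincipalName
    $uac     = [int]$u.userAccountControl
    $targets = @($u.'msDS-AllowedToDelegateTo' | Where-Object { $_ })
    $mode = if ($uac -band $TRUSTED_FOR_DELEGATION) { 'Unconstrained (any service in the forest)' }
            elseif ($targets.Count -gt 0 -and ($uac -band $TRUSTED_TO_AUTH_FOR_DELEGATION)) {
                'Constrained with protocol transition' }
            elseif ($targets.Count -gt 0) { 'Constrained (Kerberos logon required)' }
            else { 'No delegation' }
    [pscustomobject]@{
        Account = $Identity; Mode = $mode; Targets = $targets; SPNs = @($u.servicePrincipalName)
    }
}
Get-DelegationMode -Identity $PoolAccount | Format-List

# 4. Duplicate SPNs anywhere in the forest break Kerberos silently; -X lists them.
setspn -X
```

Run the audit function against every service account in the CCF design (pool, SQL, SSO) after installation, since an account still flagged for unconstrained delegation would silently widen what the web tier can impersonate beyond the SQL service the post describes.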

more info: