This document describes the sample usage of the Trust Services in the context of a multi-role ASP.Net application. Sample follows the scenario of an application for HR management with following roles:
  • Administrator: full-control of dataset, stores and restores data, establish encryption policies, authorizes other roles for protected data access

  • HR: creates new entity for the dataset, view some employee data

  • Employee: sees only limited dataset

  • Unauthorized user: sees only clear text data

Please visit Trust Services Samples page to download this sample.


Private X.509 Certificates

Such certificate can be obtained from a certificate authority or can be created as a self-signed certificate. The sample locates the certificate in the Windows Certificate Store, Local Machine \Personal folder. In order to explore certificates in this folder please run mmc.exe and add certificate snap-in to access certificate management console.

You can create your own certificates by running the following command from a Visual Studio command prompt and create a self-signed certificate:

makecert -r -pe -n "CN=Azure.Trust.Sample.Role" -sky exchange –sr LocalMachine -ss my

Current sample uses three different certificates identifying each of the roles: Admin / HR / Employee.

Trust Server

You will need to sign up for Trust Services Lab and create a Trust Server. Export the public key for the certificates above (.cer file) using ”certificates” snap-in for the  mmc.exe management console.  Upload the Admin certificate as TSPA to the server you created using the Trust Services Portal. This will allow you to connect to the Trust Services API service using the Admin certificate, and add HR and Employee certs using the Add-Principal command in the Trust Services command shell. Please see Getting Started Tutorial for step-by-step instructions.


Trust Services SDK

The machine running the sample needs to be equipped with Trust Services client installed by Trust Services SDK and Management Tool Labs MSI.



This Sample utilizes ASP.Net  MVC v3. Please see for install options.

Windows Azure SDK 1.6 (Optional)

If web application will be deployed to Windows Azure environments Visual Studio 2010 SP1 and Azure SDK 1.6 required. Please visit  for setup package.

Sample Usage

1. Open ASP.NetTrustSample.sln using Visual Studio 2010. Add references to the Trust Services SDK DLLs.

2. Update Web.config file changing the fields for:

  • "AdminThumbprint", “HRThumbprint”, “EmployeeThumbprint” – matching the X509Certificates used

  • "trustServerName" - matching the server

  • "trustServiceURL" - matching the service URL advertised on Trust Services Web Portal

3. Deploy web application:

A)     For IIS running on Windows Azure Web Role:

  • Upload used certificates to the Windows Azure Certificate Store according to .
  • In “Deployment” project of the sample locate “MVC3Razor” role and update its properties specifying the thumbprint of used X509Certificates.
  • Use “Deployment” project follow the “Publish” wizard to add a new instance of Windows Azure hosted service running current sample.

B)     For IIS running on-premise

The sample can also be just run from ASP.Net Developer Server just by launching default project for Mvc3Razor solution in Visual Studio.

You can find more information about Trust Services here.