
Security in Appfabric caching


We are designing a system with Appfabric caching. We are wondering about the security.

How does the server that has the cache item know that the request for the item is coming from another server in the cache cluster or an authorized server?

What we are worried about is: Can anyone with access to the Appfabric cache port, read items from the cache?


Solution

  • No, accessing the port is not enough to read the cache items.

    AppFabric Cache uses WCF communication internally over net.tcp. Thus, Windows security is on by default. When your client code accesses the cache, the process identity is passed along. On the cache cluster the identity is checked, and if you didn't grant cache access for that identity the request is denied (you see this as the odd message "There is a temporary failure. Please retry later").

    It's usual to create a special account to run your process/app pool under. You can grant access using Caching Administration Windows PowerShell:

    PS C:\Windows\system32> Grant-CacheAllowedClientAccount YOURDOMAIN\ProcessAccount
    

    To check access use the following command:

    PS C:\Windows\system32> Get-CacheAllowedClientAccounts
    Administrators
    NETWORKSERVICE
    IIS APPPOOL\ASP.NET v4.0
    YOURDOMAIN\ProcessAccount
    

    Hope this helps.
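Added example, not part of the original answer: a PowerShell audit that compares the cluster's allowed client accounts with an approved list, grants missing ones with the cmdlet shown above, and flags any extra accounts for review. It assumes an elevated session on a cache host and uses YOURDOMAIN\ProcessAccount as a placeholder name.

```powershell
# Added example (not from the original answer): audit the allowed client
# accounts of an AppFabric cache cluster against an approved list, so that
# only the intended process identities can read items over the net.tcp port.
# Assumptions: elevated PowerShell on a cache host; account names below are
# placeholders to be replaced with your own.

Import-Module DistributedCacheAdministration
Use-CacheCluster   # connect to the cluster configured on this host

# Identities that should be allowed to use the cache (placeholder values)
$approved = @(
    'YOURDOMAIN\ProcessAccount'
)

# Accounts currently granted access (as reported by the cluster)
$current = @(Get-CacheAllowedClientAccounts)

# Accounts with cache access that are not on the approved list
$unexpected = $current  | Where-Object { $approved -notcontains $_ }
# Approved accounts that have not been granted access yet
$missing    = $approved | Where-Object { $current  -notcontains $_ }

if ($unexpected) {
    # Default entries such as Administrators or the generic app pool identity
    # show up here; review them and remove what is not needed with
    # Revoke-CacheAllowedClientAccount.
    Write-Warning 'Accounts with cache access that are not on the approved list:'
    $unexpected | ForEach-Object { Write-Warning "  $_" }
}

foreach ($acct in $missing) {
    Write-Host "Granting cache access to $acct"
    Grant-CacheAllowedClientAccount $acct
}

if (-not $unexpected -and -not $missing) {
    Write-Host 'Allowed client accounts match the approved list.'
}
```

Comparison with -notcontains is case-insensitive, which matches how Windows account names are treated.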