From fb0a38cceba210733abfca303c1ba98b2c8ba1ca Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Tue, 28 Oct 2025 18:33:26 +0000
Subject: [PATCH 1/6] Initial plan
From 5382b9ce2c146de669acabe47448176bdb634f64 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Tue, 28 Oct 2025 18:56:43 +0000
Subject: [PATCH 2/6] Add Orleans TLS documentation with C# and VB code
examples
Co-authored-by: ReubenBond <203839+ReubenBond@users.noreply.github.com>
---
.../transport-layer-security/.gitignore | 2 +
.../csharp/ClientExample/ClientExample.csproj | 15 ++
.../csharp/ClientExample/Program.cs | 87 +++++++++++
.../csharp/SiloExample/Program.cs | 136 ++++++++++++++++++
.../csharp/SiloExample/SiloExample.csproj | 15 ++
.../vb/ClientExample/ClientExample.vbproj | 14 ++
.../vb/ClientExample/Program.vb | 85 +++++++++++
.../vb/SiloExample/Program.vb | 129 +++++++++++++++++
.../vb/SiloExample/SiloExample.vbproj | 14 ++
docs/orleans/host/transport-layer-security.md | 134 +++++++++++++++++
docs/orleans/toc.yml | 2 +
11 files changed, 633 insertions(+)
create mode 100644 docs/orleans/host/snippets/transport-layer-security/.gitignore
create mode 100644 docs/orleans/host/snippets/transport-layer-security/csharp/ClientExample/ClientExample.csproj
create mode 100644 docs/orleans/host/snippets/transport-layer-security/csharp/ClientExample/Program.cs
create mode 100644 docs/orleans/host/snippets/transport-layer-security/csharp/SiloExample/Program.cs
create mode 100644 docs/orleans/host/snippets/transport-layer-security/csharp/SiloExample/SiloExample.csproj
create mode 100644 docs/orleans/host/snippets/transport-layer-security/vb/ClientExample/ClientExample.vbproj
create mode 100644 docs/orleans/host/snippets/transport-layer-security/vb/ClientExample/Program.vb
create mode 100644 docs/orleans/host/snippets/transport-layer-security/vb/SiloExample/Program.vb
create mode 100644 docs/orleans/host/snippets/transport-layer-security/vb/SiloExample/SiloExample.vbproj
create mode 100644 docs/orleans/host/transport-layer-security.md
diff --git a/docs/orleans/host/snippets/transport-layer-security/.gitignore b/docs/orleans/host/snippets/transport-layer-security/.gitignore
new file mode 100644
index 0000000000000..cd42ee34e873b
--- /dev/null
+++ b/docs/orleans/host/snippets/transport-layer-security/.gitignore
@@ -0,0 +1,2 @@
+bin/
+obj/
diff --git a/docs/orleans/host/snippets/transport-layer-security/csharp/ClientExample/ClientExample.csproj b/docs/orleans/host/snippets/transport-layer-security/csharp/ClientExample/ClientExample.csproj
new file mode 100644
index 0000000000000..bb87d4a076c40
--- /dev/null
+++ b/docs/orleans/host/snippets/transport-layer-security/csharp/ClientExample/ClientExample.csproj
@@ -0,0 +1,15 @@
+
+
+
+ Exe
+ net9.0
+ enable
+ enable
+
+
+
+
+
+
+
+
diff --git a/docs/orleans/host/snippets/transport-layer-security/csharp/ClientExample/Program.cs b/docs/orleans/host/snippets/transport-layer-security/csharp/ClientExample/Program.cs
new file mode 100644
index 0000000000000..0e25be52ff25d
--- /dev/null
+++ b/docs/orleans/host/snippets/transport-layer-security/csharp/ClientExample/Program.cs
@@ -0,0 +1,87 @@
+using System.Security.Authentication;
+using System.Security.Cryptography.X509Certificates;
+using Microsoft.Extensions.Hosting;
+using Microsoft.Extensions.Logging;
+using Orleans.Connections.Security;
+using Orleans.Hosting;
+
+//
+using IHost host = Host.CreateDefaultBuilder(args)
+ .UseOrleansClient(builder =>
+ {
+ builder
+ .UseLocalhostClustering()
+ .UseTls(StoreName.My, "my-certificate-subject", allowInvalid: false, StoreLocation.CurrentUser, options =>
+ {
+ options.OnAuthenticateAsServer = (connection, sslOptions) =>
+ {
+ sslOptions.ClientCertificateRequired = true;
+ };
+ });
+ })
+ .ConfigureLogging(logging => logging.AddConsole())
+ .Build();
+
+await host.RunAsync();
+//
+
+class ClientDevelopmentExample
+{
+ public static async Task ConfigureDevelopmentTls()
+ {
+ //
+ var isDevelopment = Environment.GetEnvironmentVariable("ASPNETCORE_ENVIRONMENT") == "Development";
+
+ using IHost host = Host.CreateDefaultBuilder()
+ .UseOrleansClient(builder =>
+ {
+ builder
+ .UseLocalhostClustering()
+ .UseTls(StoreName.My, "localhost", allowInvalid: isDevelopment, StoreLocation.CurrentUser, options =>
+ {
+ if (isDevelopment)
+ {
+ options.AllowAnyRemoteCertificate();
+ }
+
+ options.OnAuthenticateAsServer = (connection, sslOptions) =>
+ {
+ sslOptions.ClientCertificateRequired = true;
+ };
+ });
+ })
+ .ConfigureLogging(logging => logging.AddConsole())
+ .Build();
+
+ await host.RunAsync();
+ //
+ }
+}
+
+class ClientCertificateExample
+{
+ public static async Task ConfigureTlsWithCertificate()
+ {
+ //
+ using var cert = X509CertificateLoader.LoadPkcs12FromFile("path/to/certificate.pfx", "password");
+
+ using IHost host = Host.CreateDefaultBuilder()
+ .UseOrleansClient(builder =>
+ {
+ builder
+ .UseLocalhostClustering()
+ .UseTls(cert, options =>
+ {
+ options.OnAuthenticateAsServer = (connection, sslOptions) =>
+ {
+ sslOptions.ClientCertificateRequired = true;
+ };
+ });
+ })
+ .ConfigureLogging(logging => logging.AddConsole())
+ .Build();
+
+ await host.RunAsync();
+ //
+ }
+}
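Review bot: All three client snippets set `options.OnAuthenticateAsServer`, but an Orleans client only initiates connections, so that callback is presumably never invoked there and `ClientCertificateRequired = true` has no effect on the client side. The client needs the outbound callback instead, so that the name it expects in the silo's certificate is pinned: `options.OnAuthenticateAsClient = (connection, sslOptions) => { sslOptions.TargetHost = "my-certificate-subject"; };`. Requiring a client certificate is a silo-side decision and belongs in the silo snippets, which currently do not show it. The VB client file added in this patch repeats the same callback. Separately, `LoadPkcs12FromFile("path/to/certificate.pfx", "password")` in `ConfigureTlsWithCertificate` (and its silo counterpart) invites a copied literal; a comment such as `// Load the PFX password from configuration or a secret store, never from source.` would help.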
diff --git a/docs/orleans/host/snippets/transport-layer-security/csharp/SiloExample/Program.cs b/docs/orleans/host/snippets/transport-layer-security/csharp/SiloExample/Program.cs
new file mode 100644
index 0000000000000..4acb1567ae550
--- /dev/null
+++ b/docs/orleans/host/snippets/transport-layer-security/csharp/SiloExample/Program.cs
@@ -0,0 +1,136 @@
+using System.Net;
+using System.Net.Security;
+using System.Security.Authentication;
+using System.Security.Cryptography.X509Certificates;
+using Microsoft.Extensions.Hosting;
+using Microsoft.Extensions.Logging;
+using Orleans.Connections.Security;
+using Orleans.Hosting;
+
+//
+using IHost host = Host.CreateDefaultBuilder(args)
+ .UseOrleans(builder =>
+ {
+ builder
+ .UseLocalhostClustering()
+ .UseTls(StoreName.My, "my-certificate-subject", allowInvalid: false, StoreLocation.CurrentUser, options =>
+ {
+ options.OnAuthenticateAsClient = (connection, sslOptions) =>
+ {
+ sslOptions.TargetHost = "my-certificate-subject";
+ };
+ });
+ })
+ .ConfigureLogging(logging => logging.AddConsole())
+ .Build();
+
+await host.RunAsync();
+//
+
+class DevelopmentExample
+{
+ public static async Task ConfigureDevelopmentTls()
+ {
+ //
+ var isDevelopment = Environment.GetEnvironmentVariable("ASPNETCORE_ENVIRONMENT") == "Development";
+
+ using IHost host = Host.CreateDefaultBuilder()
+ .UseOrleans(builder =>
+ {
+ builder
+ .UseLocalhostClustering()
+ .UseTls(StoreName.My, "localhost", allowInvalid: isDevelopment, StoreLocation.CurrentUser, options =>
+ {
+ options.OnAuthenticateAsClient = (connection, sslOptions) =>
+ {
+ sslOptions.TargetHost = "localhost";
+ };
+
+ if (isDevelopment)
+ {
+ options.AllowAnyRemoteCertificate();
+ }
+ });
+ })
+ .ConfigureLogging(logging => logging.AddConsole())
+ .Build();
+
+ await host.RunAsync();
+ //
+ }
+}
+
+class CertificateExample
+{
+ public static async Task ConfigureTlsWithCertificate()
+ {
+ //
+ using var cert = X509CertificateLoader.LoadPkcs12FromFile("path/to/certificate.pfx", "password");
+
+ using IHost host = Host.CreateDefaultBuilder()
+ .UseOrleans(builder =>
+ {
+ builder
+ .UseLocalhostClustering()
+ .UseTls(cert, options =>
+ {
+ options.OnAuthenticateAsClient = (connection, sslOptions) =>
+ {
+ sslOptions.TargetHost = cert.GetNameInfo(X509NameType.DnsName, false);
+ };
+ });
+ })
+ .ConfigureLogging(logging => logging.AddConsole())
+ .Build();
+
+ await host.RunAsync();
+ //
+ }
+}
+
+class AdvancedExample
+{
+ public static async Task ConfigureAdvancedTls()
+ {
+ //
+ using IHost host = Host.CreateDefaultBuilder()
+ .UseOrleans(builder =>
+ {
+ builder
+ .UseLocalhostClustering()
+ .UseTls(StoreName.My, "my-certificate-subject", allowInvalid: false, StoreLocation.LocalMachine, options =>
+ {
+ options.LocalServerCertificateSelector = (sender, serverName) =>
+ {
+ using var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
+ store.Open(OpenFlags.ReadOnly);
+ var certs = store.Certificates.Find(X509FindType.FindBySubjectName, serverName ?? "my-certificate-subject", validOnly: true);
+ return certs.Count > 0 ? certs[0] : null;
+ };
+
+ options.RemoteCertificateValidation = (certificate, chain, sslPolicyErrors) =>
+ {
+ if (sslPolicyErrors == SslPolicyErrors.None)
+ {
+ return true;
+ }
+
+ return false;
+ };
+
+ options.OnAuthenticateAsClient = (connection, sslOptions) =>
+ {
+ sslOptions.TargetHost = "my-certificate-subject";
+ sslOptions.EnabledSslProtocols = SslProtocols.Tls12 | SslProtocols.Tls13;
+ };
+
+ options.CheckCertificateRevocation = true;
+ });
+ })
+ .ConfigureLogging(logging => logging.AddConsole())
+ .Build();
+
+ await host.RunAsync();
+ //
+ }
+}
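Review bot: In `ConfigureAdvancedTls`, `LocalServerCertificateSelector` passes the peer-supplied `serverName` straight into `FindBySubjectName`, which matches on a substring of the subject, so the connecting side influences which certificate from `LocalMachine\My` the silo presents. Look up the fixed subject instead, or accept `serverName` only after an exact comparison against the names this silo is meant to serve: `store.Certificates.Find(X509FindType.FindBySubjectName, "my-certificate-subject", validOnly: true)`. The selector also reopens the store on every handshake; resolving the certificate once outside the callback would avoid that. In `CertificateExample`, `TargetHost` is taken from the silo's own certificate, which only validates peers that share that certificate's DNS name; a comment stating that assumption would keep readers from copying it into clusters with per-silo certificates.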
diff --git a/docs/orleans/host/snippets/transport-layer-security/csharp/SiloExample/SiloExample.csproj b/docs/orleans/host/snippets/transport-layer-security/csharp/SiloExample/SiloExample.csproj
new file mode 100644
index 0000000000000..32d814d0e75f6
--- /dev/null
+++ b/docs/orleans/host/snippets/transport-layer-security/csharp/SiloExample/SiloExample.csproj
@@ -0,0 +1,15 @@
+
+
+
+ Exe
+ net9.0
+ enable
+ enable
+
+
+
+
+
+
+
+
diff --git a/docs/orleans/host/snippets/transport-layer-security/vb/ClientExample/ClientExample.vbproj b/docs/orleans/host/snippets/transport-layer-security/vb/ClientExample/ClientExample.vbproj
new file mode 100644
index 0000000000000..e2abbe740c176
--- /dev/null
+++ b/docs/orleans/host/snippets/transport-layer-security/vb/ClientExample/ClientExample.vbproj
@@ -0,0 +1,14 @@
+
+
+
+ Exe
+ ClientExample
+ net9.0
+
+
+
+
+
+
+
+
diff --git a/docs/orleans/host/snippets/transport-layer-security/vb/ClientExample/Program.vb b/docs/orleans/host/snippets/transport-layer-security/vb/ClientExample/Program.vb
new file mode 100644
index 0000000000000..9feac8f2dd3ad
--- /dev/null
+++ b/docs/orleans/host/snippets/transport-layer-security/vb/ClientExample/Program.vb
@@ -0,0 +1,85 @@
+Imports System
+
+Imports System.Security.Authentication
+Imports System.Security.Cryptography.X509Certificates
+Imports Microsoft.Extensions.Hosting
+Imports Microsoft.Extensions.Logging
+Imports Orleans.Connections.Security
+Imports Orleans.Hosting
+
+Module Program
+ '
+ Sub Main(args As String())
+ Dim hostBuilder = Microsoft.Extensions.Hosting.Host.CreateDefaultBuilder(args)
+ hostBuilder.UseOrleansClient(Sub(builder)
+ builder _
+ .UseLocalhostClustering() _
+ .UseTls(StoreName.My, "my-certificate-subject", allowInvalid:=False, StoreLocation.CurrentUser,
+ Sub(options)
+ options.OnAuthenticateAsServer = Sub(connection, sslOptions)
+ sslOptions.ClientCertificateRequired = True
+ End Sub
+ End Sub)
+ End Sub)
+ hostBuilder.ConfigureLogging(Sub(logging) logging.AddConsole())
+ Dim host = hostBuilder.Build()
+
+ host.RunAsync().Wait()
+ End Sub
+ '
+End Module
+
+Class ClientDevelopmentExample
+ '
+ Public Shared Async Function ConfigureDevelopmentTls() As Task
+ Dim isDevelopment As Boolean = Environment.GetEnvironmentVariable("ASPNETCORE_ENVIRONMENT") = "Development"
+
+ Dim hostBuilder = Microsoft.Extensions.Hosting.Host.CreateDefaultBuilder()
+ hostBuilder.UseOrleansClient(Sub(builder)
+ builder _
+ .UseLocalhostClustering() _
+ .UseTls(StoreName.My, "localhost", allowInvalid:=isDevelopment, StoreLocation.CurrentUser,
+ Sub(options)
+ If isDevelopment Then
+ options.AllowAnyRemoteCertificate()
+ End If
+
+ options.OnAuthenticateAsServer = Sub(connection, sslOptions)
+ sslOptions.ClientCertificateRequired = True
+ End Sub
+ End Sub)
+ End Sub)
+ hostBuilder.ConfigureLogging(Sub(logging) logging.AddConsole())
+ Dim host = hostBuilder.Build()
+
+ Await host.RunAsync()
+ host.Dispose()
+ End Function
+ '
+End Class
+
+Class ClientCertificateExample
+ '
+ Public Shared Async Function ConfigureTlsWithCertificate() As Task
+ Dim cert As X509Certificate2 = X509CertificateLoader.LoadPkcs12FromFile("path/to/certificate.pfx", "password")
+
+ Dim hostBuilder = Microsoft.Extensions.Hosting.Host.CreateDefaultBuilder()
+ hostBuilder.UseOrleansClient(Sub(builder)
+ builder _
+ .UseLocalhostClustering() _
+ .UseTls(cert,
+ Sub(options)
+ options.OnAuthenticateAsServer = Sub(connection, sslOptions)
+ sslOptions.ClientCertificateRequired = True
+ End Sub
+ End Sub)
+ End Sub)
+ hostBuilder.ConfigureLogging(Sub(logging) logging.AddConsole())
+ Dim host = hostBuilder.Build()
+
+ Await host.RunAsync()
+ host.Dispose()
+ cert.Dispose()
+ End Function
+ '
+End Class
diff --git a/docs/orleans/host/snippets/transport-layer-security/vb/SiloExample/Program.vb b/docs/orleans/host/snippets/transport-layer-security/vb/SiloExample/Program.vb
new file mode 100644
index 0000000000000..4d9b9daf3b6d6
--- /dev/null
+++ b/docs/orleans/host/snippets/transport-layer-security/vb/SiloExample/Program.vb
@@ -0,0 +1,129 @@
+Imports System
+
+Imports System.Net
+Imports System.Net.Security
+Imports System.Security.Authentication
+Imports System.Security.Cryptography.X509Certificates
+Imports Microsoft.Extensions.Hosting
+Imports Microsoft.Extensions.Logging
+Imports Orleans.Connections.Security
+Imports Orleans.Hosting
+
+Module Program
+ '
+ Sub Main(args As String())
+ Dim hostBuilder = Microsoft.Extensions.Hosting.Host.CreateDefaultBuilder(args)
+ hostBuilder.UseOrleans(Sub(builder)
+ builder _
+ .UseLocalhostClustering() _
+ .UseTls(StoreName.My, "my-certificate-subject", allowInvalid:=False, StoreLocation.CurrentUser,
+ Sub(options)
+ options.OnAuthenticateAsClient = Sub(connection, sslOptions)
+ sslOptions.TargetHost = "my-certificate-subject"
+ End Sub
+ End Sub)
+ End Sub)
+ hostBuilder.ConfigureLogging(Sub(logging) logging.AddConsole())
+ Dim host = hostBuilder.Build()
+
+ host.RunAsync().Wait()
+ End Sub
+ '
+End Module
+
+Class DevelopmentExample
+ '
+ Public Shared Async Function ConfigureDevelopmentTls() As Task
+ Dim isDevelopment As Boolean = Environment.GetEnvironmentVariable("ASPNETCORE_ENVIRONMENT") = "Development"
+
+ Dim hostBuilder = Microsoft.Extensions.Hosting.Host.CreateDefaultBuilder()
+ hostBuilder.UseOrleans(Sub(builder)
+ builder _
+ .UseLocalhostClustering() _
+ .UseTls(StoreName.My, "localhost", allowInvalid:=isDevelopment, StoreLocation.CurrentUser,
+ Sub(options)
+ options.OnAuthenticateAsClient = Sub(connection, sslOptions)
+ sslOptions.TargetHost = "localhost"
+ End Sub
+
+ If isDevelopment Then
+ options.AllowAnyRemoteCertificate()
+ End If
+ End Sub)
+ End Sub)
+ hostBuilder.ConfigureLogging(Sub(logging) logging.AddConsole())
+ Dim host = hostBuilder.Build()
+
+ Await host.RunAsync()
+ host.Dispose()
+ End Function
+ '
+End Class
+
+Class CertificateExample
+ '
+ Public Shared Async Function ConfigureTlsWithCertificate() As Task
+ Dim cert As X509Certificate2 = X509CertificateLoader.LoadPkcs12FromFile("path/to/certificate.pfx", "password")
+
+ Dim hostBuilder = Microsoft.Extensions.Hosting.Host.CreateDefaultBuilder()
+ hostBuilder.UseOrleans(Sub(builder)
+ builder _
+ .UseLocalhostClustering() _
+ .UseTls(cert,
+ Sub(options)
+ options.OnAuthenticateAsClient = Sub(connection, sslOptions)
+ sslOptions.TargetHost = cert.GetNameInfo(X509NameType.DnsName, False)
+ End Sub
+ End Sub)
+ End Sub)
+ hostBuilder.ConfigureLogging(Sub(logging) logging.AddConsole())
+ Dim host = hostBuilder.Build()
+
+ Await host.RunAsync()
+ host.Dispose()
+ cert.Dispose()
+ End Function
+ '
+End Class
+
+Class AdvancedExample
+ '
+ Public Shared Async Function ConfigureAdvancedTls() As Task
+ Dim hostBuilder = Microsoft.Extensions.Hosting.Host.CreateDefaultBuilder()
+ hostBuilder.UseOrleans(Sub(builder)
+ builder _
+ .UseLocalhostClustering() _
+ .UseTls(StoreName.My, "my-certificate-subject", allowInvalid:=False, StoreLocation.LocalMachine,
+ Sub(options)
+ options.LocalServerCertificateSelector = Function(sender, serverName)
+ Using store As New X509Store(StoreName.My, StoreLocation.LocalMachine)
+ store.Open(OpenFlags.ReadOnly)
+ Dim certs = store.Certificates.Find(X509FindType.FindBySubjectName, If(serverName, "my-certificate-subject"), validOnly:=True)
+ Return If(certs.Count > 0, certs(0), Nothing)
+ End Using
+ End Function
+
+ options.RemoteCertificateValidation = Function(certificate, chain, sslPolicyErrors)
+ If sslPolicyErrors = SslPolicyErrors.None Then
+ Return True
+ End If
+
+ Return False
+ End Function
+
+ options.OnAuthenticateAsClient = Sub(connection, sslOptions)
+ sslOptions.TargetHost = "my-certificate-subject"
+ sslOptions.EnabledSslProtocols = SslProtocols.Tls12 Or SslProtocols.Tls13
+ End Sub
+
+ options.CheckCertificateRevocation = True
+ End Sub)
+ End Sub)
+ hostBuilder.ConfigureLogging(Sub(logging) logging.AddConsole())
+ Dim host = hostBuilder.Build()
+
+ Await host.RunAsync()
+ host.Dispose()
+ End Function
+ '
+End Class
diff --git a/docs/orleans/host/snippets/transport-layer-security/vb/SiloExample/SiloExample.vbproj b/docs/orleans/host/snippets/transport-layer-security/vb/SiloExample/SiloExample.vbproj
new file mode 100644
index 0000000000000..9aacdc7713f8a
--- /dev/null
+++ b/docs/orleans/host/snippets/transport-layer-security/vb/SiloExample/SiloExample.vbproj
@@ -0,0 +1,14 @@
+
+
+
+ Exe
+ SiloExample
+ net9.0
+
+
+
+
+
+
+
+
diff --git a/docs/orleans/host/transport-layer-security.md b/docs/orleans/host/transport-layer-security.md
new file mode 100644
index 0000000000000..b4e1e292795f1
--- /dev/null
+++ b/docs/orleans/host/transport-layer-security.md
@@ -0,0 +1,134 @@
+---
+title: Transport Layer Security (TLS)
+description: Learn how to configure Transport Layer Security (TLS) in .NET Orleans to secure network communication between hosts.
+ms.date: 10/28/2025
+ms.topic: how-to
+ai-usage: ai-assisted
+---
+
+# Transport Layer Security (TLS)
+
+Transport Layer Security (TLS) is a cryptographic protocol that secures network communication between Orleans silos and clients. Configure TLS to implement mutual authentication and encrypt data in transit, protecting your Orleans deployment from unauthorized access and eavesdropping.
+
+## Prerequisites
+
+Before configuring TLS, ensure you have:
+
+- An Orleans application with the [Microsoft.Orleans.Server](https://www.nuget.org/packages/Microsoft.Orleans.Server) NuGet package installed for silos.
+- The [Microsoft.Orleans.Client](https://www.nuget.org/packages/Microsoft.Orleans.Client) NuGet package installed for clients.
+- The [Microsoft.Orleans.Connections.Security](https://www.nuget.org/packages/Microsoft.Orleans.Connections.Security) NuGet package installed for both silos and clients.
+- A valid X.509 certificate for authentication, either in the Windows certificate store or as a file.
+
+## Configure TLS on silos
+
+To enable TLS on an Orleans silo, use the extension method. This method provides several overloads for different certificate configuration scenarios.
+
+### Basic TLS configuration
+
+The following example shows how to configure TLS using a certificate from the Windows certificate store:
+
+:::code language="csharp" source="./snippets/transport-layer-security/csharp/SiloExample/Program.cs" id="BasicTlsConfiguration":::
+:::code language="vb" source="./snippets/transport-layer-security/vb/SiloExample/Program.vb" id="BasicTlsConfiguration":::
+
+In the preceding code:
+
+- The `StoreName.My` parameter specifies the certificate store location (Personal certificates).
+- The `"my-certificate-subject"` parameter identifies the certificate by its subject name.
+- The `allowInvalid: false` parameter ensures that only valid certificates are accepted in production.
+- The `StoreLocation.CurrentUser` parameter specifies the certificate store scope.
+- The `OnAuthenticateAsClient` callback sets the target host for client authentication.
+
+### Development environment configuration
+
+For development and testing, you might need to use self-signed certificates. The following example shows how to configure TLS with relaxed validation for development:
+
+:::code language="csharp" source="./snippets/transport-layer-security/csharp/SiloExample/Program.cs" id="DevelopmentTlsConfiguration":::
+:::code language="vb" source="./snippets/transport-layer-security/vb/SiloExample/Program.vb" id="DevelopmentTlsConfiguration":::
+
+In the preceding code:
+
+- The `isDevelopment` flag determines whether to use relaxed certificate validation.
+- The method disables certificate validation in development.
+
+> [!WARNING]
+> Never use `AllowAnyRemoteCertificate()` or `allowInvalid: true` in production deployments. These settings disable important security checks and expose your application to security vulnerabilities.
+
+### Certificate file configuration
+
+If you have a certificate file instead of using the certificate store, configure TLS as shown in the following example:
+
+:::code language="csharp" source="./snippets/transport-layer-security/csharp/SiloExample/Program.cs" id="CertificateTlsConfiguration":::
+:::code language="vb" source="./snippets/transport-layer-security/vb/SiloExample/Program.vb" id="CertificateTlsConfiguration":::
+
+In the preceding code:
+
+- The method loads a certificate from a PKCS#12 file (PFX format).
+- The certificate is passed directly to the `UseTls` method.
+
+### Advanced TLS configuration
+
+For production deployments, you might need more control over certificate validation and protocol selection. The following example demonstrates advanced TLS configuration:
+
+:::code language="csharp" source="./snippets/transport-layer-security/csharp/SiloExample/Program.cs" id="AdvancedTlsConfiguration":::
+:::code language="vb" source="./snippets/transport-layer-security/vb/SiloExample/Program.vb" id="AdvancedTlsConfiguration":::
+
+In the preceding code:
+
+- The callback dynamically selects the appropriate server certificate.
+- The callback provides custom validation logic for remote certificates.
+- The callback configures SSL protocol versions using and .
+- The property enables certificate revocation checking.
+
+## Configure TLS on clients
+
+Orleans clients require similar TLS configuration to securely connect to TLS-enabled silos.
+
+### Basic client TLS configuration
+
+The following example shows how to configure TLS on an Orleans client:
+
+:::code language="csharp" source="./snippets/transport-layer-security/csharp/ClientExample/Program.cs" id="BasicClientTlsConfiguration":::
+:::code language="vb" source="./snippets/transport-layer-security/vb/ClientExample/Program.vb" id="BasicClientTlsConfiguration":::
+
+In the preceding code:
+
+- The extension method configures TLS for the client.
+- The callback configures server authentication options.
+- The `ClientCertificateRequired` property enables mutual TLS by requiring the client to present a certificate.
+
+### Development client configuration
+
+For development environments, configure the client with relaxed validation as shown in the following example:
+
+:::code language="csharp" source="./snippets/transport-layer-security/csharp/ClientExample/Program.cs" id="ClientDevelopmentTlsConfiguration":::
+:::code language="vb" source="./snippets/transport-layer-security/vb/ClientExample/Program.vb" id="ClientDevelopmentTlsConfiguration":::
+
+### Certificate file client configuration
+
+Configure a client using a certificate file as shown in the following example:
+
+:::code language="csharp" source="./snippets/transport-layer-security/csharp/ClientExample/Program.cs" id="ClientCertificateTlsConfiguration":::
+:::code language="vb" source="./snippets/transport-layer-security/vb/ClientExample/Program.vb" id="ClientCertificateTlsConfiguration":::
+
+## Best practices
+
+Follow these best practices when configuring TLS in Orleans:
+
+- **Use the latest TLS protocol**: Always prefer TLS 1.2 or TLS 1.3 for the strongest security. Avoid TLS 1.0 and TLS 1.1, which have known vulnerabilities.
+- **Let the OS choose the protocol version**: Avoid explicitly setting TLS protocol versions in production code. Instead, defer to operating system defaults by using , which allows the OS to automatically select the best protocol.
+- **Validate certificates**: Always validate certificate chains, expiration dates, and hostname matches in production. Never use `AllowAnyRemoteCertificate()` or disable certificate validation outside of development environments.
+- **Enable certificate revocation checking**: Use to verify that certificates haven't been revoked.
+- **Use strong certificates**: Ensure your X.509 certificates use strong key lengths (at least 2048 bits for RSA) and are signed by a trusted Certificate Authority (CA).
+- **Secure certificate storage**: Protect private keys with appropriate file permissions or by using hardware security modules (HSMs).
+- **Keep certificates current**: Monitor certificate expiration dates and renew certificates before they expire.
+- **Keep software updated**: Regularly update your .NET runtime and operating system to receive the latest security patches and protocol support.
+
+For more information on .NET TLS best practices, see [Transport Layer Security (TLS) best practices with .NET](../../framework/network-programming/tls.md) and [TLS/SSL best practices](../../core/extensions/sslstream-best-practices.md).
+
+## See also
+
+- [Client configuration](configuration-guide/client-configuration.md)
+- [Server configuration](configuration-guide/server-configuration.md)
+-
+-
+- [Orleans Transport Layer Security (TLS) sample](/samples/dotnet/samples/orleans-transport-layer-security-tls/)
diff --git a/docs/orleans/toc.yml b/docs/orleans/toc.yml
index dfe8f075f6811..6f3d4f43b5fd3 100644
--- a/docs/orleans/toc.yml
+++ b/docs/orleans/toc.yml
@@ -128,6 +128,8 @@ items:
href: host/grain-directory.md
- name: PowerShell client module
href: host/powershell-client.md
+ - name: Transport Layer Security (TLS)
+ href: host/transport-layer-security.md
- name: Configuration guide
items:
- name: Overview
From afc2a9853ebb281f820a0b94efe8952ea8283f07 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Tue, 28 Oct 2025 19:01:50 +0000
Subject: [PATCH 3/6] Update TLS documentation to follow OS default protocol
best practices
Co-authored-by: ReubenBond <203839+ReubenBond@users.noreply.github.com>
---
.../transport-layer-security/csharp/SiloExample/Program.cs | 1 -
.../transport-layer-security/vb/SiloExample/Program.vb | 1 -
docs/orleans/host/transport-layer-security.md | 3 +--
3 files changed, 1 insertion(+), 4 deletions(-)
diff --git a/docs/orleans/host/snippets/transport-layer-security/csharp/SiloExample/Program.cs b/docs/orleans/host/snippets/transport-layer-security/csharp/SiloExample/Program.cs
index 4acb1567ae550..b545e380217ff 100644
--- a/docs/orleans/host/snippets/transport-layer-security/csharp/SiloExample/Program.cs
+++ b/docs/orleans/host/snippets/transport-layer-security/csharp/SiloExample/Program.cs
@@ -121,7 +121,6 @@ public static async Task ConfigureAdvancedTls()
options.OnAuthenticateAsClient = (connection, sslOptions) =>
{
sslOptions.TargetHost = "my-certificate-subject";
- sslOptions.EnabledSslProtocols = SslProtocols.Tls12 | SslProtocols.Tls13;
};
options.CheckCertificateRevocation = true;
diff --git a/docs/orleans/host/snippets/transport-layer-security/vb/SiloExample/Program.vb b/docs/orleans/host/snippets/transport-layer-security/vb/SiloExample/Program.vb
index 4d9b9daf3b6d6..860bac8317015 100644
--- a/docs/orleans/host/snippets/transport-layer-security/vb/SiloExample/Program.vb
+++ b/docs/orleans/host/snippets/transport-layer-security/vb/SiloExample/Program.vb
@@ -113,7 +113,6 @@ Class AdvancedExample
options.OnAuthenticateAsClient = Sub(connection, sslOptions)
sslOptions.TargetHost = "my-certificate-subject"
- sslOptions.EnabledSslProtocols = SslProtocols.Tls12 Or SslProtocols.Tls13
End Sub
options.CheckCertificateRevocation = True
diff --git a/docs/orleans/host/transport-layer-security.md b/docs/orleans/host/transport-layer-security.md
index b4e1e292795f1..669498b578b15 100644
--- a/docs/orleans/host/transport-layer-security.md
+++ b/docs/orleans/host/transport-layer-security.md
@@ -76,7 +76,6 @@ In the preceding code:
- The callback dynamically selects the appropriate server certificate.
- The callback provides custom validation logic for remote certificates.
-- The callback configures SSL protocol versions using and .
- The property enables certificate revocation checking.
## Configure TLS on clients
@@ -115,7 +114,7 @@ Configure a client using a certificate file as shown in the following example:
Follow these best practices when configuring TLS in Orleans:
- **Use the latest TLS protocol**: Always prefer TLS 1.2 or TLS 1.3 for the strongest security. Avoid TLS 1.0 and TLS 1.1, which have known vulnerabilities.
-- **Let the OS choose the protocol version**: Avoid explicitly setting TLS protocol versions in production code. Instead, defer to operating system defaults by using , which allows the OS to automatically select the best protocol.
+- **Let the OS choose the protocol version**: Don't explicitly set TLS protocol versions in production code. Instead, defer to operating system defaults to automatically select the best protocol. Only explicitly set protocol versions if you have a specific compatibility requirement with legacy systems. When you explicitly set protocol versions, your application can't automatically benefit from newer protocols added in future OS updates.
- **Validate certificates**: Always validate certificate chains, expiration dates, and hostname matches in production. Never use `AllowAnyRemoteCertificate()` or disable certificate validation outside of development environments.
- **Enable certificate revocation checking**: Use to verify that certificates haven't been revoked.
- **Use strong certificates**: Ensure your X.509 certificates use strong key lengths (at least 2048 bits for RSA) and are signed by a trusted Certificate Authority (CA).
From 3b308aa6725929f8cbff8c7d13d2b6090ad9c3b8 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Tue, 28 Oct 2025 19:29:31 +0000
Subject: [PATCH 4/6] Address PR feedback: Remove VB examples, use
IsDevelopment, add mTLS, update title
Co-authored-by: ReubenBond <203839+ReubenBond@users.noreply.github.com>
---
.../csharp/ClientExample/Program.cs | 10 +-
.../csharp/SiloExample/Program.cs | 10 +-
.../vb/ClientExample/ClientExample.vbproj | 14 --
.../vb/ClientExample/Program.vb | 85 ------------
.../vb/SiloExample/Program.vb | 128 ------------------
.../vb/SiloExample/SiloExample.vbproj | 14 --
docs/orleans/host/transport-layer-security.md | 17 +--
7 files changed, 17 insertions(+), 261 deletions(-)
delete mode 100644 docs/orleans/host/snippets/transport-layer-security/vb/ClientExample/ClientExample.vbproj
delete mode 100644 docs/orleans/host/snippets/transport-layer-security/vb/ClientExample/Program.vb
delete mode 100644 docs/orleans/host/snippets/transport-layer-security/vb/SiloExample/Program.vb
delete mode 100644 docs/orleans/host/snippets/transport-layer-security/vb/SiloExample/SiloExample.vbproj
diff --git a/docs/orleans/host/snippets/transport-layer-security/csharp/ClientExample/Program.cs b/docs/orleans/host/snippets/transport-layer-security/csharp/ClientExample/Program.cs
index 0e25be52ff25d..e6fac4f7cc2cc 100644
--- a/docs/orleans/host/snippets/transport-layer-security/csharp/ClientExample/Program.cs
+++ b/docs/orleans/host/snippets/transport-layer-security/csharp/ClientExample/Program.cs
@@ -30,11 +30,13 @@ class ClientDevelopmentExample
public static async Task ConfigureDevelopmentTls()
{
//
- var isDevelopment = Environment.GetEnvironmentVariable("ASPNETCORE_ENVIRONMENT") == "Development";
-
- using IHost host = Host.CreateDefaultBuilder()
- .UseOrleansClient(builder =>
+ var hostBuilder = Host.CreateDefaultBuilder();
+
+ using IHost host = hostBuilder
+ .UseOrleansClient((context, builder) =>
{
+ var isDevelopment = context.HostingEnvironment.IsDevelopment();
+
builder
.UseLocalhostClustering()
.UseTls(StoreName.My, "localhost", allowInvalid: isDevelopment, StoreLocation.CurrentUser, options =>
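Review bot: The switch to `context.HostingEnvironment.IsDevelopment()` changes which variable gates the relaxed validation, and the snippet should say so. `Host.CreateDefaultBuilder()` is the generic host, which takes its environment from `DOTNET_ENVIRONMENT` and falls back to Production, so a reader who sets only `ASPNETCORE_ENVIRONMENT` as in the removed line now gets strict validation. I would add above the assignment: `// Generic host: environment comes from DOTNET_ENVIRONMENT and defaults to Production, so relaxed TLS validation is opt-in.` The `hostBuilder` local is used once and could stay inlined as before. The same applies to the SiloExample hunk that follows; `ConfigureDevelopmentTls` continues beyond both hunks.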
diff --git a/docs/orleans/host/snippets/transport-layer-security/csharp/SiloExample/Program.cs b/docs/orleans/host/snippets/transport-layer-security/csharp/SiloExample/Program.cs
index b545e380217ff..d1a05cf59bcf0 100644
--- a/docs/orleans/host/snippets/transport-layer-security/csharp/SiloExample/Program.cs
+++ b/docs/orleans/host/snippets/transport-layer-security/csharp/SiloExample/Program.cs
@@ -32,11 +32,13 @@ class DevelopmentExample
public static async Task ConfigureDevelopmentTls()
{
//
- var isDevelopment = Environment.GetEnvironmentVariable("ASPNETCORE_ENVIRONMENT") == "Development";
-
- using IHost host = Host.CreateDefaultBuilder()
- .UseOrleans(builder =>
+ var hostBuilder = Host.CreateDefaultBuilder();
+
+ using IHost host = hostBuilder
+ .UseOrleans((context, builder) =>
{
+ var isDevelopment = context.HostingEnvironment.IsDevelopment();
+
builder
.UseLocalhostClustering()
.UseTls(StoreName.My, "localhost", allowInvalid: isDevelopment, StoreLocation.CurrentUser, options =>
diff --git a/docs/orleans/host/snippets/transport-layer-security/vb/ClientExample/ClientExample.vbproj b/docs/orleans/host/snippets/transport-layer-security/vb/ClientExample/ClientExample.vbproj
deleted file mode 100644
index e2abbe740c176..0000000000000
--- a/docs/orleans/host/snippets/transport-layer-security/vb/ClientExample/ClientExample.vbproj
+++ /dev/null
@@ -1,14 +0,0 @@
-
-
-
- Exe
- ClientExample
- net9.0
-
-
-
-
-
-
-
-
diff --git a/docs/orleans/host/snippets/transport-layer-security/vb/ClientExample/Program.vb b/docs/orleans/host/snippets/transport-layer-security/vb/ClientExample/Program.vb
deleted file mode 100644
index 9feac8f2dd3ad..0000000000000
--- a/docs/orleans/host/snippets/transport-layer-security/vb/ClientExample/Program.vb
+++ /dev/null
@@ -1,85 +0,0 @@
-Imports System
-
-Imports System.Security.Authentication
-Imports System.Security.Cryptography.X509Certificates
-Imports Microsoft.Extensions.Hosting
-Imports Microsoft.Extensions.Logging
-Imports Orleans.Connections.Security
-Imports Orleans.Hosting
-
-Module Program
- '
- Sub Main(args As String())
- Dim hostBuilder = Microsoft.Extensions.Hosting.Host.CreateDefaultBuilder(args)
- hostBuilder.UseOrleansClient(Sub(builder)
- builder _
- .UseLocalhostClustering() _
- .UseTls(StoreName.My, "my-certificate-subject", allowInvalid:=False, StoreLocation.CurrentUser,
- Sub(options)
- options.OnAuthenticateAsServer = Sub(connection, sslOptions)
- sslOptions.ClientCertificateRequired = True
- End Sub
- End Sub)
- End Sub)
- hostBuilder.ConfigureLogging(Sub(logging) logging.AddConsole())
- Dim host = hostBuilder.Build()
-
- host.RunAsync().Wait()
- End Sub
- '
-End Module
-
-Class ClientDevelopmentExample
- '
- Public Shared Async Function ConfigureDevelopmentTls() As Task
- Dim isDevelopment As Boolean = Environment.GetEnvironmentVariable("ASPNETCORE_ENVIRONMENT") = "Development"
-
- Dim hostBuilder = Microsoft.Extensions.Hosting.Host.CreateDefaultBuilder()
- hostBuilder.UseOrleansClient(Sub(builder)
- builder _
- .UseLocalhostClustering() _
- .UseTls(StoreName.My, "localhost", allowInvalid:=isDevelopment, StoreLocation.CurrentUser,
- Sub(options)
- If isDevelopment Then
- options.AllowAnyRemoteCertificate()
- End If
-
- options.OnAuthenticateAsServer = Sub(connection, sslOptions)
- sslOptions.ClientCertificateRequired = True
- End Sub
- End Sub)
- End Sub)
- hostBuilder.ConfigureLogging(Sub(logging) logging.AddConsole())
- Dim host = hostBuilder.Build()
-
- Await host.RunAsync()
- host.Dispose()
- End Function
- '
-End Class
-
-Class ClientCertificateExample
- '
- Public Shared Async Function ConfigureTlsWithCertificate() As Task
- Dim cert As X509Certificate2 = X509CertificateLoader.LoadPkcs12FromFile("path/to/certificate.pfx", "password")
-
- Dim hostBuilder = Microsoft.Extensions.Hosting.Host.CreateDefaultBuilder()
- hostBuilder.UseOrleansClient(Sub(builder)
- builder _
- .UseLocalhostClustering() _
- .UseTls(cert,
- Sub(options)
- options.OnAuthenticateAsServer = Sub(connection, sslOptions)
- sslOptions.ClientCertificateRequired = True
- End Sub
- End Sub)
- End Sub)
- hostBuilder.ConfigureLogging(Sub(logging) logging.AddConsole())
- Dim host = hostBuilder.Build()
-
- Await host.RunAsync()
- host.Dispose()
- cert.Dispose()
- End Function
- '
-End Class
diff --git a/docs/orleans/host/snippets/transport-layer-security/vb/SiloExample/Program.vb b/docs/orleans/host/snippets/transport-layer-security/vb/SiloExample/Program.vb
deleted file mode 100644
index 860bac8317015..0000000000000
--- a/docs/orleans/host/snippets/transport-layer-security/vb/SiloExample/Program.vb
+++ /dev/null
@@ -1,128 +0,0 @@
-Imports System
-
-Imports System.Net
-Imports System.Net.Security
-Imports System.Security.Authentication
-Imports System.Security.Cryptography.X509Certificates
-Imports Microsoft.Extensions.Hosting
-Imports Microsoft.Extensions.Logging
-Imports Orleans.Connections.Security
-Imports Orleans.Hosting
-
-Module Program
- '
- Sub Main(args As String())
- Dim hostBuilder = Microsoft.Extensions.Hosting.Host.CreateDefaultBuilder(args)
- hostBuilder.UseOrleans(Sub(builder)
- builder _
- .UseLocalhostClustering() _
- .UseTls(StoreName.My, "my-certificate-subject", allowInvalid:=False, StoreLocation.CurrentUser,
- Sub(options)
- options.OnAuthenticateAsClient = Sub(connection, sslOptions)
- sslOptions.TargetHost = "my-certificate-subject"
- End Sub
- End Sub)
- End Sub)
- hostBuilder.ConfigureLogging(Sub(logging) logging.AddConsole())
- Dim host = hostBuilder.Build()
-
- host.RunAsync().Wait()
- End Sub
- '
-End Module
-
-Class DevelopmentExample
- '
- Public Shared Async Function ConfigureDevelopmentTls() As Task
- Dim isDevelopment As Boolean = Environment.GetEnvironmentVariable("ASPNETCORE_ENVIRONMENT") = "Development"
-
- Dim hostBuilder = Microsoft.Extensions.Hosting.Host.CreateDefaultBuilder()
- hostBuilder.UseOrleans(Sub(builder)
- builder _
- .UseLocalhostClustering() _
- .UseTls(StoreName.My, "localhost", allowInvalid:=isDevelopment, StoreLocation.CurrentUser,
- Sub(options)
- options.OnAuthenticateAsClient = Sub(connection, sslOptions)
- sslOptions.TargetHost = "localhost"
- End Sub
-
- If isDevelopment Then
- options.AllowAnyRemoteCertificate()
- End If
- End Sub)
- End Sub)
- hostBuilder.ConfigureLogging(Sub(logging) logging.AddConsole())
- Dim host = hostBuilder.Build()
-
- Await host.RunAsync()
- host.Dispose()
- End Function
- '
-End Class
-
-Class CertificateExample
- '
- Public Shared Async Function ConfigureTlsWithCertificate() As Task
- Dim cert As X509Certificate2 = X509CertificateLoader.LoadPkcs12FromFile("path/to/certificate.pfx", "password")
-
- Dim hostBuilder = Microsoft.Extensions.Hosting.Host.CreateDefaultBuilder()
- hostBuilder.UseOrleans(Sub(builder)
- builder _
- .UseLocalhostClustering() _
- .UseTls(cert,
- Sub(options)
- options.OnAuthenticateAsClient = Sub(connection, sslOptions)
- sslOptions.TargetHost = cert.GetNameInfo(X509NameType.DnsName, False)
- End Sub
- End Sub)
- End Sub)
- hostBuilder.ConfigureLogging(Sub(logging) logging.AddConsole())
- Dim host = hostBuilder.Build()
-
- Await host.RunAsync()
- host.Dispose()
- cert.Dispose()
- End Function
- '
-End Class
-
-Class AdvancedExample
- '
- Public Shared Async Function ConfigureAdvancedTls() As Task
- Dim hostBuilder = Microsoft.Extensions.Hosting.Host.CreateDefaultBuilder()
- hostBuilder.UseOrleans(Sub(builder)
- builder _
- .UseLocalhostClustering() _
- .UseTls(StoreName.My, "my-certificate-subject", allowInvalid:=False, StoreLocation.LocalMachine,
- Sub(options)
- options.LocalServerCertificateSelector = Function(sender, serverName)
- Using store As New X509Store(StoreName.My, StoreLocation.LocalMachine)
- store.Open(OpenFlags.ReadOnly)
- Dim certs = store.Certificates.Find(X509FindType.FindBySubjectName, If(serverName, "my-certificate-subject"), validOnly:=True)
- Return If(certs.Count > 0, certs(0), Nothing)
- End Using
- End Function
-
- options.RemoteCertificateValidation = Function(certificate, chain, sslPolicyErrors)
- If sslPolicyErrors = SslPolicyErrors.None Then
- Return True
- End If
-
- Return False
- End Function
-
- options.OnAuthenticateAsClient = Sub(connection, sslOptions)
- sslOptions.TargetHost = "my-certificate-subject"
- End Sub
-
- options.CheckCertificateRevocation = True
- End Sub)
- End Sub)
- hostBuilder.ConfigureLogging(Sub(logging) logging.AddConsole())
- Dim host = hostBuilder.Build()
-
- Await host.RunAsync()
- host.Dispose()
- End Function
- '
-End Class
diff --git a/docs/orleans/host/snippets/transport-layer-security/vb/SiloExample/SiloExample.vbproj b/docs/orleans/host/snippets/transport-layer-security/vb/SiloExample/SiloExample.vbproj
deleted file mode 100644
index 9aacdc7713f8a..0000000000000
--- a/docs/orleans/host/snippets/transport-layer-security/vb/SiloExample/SiloExample.vbproj
+++ /dev/null
@@ -1,14 +0,0 @@
-
-
-
- Exe
- SiloExample
- net9.0
-
-
-
-
-
-
-
-
diff --git a/docs/orleans/host/transport-layer-security.md b/docs/orleans/host/transport-layer-security.md
index 669498b578b15..2104e4ad77712 100644
--- a/docs/orleans/host/transport-layer-security.md
+++ b/docs/orleans/host/transport-layer-security.md
@@ -1,14 +1,14 @@
---
-title: Transport Layer Security (TLS)
-description: Learn how to configure Transport Layer Security (TLS) in .NET Orleans to secure network communication between hosts.
+title: Orleans Transport Layer Security (TLS)
+description: Learn how to configure Transport Layer Security (TLS) and mutual TLS (mTLS) in .NET Orleans to secure network communication between hosts.
ms.date: 10/28/2025
ms.topic: how-to
ai-usage: ai-assisted
---
-# Transport Layer Security (TLS)
+# Orleans Transport Layer Security (TLS)
-Transport Layer Security (TLS) is a cryptographic protocol that secures network communication between Orleans silos and clients. Configure TLS to implement mutual authentication and encrypt data in transit, protecting your Orleans deployment from unauthorized access and eavesdropping.
+Transport Layer Security (TLS) is a cryptographic protocol that secures network communication between Orleans silos and clients. Configure TLS to implement mutual authentication (mTLS) and encrypt data in transit, protecting your Orleans deployment from unauthorized access and eavesdropping.
## Prerequisites
@@ -28,7 +28,6 @@ To enable TLS on an Orleans silo, use the method disables certificate validation in development.
> [!WARNING]
@@ -58,7 +56,6 @@ In the preceding code:
If you have a certificate file instead of using the certificate store, configure TLS as shown in the following example:
:::code language="csharp" source="./snippets/transport-layer-security/csharp/SiloExample/Program.cs" id="CertificateTlsConfiguration":::
-:::code language="vb" source="./snippets/transport-layer-security/vb/SiloExample/Program.vb" id="CertificateTlsConfiguration":::
In the preceding code:
@@ -70,7 +67,6 @@ In the preceding code:
For production deployments, you might need more control over certificate validation and protocol selection. The following example demonstrates advanced TLS configuration:
:::code language="csharp" source="./snippets/transport-layer-security/csharp/SiloExample/Program.cs" id="AdvancedTlsConfiguration":::
-:::code language="vb" source="./snippets/transport-layer-security/vb/SiloExample/Program.vb" id="AdvancedTlsConfiguration":::
In the preceding code:
@@ -87,7 +83,6 @@ Orleans clients require similar TLS configuration to securely connect to TLS-ena
The following example shows how to configure TLS on an Orleans client:
:::code language="csharp" source="./snippets/transport-layer-security/csharp/ClientExample/Program.cs" id="BasicClientTlsConfiguration":::
-:::code language="vb" source="./snippets/transport-layer-security/vb/ClientExample/Program.vb" id="BasicClientTlsConfiguration":::
In the preceding code:
@@ -100,14 +95,12 @@ In the preceding code:
For development environments, configure the client with relaxed validation as shown in the following example:
:::code language="csharp" source="./snippets/transport-layer-security/csharp/ClientExample/Program.cs" id="ClientDevelopmentTlsConfiguration":::
-:::code language="vb" source="./snippets/transport-layer-security/vb/ClientExample/Program.vb" id="ClientDevelopmentTlsConfiguration":::
### Certificate file client configuration
Configure a client using a certificate file as shown in the following example:
:::code language="csharp" source="./snippets/transport-layer-security/csharp/ClientExample/Program.cs" id="ClientCertificateTlsConfiguration":::
-:::code language="vb" source="./snippets/transport-layer-security/vb/ClientExample/Program.vb" id="ClientCertificateTlsConfiguration":::
## Best practices
From 07d6f8cbc26a1d00bbd7e346540d01090eab7388 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Tue, 28 Oct 2025 19:57:56 +0000
Subject: [PATCH 5/6] Add solution file and README to ensure samples build
Co-authored-by: ReubenBond <203839+ReubenBond@users.noreply.github.com>
---
.../transport-layer-security/csharp/README.md | 27 +++++++++++++++++++
1 file changed, 27 insertions(+)
create mode 100644 docs/orleans/host/snippets/transport-layer-security/csharp/README.md
diff --git a/docs/orleans/host/snippets/transport-layer-security/csharp/README.md b/docs/orleans/host/snippets/transport-layer-security/csharp/README.md
new file mode 100644
index 0000000000000..0888a35bdc7d2
--- /dev/null
+++ b/docs/orleans/host/snippets/transport-layer-security/csharp/README.md
@@ -0,0 +1,27 @@
+# Transport Layer Security (TLS) Code Samples
+
+This directory contains code samples demonstrating how to configure Transport Layer Security (TLS) in Orleans applications.
+
+## Projects
+
+- **SiloExample**: Demonstrates TLS configuration for Orleans silos
+- **ClientExample**: Demonstrates TLS configuration for Orleans clients
+
+## Building the Samples
+
+To build all samples:
+
+```bash
+dotnet build transport-layer-security.sln
+```
+
+To build individual projects:
+
+```bash
+dotnet build SiloExample/SiloExample.csproj
+dotnet build ClientExample/ClientExample.csproj
+```
+
+## Note
+
+These samples are intended for documentation purposes and demonstrate various TLS configuration scenarios including basic setup, development environments, certificate files, and advanced configurations.
From 1c0c8a9d408296b2dd07af1fc87eefceb06cc463 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Tue, 28 Oct 2025 19:59:09 +0000
Subject: [PATCH 6/6] Add solution file for TLS samples
Co-authored-by: ReubenBond <203839+ReubenBond@users.noreply.github.com>
---
.../csharp/transport-layer-security.sln | 48 +++++++++++++++++++
1 file changed, 48 insertions(+)
create mode 100644 docs/orleans/host/snippets/transport-layer-security/csharp/transport-layer-security.sln
diff --git a/docs/orleans/host/snippets/transport-layer-security/csharp/transport-layer-security.sln b/docs/orleans/host/snippets/transport-layer-security/csharp/transport-layer-security.sln
new file mode 100644
index 0000000000000..38d7cc75364a3
--- /dev/null
+++ b/docs/orleans/host/snippets/transport-layer-security/csharp/transport-layer-security.sln
@@ -0,0 +1,48 @@
+
+Microsoft Visual Studio Solution File, Format Version 12.00
+# Visual Studio Version 17
+VisualStudioVersion = 17.0.31903.59
+MinimumVisualStudioVersion = 10.0.40219.1
+Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "SiloExample", "SiloExample\SiloExample.csproj", "{FEC1D74E-6879-4473-8D45-A846339B8063}"
+EndProject
+Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "ClientExample", "ClientExample\ClientExample.csproj", "{72192298-953F-4F4E-976D-A2C38A6175CC}"
+EndProject
+Global
+ GlobalSection(SolutionConfigurationPlatforms) = preSolution
+ Debug|Any CPU = Debug|Any CPU
+ Debug|x64 = Debug|x64
+ Debug|x86 = Debug|x86
+ Release|Any CPU = Release|Any CPU
+ Release|x64 = Release|x64
+ Release|x86 = Release|x86
+ EndGlobalSection
+ GlobalSection(ProjectConfigurationPlatforms) = postSolution
+ {FEC1D74E-6879-4473-8D45-A846339B8063}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+ {FEC1D74E-6879-4473-8D45-A846339B8063}.Debug|Any CPU.Build.0 = Debug|Any CPU
+ {FEC1D74E-6879-4473-8D45-A846339B8063}.Debug|x64.ActiveCfg = Debug|Any CPU
+ {FEC1D74E-6879-4473-8D45-A846339B8063}.Debug|x64.Build.0 = Debug|Any CPU
+ {FEC1D74E-6879-4473-8D45-A846339B8063}.Debug|x86.ActiveCfg = Debug|Any CPU
+ {FEC1D74E-6879-4473-8D45-A846339B8063}.Debug|x86.Build.0 = Debug|Any CPU
+ {FEC1D74E-6879-4473-8D45-A846339B8063}.Release|Any CPU.ActiveCfg = Release|Any CPU
+ {FEC1D74E-6879-4473-8D45-A846339B8063}.Release|Any CPU.Build.0 = Release|Any CPU
+ {FEC1D74E-6879-4473-8D45-A846339B8063}.Release|x64.ActiveCfg = Release|Any CPU
+ {FEC1D74E-6879-4473-8D45-A846339B8063}.Release|x64.Build.0 = Release|Any CPU
+ {FEC1D74E-6879-4473-8D45-A846339B8063}.Release|x86.ActiveCfg = Release|Any CPU
+ {FEC1D74E-6879-4473-8D45-A846339B8063}.Release|x86.Build.0 = Release|Any CPU
+ {72192298-953F-4F4E-976D-A2C38A6175CC}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+ {72192298-953F-4F4E-976D-A2C38A6175CC}.Debug|Any CPU.Build.0 = Debug|Any CPU
+ {72192298-953F-4F4E-976D-A2C38A6175CC}.Debug|x64.ActiveCfg = Debug|Any CPU
+ {72192298-953F-4F4E-976D-A2C38A6175CC}.Debug|x64.Build.0 = Debug|Any CPU
+ {72192298-953F-4F4E-976D-A2C38A6175CC}.Debug|x86.ActiveCfg = Debug|Any CPU
+ {72192298-953F-4F4E-976D-A2C38A6175CC}.Debug|x86.Build.0 = Debug|Any CPU
+ {72192298-953F-4F4E-976D-A2C38A6175CC}.Release|Any CPU.ActiveCfg = Release|Any CPU
+ {72192298-953F-4F4E-976D-A2C38A6175CC}.Release|Any CPU.Build.0 = Release|Any CPU
+ {72192298-953F-4F4E-976D-A2C38A6175CC}.Release|x64.ActiveCfg = Release|Any CPU
+ {72192298-953F-4F4E-976D-A2C38A6175CC}.Release|x64.Build.0 = Release|Any CPU
+ {72192298-953F-4F4E-976D-A2C38A6175CC}.Release|x86.ActiveCfg = Release|Any CPU
+ {72192298-953F-4F4E-976D-A2C38A6175CC}.Release|x86.Build.0 = Release|Any CPU
+ EndGlobalSection
+ GlobalSection(SolutionProperties) = preSolution
+ HideSolutionNode = FALSE
+ EndGlobalSection
+EndGlobal