Many people have written about Azure Service Bus Relays in the past and a summary can be found here. Dan Rosanova recently tweeted “….We’re trying to discourage ACS for security. SAS is our preferred model.”. The ACS security pattern is described here and the SAS pattern is described here. This article attempts to summarise BizTalk adapter support for using SAS tokens.
Most BizTalk Server examples use ACS tokens rather than SAS tokens, probably because the BizTalk Adapters only allowed configuration with ACS tokens when service bus relays were first released with BizTalk 2013. BizTalk 2013 R2 has limited support for configuration of SAS tokens and most adapters only allow use of ACS tokens out of the box (OOTB). If you want to use a SAS token you have to be very inventive. I hope that BizTalk vNext will add SAS token support for all WCF adapters.
The BizTalk 2013 R2 SB-Messaging adapter allows configuration of SAS tokens. The diagrams below show the BizTalk 2013 SB-Messaging adapter, which only allows configuration of ACS tokens, and the BizTalk 2013 R2 adapter, which uses SAS tokens.
The BizTalk WCF-BasicHttp and WCF-NetTcp adapters can be configured to use a relay binding in two ways, but only ACS tokens are supported out of the box. The two configurations are:
- Selecting the built-in WCF-BasicHttpRelay or WCF-NetTcpRelay adapters. See https://msdn.microsoft.com/en-us/library/jj572837.aspx and https://msdn.microsoft.com/en-us/library/jj572861.aspx. In BizTalk 2013 R2 you can only choose an ACS token during configuration.
- Using the WCF Service Publishing Wizard, choosing the WCF-WSHttp, WCF-WebHttp, WCF-BasicHttp or WCF-CustomIsolated adapter and selecting the Add a Service Bus checkbox. You will then be presented with additional screens at the final stages of the wizard that allow you to choose a service bus namespace and specify the ACS credentials that BizTalk uses to connect to the relay.
I want to finish this article by highlighting that with a little bit of effort you can indeed use a service bus relay for BizTalk 2013 R2 secured with SAS tokens with other WCF adapters. We have used WCF-WebHTTP adapters with service bus relays secured with SAS tokens, following a pattern first created by Johann Cooper ( https://adventuresinsidethemessagebox.wordpress.com/2015/04/12/getting-azure-service-bus-relays-and-the-biztalk-wcf-webhttp-adapter-to-play-nice-with-each-other/). Johann said “I’ve found a way to get this to work with SAS, but more on this in another blog post”. I am going to tell you how we did it in case I forget.
Firstly we downloaded this version of the Microsoft.ServiceBus.dll and installed it in the GAC.
Secondly we added a behaviour extension to the 32-bit and 64-bit machine.config files.
<add name="transportClientEndpointBehavior" type="Microsoft.ServiceBus.Configuration.TransportClientEndpointBehaviorElement, Microsoft.ServiceBus, Version=22.214.171.124, Culture=neutral, PublicKeyToken=31bf3856ad364e35"/>
Thirdly we added a webHttpRelayBinding as a binding extension to the same machine.config files.
<add name="webHttpRelayBinding" type="Microsoft.ServiceBus.Configuration.WebHttpRelayBindingCollectionElement, Microsoft.ServiceBus, Version=126.96.36.199, Culture=neutral, PublicKeyToken=31bf3856ad364e35"/>
Finally we edited the web configuration of the WCF-WebHTTP adapter created following the article above and added a sharedAccessSignature as the tokenProvider in the endpointBehavior (circled in yellow). Once you browse to the base URL, a service bus relay protected with SAS tokens is created in Azure. We created a BizTalkAccessKey that has manage, listen and send permissions and a ClientAccessKey that has only listen permission.
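As an added example (not the author's actual configuration, and not generated by the wizard), here is what the web.config of the published WCF-WebHTTP service looks like when the steps above are combined: the two extension registrations (which the author placed in machine.config; they can equally sit in the service's own web.config), a webHttpRelayBinding that requires a relay access token, and a transportClientEndpointBehavior whose tokenProvider is a sharedAccessSignature instead of the ACS sharedSecret element. The namespace, relay path, service name, contract, key value and assembly Version are placeholders; the Version must match the Microsoft.ServiceBus.dll installed in the GAC.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.serviceModel>
    <!-- Extension registrations. The post puts these in the 32-bit and 64-bit
         machine.config so every host sees them. ASSEMBLY_VERSION_PLACEHOLDER must
         be replaced with the version of the Microsoft.ServiceBus.dll in the GAC. -->
    <extensions>
      <behaviorExtensions>
        <add name="transportClientEndpointBehavior"
             type="Microsoft.ServiceBus.Configuration.TransportClientEndpointBehaviorElement, Microsoft.ServiceBus, Version=ASSEMBLY_VERSION_PLACEHOLDER, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
      </behaviorExtensions>
      <bindingExtensions>
        <add name="webHttpRelayBinding"
             type="Microsoft.ServiceBus.Configuration.WebHttpRelayBindingCollectionElement, Microsoft.ServiceBus, Version=ASSEMBLY_VERSION_PLACEHOLDER, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
      </bindingExtensions>
    </extensions>

    <bindings>
      <webHttpRelayBinding>
        <!-- RelayAccessToken makes the relay reject callers that present no token.
             The other value, None, would let anonymous callers reach the endpoint. -->
        <binding name="sasRelayBinding">
          <security relayClientAuthenticationType="RelayAccessToken" />
        </binding>
      </webHttpRelayBinding>
    </bindings>

    <behaviors>
      <endpointBehaviors>
        <behavior name="sasTokenProvider">
          <transportClientEndpointBehavior>
            <tokenProvider>
              <!-- SAS credentials in place of the ACS
                   <sharedSecret issuerName="..." issuerSecret="..."/> element.
                   keyName is the shared access policy on the namespace (the post's
                   BizTalkAccessKey); key is that policy's primary or secondary key. -->
              <sharedAccessSignature keyName="BizTalkAccessKey"
                                     key="PRIMARY_KEY_PLACEHOLDER" />
            </tokenProvider>
          </transportClientEndpointBehavior>
        </behavior>
      </endpointBehaviors>
    </behaviors>

    <services>
      <!-- Service and contract names are placeholders for the ones the WCF Service
           Publishing Wizard generates. The relay endpoint is registered in Azure the
           first time the host activates this service (browsing to the base URL). -->
      <service name="SERVICE_NAME_PLACEHOLDER">
        <endpoint address="https://NAMESPACE_PLACEHOLDER.servicebus.windows.net/RELAY_PATH_PLACEHOLDER"
                  binding="webHttpRelayBinding"
                  bindingConfiguration="sasRelayBinding"
                  behaviorConfiguration="sasTokenProvider"
                  contract="CONTRACT_PLACEHOLDER" />
      </service>
    </services>
  </system.serviceModel>
</configuration>
```

Two things to check once this is in place. The key sits in clear text in web.config, so restrict the file's ACL to the BizTalk isolated host account and consider encrypting the system.serviceModel section with .NET protected configuration (aspnet_regiis -pe). And the listener registration itself only needs the Listen right; a policy that also carries Manage lets anyone who reads the file reconfigure the namespace, so keeping Manage on a separate policy used only by administrators limits what a leaked web.config exposes.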
In this article I have shown that you can use SAS tokens with the BizTalk Server 2013 R2 WCF adapters with some customisation. I look forward to a BizTalk Server release that allows us to configure SAS tokens on the WCF adapters.