Azure Service Bus Relays, SAS tokens and BizTalk Server

Posted: March 29, 2016  |  Categories: Azure BizTalk Uncategorized

Many people have written about Azure Service Bus Relays in the past and a summary can be found here. Dan Rosanova recently tweeted “….We’re trying to discourage ACS for security. SAS is our preferred model.” The ACS security pattern is described here and the SAS pattern is described here. This article attempts to summarise BizTalk adapter support for using SAS tokens.

Most BizTalk Server examples use ACS tokens rather than SAS tokens, probably because the BizTalk Adapters only allowed configuration with ACS tokens when service bus relays were first released with BizTalk 2013. BizTalk 2013 R2 has limited support for configuration of SAS tokens and most adapters only allow use of ACS tokens out of the box (OOTB). If you want to use a SAS token you have to be very inventive. I hope that BizTalk vNext will add SAS token support for all WCF adapters.

The BizTalk 2013 R2 SB-messaging adapter allows configuration of SAS tokens. The diagrams below show the BizTalk 2013 SB-messaging adapter, which only allows configuration of ACS tokens, and the BizTalk 2013 R2 adapter, which uses SAS tokens.

image

The BizTalk WCF-BasicHttp and WCF-NetTcp adapters can be configured to use a relay binding in two ways, but only ACS tokens are supported out of the box. The two configurations are:

  1. Selecting the built-in WCF-BasicHttpRelay or WCF-NetTcpRelay adapters. See https://msdn.microsoft.com/en-us/library/jj572837.aspx and https://msdn.microsoft.com/en-us/library/jj572861.aspx. In BizTalk 2013 R2, during configuration you can only choose an ACS token.

     image

  2. Using the WCF Service Publishing Wizard, choosing the WCF-WSHttp, WCF-WebHttp, WCF-BasicHttp or WCF-CustomIsolated adapter and selecting the Add a Service Bus checkbox. Additional screens at the final stages of the wizard then allow you to choose a service bus namespace and specify the ACS credentials that BizTalk uses to connect to the relay.

image

I want to finish this article by highlighting that with a little bit of effort you can indeed use a service bus relay secured with SAS tokens with other WCF adapters in BizTalk 2013 R2. We have used WCF-WebHTTP adapters with service bus relays secured with SAS tokens, following a pattern first created by Johann Cooper (https://adventuresinsidethemessagebox.wordpress.com/2015/04/12/getting-azure-service-bus-relays-and-the-biztalk-wcf-webhttp-adapter-to-play-nice-with-each-other/). Johann said “I’ve found a way to get this to work with SAS, but more on this in another blog post”. I am going to tell you how we did it in case I forget.

Firstly we downloaded this version of the Microsoft.ServiceBus.dll and installed it in the GAC.

image

Secondly we added a behaviour extension to the 32-bit and 64-bit machine.config files.

        <add name="transportClientEndpointBehavior" type="Microsoft.ServiceBus.Configuration.TransportClientEndpointBehaviorElement, Microsoft.ServiceBus, Version=2.6.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"/>

Thirdly we added a webHttpRelayBinding as a binding extension to the same machine.config files.

        <add name="webHttpRelayBinding" type="Microsoft.ServiceBus.Configuration.WebHttpRelayBindingCollectionElement, Microsoft.ServiceBus, Version=2.6.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"/>

Finally we edited the web configuration of the WCF-WebHTTP adapter, created following the article above, and added a sharedAccessSignature as the tokenProvider in the endpoint behaviour (circled in yellow). Once you browse to the base URL, a service bus relay protected with SAS tokens is created in Azure. We created a BizTalkAccessKey that has manage, listen and send permissions and a ClientAccessKey that has only listen permission.

image
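
A sketch of what that web.config section can look like, as an added example rather than the configuration from the original screenshot. The behaviour and binding names are hypothetical, and the values in capitals (namespace, relay path, key, service name and contract) are placeholders to be taken from your own namespace and from the web.config the publishing wizard generated.

```xml
<!-- Added example: endpoint behaviour and relay binding for a SAS-secured relay. -->
<!-- sasRelayBehavior and sasRelayBinding are hypothetical names.                 -->
<system.serviceModel>
  <bindings>
    <webHttpRelayBinding>
      <binding name="sasRelayBinding">
        <!-- RelayAccessToken: callers must present a token to the relay. -->
        <security mode="Transport"
                  relayClientAuthenticationType="RelayAccessToken" />
      </binding>
    </webHttpRelayBinding>
  </bindings>

  <behaviors>
    <endpointBehaviors>
      <behavior name="sasRelayBehavior">
        <!-- Registered by the machine.config behaviour extension above. -->
        <transportClientEndpointBehavior>
          <tokenProvider>
            <!-- keyName is the SAS policy name; key is its secret (placeholder). -->
            <sharedAccessSignature keyName="BizTalkAccessKey"
                                   key="PLACEHOLDER_SAS_KEY" />
          </tokenProvider>
        </transportClientEndpointBehavior>
      </behavior>
    </endpointBehaviors>
  </behaviors>

  <services>
    <!-- Keep the service name and contract already present in your web.config. -->
    <service name="PLACEHOLDER_SERVICE_NAME">
      <endpoint address="https://PLACEHOLDER-NAMESPACE.servicebus.windows.net/PLACEHOLDER-PATH"
                binding="webHttpRelayBinding"
                bindingConfiguration="sasRelayBinding"
                behaviorConfiguration="sasRelayBehavior"
                contract="PLACEHOLDER_CONTRACT" />
    </service>
  </services>
</system.serviceModel>
```

The SAS key sits in clear text in this file, so restrict read access to web.config to the application pool identity and administrators.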

In this article I have shown that you can use SAS tokens with the BizTalk Server 2013 R2 WCF adapters with some customisation. I look forward to a BizTalk Server release that allows us to configure SAS tokens on the WCF adapters.

  • Nice one Mark, thanks for documenting this since I never got around to it 🙂

    If I remember right you must update the version of Microsoft.ServiceBus (in GAC and machine.config) in order to take advantage of SAS? If I remember this right you might want to add this detail in your post?

    • mbrimble

      Well spotted. I will update the article soon.

  • Deepa Kamalanathan

    Nice article Mark!

  • Reblogged this on Mind Over Messaging and commented:
    Great article by Mark Brimble. Definitely hoping to see some better SAS support across WCF adapters in BizTalk Server 2016!
