21 March 2012 14:20
I want to use ACS as an STS for the service bus. I've managed to use ACS for authentication for a web service. However, the service bus requires a token and I don't know how to retrieve one from ACS.
In short, I want my client services to be able to use the service bus by authenticating with certificates that match certificates stored as service identities in ACS (the one corresponding to the service bus, -sb).
Also, I'm using NetTcpRelayBinding for the Service Bus.
21 March 2012 14:42
The tokens you mentioned can be created using the SBAzTool available on code.msdn.microsoft.com: http://code.msdn.microsoft.com/windowsazure/Authorization-SBAzTool-6fd76d93 With this tool you can add extra 'accounts' with tokens next to the default 'owner'. Now this will work if you use tokens, but I doubt this will help you in using the certificates for authentication.
You might also want to take a look at Clemens' talk a few months ago, he explains in detail how you can start securing your SB with ACS: http://channel9.msdn.com/posts/Securing-Service-Bus-with-ACS
Sandrino Di Mattia | Twitter: http://twitter.com/sandrinodm | Azure Blog: http://fabriccontroller.net/blog | Blog: http://sandrinodimattia.net/blog
21 March 2012 15:01
Thanks Sandrino for your quick response. However, I've succeeded in adding service identities that use symmetric keys. The problem is certificates. I can create new service identities in ACS that use certificate credentials and use those to authenticate the client before using a web service. But I've been unable to authenticate before using the service bus.
What am I missing here...
22 March 2012 4:17 Moderator
As far as I know, if you want to add ACS to the ServiceBus sample, please add the certificate in the ACS management portal; refer to the following article for more details:
Then you can check the sample provided by the Azure Team Blog:
Hope it helps.
22 March 2012 13:11
Thanks Arwind! That helped and I've now managed to retrieve a SAML token from the ACS using client certificate! Next problem is that I get unauthorized error when trying to use the retrieved SAML as credentials for the service bus. And, yes, the service bus is set to use SAML 2.0 as credentials. Maybe I wrongly assume that I can use the retrieved token as credential to the service bus?
Exception when trying to connect to service bus with saml token:
"The token provider was unable to provide a security token while accessing 'https://XXXX-sb.accesscontrol.windows.net/WRAPv0.9/'. Token provider returned message: 'Error:Code:401:SubCode:T0:Detail::TraceID:01815c06-97c5-4a02-b0af-9fcf3e49075b:TimeStamp:2012-03-22 13:08:41Z'."
With inner exception: "The remote server returned an error: (401) Unauthorized."
To get the token from ACS I modified this sample:
22 March 2012 16:37
Two good sources of information:
Service Bus is automatically paired with the ACS namespace and expects SWT tokens. You can only work with the -sb namespace to set up federation for now and the -sb namespace in ACS already has the correct baseline setup with SWT tokens.
- Proposed as answer by clemensv 22 March 2012 18:35
22 March 2012 18:38
Thanks clemensv. Both information sources very good but a bit too basic. I've opened a support case on this so hopefully I reach a solution soon.
Thanks for all feedback!
- Marked as answer by Arwind - MSFT Moderator 27 March 2012 11:37
10 April 2012 7:43
Did you get any solution for the issue you raised? I am also trying the same scenario. If you find any solution please let me know.
12 April 2012 6:32
Yes, I reached a solution together with MS support. The primary problem with my approach was that I didn't need to retrieve a token from ACS before I connect to the SB. Instead, I create a token by myself and use that to connect to the SB. Basically, I created a SAML token and signed it with my certificate.
Let me know if you need code sample.
20 April 2012 9:32
Thanks for your response. I solved the issue by following the code from the acs\WebServices\Acs2CertificateBindingSample folder, which is downloadable from http://acs.codeplex.com/.
But if you find time, please send me the code. I am interested to get to know the way you solved it.
07 August 2012 15:15
I know this does not have anything in particular to do with Jimmy Carslon's issue, but I was getting the same error. It turns out that changing my app.config and rebuilding and repackaging Azure does not update the configuration files for Azure, which was what my app was running from.
So if you ever change your issuer secret in app.config, check that these changes are applied to the Azure config files.
07 December 2012 23:22
Hi Jimmy - I'm looking at exactly the same scenario as you were. Namely, I have an on-premises application that has an X.509 client certificate that I'd like to use as credentials to authenticate and use the Service Bus Relay to publish a WCF service's endpoint via NetTcpRelayBinding.
As I understand it, the steps you took were:
1. Added a Service Identity in the Service Bus's buddy -sb namespace and added the X.509 certificate (i.e., .cer) to it.
2. Created a SAML 2 token, signed it with the X.509 certificate's private key and attached the signed SAML token to the TokenProvider before registering the WCF service with the Service Bus. I assume the SAML token had the appropriate set of Service Bus claims added to it (e.g., net.windows.servicebus.action = Listen)?
Would it be possible to get a code sample to show how you did this? Many thanks in advance for your help and advice.
- Edited by Neville J. Parakh 07 December 2012 23:44
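The approach Jimmy describes in his 12 April reply (create the SAML token yourself, sign it with the client certificate, and hand it to the Service Bus token provider instead of fetching a token from ACS first) and the two steps Neville summarizes above, written out as an added example. This is not code from the thread, from the ACS codeplex samples or from Microsoft; it assumes .NET 4.5 (System.IdentityModel) and the Microsoft.ServiceBus 1.x client library. The namespace name contoso, the service identity name relaylistener, the relay path echo and the thumbprint placeholder are hypothetical and must be replaced. It also assumes the -sb ACS namespace already has a rule granting net.windows.servicebus.action = Listen to that service identity, so the assertion only names the identity rather than self-asserting action claims.

```csharp
// Added example (not the thread's own code). Assumes .NET 4.5 and Microsoft.ServiceBus 1.x.
using System;
using System.IdentityModel.Protocols.WSTrust;
using System.IdentityModel.Tokens;
using System.Security.Claims;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.Text;
using System.Xml;
using Microsoft.ServiceBus;

[ServiceContract]
public interface IEcho { [OperationContract] string Echo(string text); }

public class EchoService : IEcho { public string Echo(string text) { return text; } }

class CertificateSamlRelayListener
{
    // Hypothetical values: the Service Bus namespace, the service identity created in the
    // buddy <namespace>-sb ACS namespace with the X.509 certificate attached, and the
    // thumbprint of that certificate (with private key) in the CurrentUser\My store.
    const string ServiceNamespace = "contoso";
    const string ServiceIdentityName = "relaylistener";
    const string CertificateThumbprint = "REPLACE-WITH-CLIENT-CERT-THUMBPRINT";

    static X509Certificate2 FindClientCertificate(string thumbprint)
    {
        var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            var matches = store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, validOnly: false);
            if (matches.Count == 0)
                throw new InvalidOperationException("Client certificate not found in CurrentUser\\My.");
            var cert = matches[0];
            // Without the private key the assertion cannot be signed, and ACS will reject it.
            if (!cert.HasPrivateKey)
                throw new InvalidOperationException("Certificate has no private key; cannot sign the SAML assertion.");
            return cert;
        }
        finally { store.Close(); }
    }

    // Step 2 of the thread: a self-issued SAML 2.0 assertion, signed with the client certificate.
    // ACS matches the signing certificate against the service identity; the audience is the
    // Service Bus realm registered in the -sb namespace (assumed to be the namespace root URI).
    static string CreateSignedSamlAssertion(X509Certificate2 signingCert)
    {
        string realm = string.Format("http://{0}.servicebus.windows.net/", ServiceNamespace);
        var identity = new ClaimsIdentity(new[] { new Claim(ClaimTypes.NameIdentifier, ServiceIdentityName) });

        var descriptor = new SecurityTokenDescriptor
        {
            TokenIssuerName = ServiceIdentityName,
            AppliesToAddress = realm,
            Subject = identity,
            // Short lifetime with a little clock-skew allowance; ACS rejects expired assertions.
            Lifetime = new Lifetime(DateTime.UtcNow.AddMinutes(-5), DateTime.UtcNow.AddHours(1)),
            SigningCredentials = new X509SigningCredentials(signingCert)
        };

        var handler = new Saml2SecurityTokenHandler();
        SecurityToken token = handler.CreateToken(descriptor);

        var xml = new StringBuilder();
        using (var writer = XmlWriter.Create(xml, new XmlWriterSettings { OmitXmlDeclaration = true }))
        {
            handler.WriteToken(writer, token);
        }
        return xml.ToString();
    }

    static void Main()
    {
        X509Certificate2 cert = FindClientCertificate(CertificateThumbprint);
        string saml = CreateSignedSamlAssertion(cert);

        // The SAML token provider presents the signed assertion to the -sb ACS namespace
        // (the WRAPv0.9 endpoint seen in the 401 above) and exchanges it for the SWT that
        // Service Bus actually checks. No separate call to ACS is made by this code.
        TokenProvider tokenProvider = TokenProvider.CreateSamlTokenProvider(saml);

        Uri address = ServiceBusEnvironment.CreateServiceUri("sb", ServiceNamespace, "echo");
        var host = new ServiceHost(typeof(EchoService));
        ServiceEndpoint endpoint = host.AddServiceEndpoint(typeof(IEcho), new NetTcpRelayBinding(), address);
        endpoint.Behaviors.Add(new TransportClientEndpointBehavior { TokenProvider = tokenProvider });

        host.Open();
        Console.WriteLine("Listening on {0}; press Enter to stop.", address);
        Console.ReadLine();
        host.Close();
    }
}
```

If ACS still answers 401 with this flow, the things to check are the ones the thread already hints at: the .cer uploaded to the service identity must be the public half of the certificate that signed the assertion, the assertion's audience must match the realm of the Service Bus relying party in the -sb namespace, and the rule group for that relying party must actually grant the Listen (or Send) action to the identity, since the assertion itself does not carry those claims.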