How to retrieve token for service bus from ACS?

    Question

  • Hi!

    I want to use ACS as a STS for the service bus. I've managed to use ACS for authentication for a web service. However, the service bus requires a token and I don't know how to retrieve such from the ACS?

    In short, I want my client services to be able to use the service bus by authenticating with certificates that match certificates stored as service identities in the ACS (the one corresponding to the service bus -sb).

    Also, I'm using NetTcpRelayBinding for the Service Bus.

    21 March 2012 14:20

Answers

  • Thanks clemensv. Both information sources very good but a bit too basic. I've opened a support case on this so hopefully I reach a solution soon.

    Thanks for all feedback!

    22 March 2012 18:38

All replies

  • Hi Jimmy,

    The tokens you mentioned can be created using the SBAzTool available on code.msdn.microsoft.com: http://code.msdn.microsoft.com/windowsazure/Authorization-SBAzTool-6fd76d93 With this tool you can add extra 'accounts' with token next to the default 'owner'. Now this will work if you use tokens, but I doubt this will help you in using the certificates for authentication.

    You might also want to take a look at Clemens' talk a few months ago, he explains in detail how you can start securing your SB with ACS: http://channel9.msdn.com/posts/Securing-Service-Bus-with-ACS 

    Sandrino


    Sandrino Di Mattia | Twitter: http://twitter.com/sandrinodm | Azure Blog: http://fabriccontroller.net/blog | Blog: http://sandrinodimattia.net/blog

    21 March 2012 14:42
  • Thanks Sandrino for your quick response. However, I've succeeded adding service identities that use symmetric keys. The problem is certificates. I can create new service identities in ACS that use certificate credentials and use those to authenticate client before using a web service. But I've been unable to authenticate before using the service bus.

    What am I missing here...

    21 March 2012 15:01
  • Hi,

    As far as I know, if you want to add ACS with ServiceBus sample, please add certificate to ACS management portal, refer to the following article for more details:

    http://msdn.microsoft.com/en-us/library/windowsazure/hh135144.aspx

    Then you can check the sample that is provided by Azure Team Blog:

    http://blogs.msdn.com/b/windowsazureappfabric/archive/2010/06/30/new-sample-consuming-acs-and-service-bus-from-flash.aspx

    Hope it helps.


    Please mark the replies as answers if they help or unmark if not. If you have any feedback about my replies, please contact msdnmg@microsoft.com Microsoft One Code Framework

    22 March 2012 04:17
    Moderator
  • Thanks Arwind! That helped and I've now managed to retrieve a SAML token from the ACS using client certificate! Next problem is that I get unauthorized error when trying to use the retrieved SAML as credentials for the service bus. And, yes, the service bus is set to use SAML 2.0 as credentials. Maybe I wrongly assume that I can use the retrieved token as credential to the service bus?

    Exception when trying to connect to service bus with saml token:

    "The token provider was unable to provide a security token while accessing 'https://XXXX-sb.accesscontrol.windows.net/WRAPv0.9/'. Token provider returned message: 'Error:Code:401:SubCode:T0:Detail::TraceID:01815c06-97c5-4a02-b0af-9fcf3e49075b:TimeStamp:2012-03-22 13:08:41Z'."

    With inner exception: "The remote server returned an error: (401) Unauthorized."

    To get the token from ACS I modified this sample:
    http://www.wadewegner.com/2010/11/using-the-saml-credentialtype-to-authenticate-to-the-service-bus/

    22 March 2012 13:11
  • Two good sources of information:

    http://msdn.microsoft.com/en-us/library/windowsazure/hh403962.aspx

    and

    http://channel9.msdn.com/posts/Securing-Service-Bus-with-ACS

    Service Bus is automatically paired with the ACS namespace and expects SWT tokens. You can only work with the -sb namespace to set up federation for now and the -sb namespace in ACS already has the correct baseline setup with SWT tokens.

    • Proposed as answer by clemensv, 22 March 2012 18:35
    22 March 2012 16:37
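An added illustration of the SWT (Simple Web Token) format named in the reply above; it is not part of the thread and is not ACS or Service Bus code. It shows the checks a relying party applies to such a token: HMAC-SHA256 signature over the form-encoded body, issuer, audience and expiry. The namespace `contoso`, the signing key and the timestamps are constructed sample values.

```python
import base64, hashlib, hmac, time
from urllib.parse import parse_qsl, quote, unquote, urlencode

SIG = "&HMACSHA256="  # SWT: the signature is always the last name/value pair

def _mac(body: str, key: bytes) -> bytes:
    return hmac.new(key, body.encode("ascii"), hashlib.sha256).digest()

def sign_swt(pairs, key: bytes) -> str:
    """Form-encode the claims and append the HMAC-SHA256 pair, as an SWT issuer does."""
    body = urlencode(pairs)
    return body + SIG + quote(base64.b64encode(_mac(body, key)), safe="")

def validate_swt(token: str, key: bytes, issuer: str, audience: str, now=None) -> dict:
    """Return the claims of a valid token; raise ValueError naming the failed check."""
    body, sep, sig = token.rpartition(SIG)
    if not sep:
        raise ValueError("missing HMACSHA256 pair")
    # Verify the signature over the raw body before trusting any claim in it.
    presented = base64.b64decode(unquote(sig), validate=True)
    if not hmac.compare_digest(_mac(body, key), presented):
        raise ValueError("signature mismatch")
    pairs = parse_qsl(body, keep_blank_values=True, strict_parsing=True)
    claims = dict(pairs)
    if len(claims) != len(pairs):
        raise ValueError("duplicate claim name")
    if claims.get("Issuer") != issuer:
        raise ValueError("unexpected issuer")
    if claims.get("Audience") != audience:
        raise ValueError("unexpected audience")
    if int(claims.get("ExpiresOn", "0")) <= (time.time() if now is None else now):
        raise ValueError("token expired")
    return claims

# Constructed sample values: the namespace "contoso", the key and the times are made up.
KEY = b"constructed-demo-signing-key-000"
ISSUER = "https://contoso-sb.accesscontrol.windows.net/"
AUDIENCE = "http://contoso.servicebus.windows.net/"
SAMPLE = sign_swt([("net.windows.servicebus.action", "Listen"), ("Issuer", ISSUER),
                   ("Audience", AUDIENCE), ("ExpiresOn", "1332450000")], KEY)

if __name__ == "__main__":
    print(validate_swt(SAMPLE, KEY, ISSUER, AUDIENCE, now=1332446000))
```
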
  • Thanks clemensv. Both information sources very good but a bit too basic. I've opened a support case on this so hopefully I reach a solution soon.

    Thanks for all feedback!

    22 March 2012 18:38
  • Hi Jummycarlsson,

    Did you get any solution for the issue you raised? Even I am also trying on the same scenario. If you find any solution please let me know.

    Many Thanks,

    Thirumalai M

    10 April 2012 07:43
  • Hi Thirumalai,

    Yes, I reached a solution together with MS support. Primary problem with my approach was that I didn't need to retrieve a token from ACS before I connect to the SB. Instead, I create a token by myself and use that to connect to the SB. Basically, I created a SAML token and signed it with my certificate.

    Let me know if you need code sample.

    12 April 2012 06:32
  • Hi JimmyCalsson,

    Thanks for your response. I solved the issue by following code from acs\WebServices\Acs2CertificateBindingSample folder which is downloadable from http://acs.codeplex.com/.

    But if you find time, Pls send me the code. I am interested to get to know the way you solved.

    Thank you...

    20 April 2012 09:32
  • I know this does not have anything in particular to do with Jimmy Carslon's issue but I was getting the same error, it turns out changing my app.config and rebuilding and repackaging azure does not update the configuration files for azure which was what my app was running from.

    So if you ever change your issuer secret in app.config check these changes are applied to the azure config files

    7 August 2012 15:15
  • Hi Jimmy - I'm looking at exactly the same scenario as you were. Namely, I have an on-premises application that has an X.509 client certificate that I'd like to use as credentials to authenticate and use the Service Bus Relay to publish a WCF service's endpoint via NetTcpRelayBinding.

    As I understand it, the steps you took were:

    1. Added a Service Identity in the Service Bus's buddy -sb namespace and added the X.509 certificate (i.e., .cer) to it.

    2. Created a SAML 2 token, signed it with the X.509 certificate's private key and attached the signed SAML token to the TokenProvider before registering the WCF service with the Service Bus. I assume the SAML token had the appropriate set of Service Bus claims added to it (e.g., net.windows.servicebus.action = Listen)?

    Would it be possible to get a code sample to show how you did this? Many thanks in advance for your help and advice.


    7 December 2012 23:22
  • "Primary problem with my approach was that I didn't need to retrieve a token from ACS before I connect to the SB."

    This is interesting, because the SB endpoint would behave like an ordinary https endpoint with client certificate authentication. I'm very interested in this scenario and would like to see the code.

    So far, I've only seen clients which were specifically designed to use the Service Bus bindings.

    9 August 2013 15:52