How to retrieve token for service bus from ACS?

  • Question

  • Hi!

    I want to use ACS as an STS for the service bus. I've managed to use ACS for authentication for a web service. However, the service bus requires a token and I don't know how to retrieve one from ACS.

    In short, I want my client services to be able to use the service bus by authenticating with certificates that match certificates stored as service identities in ACS (the one corresponding to the service bus, -sb).

    Also, I'm using NetTcpRelayBinding for the Service Bus.

    Wednesday, March 21, 2012 2:20 PM


All replies

  • Hi Jimmy,

    The tokens you mentioned can be created using the SBAzTool available on code.msdn.microsoft.com: http://code.msdn.microsoft.com/windowsazure/Authorization-SBAzTool-6fd76d93 With this tool you can add extra 'accounts' with tokens next to the default 'owner'. Now this will work if you use tokens, but I doubt this will help you in using the certificates for authentication.

    You might also want to take a look at Clemens' talk a few months ago, he explains in detail how you can start securing your SB with ACS: http://channel9.msdn.com/posts/Securing-Service-Bus-with-ACS 


    Sandrino Di Mattia | Twitter: http://twitter.com/sandrinodm | Azure Blog: http://fabriccontroller.net/blog | Blog: http://sandrinodimattia.net/blog

    Wednesday, March 21, 2012 2:42 PM
  • Thanks Sandrino for your quick response. However, I've succeeded in adding service identities that use symmetric keys. The problem is certificates. I can create new service identities in ACS that use certificate credentials and use those to authenticate a client before using a web service. But I've been unable to authenticate before using the service bus.

    What am I missing here...

    Wednesday, March 21, 2012 3:01 PM
  • Hi,

    As far as I know, if you want to add ACS to the ServiceBus sample, please add the certificate in the ACS management portal; refer to the following article for more details:


    Then you can check the sample provided by the Azure Team Blog:


    Hope it helps.

    Please mark the replies as answers if they help or unmark if not. If you have any feedback about my replies, please contact msdnmg@microsoft.com. Microsoft One Code Framework

    Thursday, March 22, 2012 4:17 AM
  • Thanks Arwind! That helped and I've now managed to retrieve a SAML token from ACS using a client certificate! The next problem is that I get an unauthorized error when trying to use the retrieved SAML token as credentials for the service bus. And, yes, the service bus is set to use SAML 2.0 as credentials. Maybe I wrongly assume that I can use the retrieved token as a credential for the service bus?

    Exception when trying to connect to the service bus with the SAML token:

    "The token provider was unable to provide a security token while accessing 'https://XXXX-sb.accesscontrol.windows.net/WRAPv0.9/'. Token provider returned message: 'Error:Code:401:SubCode:T0:Detail::TraceID:01815c06-97c5-4a02-b0af-9fcf3e49075b:TimeStamp:2012-03-22 13:08:41Z'."

    With inner exception: "The remote server returned an error: (401) Unauthorized."

    To get the token from ACS I modified this sample:

    Thursday, March 22, 2012 1:11 PM
  • Two good sources of information:




    Service Bus is automatically paired with the ACS namespace and expects SWT tokens. You can only work with the -sb namespace to set up federation for now and the -sb namespace in ACS already has the correct baseline setup with SWT tokens.

    • Proposed as answer by clemensv Thursday, March 22, 2012 6:35 PM
    Thursday, March 22, 2012 4:37 PM
  • Thanks clemensv. Both information sources are very good but a bit too basic. I've opened a support case on this so hopefully I reach a solution soon.

    Thanks for all feedback!

    • Marked as answer by Arwind - MSFT Tuesday, March 27, 2012 11:37 AM
    Thursday, March 22, 2012 6:38 PM
  • Hi Jummycarlsson,

    Did you get any solution for the issue you raised? I am also trying the same scenario. If you find any solution, please let me know.

    Many Thanks,

    Thirumalai M

    Tuesday, April 10, 2012 7:43 AM
  • Hi Thirumalai,

    Yes, I reached a solution together with MS support. The primary problem with my approach was that I didn't need to retrieve a token from ACS before I connect to the SB. Instead, I create a token by myself and use that to connect to the SB. Basically, I created a SAML token and signed it with my certificate.

    Let me know if you need a code sample.

    Thursday, April 12, 2012 6:32 AM
  • Hi JimmyCalsson,

    Thanks for your response. I solved the issue by following the code in the acs\WebServices\Acs2CertificateBindingSample folder, which is downloadable from http://acs.codeplex.com/.

    But if you find time, please send me the code. I am interested to get to know how you solved it.

    Thank you...

    Friday, April 20, 2012 9:32 AM
  • I know this does not have anything in particular to do with Jimmy Carlsson's issue, but I was getting the same error. It turns out that changing my app.config and rebuilding and repackaging for Azure does not update the Azure configuration files, which was what my app was running from.

    So if you ever change your issuer secret in app.config, check that these changes are applied to the Azure config files.

    Tuesday, August 7, 2012 3:15 PM
  • Hi Jimmy - I'm looking at exactly the same scenario as you were. Namely, I have an on-premises application that has an X.509 client certificate that I'd like to use as credentials to authenticate and use the Service Bus Relay to publish a WCF service's endpoint via NetTcpRelayBinding.

    As I understand it, the steps you took were:

    1. Added a Service Identity in the Service Bus's buddy -sb namespace and added the X.509 certificate (i.e., .cer) to it.

    2. Created a SAML 2 token, signed it with the X.509 certificate's private key and attached the signed SAML token to the TokenProvider before registering the WCF service with the Service Bus. I assume the SAML token had the appropriate set of Service Bus claims added to it (e.g., net.windows.servicebus.action = Listen)?

    Would it be possible to get a code sample to show how you did this? Many thanks in advance for your help and advice.

    Friday, December 7, 2012 11:22 PM
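The two steps summarised in the post above (service identity carrying the .cer in the -sb namespace; a SAML 2.0 token self-signed with the certificate's private key and attached to the TokenProvider before hosting the NetTcpRelayBinding endpoint), written out as an added example. This is not code from any participant in the thread or from the ACS samples. It assumes the .NET 4.5 System.IdentityModel SAML 2 classes and the Microsoft.ServiceBus SDK TokenProvider API (TokenProvider.CreateSamlTokenProvider and TransportClientEndpointBehavior.TokenProvider); the namespace, service identity name and thumbprint are placeholders, and the choices of issuer (the service identity name) and audience (the ACS -sb namespace root) are assumptions about what ACS validates, not facts stated in the thread.

```csharp
using System;
using System.IdentityModel.Tokens;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.Text;
using System.Xml;
using Microsoft.ServiceBus;

[ServiceContract] public interface IEcho { [OperationContract] string Echo(string text); }
public class EchoService : IEcho { public string Echo(string text) { return text; } }

static class SelfIssuedSamlTokenDemo
{
    // Placeholder values (assumed; none come from the thread). Replace with your own.
    const string ServiceNamespace = "YOUR-NAMESPACE";            // Service Bus namespace
    const string ServiceIdentityName = "YOUR-SERVICE-IDENTITY";  // ACS service identity holding the .cer
    const string CertificateThumbprint = "YOUR-CERT-THUMBPRINT"; // cert with private key in LocalMachine\My

    // Loads the client certificate from the machine store; the private key never leaves it.
    static X509Certificate2 LoadClientCertificate()
    {
        var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            var found = store.Certificates.Find(X509FindType.FindByThumbprint, CertificateThumbprint, false);
            if (found.Count == 0) throw new InvalidOperationException("Client certificate not found.");
            if (!found[0].HasPrivateKey) throw new InvalidOperationException("Certificate has no private key; cannot sign.");
            return found[0];
        }
        finally { store.Close(); }
    }

    // Builds a short-lived SAML 2.0 bearer assertion signed with the certificate's private key.
    // ACS (the -sb namespace) checks the signature against the .cer on the service identity
    // and issues the SWT that Service Bus actually consumes.
    static string CreateSignedSamlToken(X509Certificate2 signingCert, Uri audience, string action)
    {
        var assertion = new Saml2Assertion(new Saml2NameIdentifier(ServiceIdentityName)) // issuer (assumed)
        {
            Subject = new Saml2Subject(new Saml2NameIdentifier(ServiceIdentityName)),
            Conditions = new Saml2Conditions
            {
                NotBefore = DateTime.UtcNow.AddMinutes(-5),   // small clock-skew allowance
                NotOnOrAfter = DateTime.UtcNow.AddMinutes(10) // keep the replay window short
            },
            SigningCredentials = new X509SigningCredentials(signingCert)
        };
        assertion.Subject.SubjectConfirmations.Add(
            new Saml2SubjectConfirmation(Saml2Constants.ConfirmationMethods.Bearer));
        assertion.Conditions.AudienceRestrictions.Add(new Saml2AudienceRestriction(audience));
        // Service Bus authorization claim named in the thread; "Listen" is what a relayed host needs.
        assertion.Statements.Add(new Saml2AttributeStatement(
            new Saml2Attribute("net.windows.servicebus.action", action)));

        var xml = new StringBuilder();
        using (var writer = XmlWriter.Create(xml, new XmlWriterSettings { OmitXmlDeclaration = true }))
        {
            new Saml2SecurityTokenHandler().WriteToken(writer, new Saml2SecurityToken(assertion));
        }
        return xml.ToString();
    }

    // The provider posts the self-issued SAML token to the ACS WRAP endpoint
    // (the same https://<ns>-sb.accesscontrol.windows.net/WRAPv0.9/ URL seen in the 401 above)
    // and exchanges it for an SWT; no token is fetched from ACS beforehand.
    static TokenProvider CreateTokenProvider(X509Certificate2 signingCert, string action)
    {
        Uri acsWrapUri = ServiceBusEnvironment.CreateAccessControlUri(ServiceNamespace);
        var audience = new Uri(acsWrapUri.GetLeftPart(UriPartial.Authority) + "/"); // ACS -sb root (assumed)
        string saml = CreateSignedSamlToken(signingCert, audience, action);
        return TokenProvider.CreateSamlTokenProvider(saml, acsWrapUri);
    }

    static void Main()
    {
        var tokenProvider = CreateTokenProvider(LoadClientCertificate(), "Listen");
        Uri address = ServiceBusEnvironment.CreateServiceUri("sb", ServiceNamespace, "echo");

        using (var host = new ServiceHost(typeof(EchoService)))
        {
            var endpoint = host.AddServiceEndpoint(typeof(IEcho), new NetTcpRelayBinding(), address);
            // Attach the token provider before opening; the relay registration presents the SWT.
            endpoint.Behaviors.Add(new TransportClientEndpointBehavior { TokenProvider = tokenProvider });
            host.Open();
            Console.WriteLine("Listening on {0}; press Enter to stop.", address);
            Console.ReadLine();
        }
    }
}
```

If ACS still answers 401 with this approach, the usual suspects are a mismatch between the assertion's issuer or audience and what the -sb namespace expects, a token outside its validity window because of clock skew, or a .cer on the service identity that does not correspond to the private key used to sign; the TraceID in the error message is what Microsoft support can correlate on the ACS side.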