Servicebus authentication at subnamespace level RRS feed

  • Question

  • Is it  possible to setup authentication at a sub namespace level?

    Let's say a service bus namespace "mysbnamespace.servicebus.windows.net" exists, and two relay services are running under subnamespaces

    • mysbnamespace.servicebus.windows.net/relayhost1
    • mysbnamespace.servicebus.windows.net/relayhost2

    Can relayhost1, relayhost2 have their own credentials without using shared key? If relayhost1 credentials are leaked, relayhost2 should not be comprimised. (clients should be not able to relay messages to relayhost2 with credentials used by relayhost1)

    One obvious option is to use different namespaces for running relayhost1 and relayhost2, but I am trying to run these hosts under one namespace?

    If there is a way, can you help me to get started?

    Thanks in advance

    Anil Lingamallu

    Tuesday, September 11, 2012 5:59 PM


All replies

  • Yep, it is doable. In a nutshell, you need to go into the old portal, select the namespace you want to work with and click on "access control service" in the toolbar. Then create a new "relying party applications" under that namespace using the URI's you referrence above.

    Next, you can create new service identities (one for each relay host). And lastly, add the identities to a rule group with the proper claims (List, Send, Manage).

    A couple of MSDN reference links that should help you are:

    Relying Party Applications: http://msdn.microsoft.com/en-us/library/gg185906

    Identities: http://msdn.microsoft.com/en-us/library/gg185945.aspx

    Rule Groups and Rules: http://msdn.microsoft.com/en-us/library/gg185923

    Tuesday, September 11, 2012 6:15 PM
  • Hi,

    To add to Brent's reply, you can also use the SBAZTool sample to manage the Relying Party Applications, Identities and Rule Groups. I find it a lot easyer ´when working with service bus authentication.

    The tool is available here: http://code.msdn.microsoft.com/windowsazure/Authorization-SBAzTool-6fd76d93

    There is a good blog post on using it here: http://middlewareinthecloud.com/2012/06/20/azure-service-busdont-run-as-root/

    The blog post uses queues, but the same applies for the relay service. The service identity should have Listen granted, the client identity should have Send granted.

    When you use SBAZTool, its good to use the portal to check out what Identities, Relying Party Applications and Rule Groups are bing created in ACS.



    Free EBook: "Windows Azure Service Bus Developer Guide" http://www.cloudcasts.net/devguide/

    Tuesday, September 11, 2012 6:31 PM
  • Thank you Brent and Alan for the help! I am going to try them out.
    Tuesday, September 11, 2012 6:52 PM
  • Thanks a lot for the help. I tried SBAzTool and it worked great. Downloaded the code and modified it to automate our tenant provisioning. There is a minor bug in library that the tool uses (which I fixed on my side).

    AddManagementTokenWithRightPermission method of ManagementServiceHelper class in not thread safe and also does not cache at SWT at namespace level. If I use a different namespace, the web request still appends the SWT of first namespace, which causes ACS to reject the request.

    Tuesday, September 18, 2012 9:23 PM
  • Hi,

    Thanks for raising that, I passed it on to the team.



    Free EBook: "Windows Azure Service Bus Developer Guide" http://www.cloudcasts.net/devguide/

    Tuesday, September 18, 2012 9:41 PM