Flowing credentials through BizTalk

pierreml — Fri, 13 Feb 2009 19:54:00 GMT

Scenario: You have a client application, with a user logged on with a domain user ( kerberos credentilas ). The application calls a BizTalk Server 2004 orchestration ( a business process ) that calls a Back End Web Service. The Web Service needs to know who is the logged user to take a decision on which task it has to execute.

Solution: Extract from the input message the OriginatorSID context property (that
contains the LogonUser string ) then impersonate it using a helper
component :

for example with an expression shape like this:
bizImpHelper.Impersonate(IncomingMessage(Microsoft.BizTalk.XLANGs.BTXEngine.OriginatorSID));

This is the helper class that does the impersonation:

[Serializable]
public class BizTalkImpersonationHelper
{
private BizTalkImpersonationContext bizImpCtxt;
public BizTalkImpersonationHelper()
{}

public void Impersonate( string logonUser )
{
int slash = logonUser.IndexOf("\\");
if( slash > 0 ){
   string domain = logonUser.Substring(0,slash);
   string user = logonUser.Substring(slash+1);
   logonUser = user + "@" + domain;
   }
   bizImpCtxt = new BizTalkImpersonationContext();
   bizImpCtxt.Impersonate(logonUser);
}

   public void UnDo()
   {
if( bizImpCtxt != null )
   bizImpCtxt.Undo();
   }
}

[Serializable]
internal class BizTalkImpersonationContext
{
   private System.Security.Principal.WindowsIdentity identity;
[ThreadStatic]
static WindowsImpersonationContext wic ;
internal void Impersonate( string logonUser )
{
   if( wic != null )
   wic.Undo();
   identity = new System.Security.Principal.WindowsIdentity(logonUser);
   wic =
((System.Security.Principal.WindowsIdentity)identity).Impersonate();
}

internal void Undo()
{
if( wic != null)
   wic.Undo();
}
}

Declare the WindowsImpersonationContext thread static, to avoid
collisions between different running orchestrations.

In the orchestration you should define a scope to:

1. Impersonate the caller
2. Send the message and receive the response
3. Undo the impersonation to restablish the biztalk service security context

In the exception handler
Undo the impersonation

Note that the BizTalk host has to run under a domain account, that you have to create a service principal name for that account, and configure it to be trusted for delegation to the specified service

A better approach maybe is to encapsulate that logic inside a pipeline
component, that you can apply to any send port that needs to flow
credentials.

BizMock - BizTalk Fluent Tests

pierreml — Fri, 13 Feb 2009 19:27:00 GMT

BizMock is a framework for testing BizTalk solutions, using a Domain Driven Design (DDD) approach and fluent interface API. It has mocking capabilities, so no need to rely on dependent infraestructure like web services or DBs. The tests are writen and executed from within VS using regular Visual Studio Tests and C# code, allowing a TDD and agile development style of BizTalk solutions.

it's main advantages are:

Rapid testing of Biztalk scenarios ( no more excuses to not test biztalk code)
No need to leave the Visual Studio IDE
We use regular Visual Studio C# Unit Tests code ( no puzzling xml) .
Favors agile iterative development cycles with continous Integration.
No need to rely on real implementations of dependent infraestructure like web services, Databases, etc. ( isolated on the developer machine or build server )
Increasead level of abstraction thanks to its Domain Driven Design approach and fluent interface.
Rapid and guided development thanks to intelisense and its fluent interface API.
Reusability of domain artifacts across tests, like ports, messages, verifiers etc.
Extensibility model to allow the creation of new artifacts, actions, and expectations types over time and reused across solutions
Leverages DDT ( Data Driven Test)
In future releases can be enhanced with Visual Studio addins and tools: to automatically update deployments, autogenerate artifacts, autogenerate map and message verifiers tests.
In future releases can be enhanced with guidance automation to guide the process and implement best practices
In fututre realeases can be integrated wirth functional testing tools like FIT, to quickly create integration scenarios test cases

To know more visit http://www.codeplex.com/bizmock

Milet's Logbook

Flowing credentials through BizTalk

BizMock - BizTalk Fluent Tests