The "Use MSMQ Authentication" Option

by | Oct 11, 2004 | BizTalk Community Blogs via Syndication

I recently went through a really nast bout of troubleshooting with the client I currently
work with, related to MSMQT.  Hopefully, my tale can save you similar pain.

The core issues was this: The BizTalk MSMQT adapter can be configured during installation
to integrate with Active Directory.  The default is that it will not operate
in this fashion, but rather in “workgroup” mode.  There are (at least) two reasons
why you might want to have MSMQT integrate with Active Directory: 1) you want to make
use of an MSMQ router in your environment or 2) you want to use certificate-based
authentication at a protocol level (where the public certificate is managed by AD.)  (Note:
I know this now; I didn’t know it a couple weeks ago…)

We have been installing our servers in “workgroup” mode.  To install in Active
Directory mode requires a special permission granted by the domain administrator.

Now, when you a configure a Send Port within BizTalk and select MSMQT as the transport,
the property pages in the BizTalk Explorer offer a checkbox that is labeled “Use MSMQ
Authentication”.  If you hit the “Help” button on this dialog, the explanation
that is provided is this: “Identify whether BizTalk Message Queuing uses protocol
authentication every time it sends a message on this port.” 

As it turns out, although it isn’t documented as such, a Send Port with this
option checked can only work if MSMQT has been installed in Active Directory-integrated
mode.  If you have the “Use MSMQ Authentication” option checked on a Send Port
and you are not in Active Directory-integrated mode, then messages will not flow. 
When we eventually discovered this discrepency and fixed our bindings files, the problem
was resolved.  (Note: there is a similar option when configuring Receive Locations.)

This checkbox had been checked at the point our initial binding files were exported,
and became a part of our scripted deployment.  What was worse, when we encountered
this problem a few weeks ago in QA, we began troubleshooting the BizTalk configuration
on the server directly and wound up “fixing” the problem by creating an additional
Send Port (subscribing to the same traffic as the original) that simply had the MSMQ
Auth checkbox off.  But we didn’t realize that discrepancy at the time, so we
had to troubleshoot the same problem all over again a few weeks later.  We definitely
got ourselves into the wrong troubleshooting mindset by assuming that Biztalk was
flaky in some way.

Key lesson: If you don’t get into a given environment (QA, production, whatever) with
your scripted deployment, then you really didn’t get there at all….

A few more notes.  As I said above, if you have the “Use MSMQ Authentication”
option checked on a Send Port and you are not in Active Directory-integrated mode,
then messages will not flow.  What you will see is:

  • Messages will appear in the HAT “Queries-Messages Sent in Past Day” report, but they
    will not actually have arrived in the destination queue.  (Fixed in SP1?)
  • You will see strange behavior in the HAT “Operations-Messages” view, but nothing that
    indicates an error condition.  Retry count will increment on the original service
    instance.
  • There will be no error condition reported in the event log.  (OK, Premier Support
    indicates in a phone conversation you might see something after 5 days have elapsed,
    when an exponential backoff algorithm has run its course.)

IMHO, Biztalk 2004 should be more serviceable in this regard, and should give better
error information.  And of course, the documentation for MSMQ Send Port configuration
should have mentioned that MSMQ Authentication would only work for Active Directory.

Microsoft Premier Support became involved, and after around 18 hours of analysis they
said “We see some certificate-related errors in the traces.  Do you use MSMQ
authentication?  Are you AD-integrated?”

We looked in our binding files (since the decision had long since been forgotten)
and saw this snippet:


<TransportType Name="MSMQT" Capabilities="16495"
ConfigurationClsid="9a7b0162-2cd5-4f61-b7eb-c40a3442a5f8"/>
<TransportTypeData>&lt;CustomProps&gt;&
lt;Authenticated vt="11"&gt;-1&lt;/Authenticated&gt;&lt;/CustomProps&gt;
</TransportTypeData>
<RetryCount>3</RetryCount>
<RetryInterval>5</RetryInterval>

See that in the escaped XML?  Yup, that is a property called “Authenticated”
that is an old-fashioned Variant of type bool, where “-1” means “true”.

Leaps out at you, right?  Determining if you are AD-integrated means looking
at

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BTSSvc.3.0\MessageQueuing\MsmqtWorkgroupMode.

From all of this I (gently) conclude that the product instrumentation/tracing should
point out this condition more quickly to a support engineer.  In addition, the
MSMQT adapter should warn you of a mismatch during configuration with the Biztalk
Explorer and, ideally, when you deploy/import bindings.

Hindsight being 20/20, the support engineer should have asked to see our binding file
– and should have compared it with one exported from a server that was indeed sending
messages (since we had one.)  Of course, we should have made such a comparison,
too! (and much earlier…)  The engineer did look at the Biztalk Admin Console,
but of course that doesn’t give any of the detailed port configuration information
– only Visual Studio/BT Explorer does.

Having said that, the support engineers were great to work with and were certainly
dedicated to getting to the bottom of our issue.

Key lesson: Diffing binding files will prove to be a key troubleshooting technique
with Biztalk…

Shared Config Files……..

by | Oct 8, 2004 | BizTalk Community Blogs via Syndication

BizTalk server relies on a config file to store certain application information. This config file is located in \Program Files\Microsoft BizTalk Server 2004 and is named BTSNTSvc.Exe.Config.  View your file here (DO NOT CHANGE THIS FILE WITHOUT BACKING UP!!!).


Let’s say that you have some .NET components that you want to consume from your BizTalk solution.  Let’s also assume that these components are possibly shared with another solution, and make use of a config file for things such as connection strings, directory locations, etc., a fairly common situation.  Now, keep in mind when you call a component, and that component makes use of a config file, it uses the config file of the calling application (at least for EXE’s).  So, we have a couple of options.  We can take what’s in the shared components config file and paste it into the BTSNTSvc.Exe.Config file.  But, this means we now have 2 places to maintain the information.  What if we then have a multi server configuration, we now have 2 config files to maintain in more than one location.  Not good.  Wouldn’t it be nice if we could somehow have the BizTalk config file “point” to the components config file?  Then, we could maintain the other applications config file as we normally would.  Well, the good news is you can.!!!


Take a look at my sample config file to follow along.  I’ll explain a couple of the sections.  It is important to remember to always take a copy of you current BTSNTSvc.Exe.Config file before making any changes as changing it incorrectly will prevent BizTalk from running.


The key to making this work is the section.  To make this section “available”, you will have to add the following under the section of your config file –



Now that we have this in the config file, we can add the section .  I won’t copy it here to save space, so look at the example.  This section is where all the magic happens.  Some of the attributes like AssembliesPerDomain, etc you can find information about in the help documentation.  The key sections to be aware of are the section, section, and the section.



This section defines a new domain for your particular situation to run in.  *** define this a little better.  You will give your domain a name, and then you will use this name later to correlate the calling piece of your BizTalk solution with the called components config file.



This section defines where the called components config file resides.  You can use absolute paths, or I believe you can use relative paths also.



In this section you are going to link your AppDomain (which contains the ConfigurationFile section) to the part of you BizTalk solution that calls the shared component.  Let me clarify “part of your BizTalk solution”.  When you create your orchestrations, you give them a namespace.  They probably run under the same namespace, or at least the same root namespace.  So, in the example you see “Source.Test.Orchestrations.*” as the pattern assignment rule.  What this is saying is that any orchestration that is under this namespace would be associated with that particular app domain, and would then be able to make use of the configuration file listed under that app domain.


Hopefully with the example and the explanation, this will make some sense.  There is some information in the help file about adding the new sections, but they don’t go into much detail of how all the pieces fit together, and what the pattern assigment rule is really supposed to point to, etc.


DON’T FORGET…BACK UP YOUR CURRENT CONFIG FILE BEFORE MAKING CHANGES.  This will save a lot of headaches.


One last point to remember…and I won’t go into a lot of detail, but remember that if you are calling components from BizTalk, they must be GAC’d.  It is possible that the shared components you are calling didn’t require to be GAC’d prior to calling them from BizTalk.  Now that they are in the GAC however, you will need to change your shared components config file slightly.  When you are defining your section for that component, you will have to change the attributes a bit so that you are including the following –


<SECTION type=", Version=, Culture=, PublicKeyToken=” name=”” />


The values for component name, version, culture and token you can get out of .NET Framework Configuration admin tool.  Just look for you component, and make note of the values listed.  The only one that should change would be the version.

How to Allow Unrecognized Messages on Send Ports Using Message Context

by | Oct 7, 2004 | Stephen's BizTalk and Integration Blog

Have you seen an error that looks like the one below on your Send Pipelines?


There was a failure executing the send pipeline: “Microsoft.BizTalk.DefaultPipelines.XMLTransmit” Source: “XML assembler” Send Port: “some location” Reason: This Assembler cannot retrieve document specification by using this type: “namespace#rootnode”.



This is caused by not having a unique combination of namespace and root node (MessageType).  BizTalk by default does not like unrecognized messages.  The XML Disassembler has a setting to allow unrecognized messages.  But what about sending unrecognized messages?



To allow unrecognized messages inside the Send Pipeline, just set the XMLNORM.AllowUnrecognizedMessage message property to True inside a Message Construct shape.  This, of course, assumes you have to construct your output message inside the Orchestration. 



The statement inside your Construct shape should look like this:


OutMessage(XMLNORM.AllowUnrecognizedMessage) = true;

Property Promotion and Demotion in BizTalk

by | Oct 6, 2004 | Stephen's BizTalk and Integration Blog

I think most BizTalk users have some idea about what Property Promotion is.  I would say Property Promotion is the process of taking message or system data and putting it into the message context.  The tricky part is when and how properties get promoted.



The items that are promoted using a property schema attached to your schema are promoted in the pipelines.  When and how the system properties are promoted is somewhat of a mystery.  I think some items are promoted in the adapters (like the specific file, HTTP, and FTP properties) while others seem to be promoted as the messages enters or leaves the Orchestration (like Sending Orchestration Type).  



Some properties are only available inside the Receive Pipeline and Orchestration (like Received Port Name and Received File Name).  In the sample below I manually copy them into the message inside the Orchestration.



It is possible to overwrite read only properties inside the pipeline (like MessageType).  This is dangerous but I am sure could have some benefits.  The MessageType property is read only inside the Orchestration but if it is promoted inside the Receive Pipeline the promoted value is used rather then the true message type.



It appears that system properties that are manually promoted in the Receive Pipeline are carried throughout the whole message flow and the system does not change them.  I can set Message ID to 12345 on the Receive Port and that value comes back out on the Send Port.  But, this message ID does not seems to actually be used internally. 



MessageType on the other hand is used by the system if promoted in the Receive Pipeline.  If I change this property, it shows up in HAT with the value I set for it.  I have found one exception to this.  It is the MessageType property when working with untyped messages.  That property is cleared when the message is sent out of the Orchestration.



Property Demotion.  This is something a little less known to BizTalk users.  This is the process of taking message context data and putting it into the message.  This is done in the Send Pipeline.  It is sometimes hard to determine what values are actually in the context and only values in the message context can be demoted. 



CRITICAL: If you use a pass through pipeline your properties are not demoted.  They are only demoted using the XML Assembler component.



Ok, so how do you go about Demoting values into your message?  First, you have to add the Property Schema to your schema that contains the values you want to demote.  If you want BTS System properties follow the steps below.



How to add the BizTalk System Properties Schema to your Schema:


1. Go to the Promote Properties Dialog Box


2. Go to Property Fields Tab


3. Go to the BizTalk Type Picker by clicking on the folder icon


4. Expand Microsoft.BizTalk.GlobalPropertySchema


5. Select BTS.bts_system_properties



Then, follow the same steps just like you are promoting the properties by selecting the elements you want to promote and select the corresponding element in the Property Schema.  It is that simple.



CRITICAL: If you have the same schema on the inbound and outbound you may inadvertently promote or demote values.



I have put together a sample working with both Typed messages and Untyped messages.  I have included several start messages that set various values.  You can check out the schema to see how I accessed the propertied for Promotion and Demotion.



DOWNLOAD: Promotion and Demotion Sample



Take Away: Property Promotion and Demotion is an important part of BizTalk allowing for message context data to be demoted into a message that is sent out of the system.

Role Links in BizTalk Server 2004

by | Oct 6, 2004 | Stephen's BizTalk and Integration Blog


Make sure you check out Todd Uhl’s Blog.  He has a sample working with Role Links in BizTalk 2004.  This is something I had not looked into yet but his sample makes it look easy and useful. 



Todd is working on the Tech Arch team on my current project.  Watch for more great deployment and architecture posts from him in the near future.

Parallel Sequential Convoy in BizTalk Server 2004

by | Oct 5, 2004 | Stephen's BizTalk and Integration Blog

Here is another sample of a Sequential Convoy in BizTalk 2004.  This is a little different then most, it contains a Parallel Action shape that allows for concurrent parallel processing of inbound messages.



What does this accomplish?  It is all about control.  This process allows for processing a pre-defined number of messages at the same time in a controlled manner.



Performance?  Ok, it is not the fasting running Orchestration I have ever seen.  Actually, in some of my tests this parallel action processed 1/2 to 1/3 less messages per minutes then a single process convoy.  In case you are wondering, running 100 messages has 203 persistence points. 



What’s the point then?  Well, I could see a need for something like this in a de-batching scenario when the parallel actions will take an unknown account of time to complete and the overall status of all the messages is important.



Download the sample below.  I have 4 parallel actions processing messages.  I added a random delay to simulate message submission to an outside system or web service.  I have a Win Form test harness for easy running.  If you want to test the performance, download my single convoy example and remove the delay shapes inside this sample.



The key to this solution is the Synchronized Scope shapes that maintain the overall message count inside the Orchestration.



DOWNLOAD: Parallel Sequential Convoy Sample



See the read me file for set up instructions.  Make sure you run “Clean Up” before you rerun and samples.



A better approach?  I think it would be better to remove the processing logic inside the Parallel Actions and call an additional Orchestration to do any work.  This would increase the overall flexibility and maintenance of the solution.



Take Away: Parallel Convoys allow for better control of your de-batching process but the overall throughput of your messages is decreased.