Enterprise single sign-on, how it works?


    • #14262

      Hi, I’m still not sure that I understand the Enterprise SSO concept.
      I have tried to create a simple orchestration that consumes a flat file and creates an output file from a database.
      The problem is it seems that SSO works only when I map the user that runs the BizTalk Server application to an external application; in my case, it’s an Oracle DB.
      I don’t know why it does not use the Windows user that I log on as. If I don’t create a mapping from a BizTalk service user to an Oracle DB, nothing works at all. Am I missing something here, or any additional settings I might not be aware of? Any sample would be appreciated.

      Thanks (again)

    • #14263

      Thanks Stephen! 💡
      You pointed out the authentication trusted property of the BizTalk host, and I really think that causes my problem. I just read the documentation and it seems that the default host that I use is an untrusted host by the default installation setting. So I believe that I need to create a separate host in this case.

      The Oracle Adapter uses a System DSN, but there’s only a user name and no passwd setting in ODBC; the only place where I can set the Oracle passwd is in the transport properties of the send port. But there you have another choice, to use a single sign-on user, so theoretically I don’t have to set a user name/passwd here.

      Will let you know whether it works…

      • #14264

        I tried creating and using a new BizTalk Server instance that is an authentication trusted host, and made all my adapters use this host instance.

        Nothing has changed; the orchestration is still running under the BizTalk trusted server application instance user.

        Do I also need to sign or set message authentication? According to the documentation it does not seem to be a requirement. I could not really figure out how to make SSO work for an individual Windows user.
        Any more help?

        • #14265

          Yes, I want to impersonate the current Windows user to map to an Oracle user/passwd using an Affiliate application in the SSO settings. In other words, for a current domain user who logs on to Windows and sends a message, BizTalk should still use this user to map to another Oracle user to send a query to Oracle.

          My problem is that BizTalk receives a message and changes the user ssid to be another user who runs the host instance, and so it maps to an incorrect Oracle user.

          I think the transport properties in the Oracle send port where I set user/passwd are something new, so I believe that it does not use a user that is associated with the System DSN.

          • #14266

            Thanks Greg,
            The Oracle Adapter does support SSO; I can set this property on the Oracle send/receive port. The SSOTicket makes sense to me, but in my orchestration I don’t create any new message, since I use the schema generated from the adapter to send a stored procedure call and receive a result back.
            I tried to send a message using the HTTP adapter, so it also supports SSO. It’s just weird that the message context seems to always be overwritten with the BizTalk host instance user.

            Is there any way I can track who sends a message, e.g. by seeing the SSID, or which tables in BiztalkMsgBox contain this information?

            • #14267

              Hi again. Yes, I run BizTalk 2006 Beta 2, also with the new Oracle adapter that comes with it.
              I’ve tracked the messages; they contain the correct Windows user and SSOTicket, and these are different when I log on as a different domain user.

              So the problem must be either the orchestration process, which overwrites this context user with the user that runs the host instance, or the Oracle Adapter, which does not pick up the correct user.

              My orchestration is very simple. I use only send and receive message, no transformation and no creation of new messages. It can be illustrated as below:

              message to http —————–> orchestration <———> Oracle Adapter
              response <—————-

              The HTTP adapter is set up to use SSO, and IIS has integrated Windows authentication. The Oracle adapter port has also been set to use SSO with the affiliate application that I created, and the Windows user is mapped to an Oracle user. I can’t really see where it can go wrong here. All the ports and the orchestration run under a trusted host instance (both in-process and isolated).

              • #14268

                Hi, yes, it could be a problem with the adapter. I have sent a bug to the Microsoft Beta team, but I’m not 100% sure that it’s a bug.

                I’m sure it does not use the System DSN user name: when I change the mapping from the host instance user to a different Oracle user, I receive a different result from the same stored procedure call. So that means the adapter uses a different Oracle user to connect, not always the System DSN.

                • #14269

                  I have not worked much with ESS myself.

                  I think the Oracle DB Adapter is using a System DSN with an embedded user name?

                  In any case, as I understand it, BizTalk will never use the account you log in under. It will use the account of the host that you use to receive your message. Now, you can have trusted and untrusted hosts. Trusted hosts will pass forward the SID of the user who submitted it.

                  Are you using a trusted host?

                  • #14270

                    Ok, let me make sure I have this correct. You want to use a different user account / password based on who sent the message?

                    Not sure how to do this with the system DSN. But, I am not strong in this area.

                    When I worked with Oracle, we set the user id and password in the system DSN.

                    As far as I knew, you set the user id and password on the send port but I didn’t think that was even used at run time.

                    Please keep me updated if you get it working.

                    • #14271

                      I wonder if the Oracle Adapter does not support SSO on the send side?

                      I think it uses the System DSN Settings that have an embedded user name. Can user names in a System DSN be overridden?

                      • #14272

                        Very interesting.

                        I was told something different, but maybe I misunderstood him.

                        It would be great if you could post a response once you get this resolved.


                      • #14273

                        SSO requires the co-operation of the adapters to work, and not all adapters support SSO.
                        Basically, when a message is received the adapter will retrieve an SSO ticket based on the user that submitted the message. This ticket is added to the message context (BTS.SSOTicket) and follows the message through BizTalk. If you create a new message in an orchestration you will need to copy the BTS.SSOTicket context property.

                        When the message is sent, the SSO ticket and Affiliate application name are used to retrieve the correct user/password from the SSODb.

                        So the receive adapter must support SSO, e.g. SOAP or HTTP, and the send adapter must support SSO, e.g. SOAP, HTTP, FTP.
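
The ticket flow described in the reply above, as a small Python model added here (not part of the original post and not BizTalk's API). The function names, the HMAC ticket format, the 120-second lifetime and the CONTOSO sample mappings are assumptions made for illustration; the model shows why a newly constructed message that does not copy BTS.SSOTicket cannot be mapped to the submitting user on the send side.

```python
import hashlib
import hmac
import time

SECRET = b"constructed-demo-key"   # stands in for the SSO service's own secret (assumption)
TICKET_TTL = 120                   # seconds; assumed lifetime for this model
SSO_DB = {                         # constructed affiliate-application mappings
    ("OracleApp", "CONTOSO\\alice"): ("ora_alice", "pw-a"),
    ("OracleApp", "CONTOSO\\bob"): ("ora_bob", "pw-b"),
}

def issue_ticket(windows_user, now=None):
    """Receive side: bind the submitting user and an expiry into a signed ticket."""
    expires = int(now if now is not None else time.time()) + TICKET_TTL
    body = f"{windows_user}|{expires}"
    sig = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}|{sig}"

def receive(windows_user, payload, now=None):
    """Model of an SSO-aware receive adapter: the ticket goes into the message context."""
    return {"body": payload,
            "context": {"BTS.SSOTicket": issue_ticket(windows_user, now)}}

def construct_new_message(inbound, copy_ticket):
    """Model of an orchestration building a new message: context is not inherited."""
    ctx = {}
    if copy_ticket:
        ctx["BTS.SSOTicket"] = inbound["context"]["BTS.SSOTicket"]
    return {"body": inbound["body"], "context": ctx}

def redeem(message, affiliate_app, now=None):
    """Send side: validate the ticket, then look up the mapped external credentials."""
    ticket = message["context"].get("BTS.SSOTicket")
    if ticket is None:
        raise LookupError("no BTS.SSOTicket in message context")
    body, _, sig = ticket.rpartition("|")
    expected = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        raise PermissionError("ticket signature invalid")
    user, _, expires = body.rpartition("|")
    if (now if now is not None else time.time()) > int(expires):
        raise PermissionError("ticket expired")
    return SSO_DB[(affiliate_app, user)]
```

In this model the credentials returned depend only on the ticket in the message context, never on the account running the send side, which is the property the thread is trying to confirm.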

                      • #14275

                        Looking directly into the BiztalkMsgBoxDb is far too hard; use the HAT or the admin console (I assume you are using BizTalk 2006).

                        The easiest way to track this is to stop (do not unenlist) the orchestration and send port and submit a message.
                        Use the HAT to look at the message and the message context.
                        The inbound HTTP request should appear in the message box; you can check the BTS.SSOTicket and also the HTTP.InboundHttpHeaders, which should contain the Windows username. These will be in the message context.
                        Now start the orchestration; you can check the output of the orchestration, making sure the BTS.SSOTicket is the same.
                        Lastly, start the send port. The message should then be sent to Oracle.

                        Do you have any logic in your orchestration or do you just receive and send the same message?

