Connecting to Windows Server Service Bus on AWS
Question
I am starting work on a new project using the new Windows Server Service Bus 1.0 Beta. I am trying to set up a test environment on an AWS EC2 virtual machine.
I have installed the Service Bus on a Windows Server 2008 R2 instance running on AWS EC2 and setup a new Farm, Container and Host according to the examples in the MSDN documentatoin. I have all of the proper ports open on the server (4443 and 9354). I also followed the instructions from [this page][1] to export the self generated certificate onto my client machine.
I have a very simple C# program that creates a queue, queues a message, and receives it. This program works fine when I copy the executable up to the VM and run it there, so I believe that I am using the API correctly. However I get security exceptions when I run the program from my local development box pointing to the AWS server.
My code Looks like this:
var servername = "X.X.X.X"; // <-- An IP Address, not FQDN
var sbNamespace = "MyNamespace";
var httpPort = 4446;
var tcpPort = 9354;
//create SB uris
var rootAddressManagement = ServiceBusEnvironment.CreatePathBasedServiceUri("sb", sbNamespace, string.Format("{0}:{1}", servername, httpPort));
var rootAddressRuntime = ServiceBusEnvironment.CreatePathBasedServiceUri("sb", sbNamespace, string.Format("{0}:{1}", servername, tcpPort));
var tokenProvider = TokenProvider.CreateWindowsTokenProvider(new List<Uri>() { rootAddressManagement });
var namespaceManager = new NamespaceManager(rootAddressManagement,
new NamespaceManagerSettings()
{
TokenProvider = tokenProvider
});
var factory = MessagingFactory.Create(rootAddressRuntime,
new MessagingFactorySettings()
{
TokenProvider = tokenProvider,
//OperationTimeout = TimeSpan.FromMinutes(30)
});
if (!namespaceManager.QueueExists("OrderQueue")) <-- EXCEPTION OCCURRS HERE
{
// Code to create a queue that is never reached.
}
My exception trace looks like this:
[Microsoft.ServiceBus.Messaging.ServiceBusResourceOperations+GetAsyncResult`1[[Microsoft.ServiceBus.Messaging.QueueDescription, Microsoft.ServiceBus, Version=1.6.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35]]] IteratorAsyncResult failed to move to the next step due to an exception; System.UnauthorizedAccessException: The token provider was unable to provide a security token while accessing 'https://107.23.15.5:4446/APIHealthcare/$STS/Windows/'. Token provider returned message: 'The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.'. ---> System.IdentityModel.Tokens.SecurityTokenException: The token provider was unable to provide a security token while accessing 'https://107.23.15.5:4446/APIHealthcare/$STS/Windows/'. Token provider returned message: 'The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.'. ---> System.Net.WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.
at System.Net.Security.SslState.StartSendAuthResetSignal(ProtocolToken message, AsyncProtocolRequest asyncRequest, Exception exception)
at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult)
at System.Threading.ExecutionContext.RunInternal(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)
at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)
at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state)
at System.Net.TlsStream.ProcessAuthentication(LazyAsyncResult result)
at System.Net.TlsStream.Write(Byte[] buffer, Int32 offset, Int32 size)
at System.Net.PooledStream.Write(Byte[] buffer, Int32 offset, Int32 size)
at System.Net.ConnectStream.WriteHeaders(Boolean async)
--- End of inner exception stack trace ---
at System.Net.HttpWebRequest.GetRequestStream(TransportContext& context)
at System.Net.HttpWebRequest.GetRequestStream()
at Microsoft.ServiceBus.TokenProviderHelper.GetWindowsAccessTokenCore(IEnumerator`1 stsUris, Func`2 uriBuilder, String requestToken, TimeSpan timeout, DateTime& expiresIn)
--- End of inner exception stack trace ---
at Microsoft.ServiceBus.TokenProviderHelper.ThrowException(Uri requestUri, WebException exception)
at Microsoft.ServiceBus.TokenProviderHelper.GetWindowsAccessTokenCore(IEnumerator`1 stsUris, Func`2 uriBuilder, String requestToken, TimeSpan timeout, DateTime& expiresIn)
at Microsoft.ServiceBus.WindowsTokenProvider.OnBeginGetWebToken(String appliesTo, String action, TimeSpan timeout, AsyncCallback callback, Object state)
at Microsoft.ServiceBus.TokenProvider.GetWebTokenAsyncResult..ctor(TokenProvider tokenProvider, String appliesTo, String action, Boolean bypassCache, TimeSpan timeout, AsyncCallback callback, Object state)
at Microsoft.ServiceBus.TokenProvider.BeginGetWebToken(String appliesTo, String action, Boolean bypassCache, TimeSpan timeout, AsyncCallback callback, Object state)
at Microsoft.ServiceBus.TokenProviderUtility.GetMessagingWebToken(ITokenProvider tokenProvider, String appliesTo, String action, Boolean bypassCache, TimeSpan timeout)
--- End of inner exception stack trace ---
at Microsoft.ServiceBus.TokenProviderUtility.GetMessagingWebToken(ITokenProvider tokenProvider, String appliesTo, String action, Boolean bypassCache, TimeSpan timeout)
at Microsoft.ServiceBus.Messaging.HttpWebRequestExtensions.AddAuthorizationHeader(HttpWebRequest request, ITokenProvider tokenProvider, Uri baseAddress, String action)
at Microsoft.ServiceBus.Messaging.ServiceBusResourceOperations.GetAsyncResult`1.<GetAsyncSteps>d__c.MoveNext()
at Microsoft.ServiceBus.Messaging.IteratorAsyncResult`1.MoveNextStep()
A first chance exception of type 'System.UnauthorizedAccessException' occurred in Microsoft.ServiceBus.dll
System.UnauthorizedAccessException: The token provider was unable to provide a security token while accessing 'https://107.23.15.5:4446/APIHealthcare/$STS/Windows/'. Token provider returned message: 'The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.'. ---> System.IdentityModel.Tokens.SecurityTokenException: The token provider was unable to provide a security token while accessing 'https://107.23.15.5:4446/APIHealthcare/$STS/Windows/'. Token provider returned message: 'The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.'. ---> System.Net.WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.
at System.Net.Security.SslState.StartSendAuthResetSignal(ProtocolToken message, AsyncProtocolRequest asyncRequest, Exception exception)
at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult)
at System.Threading.ExecutionContext.RunInternal(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)
at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)
at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state)
at System.Net.TlsStream.ProcessAuthentication(LazyAsyncResult result)
at System.Net.TlsStream.Write(Byte[] buffer, Int32 offset, Int32 size)
at System.Net.PooledStream.Write(Byte[] buffer, Int32 offset, Int32 size)
at System.Net.ConnectStream.WriteHeaders(Boolean async)
--- End of inner exception stack trace ---
at System.Net.HttpWebRequest.GetRequestStream(TransportContext& context)
at System.Net.HttpWebRequest.GetRequestStream()
at Microsoft.ServiceBus.TokenProviderHelper.GetWindowsAccessTokenCore(IEnumerator`1 stsUris, Func`2 uriBuilder, String requestToken, TimeSpan timeout, DateTime& expiresIn)
--- End of inner exception stack trace ---
at Microsoft.ServiceBus.TokenProviderHelper.ThrowException(Uri requestUri, WebException exception)
at Microsoft.ServiceBus.TokenProviderHelper.GetWindowsAccessTokenCore(IEnumerator`1 stsUris, Func`2 uriBuilder, String requestToken, TimeSpan timeout, DateTime& expiresIn)
at Microsoft.ServiceBus.WindowsTokenProvider.OnBeginGetWebToken(String appliesTo, String action, TimeSpan timeout, AsyncCallback callback, Object state)
at Microsoft.ServiceBus.TokenProvider.GetWebTokenAsyncResult..ctor(TokenProvider tokenProvider, String appliesTo, String action, Boolean bypassCache, TimeSpan timeout, AsyncCallback callback, Object state)
at Microsoft.ServiceBus.TokenProvider.BeginGetWebToken(String appliesTo, String action, Boolean bypassCache, TimeSpan timeout, AsyncCallback callback, Object state)
at Microsoft.ServiceBus.TokenProviderUtility.GetMessagingWebToken(ITokenProvider tokenProvider, String appliesTo, String action, Boolean bypassCache, TimeSpan timeout)
--- End of inner exception stack trace ---
Server stack trace:
at Microsoft.ServiceBus.TokenProviderUtility.GetMessagingWebToken(ITokenProvider tokenProvider, String appliesTo, String action, Boolean bypassCache, TimeSpan timeout)
at Microsoft.ServiceBus.Messaging.HttpWebRequestExtensions.AddAuthorizationHeader(HttpWebRequest request, ITokenProvider tokenProvider, Uri baseAddress, String action)
at Microsoft.ServiceBus.Messaging.ServiceBusResourceOperations.GetAsyncResult`1.<GetAsyncSteps>d__c.MoveNext()
at Microsoft.ServiceBus.Messaging.IteratorAsyncResult`1.MoveNextStep()
at Microsoft.ServiceBus.Messaging.IteratorAsyncResult`1.EnumerateSteps(CurrentThreadType state)
at Microsoft.ServiceBus.Messaging.IteratorAsyncResult`1.Start()
Exception rethrown at [0]:
at Microsoft.ServiceBus.Common.AsyncResult.End[TAsyncResult](IAsyncResult result)
at Microsoft.ServiceBus.Messaging.IteratorAsyncResult`1.End(IAsyncResult asyncResult)
at Microsoft.ServiceBus.Messaging.ServiceBusResourceOperations.EndGet[TEntityDescription](IAsyncResult asyncResult)
at Microsoft.ServiceBus.NamespaceManager.OnEndQueueExists(IAsyncResult result)
at Microsoft.ServiceBus.NamespaceManager.EndQueueExists(IAsyncResult result)
at Microsoft.ServiceBus.NamespaceManager.QueueExists(String path)
at ServiceBusSandbox.ServiceBusSampleApp.CreateAQueue(NamespaceManager namespaceManager) in c:\Users\cent049\Documents\Visual Studio 2012\Projects\ServiceBusSandbox\ServiceBusSandbox\ServiceBusSampleApp.cs:line 15
at ServiceBusSandbox.ServiceBusSampleApp.Main(String[] args) in c:\Users\cent049\DocumentThe thread 'vshost.RunParkingWindow' (0x2608) has exited with code 0 (0x0).
I have a hunch that the problem is that I am connecting using the IP address of the VM and not a FQDN, however I don't know how to confirm that, nor do I know how to get a Domain name for my AWS server. The server has a machine name but is simply on workgroup "WORKGROUP", not on a domain.
Any and all help would be greatly appreciated.
4 answers
solution1
8 2012-09-18 16:33:38
Use the CreateOAuthTokenProvider instead of the CreateWindowsTokenProvider.
- First, you need to create an account in the machine at: rootAddressManagement.
- Add the newly created account as an Manage user of your namespace. Set-SBNamespace -Name "YourNamespace" -Manage YourUser
- Since you are using an ipaddress, add the cert validation code before you do any call to SB. ServicePointManager.ServerCertificateValidationCallback = new RemoteCertificateValidationCallback((s, cert, chain, ssl) => {return true; });
- Third, use TokenProvider.CreateOAuthTokenProvider(new List() { rootAddressManagement }, new NetworkCredential("YouUser", "YouPassword"));
Note: do not specify machine name as part of YourUser
solution2
2 2012-10-17 22:56:00
I got bad news and good news. bad news is could't send the message using microsoft.servicebus.dll method. For me i am unable to connect windows service bus using microsoft windows.servicebus.dll. When i tryed to send the message i stuck on sendmessage operation and couldnt proceed beyond that point. I suspect the issue is Publish to Azure Service Bus over http behind proxy that is a bug in current release.
Good news is i managed to do all the service bus operation using rest api.
First thing is getting the authentication token using following code sample provide by microsft.
http://msdn.microsoft.com/en-us/library/windowsazure/jj193003%28v=azure.10%29.aspx
Once u get the token rest of operation (create que, send messages, recive messages) are same as windows azure service bus. please see the detail about microsoft documentation about service bus operation.
http://msdn.microsoft.com/en-us/library/windowsazure/hh690927.aspx hope this helpful. THanks.
solution3
0 2012-09-18 16:36:22
Yes, your hunch is correct. You're running into that issue because the certificate used by the server is issued to the FQDN of the machine, and using the IP will cause a certificate name mismatch.
Short term, you can work around this by using a CertificateValidation callback to ignore the error: http://msdn.microsoft.com/en-us/library/system.net.servicepointmanager.servercertificatevalidationcallback.aspx
Long term, you might want to check how to get the external facing name of the VM, and use a certificate that matches that.
solution4
0 2012-10-15 23:23:03
i am stuck in the same error. i followed the steps as describe in second post. but finally end up with "This got me one step further. My app did connect and create the queue, but it failed when trying to place a message on the queue. The message I'm getting now is: System.IdentityModel.Tokens.SecurityTokenValidationException: The X.509 certificate CN= MACHINE_NAME is not in the trusted people store. The X.509 certificate CN= MACHINE_NAME chain building failed. The certificate that was used has a trust chain that cannot be verified. Replace the certificate or change the certificateValidationMode. The revocation function was unable to check revocation for the certificate."
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.