Share via


BizTalk: Setting Authentication on BizTalk Service Endpoints Using BTDF

Introduction 

Sometimes when exposing BizTalk artifacts as WCF service or as REST API, it becomes necessary that some security measure is to be applied to the service. Most common kind of authentication that is used to secure the service endpoint is Windows authentication and sometimes Basic Authentication. To secure the BizTalk end point manually, administrators need to go to the IIS and set the authentication on the application that is bound to the BizTalk receive location. Another option is to use the BTDF and configure the settings in the btdf project. This article explains how to set up the authentication on BizTalk end point using BTDF.

↑ Back To Top 

What is BTDF?

BTDF is an open source deployment framework used for deploying BizTalk applications on local dev boxes as well as different environments. It provides many facilities that can be used to club together the task that require to be performed pre and post deployment of the BizTalk deployment e.g restarting of the concerned Host Instances, IIS reset etc. Another advantage of BTDF is that it is very flexible and can be configured to do a lot of tasks before, during and after the deployment of BizTalk application. All these tasks can be packaged up as a single msi file and can be installed on the target environment. It also provides facility to define the variables related to different environments in a spreadsheet which simplifies the task of manually maintaining the binding files for the BizTalk application for Multiple environment. These are some of the features of BTDF. BTDF has proven to be a very reliable tool for creating build msi for BizTalk. It is a necessary weapon in the arsenal of a professional working on BizTalk platform. 

This article uses the latest version 5.7 that is released. To learn more about the installation of the btdf and step by step guide for configuring the BTDF, refer following link. The link discusses the steps taken for BizTalk 2016 and Visual Studio 2015 , but same can be followed for other versions of BizTalk.

Step by Step Guide For Installation and Configuration of BTDF for BizTalk 2016 and Visual Studio 2015  

↑ Back To Top 

Setting UP BTDF Project File

BTDF works on MSBuild and hence developers have the ability to create custom targets and call them at specific point of execution when the msi is deploying the BizTalk application. In order to deploy BizTalk artifacts as WCF service/ REST api, BTDF uses the target "DeployVDirs", this target is called after the BizTalk application is deployed and just before the IIS reset. In order to set up the authentication on the IIS application deployed by the "DeployVDirs" target, BTDF should call the custom target just after. The appcmd.exe command is a great command to set up the properties of the artifacts in IIS like IIS application, virtual directories, application pools etc.

Following is a sample target which disables the anonymous authentication and sets up windows authentication for an IIS application which houses a REST endpoint for BizTalk app.

<Target AfterTargets="DeployVDirs" Name="DisableAnoymousAutnentication">
  <Exec Command= ""$(AppCmd)" set config "Default Web Site/WebHttpLocationDemo" -section:system.webServer/security/authentication/anonymousAuthentication /enabled:false /commit:apphost" />
  <Exec Command= ""$(AppCmd)" set config "Default Web Site/WebHttpLocationDemo" -section:system.webServer/security/authentication/windowsAuthentication  /enabled:true /commit:apphost" />
</Target>

Note: Ensure that the " are properly escaped using "

The AfterTargets attribute tells the BTDF that this target should be called only after the DeployVDirs target is executed, hence the custom target will always have an IIS application to set.  The $AppCmd variable is populated by BTDF by itself and it calls the appcmd.exe command. 

Following is a part of the extract of the deployment log which confirms that the custom target is called as required.

DeployIISAppPools:
  Creating IIS application pool 'webHTTPAdapterDemoAppPool'...
  Created/updated IIS application pool 'webHTTPAdapterDemoAppPool'.
DeployIISApplications:
  Creating IIS application '/WebHttpLocationDemo'...
  Created/updated IIS application '/WebHttpLocationDemo'.
DeployNTFSPermissionsOnVDirPaths:
  Granting NTFS permissions on 'E:\VisualStudioProjects\WebHttpLocationBTDFDemo\WebHttpLocationBTDFDemo.Services' to 'xyz\Mandar Dharmadhikari'...
  Granted NTFS permissions on 'E:\VisualStudioProjects\WebHttpLocationBTDFDemo\WebHttpLocationBTDFDemo.Services'.
DisableAnoymousAutnentication:
  "C:\Windows\System32\inetsrv\appcmd.exe" set config "Default Web Site/WebHttpLocationDemo" -section:system.webServer/security/authentication/anonymousAuthentication /enabled:false /commit:apphost
  Applied configuration changes to section "system.webServer/security/authentication/anonymousAuthentication" for "MACHINE/WEBROOT/APPHOST/Default Web Site/WebHttpLocationDemo" at configuration commit path "MACHINE/WEBROOT/APPHOST"
  "C:\Windows\System32\inetsrv\appcmd.exe" set config "Default Web Site/WebHttpLocationDemo" -section:system.webServer/security/authentication/windowsAuthentication  /enabled:true /commit:apphost
  Applied configuration changes to section "system.webServer/security/authentication/windowsAuthentication" for "MACHINE/WEBROOT/APPHOST/Default Web Site/WebHttpLocationDemo" at configuration commit path "MACHINE/WEBROOT/APPHOST"
BounceBizTalk:
  Recycling IIS application pool 'webHTTPAdapterDemoAppPool'...          Recycled IIS application pool     'webHTTPAdapterDemoAppPool'    .  

↑ Back To Top 

Another Problem

When the client applications try to consume the service, they will run into an error, and the error they can encounter is as follows.

The solution to the above issue becomes obvious after reading the error message. The Security property on the receive location needs to be set to Transport or TransportCredentialsOnly. Refer following Screenshot.

This setting can be added to the receive location by exporting the binding from the BizTalk app and then copying it across to Port Bindings Master.

↑ Back To Top 

Conclusion

This concludes the process to set up the authentication on the IIS application using BTDF.

↑ Back To Top 

See Also

An important place to find a huge amount of BizTalk related articles is the TechNet Wiki itself. The best entry point is BizTalk Server Resources on Technet Wiki 

↑ Back To Top 

References

Following articles were referred while writing this article

↑ Back To Top