Hello,
Can we limit Send/Listen/Read rights to Azure Service Bus Queue and Topics to clients who have specific certificate installed?
Thank you,
Hello,
When I create a subscription in VS2013 through:
Visual Studio Azure Tools->Service Bus->Topics->Subscription
I get a subscription with $Default rule and a filter "1=1". How do I change the $Default rule's filter?
Thank you,
Hello,
I am fully aware that I can secure Azure Service Bus with Shared Access Policies.
How can I secure Azure Service Bus Send/Listen/Receive operations by using Azure AD roles?
A link to an online article of View would be a great help.
Thank you,
Hello,
I am fully aware that I can secure Service Bus Queues and Topics with Shared Access Policy keys. I am seeking other options.
In case we are dealing with security-sensitive Azure Service Bus Queues and Topics, is there any option to hide the Service Bus Queues and Topics from the public internet and limit the access to a few Worker roles in the Azure data center?
Also, can we limit the access to a few IP addresses?
Thank you,
Hello,
What are the Azure Service Bus->Topic->Subscription->Filter->Actions shown in Visual Studio's Create Filter dialog box shown below:
Are Filter Actions documented anywhere?
Thank you,
Hello,
I fully understand that I can use PowerShell or many other Azure SB management APIs to precisely (re-)create my application's SB entities in a DEV/QA/Staging environment.
Is there any no-code option to do this?
Thank you,
Hello,
I get the following error when I create a SB Subscription Filter:
An unexpected error occurred during processing. Message is 'The operation is not supported for an entity with partitioning enabled.'
Is the error message true?
If the answer is yes, then has this crucial important limitation been documented?
How do I disable Partitioning once a Topic is created?
Thank you,
Hello,
We are using MessageSessionAsyncHandler as described here:
https://msdn.microsoft.com/en-us/library/azure/dn790528.aspx
With one difference – we register it using the provided factory method:
QueueClient client = …;
await this.client.RegisterSessionHandlerFactoryAsync(
    new QueueMessageReceiverSessionFactory(…),
    new SessionHandlerOptions
    {
        AutoComplete = true,
        AutoRenewTimeout = TimeSpan.FromSeconds(600),
        MaxConcurrentSessions = 500,
        MessageWaitTimeout = TimeSpan.FromSeconds(60)
    });

class QueueMessageReceiverSessionFactory : IMessageSessionAsyncHandlerFactory
{
    public QueueMessageReceiverSessionFactory(…) { … }

    public IMessageSessionAsyncHandler CreateInstance(MessageSession session, BrokeredMessage message)
    {
        return new QueueMessageReceiverSession(…);
    }

    public void DisposeInstance(IMessageSessionAsyncHandler handler)
    {
        var disposable = handler as IDisposable;
        // Dispose the handler if it is disposable
        if (disposable != null)
        {
            disposable.Dispose();
        }
    }
}

class QueueMessageReceiverSession : MessageSessionAsyncHandler
{
    public QueueMessageReceiverSession(…) { … }

    protected override async Task OnMessageAsync(MessageSession session, BrokeredMessage brokeredMessage)
    {
        Console.WriteLine("OnMessageAsync()");
    }

    protected override Task OnCloseSessionAsync(MessageSession session)
    {
        Console.WriteLine("OnCloseSessionAsync()");
        return base.OnCloseSessionAsync(session);
    }

    protected override Task OnSessionLostAsync(Exception exception)
    {
        Console.WriteLine("OnSessionLostAsync()");
        return base.OnSessionLostAsync(exception);
    }
}
Everything works fine, however the QueueMessageReceiverSession.OnCloseSessionAsync() method gets called only after the MessageWaitTimeout time. There is nothing blocking the OnMessageAsync() method and there are also no exceptions (execution time < 1 sec). The questions I have are as follows:
- Why is this happening?
- Is this the expected behavior and if so, what is the purpose of this feature?
- Is there any concern of a resource starvation with a high rate of messaging?
Tested with Service Bus v2.6.7 and v2.7.5.
Thank you,
Alex
I was playing around with the Service Bus connector and observed that if I have 100 messages in my subscription queue (where the connector is pointing), the first 10 are read successfully, then the next 10 go and sit in the dead-letter queue with the message "could not be consumed", and the pattern repeats. Any idea why this is happening?
We had problems this morning around 10AM BST on one of our Cloud Services, and now again for another (from 1300 BST). It appears as if our roles are having problems opening a stream to their Service Bus topics on West Region. Is this a known issue?
The Azure service status is totally useless in our experience, never admitting to faults (more like a sales tool).
We're using the topics as part of the service bus scaleout solution for SignalR. The service bus scaler is getting "Stream is not open" when attempting to inject into the topics.
I've deleted two of the topics concerned, but now cannot recreate them with errors about "an existing conflicting operation".
VDI for the win!
Hello,
I need to create an intermediate service which will contain Notification Hub and Service Bus messaging logic. This intermediate service will interact with my Web API and other services like a transaction monitor service and a payment service. The only work for Service Bus messaging is to send / receive messages in a many-to-many fashion. For example: one user swipes his card and an amount is deducted from his account. While swiping the card, a message will be sent to the Service Bus messaging service, then this service will return a message to notify the user of the deduction. So there are many scenarios like this where a user-specific message is sent / received from the Service Bus messaging service. So my question is: what type of Service Bus messaging service is required for such a scenario? Also, this message will be user-specific as well, meaning that the message will be stored in such a way that it must be received by the actual recipient.
Another question is how I can use Notification Hub in this scenario. Notifications will be logged into the Hub and will be sent to users' mobiles directly without any intermediate service interfacing.
Kindly let me know your answers ASAP and provide some code samples or links to clarify over this.
Thanks,
Avneesh
Question from Sanjay Singh (@_SanjaySingh) via Twitter:
I am getting 'Failed to create Event Hub' error when trying from old portal. I get the same when trying from c# code.
Thanks,
@AzureSupport
The dependency WindowsAzure.ServiceBus 2.7.5 in project WebApplication1 does not support framework DNXCore,Version=v5.0.
May I know how my Web API (ASP.NET 5) can talk to the Azure Service Bus?
I am referring to the following link: https://msdn.microsoft.com/en-us/library/azure/hh780722.aspx
I am currently using Java with the Jersey client to use this API but am receiving a 401. The response entity is empty and I don't know specifically what is wrong. I have tried regenerating the Primary_key from the portal but still see the same issue.
Here is the code snippet
private static final String ENDPOINT = "datamstorequeue/messages/head";
private static final String HOST = "https://<namespace>.servicebus.windows.net/";

@Override
public String getMessage() {
    final ClientConfig readClientConfig = new DefaultClientConfig();
    readClientConfig.getFeatures().put(JSONConfiguration.FEATURE_POJO_MAPPING, Boolean.TRUE);
    Client readClient = Client.create(readClientConfig);
    WebResource webResource = readClient.resource(HOST + ENDPOINT);
    String key = GetSASToken(HOST + ENDPOINT, "All", Constants.QUEUE_PRIMARY_KEY);
    System.out.println("key:" + key);
    ClientResponse response = webResource.header("Authorization", key)
            .header("Content-Length", 0).post(ClientResponse.class);
    if (response.getStatus() != 200) {
        String output = response.getEntity(String.class);
        System.out.println("Failed : HTTP error code : " + response.getStatus() + output);
    }
    String output = response.getEntity(String.class);
    System.out.println("Output : " + output);
    return output;
}

private static String GetSASToken(String resourceUri, String keyName, String key) {
    long epoch = System.currentTimeMillis() / 1000L + 60;
    String expiry = Long.toString(epoch);
    String sasToken = null;
    try {
        String stringToSign = URLEncoder.encode(resourceUri, "UTF-8") + "\n" + expiry;
        String signature = getHMAC256(key, stringToSign);
        // SharedAccessSignature sig=<signature-string>&se=<expiry>&skn=<keyName>&sr=<URL-encoded-resourceURI>
        sasToken = "SharedAccessSignature sr=" + URLEncoder.encode(resourceUri, "UTF-8")
                + "&sig=" + URLEncoder.encode(signature, "UTF-8")
                + "&se=" + expiry + "&skn=All";
    } catch (UnsupportedEncodingException e) {
        // TODO Auto-generated catch block
        e.printStackTrace();
    }
    return sasToken;
}

public static String getHMAC256(String key, String input) {
    byte[] base64key = Base64.decodeBase64(key.getBytes());
    Mac sha256_HMAC = null;
    String hash = null;
    try {
        sha256_HMAC = Mac.getInstance("HmacSHA256");
        SecretKeySpec secret_key = new SecretKeySpec(base64key, "HmacSHA256");
        sha256_HMAC.init(secret_key);
        hash = new String(Base64.encodeBase64(sha256_HMAC.doFinal(input.getBytes("UTF-8"))));
    } catch (InvalidKeyException e) {
        e.printStackTrace();
    } catch (NoSuchAlgorithmException e) {
        e.printStackTrace();
    } catch (IllegalStateException e) {
        e.printStackTrace();
    } catch (UnsupportedEncodingException e) {
        e.printStackTrace();
    }
    return hash;
}
I am not sure what I can improve in the above code to correct my SAS key.
It looks something like this :
SharedAccessSignature sr=https%3A%2F%2F<namespace>.servicebus.windows.net%2Fdatamstorequeue%2Fmessages%2Fhead&sig=AHyMSNl9tmURr7l0gHzt4rOlS1jjTx9Hi4h13UzcMl4%3D&se=1437443740&skn=All
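The token format used in the post above, as an added example that is not part of the original post: Service Bus signs "<url-encoded sr>\n<se>" with HMAC-SHA256 keyed by the policy key's UTF-8 bytes, and skn carries the name of the policy that owns the key. The function names are hypothetical, the namespace, policy name and key in any call are constructed by the caller, and check_sas_token is a local pre-flight check for tracing a 401, not a Service Bus API.

```python
import base64
import hashlib
import hmac
import time
from urllib.parse import quote, unquote


def _sign(key, encoded_uri, expiry):
    # String-to-sign is "<url-encoded resource URI>\n<expiry>".
    # The policy key is used as its UTF-8 bytes; it is not Base64-decoded first.
    msg = f"{encoded_uri}\n{expiry}".encode("utf-8")
    mac = hmac.new(key.encode("utf-8"), msg, hashlib.sha256)
    return base64.b64encode(mac.digest()).decode("ascii")


def make_sas_token(resource_uri, key_name, key, ttl_seconds=300, now=None):
    """Build a SAS token for resource_uri, signed with the key of policy key_name."""
    expiry = int(time.time() if now is None else now) + ttl_seconds
    encoded_uri = quote(resource_uri, safe="")
    sig = quote(_sign(key, encoded_uri, expiry), safe="")
    return (f"SharedAccessSignature sr={encoded_uri}&sig={sig}"
            f"&se={expiry}&skn={quote(key_name, safe='')}")


def check_sas_token(token, request_uri, key_name, key, now=None):
    """Return the reasons a token would fail a local check; [] means it looks valid."""
    current = time.time() if now is None else now
    scheme, _, params = token.partition(" ")
    if scheme != "SharedAccessSignature":
        return ["wrong scheme"]
    # Keep values percent-encoded: the signature covers sr exactly as it was sent.
    fields = dict(p.split("=", 1) for p in params.split("&") if "=" in p)
    missing = [f for f in ("sr", "sig", "se", "skn") if f not in fields]
    if missing:
        return ["missing field: " + ", ".join(missing)]
    problems = []
    if unquote(fields["skn"]) != key_name:
        problems.append("skn does not match the policy name")
    if not fields["se"].isdigit() or int(fields["se"]) <= current:
        problems.append("se is not a future Unix time")
    # Simplified scope test (assumption): the token's sr must prefix the request URI.
    if not request_uri.lower().startswith(unquote(fields["sr"]).lower()):
        problems.append("request URI is outside the token's sr scope")
    expected = _sign(key, fields["sr"], fields["se"])
    if not hmac.compare_digest(expected.encode("ascii"),
                               unquote(fields["sig"]).encode("utf-8")):
        problems.append("signature mismatch")
    return problems
```

Running check_sas_token on a token before sending it separates a bad signature from an expired token, a wrong policy name, or an out-of-scope sr, all of which the service reports as the same 401.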
I see that version 2.0 of the Service Bus has been released onto Azure, but the Windows Server version is still stuck at version 1.0
Does Service Bus have a future for on-premise applications? Obviously we'd all like to put everything in the Cloud, but real companies have real legacy applications running on-premise and you can't re-write them all in months (or even years). Our ideal architecture is to use Service Bus to loosely couple legacy applications with new applications as we gradually move to the cloud, but we need to know that this is going to be supported.
Or is Microsoft just throwing all of its energy at Azure and ignoring on-premise applications?
Using Azure SDK 2.3 on my vs2013 development VM I can consume Service Bus queues hosted in Azure painlessly. However, on Windows Server 2008 R2 Standard SP1, it looks like Windows can not trust the involved certificates and an exception is thrown.
The line that throws :
// Send the message
await queueclient.SendAsync(message);
Exception message :
The X.509 certificate CN=servicebus.windows.net is not in the trusted people store. The X.509 certificate CN=servicebus.windows.net chain building failed. The certificate that was used has a trust chain that cannot be verified. Replace the certificate or change the certificateValidationMode. A certificate chain could not be built to a trusted root authority.
The CAPI2 logs (attached below) pointed to a trust issue so I compared certificates installed on both machines. The following certificates are absent on the server :
Intermediate Certification Authorities > Microsoft Internet Authority (Issued by Baltimore CyberTrust Root)
Intermediate Certification Authorities > MSIT Machine Auth CA 2 (Issued by Microsoft Internet Authority)
The questions :
1. Where do the certificates come from?
2. Why are they missing from the server?
3. How to fix this issue?
More detail (updated) :
1. Installed Azure SDK 2.3 for Visual Studio 2013 on the server (no effect)
2. Installed all Windows Updates on the server (no effect)
I also tried (no effect) :
<appSettings><add key="Microsoft.ServiceBus.X509RevocationMode" value="NoCheck"/></appSettings>
CAPI2 Verify Chain Policy event :
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"> <System> <Provider Name="Microsoft-Windows-CAPI2" Guid="{5bbca4a8-b209-48dc-a8c7-b23d3e5216fb}" /> <EventID>30</EventID> <Version>0</Version> <Level>2</Level> <Task>30</Task> <Opcode>0</Opcode> <Keywords>0x4000000000000001</Keywords> <TimeCreated SystemTime="2014-06-11T19:57:38.998656000Z" /> <EventRecordID>5642</EventRecordID> <Correlation /> <Execution ProcessID="5280" ThreadID="8472" /> <Channel>Microsoft-Windows-CAPI2/Operational</Channel> <Computer>ne-r026-310cn</Computer> <Security UserID="S-1-5-82-1758914132-2364927631-3137608320-3227192193-3717738432" /> </System> <UserData> <CertVerifyCertificateChainPolicy> <Policy type="CERT_CHAIN_POLICY_BASE" constant="1" /> <Certificate fileRef="3E560462C61B45BE1A59F1286B34A065A878AFA0.cer" subjectName="servicebus.windows.net" /> <CertificateChain chainRef="{19B5F58A-FA37-4213-A888-C81C340D019C}" /> <Flags value="1000" CERT_CHAIN_POLICY_IGNORE_PEER_TRUST_FLAG="true" /> <Status chainIndex="0" elementIndex="-1" /> <EventAuxInfo ProcessName="w3wp.exe" /> <CorrelationAuxInfo TaskId="{F8DE43DD-9E68-461E-8A2B-17215BA87E0C}" SeqNumber="1" /> <Result value="800B010A">A certificate chain could not be built to a trusted root authority.</Result> </CertVerifyCertificateChainPolicy> </UserData> </Event>
CAPI2 Build Chain event :
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"> <System> <Provider Name="Microsoft-Windows-CAPI2" Guid="{5bbca4a8-b209-48dc-a8c7-b23d3e5216fb}" /> <EventID>11</EventID> <Version>0</Version> <Level>2</Level> <Task>11</Task> <Opcode>2</Opcode> <Keywords>0x4000000000000003</Keywords> <TimeCreated SystemTime="2014-06-11T19:57:38.998656000Z" /> <EventRecordID>5641</EventRecordID> <Correlation /> <Execution ProcessID="5280" ThreadID="8472" /> <Channel>Microsoft-Windows-CAPI2/Operational</Channel> <Computer>ne-r026-310cn</Computer> <Security UserID="S-1-5-82-1758914132-2364927631-3137608320-3227192193-3717738432" /> </System> <UserData> <CertGetCertificateChain> <Certificate fileRef="3E560462C61B45BE1A59F1286B34A065A878AFA0.cer" subjectName="servicebus.windows.net" /> <ValidationTime>2014-06-11T19:57:38.998Z</ValidationTime> <AdditionalStore /> <ExtendedKeyUsage /> <Flags value="0" /> <ChainEngineInfo context="machine" /> <AdditionalInfo> <NetworkConnectivityStatus value="1" _SENSAPI_NETWORK_ALIVE_LAN="true" /> </AdditionalInfo> <CertificateChain chainRef="{19B5F58A-FA37-4213-A888-C81C340D019C}"> <TrustStatus> <ErrorStatus value="10000" CERT_TRUST_IS_PARTIAL_CHAIN="true" /> <InfoStatus value="0" /> </TrustStatus> <ChainElement> <Certificate fileRef="3E560462C61B45BE1A59F1286B34A065A878AFA0.cer" subjectName="servicebus.windows.net" /> <SignatureAlgorithm oid="1.2.840.113549.1.1.5" hashName="SHA1" publicKeyName="RSA" /> <PublicKeyAlgorithm oid="1.2.840.113549.1.1.1" publicKeyName="RSA" publicKeyLength="2048" /> <TrustStatus> <ErrorStatus value="0" /> <InfoStatus value="2" CERT_TRUST_HAS_KEY_MATCH_ISSUER="true" /> </TrustStatus> <ApplicationUsage> <Usage oid="1.3.6.1.5.5.7.3.2" name="Client Authentication" /> <Usage oid="1.3.6.1.5.5.7.3.1" name="Server Authentication" /> </ApplicationUsage> <IssuanceUsage /> </ChainElement> </CertificateChain> <EventAuxInfo ProcessName="w3wp.exe" /> <CorrelationAuxInfo TaskId="{9077AB4E-95E3-449B-AF2F-0BF42E92E6B7}" 
SeqNumber="11" /> <Result value="800B010A">A certificate chain could not be built to a trusted root authority.</Result> </CertGetCertificateChain> </UserData> </Event>
CAPI2 X509 Objects event :
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"> <System> <Provider Name="Microsoft-Windows-CAPI2" Guid="{5bbca4a8-b209-48dc-a8c7-b23d3e5216fb}" /> <EventID>90</EventID> <Version>0</Version> <Level>4</Level> <Task>90</Task> <Opcode>0</Opcode> <Keywords>0x4000000000000200</Keywords> <TimeCreated SystemTime="2014-06-11T19:57:38.998656000Z" /> <EventRecordID>5640</EventRecordID> <Correlation /> <Execution ProcessID="5280" ThreadID="8472" /> <Channel>Microsoft-Windows-CAPI2/Operational</Channel> <Computer>ne-r026-310cn</Computer> <Security UserID="S-1-5-82-1758914132-2364927631-3137608320-3227192193-3717738432" /> </System> <UserData> <X509Objects> <Certificate fileRef="3E560462C61B45BE1A59F1286B34A065A878AFA0.cer" subjectName="servicebus.windows.net"> <Subject> <CN>servicebus.windows.net</CN> </Subject> <SubjectKeyID computed="false" hash="BD41618C22D8DBEE9D172C12A2C549D61711ED75" /> <SignatureAlgorithm oid="1.2.840.113549.1.1.5" hashName="SHA1" publicKeyName="RSA" /> <PublicKeyAlgorithm oid="1.2.840.113549.1.1.1" publicKeyName="RSA" publicKeyLength="2048" /> <Issuer> <CN>MSIT Machine Auth CA 2</CN> <DC>redmond</DC> <DC>corp</DC> <DC>microsoft</DC> <DC>com</DC> </Issuer> <SerialNumber>70DB015B000100008C58</SerialNumber> <NotBefore>2013-07-27T03:31:06Z</NotBefore> <NotAfter>2015-07-27T03:31:06Z</NotAfter> <Extensions> <KeyUsage value="B0" CERT_DIGITAL_SIGNATURE_KEY_USAGE="true" CERT_KEY_ENCIPHERMENT_KEY_USAGE="true" CERT_DATA_ENCIPHERMENT_KEY_USAGE="true" /> <ExtendedKeyUsage> <Usage oid="1.3.6.1.5.5.7.3.2" name="Client Authentication" /> <Usage oid="1.3.6.1.5.5.7.3.1" name="Server Authentication" /> </ExtendedKeyUsage> <SubjectAltName> <DNSName>*.servicebus.windows.net</DNSName> <DNSName>servicebus.windows.net</DNSName> </SubjectAltName> <AuthorityKeyIdentifier> <KeyID hash="EBDB115EF8099ED8D6629CFD629DE3844A28E127" /> </AuthorityKeyIdentifier> </Extensions> </Certificate> <EventAuxInfo ProcessName="w3wp.exe" /> <CorrelationAuxInfo 
TaskId="{9077AB4E-95E3-449B-AF2F-0BF42E92E6B7}" SeqNumber="10" /> </X509Objects> </UserData> </Event>
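A way to triage CAPI2 Build Chain events like the one quoted in the post above, as an added example that is not part of the original post: it pulls out the chain-level error flags, the subjects the chain engine managed to link, and the result code. The function names are hypothetical and SAMPLE_EVENT is a constructed, trimmed copy of the quoted event.

```python
import xml.etree.ElementTree as ET

# Constructed sample: trimmed copy of the Build Chain event (EventID 11) in the post.
SAMPLE_EVENT = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>11</EventID></System>
 <UserData><CertGetCertificateChain>
  <Certificate subjectName="servicebus.windows.net" />
  <CertificateChain>
   <TrustStatus>
    <ErrorStatus value="10000" CERT_TRUST_IS_PARTIAL_CHAIN="true" />
    <InfoStatus value="0" />
   </TrustStatus>
   <ChainElement>
    <Certificate subjectName="servicebus.windows.net" />
    <TrustStatus>
     <ErrorStatus value="0" />
     <InfoStatus value="2" CERT_TRUST_HAS_KEY_MATCH_ISSUER="true" />
    </TrustStatus>
   </ChainElement>
  </CertificateChain>
  <Result value="800B010A">A certificate chain could not be built.</Result>
 </CertGetCertificateChain></UserData>
</Event>"""


def _local(tag):
    # Drop the "{namespace}" prefix ElementTree puts on element names.
    return tag.rsplit("}", 1)[-1]


def _children(element, name):
    return [c for c in element if _local(c.tag) == name]


def summarize_build_chain(event_xml):
    """Summarize why a CAPI2 CertGetCertificateChain event failed."""
    root = ET.fromstring(event_xml)
    chain = next(e for e in root.iter() if _local(e.tag) == "CertificateChain")
    result = next((e for e in root.iter() if _local(e.tag) == "Result"), None)
    # Chain-level flags only; each ChainElement carries its own TrustStatus.
    errors = sorted(
        name
        for status in _children(chain, "TrustStatus")
        for err in _children(status, "ErrorStatus")
        for name, value in err.attrib.items()
        if name != "value" and value == "true"
    )
    # Elements are listed leaf first; the last one is where chain building stopped.
    subjects = [
        _children(el, "Certificate")[0].get("subjectName")
        for el in _children(chain, "ChainElement")
    ]
    partial = "CERT_TRUST_IS_PARTIAL_CHAIN" in errors
    return {
        "chain_errors": errors,
        "chain_subjects": subjects,
        "result": result.get("value") if result is not None else None,
        # On a partial chain, the issuer of the last linked certificate was not found.
        "issuer_missing_for": subjects[-1] if partial and subjects else None,
    }
```

For the sample, the only linked subject is the leaf, so the certificate to look for in the machine's stores is the leaf's issuer, which the X509 Objects event names.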
Hi All,
I've followed the article "Get Started with Event Hubs" (from the Azure site) to install QPID and build the example code.
The Sender (Proton C version) keeps sending out messages but my Receiver (C# version) cannot receive any message.
In the meantime, I launch the C# version of the Sender, and the Receiver receives messages from it.
Anything wrong?
I wonder if I set the address variable correctly or not?
--> char * address = (char *) "amqps://SendRule:oMIp0gKe9yTQqlleZ2GYXw5GI6%2F35qX%2BVrbztPVISqo%3D@miceventhub-ns.servicebus.windows.net/miceventhub";
Best Regards,
mitacyy
I'm laying down the architecture for a Web Api that will be open to third parties on a subscription basis, and the third party's own IoT Devices will need to publish events "directly" to my own Azure Event Hub.
Naturally, I have to restrict which IoT devices are capable of directly publishing to my Event Hub, and therefore in my Developer API in my own customer portal, I will have to auto-generate custom access code snippets - and perhaps even provide a library - that will enable them to publish events directly to my own Event Hub, but which will restrict the capacity to do so to those who I have authorised to have access in my developer API area and in having authorised them, given them a mechanism so that they can directly publish to my Event Hub.
I'd also need the capacity to revoke or suspend individual third party access as well.
Is it possible for me to provide Third Party Publishing Rights to my Event Hub (or any mechanism that does the job) so that DIRECT publishing access is available but restricted to my own authorised third party clients?
The alternative would be for me to channel them INDIRECTLY through my own oAuth2 Web Api and have it pipe the events to my Event Hub, but that sort-of defeats the direct 'firehose' access advantage to Azure Event Hubs as I'd have to be capable of exponentially scaling the Web Api based upon a multitude of devices worldwide, needing to publish to the Event Hub via the Web Api, every five seconds?
And naturally, in addition to 'is it possible', given that it is, then 'how'?