LOB Security in BizTalk Adapter Service

 

Important

Microsoft Azure BizTalk Services (MABS) is being retired, and replaced with Azure Logic Apps. If you currently use MABS, then Move from BizTalk Services to Logic Apps provides some guidance on moving your integration solutions to Logic Apps.

If you're brand new to Logic Apps, then we suggest getting started here:

In Microsoft Azure BizTalk Services, BizTalk Adapter Service security refers to authentication with the Bridge Configuration cloud application and the on-premises Line-of-Business (LOB) systems. Authentication credentials are specified at design time and at runtime.

Design Time Security

Visual Studio is used to create and add LOB Targets to the BizTalk Service project. This process creates web services in IIS, writes data to the back-end Configuration Store database, and connects to the LOB system. As a result, you must do the following:

  • Open Visual Studio with Administrative privileges

  • Join the local Administrators group

  • Get the System Administrator right on the back-end SQL Server

  • Get the System Administrator right on the on-premises source LOB system

When a LOB Target is added to a BizTalk Service project in Visual Studio, the Connection can be configured using one of the following options:

  • Windows Authentication

  • User name and password

Note

Not all options may be available for the individual LOB adapters.

These credentials are used to connect to the LOB system, retrieve the metadata, and perform operations like INSERT or DELETE. Using these credentials, you then create a LOB Target by selecting an operation. The individual LOB components provide more information on creating the Connection:

Connect to Oracle Database or eBusiness Suite in a BizTalk Services Project

Connect to mySAP Business Suite in a BizTalk Services Project

Connect to Siebel eBusiness Applications in a BizTalk Services Project

Connect to SQL Server in a BizTalk Services Project

Runtime Security

Runtime authentication occurs when a message is sent through the Service Bus (on the cloud) to the BizTalk Adapter Service Runtime (on-premises) and then to the LOB system (on-premises). The LOB Target supports the following security mechanisms:

Fixed Username

The username and password specified when the Connection is configured. These credentials are persisted and are used to connect to the LOB system when a message for that LOB Target is received. Select this option if you are using a username and password created locally on the LOB system.

Fixed Windows Credentials

The username and password specified when the Connection is configured. These credentials are persisted and are used to connect to the LOB system when a message for that LOB Target is received. Select this option to use a Windows domain account.

Custom SOAP Header

The logon credentials are part of the message using a SOAP header.

Message Credential

The logon credentials are part of the message using a standard web service header.

Note

Not all options may be available for the individual LOB adapters.

To specify the Runtime security, configure the LOB Target in Visual Studio. The individual LOB components provide more information on creating a LOB Target:

Connect to Oracle Database or eBusiness Suite in a BizTalk Services Project

Connect to mySAP Business Suite in a BizTalk Services Project

Connect to Siebel eBusiness Applications in a BizTalk Services Project

Connect to SQL Server in a BizTalk Services Project

Additional Security Precautions

Enable HTTP 1.1 through Proxy

When using a Proxy Server, enable HTTP 1.1. There are several ways to enable HTTP 1.1 through proxy connections:

  • In Internet Explorer, go to the Tools menu and select Internet Options. In the Advanced tab, check Use HTTP 1.1 and Use HTTP 1.1 through proxy connections. By default, these are enabled.

    These settings update the EnableHttp1_1 and ProxyHttp1.1 values with a DWORD value of one (1) in the following registry key:

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    

    Tip

    The ProxyHttp1.1 value is not listed in the registry until the value is modified from its default value, which is enabled. If ProxyHttp1.1 is not listed in this registry key and Use HTTP 1.1 through proxy connections is checked in the Internet Explorer settings, then ProxyHttp1.1 is enabled.

  • Modify the Proxy Server settings to allow HTTP 1.1.

  • Create a Group Policy to enable HTTP 1.1 through proxy connections. This policy can then be applied to multiple users.

    When creating the policy, it’s typically applied to the Current User.
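The following PowerShell check is an added example, not part of the original page. It reads the two registry values named above for the current user and reports the effective setting, treating a missing value as the enabled default described in the Tip. Applying that default to EnableHttp1_1 as well is an assumption here, and the function name Get-Http11Setting is hypothetical.

```powershell
# Added example: report the effective HTTP 1.1 settings for the current user.
$key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

function Get-Http11Setting {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Name
    )
    # With errors suppressed, a missing value yields no object at all.
    $item = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # Absent value: never changed from its default, which is enabled
        # (stated on the page for ProxyHttp1.1; assumed here for EnableHttp1_1).
        return [pscustomobject]@{ Name = $Name; Stored = '(not present)'; Enabled = $true }
    }
    # Index by name because 'ProxyHttp1.1' contains a dot.
    $value = $item.PSObject.Properties[$Name].Value
    [pscustomobject]@{ Name = $Name; Stored = $value; Enabled = ($value -eq 1) }
}

$results = 'EnableHttp1_1', 'ProxyHttp1.1' |
    ForEach-Object { Get-Http11Setting -Path $key -Name $_ }

$results | Format-Table -AutoSize

if ($results.Enabled -contains $false) {
    Write-Warning 'HTTP 1.1 is disabled for this user; set the value to DWORD 1 or apply the Group Policy.'
}
```

Run it in the context of the account that the setting applies to, because the key is under HKEY_CURRENT_USER.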

Configure the Firewall

The BizTalk Adapter Service uses Service Bus Relays. For outgoing TCP communication, Service Bus Relays use TCP ports 9350 to 9354. Depending on your firewall settings, you may need to create an Outbound Rule for these TCP ports.

Hosting Behind a Firewall with the Service Bus provides Service Bus information for Firewalls and Proxy Servers.
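As an added example (not from the original page), the following PowerShell creates the Outbound Rule for TCP ports 9350 to 9354 in Windows Firewall if it does not already exist, then tests each port. The rule name and the relay host name are placeholders; substitute your own Service Bus namespace host. It must be run from an elevated session.

```powershell
# Added example: outbound rule for Service Bus Relay ports, plus a reachability test.
$ruleName  = 'BizTalk Adapter Service - Service Bus Relay (outbound)'  # hypothetical rule name
$relayHost = 'YOUR-NAMESPACE.servicebus.windows.net'                    # placeholder host

# Create the rule only once so repeated runs do not pile up duplicates.
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName `
        -Direction Outbound -Action Allow `
        -Protocol TCP -RemotePort '9350-9354' | Out-Null
}

# Test each port. A failure can mean an upstream firewall or proxy blocks it,
# or that the endpoint is not listening on that particular port.
9350..9354 | ForEach-Object {
    $r = Test-NetConnection -ComputerName $relayHost -Port $_ -WarningAction SilentlyContinue
    [pscustomobject]@{ Port = $_; Reachable = $r.TcpTestSucceeded }
} | Format-Table -AutoSize
```

The rule only covers the local Windows Firewall; perimeter firewalls and proxy servers need the same outbound ports opened separately.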

See Also

Troubleshoot the BizTalk Adapter Service
Using the BizTalk Adapter Service (BAS)