When a session or message is received from the subscription, the service ID Is authorized and can receive and complete or discard messages as needed.
However, when trying to access a subscription that the service ID cannot access, I don’t see UnauthorizedAccessException, nor do I see this exception. Trying to execute the rule group When an operation that does not issue a statement to the service ID, the relying party (such as sending a message or creating a topic).
On the contrary, I eventually see a TimeoutException-“Try to access https://namespace-sb .accesscontrol.windows.net/WRAPv0.9/” is the timeout when acquiring the token. The internal exception is a SecurityTokenException-“the token provider is accessing” https://namespace-sb.accesscontrol.windows.net/ WRAPv0.9/”Unable to provide a security token. The token provider returns a message: “The operation is timed out'”. This will cause problems with RetryPolicy, because the timeout exception is considered short-lived.
The strange thing is that when trying to receive the subscription instructions, I receive an UnauthorizedAccessException. According to Rights Required for Service Bus Operations, you can use the Listen statement to provide service identity within the scope of… myTopic / Subscriptions / mySubscription.
I have the following settings:
>Service identity: testidentity
>Rule group:
>Service bus default rule group
> 3 Rules, input claim: owner, output claim: manage, send, listen
> http://namespace.servicebus.windows.net/myTopic rule group
>no rules
> http://namespace.servicebus.windows.net/myTopic/Subscriptions rule group
>no rule
> http://namespace.servicebus .windows.net/m yTopic/Subscriptions/mySubscription rule group
>One rule: Input statement: testidentity, Output Claim: Listen
>Relying party application:
>Field: http ://namespace.servicebus.windows.net/myTopic/Subscriptions/mySubscription
>Token format: SWT
>Token lifetime: 10800
>Identity provider: None (ACS)
> Associated with all the rule groups listed above
I see the following questions:
var manager = NamespaceManager.CreateFromConnectionString("Endpoint=sb:/ /namespace.servicebus.windows.net/;SharedSecretIssuer=testidentity;SharedSecretValue=SSdtIE5vdCBUZWxsaW5n=");
var description = manager.GetSubscription("myTopic","mySubscription");
Causes UnauthoriszedAccessException Exception-“The remote server returned an error: (401) Unauthorized. I want to be able to retrieve the description instead of receiving this exception. Interestingly, this is the only area where the identity is accessible, and the only area where I see UnauthorizedAccessException.
var subscriptions = manager.GetSubscriptions("myTopic");
Causing TimeoutException, the internal exception type is SecurityTokenException. I will look forward to UnauthorizedAccessException here.< /p>
var client = SubscriptionClient.CreateFromConnectionString("Endpoint=sb://namespace.servicebus.windows.net/;Shar edSecretIssuer=testidentity;SharedSecretValue=SSdtIE5vdCBUZWxsaW5n=", "myTopic", "otherSubscription");
var message = client.Receive()
The result message is null, but I want to have an UnauthorizedAccessException again .Checking the output, I see an exception that occurred in the output window, but it was swallowed by the client:
A first chance exception of type'System.Net.WebException' occurred in System.dll
A first chance exception of type'Microsoft.ServiceBus.TokenProviderHelper.InternalSecurityTokenException' occurred in Microsoft.ServiceBus.dll
A first chance exception of type'System.Net.WebException' occurred in System. dll
A first chance exception of type'Microsoft.ServiceBus.TokenProviderHelper.InternalSecurityTokenException' occurred in Microsoft.ServiceBus.dll
A first chance exception of type'System.Net.WebException' occurred in System.dll< br />A first chance exception of type'System.Net.WebException' occurred in System.dll
A first chance exception of type'Microsoft.ServiceBus.TokenProviderHelper.InternalSecurityTokenException' oc curred in Microsoft.ServiceBus.dll
A first chance exception of type'Microsoft.ServiceBus.TokenProviderHelper.InternalSecurityTokenException' occurred in Microsoft.ServiceBus.dll
A first chance exception of type'System.Net.WebException' occurred in System.dll
A first chance exception of type'Microsoft.ServiceBus.TokenProviderHelper.InternalSecurityTokenException' occurred in Microsoft.ServiceBus.dll
A first chance exception of type'System.Net.WebException' occurred in System.dll
A first chance exception of type'Microsoft.ServiceBus.TokenProviderHelper.InternalSecurityTokenException' occurred in Microsoft.ServiceBus.dll
A first chance exception of type'System.Net.WebException' occurred in System. dll
A first chance exception of type'Microsoft.ServiceBus.TokenProviderHelper.InternalSecurityTokenException' occurred in Microsoft.ServiceBus.dll
A first chance exception of type'System.Net.WebException' occurred in System.dll< br />A first chance e xception of type'Microsoft.ServiceBus.TokenProviderHelper.InternalSecurityTokenException' occurred in Microsoft.ServiceBus.dll
A first chance exception of type'System.Net.WebException' occurred in System.dll
A first chance exception of type'Microsoft.ServiceBus.TokenProviderHelper.InternalSecurityTokenException' occurred in Microsoft.ServiceBus.dll
A first chance exception of type'System.Net.WebException' occurred in System.dll
A first chance exception of type ' Microsoft.ServiceBus.TokenProviderHelper.InternalSecurityTokenException' occurred in Microsoft.ServiceBus.dll
A first chance exception of type'System.Net.WebException' occurred in System.dll
A first chance exception of type'Microsoft. ServiceBus.TokenProviderHelper.InternalSecurityTokenException' occurred in Microsoft.ServiceBus.dll
A first chance exception of type'System.Net.WebException' occurred in System.dll
A first chance exception of type'Microsoft.ServiceBus. TokenProviderHelp er.InternalSecurityTokenException' occurred in Microsoft.ServiceBus.dll
A first chance exception of type'System.Net.WebException' occurred in System.dll
A first chance exception of type'Microsoft.ServiceBus.TokenProviderHelper. InternalSecurityTokenException' occurred in Microsoft.ServiceBus.dll
A first chance exception of type'System.Net.WebException' occurred in System.dll
A first chance exception of type'Microsoft.ServiceBus.TokenProviderHelper.InternalSecurityTokenException' occurred in Microsoft.ServiceBus.dll
A first chance exception of type'System.Net.WebException' occurred in System.dll
A first chance exception of type'Microsoft.ServiceBus.TokenProviderHelper.InternalSecurityTokenException' occurred in Microsoft.ServiceBus.dll
A first chance exception of type'System.Net.WebException' occurred in System.dll
A first chance exception of type'Microsoft.ServiceBus.TokenProviderHelper.InternalSecurityTokenException' occurred in Microsoft .ServiceBus.dll
A first chance exception of type'System.Net.WebException' occurred in System.dll
A first chance exception of type'Microsoft.ServiceBus.TokenProviderHelper.InternalSecurityTokenException' occurred in Microsoft.ServiceBus .dll
A first chance exception of type'System.Net.WebException' occurred in System.dll
A first chance exception of type'Microsoft.ServiceBus.TokenProviderHelper.InternalSecurityTokenException' occurred in Microsoft.ServiceBus.dll
A first chance exception of type'System.TimeoutException' occurred in Microsoft.ServiceBus.dll
A first chance exception of type'System.TimeoutException' occurred in Microsoft.ServiceBus.dll
A first chance exception of type'System.TimeoutException' occurred in Microsoft.ServiceBus.dll
A first chance exception of type'System.TimeoutException' occurred in Microsoft.ServiceBus.dll
Similarly, try to create the theme , Sending a message, etc. will also cause TimeoutException.
Trying to access a field that the service identity cannot access, instead of when I expect to receive an UnauthorizedAccessException , Is this correct?
I think this setting does have the desired result-the identity cannot listen to the subscription, instead of a subscription associated with the authentication and monitoring rules identified by the authentication field, but I am worried that the error feedback is not clear, and Will result in continuous retries.
Any suggestions would be greatly appreciated.
To generate the ACS namespace, please try to use the new azuresbnamespace PowerShell cmdlet to create the SB namespace.
I am using an access control service to authorize access to a specific service bus subscription with a specific service ID .
When receiving a session or message from a subscription, the service identity is authorized, and the message can be received and completed or discarded as needed.
However, when trying to access the service identity I did not see UnauthorizedAccessException when the subscription was not accessible, nor did I see this exception when trying to perform operations that the rule group will not issue a statement to the service identity, the relying party (such as sending a message or creating a topic).
< p>Instead, I ended up seeing a TimeoutException-“Trying to get the token when accessing https://namespace-sb.accesscontrol.windows.net/WRAPv0.9/” timeout. The internal exception is a SecurityTokenException- “The token provider cannot provide a security token when accessing “https://namespace-sb.accesscontrol.windows.net/WRAPv0.9/”. The token provider returns a message: “The operation is time up”. This Will cause problems with RetryPolicy, because the timeout exception is considered short-lived.
The strange thing is that when trying to receive the subscription instructions, I receive an UnauthorizedAccessException. According to Rights Required for Service Bus Operations ,You can use the Listen statement to provide service identity within the scope of… myTopic / Subscriptions / mySubscription.
I have the following settings:
>Service identity: t estidentity
>rule group:
>Service Bus’s default rule group
> 3 rules, input claim: owner, output claim: manage, send, listen
p>
> http://namespace.servicebus.windows.net/myTopic rule group
>no rule
> http://namespace.servicebus.windows.net /myTopic/Subscriptions rule group
>No rule
> http://namespace.servicebus.windows.net/myTopic/Subscriptions/mySubscription rule group
>One rule: Input statement: testidentity, Output Claim: Listen
>Relying party application:
>Field: http://namespace.servicebus.windows.net/myTopic/Subscriptions /mySubscription
>Token format: SWT
>Token lifetime: 10800
>Identity provider: None (ACS)
>Associated with all rule groups listed above
I see the following questions:
var manager = NamespaceManager.CreateFromConnectionString("Endpoint=sb://namespace.servicebus.windows.net/;SharedSecretIssuer=testidentity; SharedSecretValue=SSdtIE5vdCBUZWxsaW5n=");
var description = manager.GetSubscription("myTopic","mySubscription");
Causing UnauthoriszedAccessException-“The remote server returned an error: (401) Unauthorized. I want to be able to retrieve the description instead of receiving this exception. Interestingly, this is the only field accessible by the identity, and the only field where I see UnauthorizedAccessException.
var su bscriptions = manager.GetSubscriptions("myTopic");
Causes TimeoutException, the internal exception type is SecurityTokenException. I will look forward to UnauthorizedAccessException here.
var client = SubscriptionClient.CreateFromConnectionString("Endpoint=sb://namespace.servicebus.windows.net/;SharedSecretIssuer=testidentity;SharedSecretValue=SSdtIE5vdCBUZWxsaW5n=", "myTopic", "otherSubscription");
var message = client.Receive ()
The result message is null, but again I want to have an UnauthorizedAccessException. Checking the output, I see an exception that occurred in the output window, but it was swallowed by the client:
< /p>
A first chance exception of type'System.Net.WebException' occurred in System.dll
A first chance exception of type'Microsoft.ServiceBus.TokenProviderHelper.InternalSecurityTokenException' occurred in Microsoft.ServiceBus.dll
A first chance exception of type'System.Net.WebException' occurred in System.dll
A first chance exception of type'Microsoft.ServiceBus.TokenProviderHelper.InternalSecurityTokenException' occurred in Microsoft.ServiceBus.dll
A first cha nce exception of type'System.Net.WebException' occurred in System.dll
A first chance exception of type'System.Net.WebException' occurred in System.dll
A first chance exception of type'Microsoft .ServiceBus.TokenProviderHelper.InternalSecurityTokenException' occurred in Microsoft.ServiceBus.dll
A first chance exception of type'Microsoft.ServiceBus.TokenProviderHelper.InternalSecurityTokenException' occurred in Microsoft.ServiceBus.dll
A first chance exception of type 'System.Net.WebException' occurred in System.dll
A first chance exception of type'Microsoft.ServiceBus.TokenProviderHelper.InternalSecurityTokenException' occurred in Microsoft.ServiceBus.dll
A first chance exception of type'System .Net.WebException' occurred in System.dll
A first chance exception of type'Microsoft.ServiceBus.TokenProviderHelper.InternalSecurityTokenException' occurred in Microsoft.ServiceBus.dll
A first chance exception of type'System.Net .WebException' occurred in System.dll
A first chance exception of type'Microsoft.ServiceBus.TokenProviderHelper.InternalSecurityTokenException' occurred in Microsoft.ServiceBus.dll
A first chance exception of type'System.Net.WebException' occurred in System .dll
A first chance exception of type'Microsoft.ServiceBus.TokenProviderHelper.InternalSecurityTokenException' occurred in Microsoft.ServiceBus.dll
A first chance exception of type'System.Net.WebException' occurred in System.dll
A first chance exception of type'Microsoft.ServiceBus.TokenProviderHelper.InternalSecurityTokenException' occurred in Microsoft.ServiceBus.dll
A first chance exception of type'System.Net.WebException' occurred in System.dll
A first chance exception of type'Microsoft.ServiceBus.TokenProviderHelper.InternalSecurityTokenException' occurred in Microsoft.ServiceBus.dll
A first chance exception of type'System.Net.WebException' occurred in System.dll
A first chance exception of type'Mi crosoft.ServiceBus.TokenProviderHelper.InternalSecurityTokenException' occurred in Microsoft.ServiceBus.dll
A first chance exception of type'System.Net.WebException' occurred in System.dll
A first chance exception of type'Microsoft. ServiceBus.TokenProviderHelper.InternalSecurityTokenException' occurred in Microsoft.ServiceBus.dll
A first chance exception of type'System.Net.WebException' occurred in System.dll
A first chance exception of type'Microsoft.ServiceBus. TokenProviderHelper.InternalSecurityTokenException' occurred in Microsoft.ServiceBus.dll
A first chance exception of type'System.Net.WebException' occurred in System.dll
A first chance exception of type'Microsoft.ServiceBus.TokenProviderHelper. InternalSecurityTokenException' occurred in Microsoft.ServiceBus.dll
A first chance exception of type'System.Net.WebException' occurred in System.dll
A first chance exception of type'Microsoft.ServiceBus.TokenProviderHelper.InternalSecurityT okenException' occurred in Microsoft.ServiceBus.dll
A first chance exception of type'System.Net.WebException' occurred in System.dll
A first chance exception of type'Microsoft.ServiceBus.TokenProviderHelper.InternalSecurityTokenException' occurred in Microsoft.ServiceBus.dll
A first chance exception of type'System.Net.WebException' occurred in System.dll
A first chance exception of type'Microsoft.ServiceBus.TokenProviderHelper.InternalSecurityTokenException' occurred in Microsoft.ServiceBus.dll
A first chance exception of type'System.Net.WebException' occurred in System.dll
A first chance exception of type'Microsoft.ServiceBus.TokenProviderHelper.InternalSecurityTokenException' occurred in Microsoft. ServiceBus.dll
A first chance exception of type'System.TimeoutException' occurred in Microsoft.ServiceBus.dll
A first chance exception of type'System.TimeoutException' occurred in Microsoft.ServiceBus.dll
A first chance exception of type 'System.TimeoutException' occurred in Microsoft.ServiceBus.dll
A first chance exception of type'System.TimeoutException' occurred in Microsoft.ServiceBus.dll
Similarly, try to create a topic, send a message, etc. It will also cause TimeoutException.
Is this correct when trying to access a realm that the service identity cannot access, instead of when I expect to receive an UnauthorizedAccessException?
I think this setting does have the desired result-the identity cannot listen to the subscription, instead of a subscription associated with the authentication and monitoring rules identified by the authentication field, but I am worried that the error feedback is not clear, and Will result in continuous retries.
Any suggestions would be greatly appreciated.
A new one created after 8/22 through the Azure portal The SB namespace no longer generates the accompanying ACS namespace. So it is entirely possible that the timeout you receive is the correct behavior.
To generate the ACS namespace, try the new azuresbnamespace PowerShell cmdlet creates SB namespace.