If you’ve been in the BizTalk world long enough, you’ve probably heard that you can securely store name/value pairs in the Enterprise Single Sign-On (SSO) database. However, I’ve never been thrilled with the mechanism for inserting and managing these settings, so I’ve built a tool to fill the void.
Jon Flanders did some great work with SSO for storing configuration data, and the Microsoft MSDN site also has a sample application for using SSO as a Configuration Store, but neither gave me exactly what I wanted. I want to lower the barrier to entry for SSO since it’s such a useful way to securely store configuration data.
So, I built the SSO Config Store Application Manager.
I can go ahead and enter an application name, description, account groups with access permissions, and finally, a collection of fields that I want to store. “Masking” applies to confidential values and makes sure they are only returned “in the clear” at runtime (using the SSO_FLAG_RUNTIME flag). Everything in the SSO database is fully encrypted; this flag only controls whether clear values are returned, which happens for runtime queries alone.
You may not want to abandon the “ssomanage” command line completely, so I let you export the “new application” configuration into the SSO-ready format. You could also change this file for each environment (different user accounts, for instance), and then from the tool, load a particular XML configuration file during installation. So, I could create XML instances for development/test/production environments, open this tool in each environment, and load the appropriate file. Then, all you have to do is click “Create.”

If you flip to the “Manage” tab of the application, you can set the field values, or delete the application. Querying an application returns all the necessary info and the list of property names you previously defined.
If you’re REALLY observant, and use the “ssomanage” tool to check out the created application, you’ll notice that the first field is always named “dummy.” This is because in every case I’ve tested, the SSO query API doesn’t return the first property value from the database. Drove me crazy. So, I put a “dummy” in there, so that you’re always guaranteed to get back what you put in (e.g. put in four fields, including dummy, and always get back the three you actually entered). So, you can go ahead and safely enter values for each property in the list.
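The per-environment configuration files and the “dummy” first field described above, sketched as an added example (not the tool’s own code or output). The XML element and attribute names are an assumed ssomanage-style layout, and the application name, field labels, contact and account groups are constructed, so compare the result with a file exported by the tool before loading it.

```python
import xml.etree.ElementTree as ET

PLACEHOLDER = "dummy"  # throwaway first field described in the post

def build_app_xml(name, description, contact, user_group, admin_group,
                  fields, allow_local_accounts=False):
    """Return application XML; fields is a list of (label, masked) tuples.

    Element and attribute names are an assumed ssomanage-style layout.
    """
    if "." in name:  # a commenter on the post advises against dots in names
        raise ValueError("application name must not contain '.'")
    labels = [label for label, _ in fields]
    if PLACEHOLDER in labels or len(set(labels)) != len(labels):
        raise ValueError("field labels must be unique and not 'dummy'")

    sso = ET.Element("sso")
    app = ET.SubElement(sso, "application", name=name)
    ET.SubElement(app, "description").text = description
    ET.SubElement(app, "contact").text = contact
    ET.SubElement(app, "appUserAccount").text = user_group
    ET.SubElement(app, "appAdminAccount").text = admin_group
    # Placeholder takes ordinal 0, so the skipped first value is never a real one.
    for ordinal, (label, masked) in enumerate([(PLACEHOLDER, False), *fields]):
        ET.SubElement(app, "field", ordinal=str(ordinal), label=label,
                      masked="yes" if masked else "no")
    ET.SubElement(app, "flags", configStoreApp="yes", enableApp="yes",
                  allowLocalAccounts="yes" if allow_local_accounts else "no")
    return ET.tostring(sso, encoding="unicode")

# Constructed sample: identical fields, different account groups per environment.
FIELDS = [("ftpUser", False), ("ftpPassword", True), ("connectionString", True)]
ENVIRONMENTS = {
    "dev": dict(user_group=r"DEVBOX\Order App Users",
                admin_group=r"DEVBOX\Order App Admins",
                allow_local_accounts=True),  # stand-alone box, no domain
    "test": dict(user_group=r"TESTDOM\Order App Users",
                 admin_group=r"TESTDOM\Order App Admins"),
    "prod": dict(user_group=r"PRODDOM\Order App Users",
                 admin_group=r"PRODDOM\Order App Admins"),
}

def build_all(app_name="OrderService"):
    """One XML document per environment, keyed by environment name."""
    return {env: build_app_xml(app_name, "Order service settings",
                               "ops@example.com", fields=FIELDS, **cfg)
            for env, cfg in ENVIRONMENTS.items()}

if __name__ == "__main__":
    for env, xml_text in build_all().items():
        print(f"--- {env} ---\n{xml_text}")
```

Only field definitions go into these files, never values, so the secrets themselves stay in the SSO database.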
So how do we actually test that this works? I’ve included a class, SSOConfigHelper.cs (slightly modified from the MSDN SSO sample) in the zip file below, which you would include in your application or class library. This class has the “read” operation you need to grab the value from any SSO application. The command is as simple as:
Finally, when you’re done messing around in development, you can delete the application.
I have plenty of situations coming up where the development team will need to securely store passwords and connection strings and I didn’t like the idea of trying to encrypt the BizTalk configuration file, or worse, just being lazy and embedding the credentials in the code itself. Now, with this tool, there’s really no excuse not to quickly build an SSO Config Store application and jam your values in there.
You can download this tool from here.
Wade Wegner
September 21, 2007
Great stuff, Richard! I will definitely try this out!
Chris Romp
September 26, 2007
This is great! I’ve been wanting to build something similar for some time. Thanks!
Steef-Jan Wiggers
October 10, 2007
Hi Richard,
I am working for a customer that uses the SSO Config Store to place configuration data in. One of the drawbacks is that there is no easy UI or tool to manage data inside the store. Your tool provides this so I am very happy not to come up with a solution myself. I will introduce your tool to this customer next week and try it out.
Thx,
Steef-Jan
Richard Seroter
October 10, 2007
Hey Steef-Jan,
If your customer has any feedback, let me know.
Kelly Meade
October 11, 2007
This looks like a very nice tool! This interface is much cleaner than some others we’ve tried.
I am curious about how to add new fields to an existing application entry. We tried adding them to the bottom of the “Manage” grid and clicking the save button, but the new entries aren’t saved – or, at least, they disappear when the “Retrieve Settings” button is clicked.
We anticipate that some of our applications will continue to grow and require additional configuration settings, but deleting and recreating an app doesn’t seem like a great approach.
Are we missing something?
Richard Seroter
October 11, 2007
Hi Kelly,
Funny enough, this topic came up at my office yesterday. In looking at the provided SSO API, you can “UpdateApplication” which lets you change settings, but, doesn’t look like there is an “UpdateFields” to allow for adding/modifying/deleting application fields.
In our case, we took the XML file from our application, added the field we wanted, deleted the old one, and created a new one.
Not great, but workable. I’ll see if there’s a way to add this via some other channel …
Anonymous
October 12, 2007
Hi Richard,
I have been really trying to implement the SSO solution for our Windows applications across the company. I have not found a real good sample which helps to integrate all Windows applications (desktop/web [asp/asp.net 1.0,1.4,2.0 etc]) using BizTalk SSO.
Please let me know if you have any ideas/resources relating to this.
My email id is jacobmathew@hotmail.com.
Thank you
Jacob
Wade Wegner
October 14, 2007
Richard, I was able to finally use this in one of our solutions, and it’s awesome. Thank you for taking the time to put this together and publish it!
Richard Seroter
October 15, 2007
Thanks Wade.
And Jacob, I haven’t considered using BizTalk SSO in that broad a fashion. No reason it’s not possible to do so (esp. with AD integration), but I can’t provide you too much direction on this.
Mark
February 19, 2008
Hi Richard,
This looks like a great tool. Is there any guidance on how this compares with the MMC snap-in? I don’t seem to be able to see applications created in one tool when viewing in the other?
Also, are you intending to publish the source code?
Cheers
Mark
Richard Seroter
February 25, 2008
Hey Mark,
This does things a bit differently than the snap in. I personally didn’t have as much luck using the built in snap in, thus this tool. I should spend more time comparing the two and seeing how to get the applications created in each to show up for the other.
As for source code, yeah, I need to do that. I’ll try and throw it up on CodePlex this week …
Richard Seroter
February 28, 2008
Mark, source code is here … http://seroter.wordpress.com/2008/02/28/sso-config-data-store-tool-biztalkwcf-scenario-source-code-available/
Philippe
March 6, 2008
Hello,
Thanks for the code for that nice little UI. I’m about to make some changes to your UI to be able to handle an XML inside a field value. I found a way to bypass the problems regarding the static number of fields that you can use, which must be set at the SSO application creation. I will probably attach some text field to your list so you can see the XML value much better; it’s hard to see inside a list.
So we basically have 1 field only in the SSO; that field contains an XML string in which you list all your config fields and values, so it allows you to change it as you need.
I also made a wrapper around the SSOConfigHelper class; it retrieves from the XML (the XML value) the value you want.
Thanks again for your code, so I didn’t have to completely redevelop such a tool.
Does anyone know if a new BizTalk version (other than 2006) will address those config store issues, and have a great UI for it?
Ilya
April 27, 2008
How do I manage SSO config properties using SSO command line tools, if it is at all possible? I could never find any info on this.
Richard Seroter
April 27, 2008
Ilya,
Do you mean application-specific properties, or SSO-wide configuration properties? If the latter, you can use the ssoconfig tool to change some things, or use the SSO Admin Snap In to change general SSO properties.
Paul Petrov
May 16, 2008
Richard,
Thanks for the great utility. I added some extensions to import/export actual field values to the same configuration file.
Details: http://geekswithblogs.net/paulp/archive/2008/05/16/122205.aspx
Richard Seroter
May 16, 2008
That’s awesome, Paul. Smart addition.
Richard Hallgren
May 31, 2008
Excellent tool. I use it all the time. Just remember not to use dots (.) in your application names …
Nick Heppleston
July 8, 2008
Hi Richard,
Do you have an updated version of this tool that exports existing applications (i.e. from the ‘Manage Application’ tab?) as the File -> Save Configuration to Xml option appears to be greyed out; or, can you suggest a way to achieve this?
I appreciate that this sort of defeats the point of an encrypted config store, however our ops team wants a tangible backup before they apply any further changes to the store.
Cheers, Nick.
Richard Seroter
July 8, 2008
Hey Nick,
Were you thinking of exporting the “config+data” or just be able to export the configuration of existing applications?
Nick Heppleston
July 11, 2008
Config+data, but just for a single app.
Richard Seroter
July 15, 2008
Hey Nick,
I guess we’d have to add a feature to export the data as well, and, when loading it back in, populate the UI controls. I’ll have to take a look at that and see if your proposed “Export Application” is easy to put in.
Clement Baker
August 5, 2008
Absolutely fantastic. We were about to do something like. You saved our time.:)
Mark
September 22, 2008
Hey Richard! Great tool! Ur the man!
Ankur
November 19, 2008
Hi,
I’m receiving the following error while trying to use the code for the Helper class:
Class ‘ConfigurationPropertyBag’ must implement ‘Sub Read(propName As String, ByRef ptrVar As Object, errorLog As Integer)’ for interface ‘Microsoft.BizTalk.SSOClient.Interop.IPropertyBag’.
I copied the code as is from your helper class and converted that to VB.NET.
Let me know if I’m missing something?
john
November 24, 2008
Hi Richard,
Great tool. Thanks.
When I try to use it in BizTalk 2006 R2 on the send port, the affiliated application doesn’t show. It must be something in the database. If you ever figure it out please let me know.
I think it is the same reason that the BizTalk SSO admin tool doesn’t show it.
Thanks
Richard Seroter
November 30, 2008
Ankur,
What happens if you leave the class in C#, compile it into an assembly, and reference it from VB.NET code instead?
Mattias Hammarsten
December 22, 2008
Hi Richard!
It’s a great tool you’ve got here. Would really want to use it for storing username/passwords in our FTP ports.
I’ve experimented with it a little bit and it works fine apart from the thing that “john” noticed. The affiliate application won’t list either in the “SSO Affiliate” drop list (in the FTP port config) or by running “ssomanage -listapps” (nor from the MMC, but I guess that’s pretty much the same).
However, I see it in the SSODB SSOX_ApplicationInfo table and I can use your tool to retrieve the settings.
Perhaps this is not a problem (since there are a bunch of other apps in the SSOX_ApplicationInfo table that don’t get listed either) but I’m new to this so frankly I don’t know. Perhaps I should mention that I’ve tested it on my local developer machine that isn’t connected to a domain (no AD accounts).
The thing here is that I think it would be nice for our administrators to be able to see what apps there are via the standard MMC GUI.
I would be really happy if you could help out and shed some light on this.
Best regards/Merry Xmas
Mattias Hammarsten
Allen
February 13, 2009
Richard,
The Save Configuration as XML function is disabled from the Manage Application tab. How do I get it to work?
Richard Seroter
February 14, 2009
Hi there,
I think that option is only enabled when you create a new application, not when you view an existing one.
Patrick Smith
October 19, 2009
Hi Richard
I’ve developed a GUI tool that does a similar job to yours except that you can view all apps and associated key/value pairs.
The problem I have is that if a single app contains more than 512 config entries, the SSODB throws a fit and responds with the following error: [RPC: 0x800706F7: The stub recieved bad data] and none of the config data is viewable.
I was wondering if you’ve ever come across this limitation on the number of config entries an app can contain and, if you have, if you know of a workaround.
Regards
Patrick
Richard Seroter
November 2, 2009
Hey Patrick,
I haven’t seen that limitation and unfortunately am not aware of a resolution except for splitting up the values into multiple apps!
PS
November 10, 2009
Sir,
I know it is slightly off the topic but do you know if and how I can package this onto an application using the deployment framework? Also, am I allowed to do that from a licencing perspective (since it is your code)?
regards,
PS
Richard Seroter
November 11, 2009
Not sure how to package it, but you are certainly welcome to do so without any fear of me chasing you down later. All I ask is that you keep the acknowledgements of me as the author.
Colin Basterfield
December 3, 2009
Hi Richard,
This is a great tool, but in the time since you last commented on this is there a better way to ‘update’ the application beyond the workaround you posted in response to Kelly Meade’s question about this?
Many thanks for such a great tool, and I’ve enjoyed your book
regards
Colin
Richard Seroter
December 10, 2009
Hey Colin,
I haven’t made any changes to it that address that scenario. I do include the source here though, so hopefully this is something you could figure out!
Vivek
March 29, 2010
Great tool Richard.
I am facing a small glitch. I was able to retrieve the information from SSODB on my dev box (stand-alone installation). But it threw an exception when I moved it to a multi-server deployment. Though, I was able to make it work by having the SSO service run under the same account as my BizTalk host, but it doesn’t seem to be a good practice. Do you have any recommendation/suggestion on this?
Thanks.
Richard Seroter
April 7, 2010
Vivek, I don’t have any good suggestions for you on that one. I assume that whatever account you’re accessing SSO as needs to be in the proper SSO groups.
Vivek
April 8, 2010
Richard,
I was able to solve the problem by adding the account under which my BizTalk host(s) run to the “SSO Application Users” domain group.
Ron
June 17, 2010
Richard,
You have a really great tool here. I am actually in the process of re-writing it though. I’ve added a schema and its supporting class to work with single or multiple application configurations. I’ve also added the ability to mass export and import configurations that are contained in a single file, i.e. multiple applications. The reason for the mass import and export feature is for moving our applications from one environment to the next without having to hand enter each application. I have a couple more features I would like to add to it before I write a tutorial on it. If anyone has features they would like to see just let me know and I’ll do my best to get them in. Also I am looking for a good place to write my tutorial/blog; I’m definitely open to suggestions there as well.
Thanks,
Ron
Richard Seroter
July 1, 2010
Ron, thanks for adding features to the tool. There have been a few folks who have done that, and I’ve been meaning to write a blog post pointing them out.
Kumar
July 16, 2010
Hi Richard,
I am using the SSO Config Store Application Manager tool to configure the BizTalk SSO applications.
I am getting some errors while creating the application.
1) I am seeing Applications in the list which are not created.
2) When I try to select one, it’s throwing an error “Application does not exisit”
I have freshly installed a new SQL Server and configured the BizTalk Server. Before this it was using other server which is fully configured.
Can you please help me out in removing these applications ?
Thanks
Kumar
Richard Seroter
July 17, 2010
Kumar,
Are you getting errors while creating or deleting? You are seeing applications in the list which are not created. I’m not sure what that means.
Kumar
July 17, 2010
Hi Richard,
I have deleted all the applications in the SSO tool and created the Application with a couple of parameters. When I click Create New Application, it gives me a response saying Application Successfully created.
When I go back to the Manage Applications tab, enter the Application name and click Retrieve Settings, it gives an error saying that Application Does Not Exist.
Thanks
Mallesh B
Kumar
July 19, 2010
Hi Richard,
I got this one fixed.
The issue was that the SSO was referencing the other Message Box. I reconfigured the Enterprise SSO through the command prompt ssomanage and assigned the local BizTalk server.
Now I am able to create the Applications and assign the values to the parameters.
Thanks for all your support.
–Kumar
Richard Seroter
July 19, 2010
Nice! Glad you got it.
Jason Slemons
April 18, 2012
I have looked through a few different solutions for the SSODB/Config problem and aside from looking at how the methods are used, how do you know so much about Microsoft.EnterpriseSingleSignOn.Interop? Like how does one find out what SSOConfigStore really has in it, or what GetConfigInfo does if the code is all internal to Microsoft?
Richard Seroter
April 26, 2012
A lot of trial and error, most likely
The documentation starts to point you in the right direction (http://technet.microsoft.com/en-us/library/ee255336(BTS.10).aspx) and I had used various other samples to try things out.
Ratna Kishore Kalvakolanu
September 5, 2012
Hi Seroter,
I am impressed with the tool that I have been using for 3 years without any problem. Now I need to call this .exe file from the command line by passing the .xml. If you have any example or document related to invoking ssoconfig.exe through the command line utility, please share with me.
Ratna
Atif
October 2, 2012
Hi Richard,
I left a post on your other blog about the same tool, the one updated 2010, but I see you active in 2012 on this one. Great tool, but I really have a need for the option that is buggy in your tool. It’s the same issue Kelly described up above. Can’t save if you edit in manage and add or change a property/value. Did you ever resolve that? One way could be to read the app, delete it, add the new values or changed values and then create it again?
Let me know if there is a version with a fix.
Richard Seroter
October 2, 2012
Hey, feel free to check out the source code and see if I have a condition there that is preventing this from working for you. I hadn’t heard of others with the issue, but maybe they were too polite to mention it!