Overcoming WinSCP Assembly Issues in BizTalk 2016

Recently I was having issues on BizTalk 2016 getting the SFTP adapter to work correctly. I had followed all of the steps listed at Michael Stephenson’s blog entry here, but I was still getting this error:

A message sent to adapter “SFTP” on send port “<send port name>” with URI “sftp://<port URI>” is suspended.
Error details: System.TypeLoadException: Could not load type “WinSCP.RemotePath” from assembly “WinSCPnet, Version=1.3.7.7601, Culture=neutral, PublicKeyToken=…”

I made sure nothing was GAC’ed and the correct version of the dll was in the BizTalk program files folder, but still I had this error.

I was able to add a reference to the dll that had this version in a project, and in the object browser it showed that the RemotePath type did not exist in the dll file. I checked on NuGet for WinSCP but could not find a version that matched and had the RemotePath type in it.

Here is my solution:

  1. I downloaded the absolute latest version from the NuGet WinSCP site. When running Michael’s script it downloads an older version of the dll. I installed the absolute latest version and then copied the WinSCP.exe and WinSCPnet.dll files from the C:\Program Files (x86)\WinSCP folder to the BizTalk program files folder just like the script does. For me the files had version 1.7.2.10905.
  2. Then I added an assembly binding redirect to the BizTalk config files (what I added is between the dependentAssembly tags in purple):

<runtime>
  <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
    <probing privatePath="BizTalk Assemblies;Developer Tools;Tracking;Tracking\interop" />
    <dependentAssembly>
      <assemblyIdentity name="WinSCPnet" publicKeyToken="2271ec4a3c56d0bf" culture="neutral" />
      <bindingRedirect oldVersion="1.3.7.7601" newVersion="1.7.2.10905" />
    </dependentAssembly>
  </assemblyBinding>
</runtime>

This binding redirect ensures that a version of the WinSCP code runs that has the RemotePath type when the version 1.3.7.7601 is invoked. It appears the BizTalk SFTP adapter was bound to this version but I could not find a version that had the RemotePath type.

I updated both the BTSNTSvc.exe.config and the BTSNTSvc64.exe.config files and restarted the host instances.

Note: I noticed that the BizTalk 2016 CU 7 updated its support for WinSCP to a newer version, so after applying the cumulative update the BizTalk SFTP adapter will be referencing a new version of WinSCP and you may not need this any longer after CU 7.
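A binding redirect makes the host load whatever WinSCPnet.dll sits in the BizTalk folder, so it is worth confirming that the redirect target and the public key token in both config files match the DLL actually on disk. The following check is an added example, not part of the original post or of Michael's script; the default install folder is an assumption, so pass your own path.

```powershell
# Added example: verify the WinSCPnet binding redirect against the DLL on disk.
param(
    # Assumed default install folder; pass your BizTalk program files folder.
    [string]$BizTalkDir = 'C:\Program Files (x86)\Microsoft BizTalk Server 2016'
)

# Binding redirects work on the assembly version, not the file version,
# so read the assembly identity straight from the DLL.
$dll   = Join-Path $BizTalkDir 'WinSCPnet.dll'
$asm   = [System.Reflection.AssemblyName]::GetAssemblyName($dll)
$token = -join ($asm.GetPublicKeyToken() | ForEach-Object { $_.ToString('x2') })

foreach ($name in 'BTSNTSvc.exe.config', 'BTSNTSvc64.exe.config') {
    [xml]$cfg = Get-Content -LiteralPath (Join-Path $BizTalkDir $name) -Raw
    $ns = New-Object System.Xml.XmlNamespaceManager($cfg.NameTable)
    $ns.AddNamespace('asm', 'urn:schemas-microsoft-com:asm.v1')

    $dep = $cfg.SelectSingleNode(
        "//asm:dependentAssembly[asm:assemblyIdentity/@name='WinSCPnet']", $ns)
    $redir = if ($dep) { $dep.SelectSingleNode('asm:bindingRedirect', $ns) }
    if (-not $redir) {
        Write-Warning "${name}: no bindingRedirect found for WinSCPnet"
        continue
    }
    $id = $dep.SelectSingleNode('asm:assemblyIdentity', $ns)

    [pscustomobject]@{
        Config         = $name
        OldVersion     = $redir.GetAttribute('oldVersion')
        NewVersion     = $redir.GetAttribute('newVersion')
        DllVersion     = $asm.Version.ToString()
        # False here means the host will fail to load the redirected assembly.
        VersionMatches = $redir.GetAttribute('newVersion') -eq $asm.Version.ToString()
        # False here means the DLL on disk was not signed with the expected key.
        TokenMatches   = $id.GetAttribute('publicKeyToken') -eq $token
    }
}
```

Run it again after applying a cumulative update, since a CU may replace WinSCPnet.dll and leave the redirect pointing at a version that is no longer present.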

No more BizTalk forums?

I was checking on the community recently and found that the MSDN BizTalk forums had all been closed since September 2020. The new Microsoft Q&A site that is supposed to be the new home for Microsoft forums did not have any BizTalk tags, and the Microsoft people were all tagging the BizTalk questions as “not-supported” because they did not think you could post a BizTalk question on the Q&A site.

This seems completely wrong.

I looked at the BizTalkGurus.com page that used to have forums but the site did not appear to be working any more. I could not get the forum topics to show up now.

I used to support the BizTalk forums a long time back so I am surprised to see them basically just gone now. I was surprised too when the Microsoft physical stores closed up completely. All I can suggest is to try tagging a post on the Q&A site as azure-logic-apps and then talk about BizTalk there.

You can still reach me on this site if you have any questions or look me up on LinkedIn.

Surface Power Supply Fix

New Surface hack: Using a power cord from a printer instead of the provided outlet cord.

My Surface 3 power adapter has recently stopped working. There are 2 parts to it – the part that connects to the device and the part that connects to the outlet. These both connect together to form the power supply. For a while I had trouble with the combined parts and it only worked again when I rammed the 2 parts together to form a very strong connection. The combined parts stopped working today.

After looking at the part that goes to the outlet I realized it looked just like the power adapter used with most printers. So I swapped it out with my printer cord and my Surface is charging again!

This should be a much better replacement part than buying a whole new Surface power adapter for up to $100. Just find your HP printer (or buy a super cheap one anywhere) and use this part instead.

I will add some pictures here soon.

BizTalk PowerShell Provider officially updated

A few days ago I blogged that I had put together an unofficial update to the BizTalk PowerShell Provider. I joined up with the project on CodePlex and they put me to work quick!

Tonight I checked in some updates and now we have a new release, 1.3.0.0, which works on BizTalk 2013. I will be taking down the link for the unofficial release now. Please try it out and report any issues on the CodePlex site.

Please let me know if you have any suggestions for new cmdlets. I have a couple ideas I am going to be working on and will also be working on expanding the documentation and examples. I am also interested in making some cmdlets that work with the BizTalk Services components of Windows Azure.

Thanks!

BizTalk PowerShell Add-In updated for BizTalk 2013

I was working on building out the BizTalk 2013 environments for a client when one of the guys in IT mentioned that the BizTalk PowerShell snap-in was not updated for working with BizTalk 2013. The CodePlex site at http://psbiztalk.codeplex.com/ mentions the currently released version only works on BizTalk 2010.

So I downloaded the source and rebuilt from my BizTalk 2013 VM. I only had to go through the migration wizard and install WiX to get all of the projects to build. Then I ran the installer and started using it from a PowerShell prompt. It appears to be working fine to me. I uploaded the file as PSBizTalk BizTalk 2013 Verison 0.1 to my SkyDrive. (update: I updated the provider officially on CodePlex. Please go to the 1.3.0.0 release page).

I did not increment the version information or do anything else you might expect would be done, just rebuilt it into the MSI so you can use it in your BizTalk applications. Please let me know if you try out the updated version and if there are any issues.

Thanks,

Ben Cline

BizTalk 2013 RTM is out now!

The latest full version of BizTalk was released yesterday to MSDN. Here is the official announcement: http://blogs.msdn.com/b/biztalk_server_team_blog/archive/2013/03/21/biztalk-server-2013-is-now-rtm.aspx. General availability is coming up soon.

I downloaded the Standard edition from MSDN yesterday but the Developer edition has not made it to MSDN yet.

There are many new and improved features but the ones I am most excited about are the improved ones. The new features are primarily around updates to the platform for working with the cloud and working with the latest versions of the underlying technologies and tool versions.

A comprehensive list of the updates is available at: http://blogs.msdn.com/b/nitinme/archive/2012/11/15/biztalk-server-2013-beta-what-s-new.aspx. Microsoft has done a good job of continuing to release updates for BizTalk through the cumulative updates. But there are often things about the product that you wish could change. In the 2013 release there are many updates that fix some of these architectural annoyances.

For example, dynamic send ports have always run under the default host for the adapter which led to unusual errors and problems when different hosts have separate accounts. I once worked for a customer that wanted to reduce the attack surface of his BizTalk hosts by running each one under a separate account. Unfortunately the customer used dynamic send ports extensively and these all executed under the same account across all of the BizTalk applications. This behavior was a problem because we had to set NTFS permissions on the paths the dynamic send port used but kept using the wrong account to set this. This problem has been overcome in the 2013 release.

Another improvement in the new product is that the ESB Toolkit is now part of the main product and there are far fewer steps to deploying it. In BizTalk 2010 the ESB Toolkit setup often took a full day to a couple of days to set up properly unless you scripted it yourself. Having the toolkit baked into the main product is a real time saver and will make it easier to deploy BizTalk solutions.

It is great to see the new version of BizTalk because it is a reminder of Microsoft’s long-term commitment to BizTalk customers.

Changes in ADFS 2.1 from ADFS 2.0

Well it has been a while since I last posted. I have been sitting on a couple things and wanted to get this information out there.

Recently I had to work on an ADFS 2.0 to 2.1 migration. There is apparently not any supported easy way to upgrade an ADFS environment to work on Windows Server 2012 with SQL Server 2012. I had to recreate all of the ADFS artifacts such as claim provider trusts, relying party trusts, attribute stores, etc. This is a little painful if you created all of these manually but is much easier if you have saved off PowerShell scripts for creating these objects.

In this post I am blogging about the changes I uncovered working with ADFS 2.1. Most of the changes to ADFS in 2.1 are relatively trivial. In my experience almost everything appears the same in the user interfaces for ADFS. Now the ADFS installation is a role rather than a separate hotfix installer and is part of the base Windows Server 2012 install.

If you have saved off any scripts or other tools for working with ADFS 2.0, you will need to update these for ADFS 2.1. Changes that will be required are:

  • The ADFS PowerShell snap-in no longer needs to be added manually. This was my experience with having the PowerShell 3.0 feature installed. So any lines such as the following can just be removed:

Add-PSSnapin Microsoft.ADFS.PowerShell
Remove-PSSnapin Microsoft.ADFS.PowerShell

  • Also, the PowerShell 3.0 ISE tool now includes IntelliSense-like support, so it is much easier to enter cmdlet arguments. This is a huge help.
  • The folder of the ADFS files is now at C:\Windows\ADFS rather than C:\Program Files\Active Directory Federation Services 2.0. If you use a script to call fsconfig.exe you will need to update the script with this new path to fsconfig.exe.
  • The custom claim rules policies base class is now in a .NET 4 assembly, so you will be required to update all assemblies that reference this base class to .NET 4.0. Any classes that derive from the base class in Microsoft.IdentityServer.ClaimsPolicy.dll must have their build configuration updated to target .NET 4.0 or later.
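For scripts that must keep running on both versions during a migration, the snap-in and path changes above can be handled in one place. This is an added example, not the author's code; the function name Get-AdfsScriptEnvironment is hypothetical, and the ADFS 2.1 cmdlets are assumed to ship as a module named ADFS.

```powershell
# Added example: resolve the ADFS cmdlet source and fsconfig.exe path on 2.0 or 2.1.
function Get-AdfsScriptEnvironment {
    if (Get-Module -ListAvailable -Name ADFS) {
        # ADFS 2.1: role on Windows Server 2012, no snap-in to add (assumed module name).
        Import-Module ADFS
        $version = '2.1'
        $root    = 'C:\Windows\ADFS'
    }
    elseif (Get-PSSnapin -Registered -Name Microsoft.ADFS.PowerShell -ErrorAction SilentlyContinue) {
        # ADFS 2.0: the snap-in still has to be added, but only once per session.
        if (-not (Get-PSSnapin -Name Microsoft.ADFS.PowerShell -ErrorAction SilentlyContinue)) {
            Add-PSSnapin Microsoft.ADFS.PowerShell
        }
        $version = '2.0'
        $root    = 'C:\Program Files\Active Directory Federation Services 2.0'
    }
    else {
        throw 'No ADFS PowerShell module or snap-in found on this host.'
    }

    $fsconfig = Join-Path $root 'fsconfig.exe'
    if (-not (Test-Path -LiteralPath $fsconfig)) {
        throw "fsconfig.exe not found under $root"
    }

    # New-Object PSObject keeps this usable on PowerShell 2.0 hosts as well.
    New-Object PSObject -Property @{
        AdfsVersion  = $version
        InstallRoot  = $root
        FsConfigPath = $fsconfig
    }
}

$adfs = Get-AdfsScriptEnvironment
Write-Host "ADFS $($adfs.AdfsVersion), fsconfig at $($adfs.FsConfigPath)"
```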

Update!

I did find another change with ADFS 2.1. If you have made any customizations to the web.config file of the ADFS virtual directory, you will need to update the version details in the web.config as well as remove the reference to Microsoft.IdentityModel. What I did to update this file was to do the following find/replace tasks on the web.config:

  • Update 3.5.0.0 version details to 4.0.0.0
  • Update 6.1.0.0 version details to 6.2.0.0

I will keep updating this page with any other changes I find with ADFS 2.1. Thanks!

Workaround for Kerberos SSPI Context Errors in BizTalk

A couple weeks ago one of my clients was experiencing constant “Cannot generate SSPI Context” errors in BizTalk. These are Kerberos errors and they are extremely annoying because they happen constantly whenever you are trying to use any database function with BizTalk. These would fill up the event logs on my client’s server and were a huge time waster because they would prevent me from doing just about anything with BizTalk. I would receive these errors when trying to start a host or change almost anything in the BizTalk admin console. I think the source of the problem is that something about the domain membership was different than some of the accounts on the server and this led to Kerberos authentication problems.

As a temporary fix I was able to restart the BizTalk server but the errors eventually came back again. The errors basically paralyze a BizTalk server and they are complicated to diagnose, and sometimes you just do not have enough time to do diagnostics, like in a production environment. The fix provided next is similarly a workaround: it does not solve the root problem but at least provides another way to get the server working.

To attempt to resolve the problem, I tried a couple different things such as removing the server from the domain and adding it back in, but none of these things were successful at removing the problem completely. I did also try switching my Enterprise Single Sign On account and master key but this did not conclusively solve the problem. I was looking at the article at http://support.microsoft.com/kb/811889 and tried some of the suggestions but was not getting anywhere. Then I tried disabling TCP/IP for SQL connections and just using named pipes, using SQL Configuration Manager or the SQL Network Configuration tool. TCP/IP seemed like such a fundamental protocol that I was not optimistic the problem would go away by switching protocols, but it worked for me. Many people also think that named pipes only work on a single server and function like IPC, but this is not exactly right.

My use of this workaround was on BizTalk 2010, W2K8 R2, with SQL 2K8 R2 when SQL is on a separate server than BizTalk.

The KB article above solely mentions this workaround in the context of SQL and Kerberos so I am blogging that this fix is working for me on my BizTalk server too.

Thanks,

Changing ADFS Proxy App Pool Account

A few days ago I was working on finishing up an ADFS implementation and I had customized quite a bit of the built-in ADFS website pages. I needed to use Windows authentication to access a database, and I realized that the ADFS Proxy website app pool by default runs under Network Service. This was troubling because I did not want to grant permissions to Network Service in the database so I needed to modify this account.

I went through the standard stuff to modify the app pool identity and got this error:

Encountered error during federation passive request.

Additional Data

Exception details:
System.IO.FileNotFoundException: Error reading the C:\Program Files\Active Directory Federation Services 2.0\PT directory.
   at System.IO.FileSystemWatcher.StartRaisingEvents()
   at Microsoft.IdentityServer.ProxyTrust.ProxyTrustManager.StartTokenWatch()
   at Microsoft.IdentityServer.ProxyTrust.ProxyTrustManager.get_Current()
   at Microsoft.IdentityServer.PolicyModel.Client.PolicyStoreReadOnlyTransferClient.GetServiceChannel()
   at Microsoft.IdentityServer.PolicyModel.Client.PolicyStoreReadOnlyTransferClient.GetState(String serviceObjectType, String mask, FilterData filter, Int32 clientVersionNumber)
   at Microsoft.IdentityServer.ProxyConfiguration.ProxyConfigurationReader.GetServiceSettingsData()
   at Microsoft.IdentityServer.ProxyConfiguration.ProxyConfigurationReader.GetFederationPassiveConfiguration()
   at Microsoft.IdentityServer.Web.PassivePolicyManager.GetPassiveEndpointAbsolutePath()
   at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.GetPassiveEndpointAbsolutePath()

So I opened the path at “C:\Program Files\Active Directory Federation Services 2.0\PT” which is the folder for the stored proxy token and granted full control to my domain account user. The file written to this directory is constantly updated, so the account does need to be able to remove the file. By default the Network Service account has full control, most likely because the ADFS proxy Windows service also runs under Network Service.

Then I just restarted IIS and this worked.

Thanks
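The permission change described above can be scripted and then reviewed, which matters because the PT folder holds the stored proxy token. This is an added example, not part of the original post; the account name is a hypothetical placeholder, and the grant is scoped to the PT folder and its children only.

```powershell
# Added example: grant the app pool account access to the PT folder, then audit the ACL.
param(
    [string]$Account = 'CONTOSO\svc-adfsproxy',   # hypothetical domain account
    [string]$PtDir   = 'C:\Program Files\Active Directory Federation Services 2.0\PT'
)

# Full control on this one folder, inherited by the token file written inside it,
# as in the post: the account must be able to replace and remove that file.
$acl  = Get-Acl -Path $PtDir
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $Account, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $PtDir -AclObject $acl

# Re-read the ACL and flag broad principals that should not reach the proxy token.
$broad  = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users'
$access = (Get-Acl -Path $PtDir).Access
$access |
    Where-Object { $broad -contains $_.IdentityReference.Value } |
    ForEach-Object {
        Write-Warning "$($_.IdentityReference) has $($_.FileSystemRights) on $PtDir"
    }

# Full listing for the change record.
$access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited |
    Format-Table -AutoSize
```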
