WS-AT endpoint certificate problem in MSDTC

    Question

  • Hi,

    I am trying to configure WS-AT support for a WCF service that interacts with a Java service on GlassFish. I get the following error when I try to select and apply the endpoint certificate on the WS-AT tab in the MSDTC properties.

    Environment: Windows Server 2003, 64-bit, .NET Framework 3.5 SP1

    Error:
    "Unable to modify the private key for the selected endpoint certificate. Select a certificate with a private key that can be accessed for read access by the MSDTC process."

    I generated the certificate through the MMC snap-in (Personal --> Request New Certificate), which has the private key and is intended for client and server authentication. I also made sure that I am using an admin account and that the key file under Application Data --> Microsoft --> Crypto --> RSA has full permissions granted to the admin account I am using.

    Please let me know if anyone has any idea on this. - Thanks

    Monday, December 07, 2009 2:26 PM

Answers

  • Hi,

    Could you generate the certificate using the following steps:

    The certificate does require some stringent properties. Among them are the Enhanced Key Usage of Server Authentication and Client Authentication, as well as a Subject Name that equals the FQDN of the machine in question (a System.Net/Http.sys requirement). Creating one for testing purposes is fairly easy, however:

    1. Make the cert and pvk file for the CA (Trusted Root Certificate, which can be the same on each participating machine):
       makecert.exe -pe -n CN=MSDTC-Wsat-CA -cy authority -r -sv Msdtc.pvk Msdtc.cer
    2. Install the CA cert:
       makecert.exe -ss Root -sr LocalMachine -n CN=MSDTC-Wsat-CA -cy authority -r -sv Msdtc.pvk
    3. Make/install the cert from the CA's pvk file and cert file (a certificate that is different for each participating machine and chains to the CA cert created above):
       makecert -ss My -sr LocalMachine -n CN=%COMPUTERNAME%.%USERDNSDOMAIN% -sky exchange -ir LocalMachine -iv Msdtc.pvk -ic Msdtc.cer

    If the computers are in a workgroup, remove the .%USERDNSDOMAIN% from the above command.
    Rafael Barcelos - SDET Transactions/Agreements Team
    Wednesday, December 09, 2009 1:58 AM
    Moderator
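The following PowerShell check is an added example, not code from the thread or from the moderator: it lists the LocalMachine\My certificates and tests each one against the requirements the answer describes (subject CN equal to the machine FQDN, Server and Client Authentication EKUs, private key present), and additionally reports whether the MSDTC service account has a direct Read ACE on the CAPI key file, which is what the original error complains about. It assumes MSDTC runs as NETWORK SERVICE (the Server 2003 default) and that the key is a machine key under the MachineKeys folder.

```powershell
# Added example (not from the thread). Assumptions: MSDTC runs as NETWORK SERVICE
# (Server 2003 default; change $msdtcAccount if yours differs) and the private key is a
# CAPI machine key stored in the MachineKeys folder, as makecert -sr LocalMachine creates.
$fqdn         = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$msdtcAccount = 'NT AUTHORITY\NETWORK SERVICE'
$serverAuth   = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU OID
$clientAuth   = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU OID
$readRight    = [System.Security.AccessControl.FileSystemRights]::Read
# CommonApplicationData resolves to "...\All Users\Application Data" on 2003 and ProgramData later
$keyDir       = Join-Path ([Environment]::GetFolderPath('CommonApplicationData')) 'Microsoft\Crypto\RSA\MachineKeys'

Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $cert = $_
    # Collect EKU OIDs from the Enhanced Key Usage extension (2.5.29.37), if present
    $ekus = @()
    $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    if ($ekuExt) { $ekus = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
    $cn = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)

    # Locate the on-disk key container and look for a direct Allow/Read ACE for the MSDTC account.
    # Only direct ACEs are checked; rights granted via group membership are not resolved here.
    $keyReadable = 'n/a'
    if ($cert.HasPrivateKey) {
        try {
            $keyFile = Join-Path $keyDir $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
            $allow = (Get-Acl $keyFile).Access | Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                $_.IdentityReference.Value -ieq $msdtcAccount -and
                (($_.FileSystemRights -band $readRight) -ne 0)
            }
            $keyReadable = [bool]$allow
        } catch { $keyReadable = "error: $($_.Exception.Message)" }
    }

    New-Object PSObject -Property @{
        Thumbprint    = $cert.Thumbprint
        Subject       = $cert.Subject
        SubjectIsFqdn = ($cn -ieq $fqdn)
        HasServerAuth = ($ekus -contains $serverAuth)
        HasClientAuth = ($ekus -contains $clientAuth)
        HasPrivateKey = $cert.HasPrivateKey
        MsdtcCanRead  = $keyReadable
    }
} | Format-Table Thumbprint, Subject, SubjectIsFqdn, HasServerAuth, HasClientAuth, HasPrivateKey, MsdtcCanRead -AutoSize
```

A certificate that shows False in any of the four requirement columns, or in MsdtcCanRead, is one the WS-AT tab will reject; the MsdtcCanRead column points at the key-file ACL, which must grant the service account (not just the administrator running MMC) read access.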