WS-AT endpoint certificate problem in MSDTC
Monday, December 07, 2009 2:26 PM
Hi,
I am trying to configure the WS-AT support for the WCF service that interacts with a Java service on GlassFish. I get the following error when I try to select and apply the endpoint certificate on the WS-AT tab in MSDTC properties.
Environment : Windows Server 2003, 64-bit, .NET Framework 3.5SP1
Error:
"Unable to modify the private key for the selected endpoint certificate. Select a certificate with a private key that can be accessed for read access by the MSDTC process."
I generated the certificate through the MMC snap-in (Personal --> Request New Certificate), which has the private key and is intended for client and server authentication. I also made sure that I am using an admin account and that the Application Data --> Microsoft --> Crypto --> RSA --> key file has the necessary full permissions for the admin account I am using.
Please let me know if anyone has any idea on this. - Thanks
All Replies
Wednesday, December 09, 2009 1:58 AM (Moderator)
Hi,
Could you generate the certificate using the following steps:
The certificate does require some stringent properties. Among them is the Enhanced Key Usage of ServerAuthentication and ClientAuthentication as well as a SubjectName that equals the FQDN of the machine in question (System.Net/Http.sys requirement). Creating one for testing purposes is fairly easy however:
1. Make cert and pvk file for CA (Trusted Root Certificate which can be the same on each participating machine)
makecert.exe -pe -n CN=MSDTC-Wsat-CA -cy authority -r -sv Msdtc.pvk Msdtc.cer
2. Install CA cert
makecert.exe -ss Root -sr LocalMachine -n CN=MSDTC-Wsat-CA -cy authority -r -sv Msdtc.pvk
3. Make/Install cert from CA's pvk file and cert file (Certificate which is different for each participating machine -- Chains to the CA cert created above)
makecert -ss My -sr LocalMachine -n CN=%COMPUTERNAME%.%USERDNSDOMAIN% -sky exchange -ir LocalMachine -iv Msdtc.pvk -ic Msdtc.cer
If computers are on a workgroup, remove the .%USERDNSDOMAIN% from the above command
Rafael Barcelos - SDET Transactions/Agreements Team
- Proposed As Answer by RafaBarcelos (Moderator) Saturday, December 12, 2009 12:41 AM
- Marked As Answer by Jason Van Eaton - MSFT (Microsoft Employee, Moderator) Friday, January 15, 2010 10:22 PM
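Added example (Windows PowerShell 3 or later; not code from the thread): audits every certificate in LocalMachine\My against the properties the reply lists (Server and Client Authentication EKUs, CN equal to the machine FQDN, an exchange private key as created by makecert -sky exchange) and checks whether the MSDTC service account can read the key file, which is what the original error complains about. It assumes MSDTC runs as its default identity, NT AUTHORITY\NETWORK SERVICE, and that the key is a CSP machine key stored under Crypto\RSA\MachineKeys.

```powershell
# Added example: audit LocalMachine\My certificates for WS-AT suitability.
# Assumptions: MSDTC runs as NETWORK SERVICE (default); keys are CSP machine keys.
param(
    [string]$MsdtcAccount = 'NT AUTHORITY\NETWORK SERVICE',
    [string]$Fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
)

$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU
$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU
$readRights    = [System.Security.AccessControl.FileSystemRights]::Read
# Machine key files live here on both Server 2003 and newer releases.
$machineKeyDir = Join-Path ([Environment]::GetFolderPath('CommonApplicationData')) 'Microsoft\Crypto\RSA\MachineKeys'

function Test-WsatCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $r = [ordered]@{ Thumbprint = $Cert.Thumbprint; Subject = $Cert.Subject }

    # 1. Subject CN must equal the machine FQDN (http.sys requirement quoted in the reply).
    $cn = $Cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    $r.SubjectIsFqdn = ($cn -ieq $Fqdn)

    # 2. Enhanced Key Usage must contain both Server and Client Authentication.
    $ekus = @($Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages } | ForEach-Object { $_.Value })
    $r.HasServerAndClientAuth = ($ekus -contains $serverAuthOid) -and ($ekus -contains $clientAuthOid)

    # 3. Private key must exist, be a CSP exchange key, and its file must be readable by MSDTC.
    $r.HasPrivateKey = $Cert.HasPrivateKey; $r.KeyIsExchange = $false; $r.MsdtcCanReadKey = $false
    $key = $null
    try { if ($Cert.HasPrivateKey) { $key = $Cert.PrivateKey } } catch { }   # CNG-only keys throw here
    if ($key -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        $info = $key.CspKeyContainerInfo
        $r.KeyIsExchange = ($info.KeyNumber -eq 'Exchange')
        $keyFile = Join-Path $machineKeyDir $info.UniqueKeyContainerName
        if (Test-Path $keyFile) {
            # 4. Look for an Allow ACE granting at least Read to the MSDTC account.
            $r.MsdtcCanReadKey = [bool]((Get-Acl $keyFile).Access | Where-Object {
                $_.IdentityReference.Value -ieq $MsdtcAccount -and
                $_.AccessControlType -eq 'Allow' -and
                (($_.FileSystemRights -band $readRights) -eq $readRights) })
        }
    }
    $r.Usable = $r.SubjectIsFqdn -and $r.HasServerAndClientAuth -and $r.KeyIsExchange -and $r.MsdtcCanReadKey
    [pscustomobject]$r
}

Get-ChildItem Cert:\LocalMachine\My | ForEach-Object { Test-WsatCertificate $_ } | Format-Table -AutoSize
```

A certificate that passes the first three checks but shows MsdtcCanReadKey = False is the case the original error describes; granting the MSDTC account read access to that key file (or reissuing the key as in the reply) is the fix.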

