Error signing MDN response message

  • Question

  • BizTalk communicates with external partners by the AS2 protocol over HTTP(S). Communication is initiated from both sides, meaning we initiate traffic towards our partner, and our partner initiates traffic toward us. Messages are signed and encrypted, with a synchronous MDN that is signed, but not encrypted.

    Traffic/messages that we send out work perfectly. Messages get encrypted, signed and sent to the partner. The partner verifies the signature and decrypts the message successfully. An MDN is then issued, signed and sent back to us. We then verify the signature and everything is ok.

    The problem occurs when the partner sends messages to us. The partner encrypts it, signs it and sends it over. We are able to verify the signature and decrypt the message. We also generate an MDN, but when we try to sign the MDN response, the following three error messages occur in the event log:

    1: A BTS MIME error was encountered when attempting to encode a message.  Error: Exception of type 'Microsoft.BizTalk.Component.MIMEException' was thrown., HResult:-1061152225

    2: There was a failure executing the response(send) pipeline: "Microsoft.BizTalk.EdiInt.DefaultPipelines.AS2Send, Microsoft.BizTalk.Edi.EdiIntPipelines, Version=3.0.1.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" Source: "AS2 encoder" Receive Port: "AS2" URI: "/Services/AS2/BTSHTTPReceive/BTSHTTPReceive.dll" Reason: The MIME encoder failed to sign the message because the certificate has private key protection turned on or the private key does not exist.

     Please disable private key protection to allow BizTalk to use a certificate for signing.

    3: A response message sent to adapter "HTTP" on receive port "AS2" with URI "/Services/AS2/BTSHTTPReceive/BTSHTTPReceive.dll" is suspended.

     Error details: There was a failure executing the response(send) pipeline: "Microsoft.BizTalk.EdiInt.DefaultPipelines.AS2Send, Microsoft.BizTalk.Edi.EdiIntPipelines, Version=3.0.1.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" Source: "AS2 encoder" Receive Port: "AS2" URI: "/Services/AS2/BTSHTTPReceive/BTSHTTPReceive.dll" Reason: The MIME encoder failed to sign the message because the certificate has private key protection turned on or the private key does not exist.

     Please disable private key protection to allow BizTalk to use a certificate for signing.

     MessageId:  {4392D2F2-4178-40B9-9E88-B24C1B388A91}

    InstanceID: {1E72FB80-5D37-4906-8C65-7D0744C095EF}

    As far as I understand, those messages can't be correct. The certificate used for signing the MDN is the same certificate that signs our outgoing messages, and those messages are ok. I have also checked, and double checked, that the certificate that is installed does not have the "protect the private key" option checked. The certificate also has the private key intact.

    To me this seems kind of strange. How can the signing of outgoing messages work fine, while signing of the MDN response message does not?

    Our configuration looks like this:

    Windows 2008 Server standard 64bit

    BizTalk Server 2009 Developer Version

    SQL Server 2008 Developer Edition


    Any idea would be greatly appreciated.

    regards
    Tore Tjotta
    Wednesday, January 20, 2010 8:23 AM

Answers

  • An update to this issue. I did some more testing, and managed to isolate the issue. It seems to be a kind of permissions problem. In order to make the signing of the MDN work I did:

    Do a remote desktop connection to the server that BizTalk runs on, and log on as the same user that is running the isolated host.
    As long as this user is logged on, everything works perfectly.
    But, as soon as this user is logged off, I'm back to my original problem.

    So, how to solve this?

    On the application pool in IIS, under advanced settings, there is a setting "Load User Profile", which is by default set to false. Set this to true, restart the app pool, and voila. Problem solved :)

    This is something that should have been written in the documentation from Microsoft (at least I couldn't find it). Can't really understand that nobody else has the same problem as me??
    • Marked as answer by Tore Tjotta Thursday, January 21, 2010 1:18 PM
    Thursday, January 21, 2010 1:18 PM
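One way to check and apply the fix described in the accepted answer from the server itself, as an added example that is not part of the original thread. It assumes IIS 7 with the WebAdministration PowerShell module available and a BizTalk isolated host whose receive location runs in the application pool; the pool name and the signing-certificate thumbprint are placeholders you replace with your own. The certificate check must be run while logged on as the application pool identity, because it looks in that account's Personal (CurrentUser\My) store, which is the store BizTalk reads the signing certificate from and which is only reachable once that account's profile is loaded.

```powershell
# Added example (not from the original thread). Placeholders: replace both values.
$PoolName   = "BizTalkAS2AppPool"                         # assumption: name of the pool hosting BTSHTTPReceive.dll
$Thumbprint = "0000000000000000000000000000000000000000"  # assumption: thumbprint of the BizTalk group signing cert

Import-Module WebAdministration

# 1. Read the current value of processModel.loadUserProfile for the pool.
#    With this set to false, the worker process runs without the pool identity's
#    profile, so that account's CurrentUser certificate store (and the private keys
#    under its profile) is not available to the MIME encoder when it signs the MDN.
$poolPath = "IIS:\AppPools\$PoolName"
$current  = (Get-ItemProperty -Path $poolPath -Name processModel).loadUserProfile
Write-Host "Pool '$PoolName' loadUserProfile is currently: $current"

# 2. Enable it if needed and recycle the pool so the worker process picks it up.
if (-not $current) {
    Set-ItemProperty -Path $poolPath -Name processModel.loadUserProfile -Value $true
    Restart-WebAppPool -Name $PoolName
    Write-Host "Enabled loadUserProfile and restarted '$PoolName'."
}
# Equivalent without the module:
#   appcmd set apppool /apppool.name:"$PoolName" /processModel.loadUserProfile:true

# 3. Run this part logged on as the application pool identity: confirm the signing
#    certificate is in that account's Personal store and carries a usable private key.
$cert = Get-ChildItem -Path Cert:\CurrentUser\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
if ($null -eq $cert) {
    Write-Warning "Signing certificate $Thumbprint is not in CurrentUser\My for $env:USERNAME."
} elseif (-not $cert.HasPrivateKey) {
    Write-Warning "Certificate is present but has no private key; re-import the PFX with its key."
} else {
    # Touching the key object fails with an access error if the key container is
    # not readable by this account; that is the condition BizTalk reports as
    # "private key protection turned on or the private key does not exist".
    try {
        $null = $cert.PrivateKey
        Write-Host "Certificate $Thumbprint has an accessible private key for $env:USERNAME."
    } catch {
        Write-Warning "Private key exists but is not accessible: $($_.Exception.Message)"
    }
}
```

The pool identity, not the in-process BizTalk host account, is what matters for the synchronous MDN: the MDN is built and signed inside the IIS worker process that received the partner's message, which is why outgoing messages signed by the in-process host instance worked while the response pipeline in the isolated host failed.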

All replies

  • There is one exception - if you specify a certificate for your AS2 partner (Party properties) then it overrides the BizTalk group certificate. So look at your AS2 partner properties to see if it actually refers to a certificate copy that does not have the private key preserved.

    This does seem a little weird, but here is what it says in Party Properties\Certificates:

      This certificate when set, will be used for signing outgoing AS2 messages and MDNs to this party, overriding the certificate set under BizTalk Group - Group Properties.

    Thanks,


    If this answers your question, please use the "Answer" button to say so | Ben Cline
    Thursday, January 21, 2010 5:30 AM
    Moderator
  • Thanks for your suggestion, but I'm not sure that I understand what you mean. 

    Under BizTalk Group - Group Properties we have set our certificate, for which we have the private key (just checked the certificate again). This certificate is used for signing outgoing AS2 messages and MDNs.

    I don't know where you found the statement: 

    "
     This certificate when set, will be used for signing outgoing AS2 messages and MDNs to this party, overriding the certificate set under BizTalk Group - Group Properties.
    "

    Under party properties - Certificate, it says: "The Party Certificate is used to resolve and validate the identity of this party". This certificate is my partner's public key certificate, but this is not / should not be used in signing our outgoing MDNs.

    Could you please try to clarify this for me once more.

    Thanks
    Thursday, January 21, 2010 6:09 AM
  • Thank you Tore Tjotta. That helped me in resolving a similar issue I got.
    • Edited by dilip bandi Saturday, October 22, 2011 9:14 PM
    Saturday, October 22, 2011 9:13 PM