WCF-NetTcp-adapter + certificate

  • Question

  • I have a little problem with certificates!

    I have created a BizTalk project, the receive port uses NetTcp, security mode is Message and message client credential type is Certificate.

    Then I publish this receive port as a WCF service with the BizTalk WCF publishing wizard. In web.config I set the serviceCertificate to match the certificate that I have given to the receive location in BizTalk.

    When I do all this I get the service working, and I can get the reference to this service with svcutil. When I create a client with svcutil and I add the clientCertificate, I get an error:


    The caller was not authenticated by the service.


    So does anyone have an idea what I'm doing wrong?


    Or could someone give me step-by-step instructions on how to do this right? I'm using Vista, IIS7 and BizTalk 2006 R2.

    Wednesday, October 8, 2008 9:06 AM

All replies

  • My first guess would be that either BizTalk or the user running svcUtil are having trouble accessing the certificate. Typically your BizTalk application would run under BTSAppHost or BTSIsolatedHost for the host account, and a user running svcUtil is usually different. If you copy the config details from the serviceCertificate element to the clientCertificate element then they will point to different certificate storage locations due to the difference in accounts. I would make sure the certificate selected in the port properties is actually accessible in a certificate store that the user running svcUtil can access.  


    The directions are here: http://msdn.microsoft.com/en-us/library/bb226522.aspx, and provide the basic steps but with the assumption that the CA is on the same server. For most situations this is not a fair assumption, so you need to ensure that the certificate chain is copied as well. The article mentions this as a special note, and this means the root CA and any intermediate CAs need to also be copied to the certificate store so that the BTS accounts and the user running svcUtil can access them.


    Thanks,

    Tuesday, October 14, 2008 2:25 AM
  • I think that this is a NetTcp issue, because this works fine if I use the same certificates with basicHttp.

    These are my server-side and client-side configs:

    Server

    <?xml version="1.0" encoding="utf-8"?>
    <!--
        Note: As an alternative to hand editing this file you can use the
        web admin tool to configure settings for your application. Use
        the Website->Asp.Net Configuration option in Visual Studio.
        A full list of settings and comments can be found in
        machine.config.comments usually located in
        \Windows\Microsoft.Net\Framework\v2.x\Config
    -->
    <configuration xmlns="http://schemas.microsoft.com/.NetConfiguration/v2.0">
      <!--
        The <configSections> section declares handlers for custom configuration sections.
      -->
      <configSections>
        <section name="bizTalkSettings" type="Microsoft.BizTalk.Adapter.Wcf.Runtime.BizTalkConfigurationSection, Microsoft.BizTalk.Adapter.Wcf.Runtime, Version=3.0.1.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
      </configSections>
      <!--
        The <bizTalkSettings> section specifies BizTalk specific configuration.
      -->
      <bizTalkSettings>
        <!--
          mexServiceHostFactory debug:
          Set to "true" to launch debugger when MexServiceHostFactory.CreateServiceHost(...) is called by IIS.
          Used to debug from initial point of activation by IIS.
          Default value is "false" for normal operation.
        -->
        <mexServiceHostFactory debug="false">
          <receiveLocationMappings>
            <!--add markupFileName="*.svc" receiveLocationName="?" publicBaseAddress="protocol://host[:port]" /-->
            <add markupFileName="Microsoft_Samples_BizTalk_WCFBasicHttpReceiveAdapter_BizTalkApp_DeliveryProcess_DeliveryRequestPort.svc" receiveLocationName="WcfService_Microsoft.Samples.BizTalk.WCFBasicHttpReceiveAdapter.BizTalkApp/Microsoft_Samples_BizTalk_WCFBasicHttpReceiveAdapter_BizTalkApp_DeliveryProcess_DeliveryRequestPort" publicBaseAddress="http://localhost/" />
          </receiveLocationMappings>
        </mexServiceHostFactory>
        <!--
          webServiceHostFactory debug:
          Set to "true" to launch debugger when WebServiceHostFactory.CreateServiceHost(...) is called by IIS.
          Used to debug from initial point of activation by IIS.
          Default value is "false" for normal operation.
        -->
        <webServiceHostFactory debug="false" />
        <!--
          isolatedReceiver disable:
          Set to "true" to skip IBTTransportProxy.RegisterIsolatedReceiver(...) and IBTTransportProxy.TerminateIsolatedReceiver(...) calls.
          Used for testing metadata exchange without having to setup receive location.
          Default value is "false" for normal operation.
        -->
        <isolatedReceiver disable="false" />
        <!--
          btsWsdlExporter disable:
          Set to "true" to skip adding BtsWsdlExporter behavior extension to service endpoint.
          Used for testing or comparing strongly-typed WSDL customization versus weakly-typed WSDL of generic WCF service.
          Default value is "false" for normal operation.
        -->
        <btsWsdlExporter disable="false" />
      </bizTalkSettings>
      <appSettings />
      <connectionStrings />
      <system.web>
        <!--
          Set compilation debug="true" to insert debugging symbols into the compiled page.
          Because this affects performance, set this value to true only during development.
        -->
        <compilation defaultLanguage="c#" debug="false">
          <assemblies>
            <add assembly="mscorlib, version=2.0.0.0, culture=neutral, publickeytoken=b77a5c561934e089" />
            <add assembly="Microsoft.BizTalk.Adapter.Wcf.Common, Version=3.0.1.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
            <add assembly="Microsoft.BizTalk.Adapter.Wcf.Runtime, Version=3.0.1.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
          </assemblies>
        </compilation>
        <!--
          The <authentication> section enables configuration of the security authentication mode
          used by ASP.NET to identify an incoming user.
        -->
        <authentication mode="Windows" />
        <!--
          The <customErrors> section enables configuration of what to do if/when an unhandled error
          occurs during the execution of a request. Specifically, it enables developers to configure
          html error pages to be displayed in place of a error stack trace.
        -->
        <!--
        <customErrors mode="RemoteOnly" defaultRedirect="GenericErrorPage.htm">
          <error statusCode="403" redirect="NoAccess.htm" />
          <error statusCode="404" redirect="FileNotFound.htm" />
        </customErrors>
        -->
      </system.web>
      <!--
        The <system.serviceModel> section specifies Windows Communication Foundation (WCF) configuration.
      -->
      <system.serviceModel>
        <behaviors>
          <serviceBehaviors>
            <behavior name="ServiceBehaviorConfiguration">
              <serviceDebug httpHelpPageEnabled="true" httpsHelpPageEnabled="false" includeExceptionDetailInFaults="false" />
              <serviceMetadata httpGetEnabled="true" httpsGetEnabled="false" />
              <serviceCredentials>
                <serviceCertificate findValue="41A1ED6BD18A4B3FDF37949D9A30537B732283AB"
                                    storeLocation="CurrentUser"
                                    storeName="My"
                                    x509FindType="FindByThumbprint" />
              </serviceCredentials>
            </behavior>
          </serviceBehaviors>
        </behaviors>
        <services>
          <!-- Note: the service name must match the configuration name for the service implementation. -->
          <service name="Microsoft.BizTalk.Adapter.Wcf.Runtime.BizTalkServiceInstance" behaviorConfiguration="ServiceBehaviorConfiguration">
            <endpoint name="HttpMexEndpoint" address="mex" binding="mexHttpBinding" bindingConfiguration="" contract="IMetadataExchange" />
            <!--<endpoint name="HttpsMexEndpoint" address="mex" binding="mexHttpsBinding" bindingConfiguration="" contract="IMetadataExchange" />-->
          </service>
        </services>
      </system.serviceModel>
    </configuration>


    Client

    <?xml version="1.0" encoding="utf-8"?>
    <configuration>
        <system.serviceModel>
            <behaviors>
                <endpointBehaviors>
                    <behavior name="NewBehavior">
                        <clientCredentials>
                            <clientCertificate findValue="B2A988CC3B571C1B0E114C418BEDFA12D49F6E36"
                                x509FindType="FindByThumbprint" />
                        </clientCredentials>
                    </behavior>
                </endpointBehaviors>
            </behaviors>
            <bindings>
                <netTcpBinding>
                    <binding name="NetTcpBinding_ITwoWayAsync" closeTimeout="00:01:00"
                        openTimeout="00:01:00" receiveTimeout="00:10:00" sendTimeout="00:01:00"
                        transactionFlow="false" transferMode="Buffered" transactionProtocol="OleTransactions"
                        hostNameComparisonMode="StrongWildcard" listenBacklog="10"
                        maxBufferPoolSize="524288" maxBufferSize="65536" maxConnections="10"
                        maxReceivedMessageSize="65536">
                        <readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
                            maxBytesPerRead="4096" maxNameTableCharCount="16384" />
                        <reliableSession ordered="true" inactivityTimeout="00:10:00"
                            enabled="false" />
                        <security mode="Message">
                            <transport clientCredentialType="Windows" protectionLevel="EncryptAndSign" />
                            <message clientCredentialType="Certificate" />
                        </security>
                    </binding>
                </netTcpBinding>
            </bindings>
            <client>
                <endpoint address="net.tcp://ikvistapuntavil/WcfBasic" behaviorConfiguration="NewBehavior"
                    binding="netTcpBinding" bindingConfiguration="NetTcpBinding_ITwoWayAsync"
                    contract="Microsoft_Samples_BizTalk_WCFBasicHttpReceiveAdapter_BizTalkApp_DeliveryProcess_DeliveryRequestPort"
                    name="NetTcpBinding_ITwoWayAsync">
                    <identity>
                        <certificate encodedValue="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" />
                    </identity>
                </endpoint>
            </client>
        </system.serviceModel>
    </configuration>


    I'm out of ideas, so I hope someone can help me.

    Wednesday, October 15, 2008 6:01 AM
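The moderator's reply and the posted configs above both come down to one question: which account can see which certificate store, and whether the chain behind each certificate is trusted from that account's point of view. The posted web.config loads the service certificate from CurrentUser\My, but that store belongs to whichever account opens it (the IIS application pool identity or the BizTalk isolated host account, not the interactive user), and WCF's default client-certificate authentication for message security is ChainTrust with online revocation checking, so an untrusted test CA or an unreachable CRL shows up on the client as "The caller was not authenticated by the service". The PowerShell script below is an added diagnostic, not code from the original thread or from Microsoft. It takes the two thumbprints from the posted configs as defaults (they are only placeholders for your own), walks the CurrentUser and LocalMachine stores, tries to open each private key as the running account, and builds the chain twice (online revocation, as WCF does by default, and with no revocation check) so you can tell "CA not in the trusted store" apart from "CRL not reachable". Run it once as yourself and once as the service account; the second run is the one that matters.

```powershell
<#
  Added diagnostic for the thread above; not part of the original post.
  Assumptions: the two default thumbprints are the ones in the posted
  configs and stand in for your own; run this elevated, and run it again
  *as the account hosting the service* (app-pool identity / BizTalk
  isolated host), because CurrentUser stores are per-account.
#>
param(
    [string]$ServiceThumbprint = '41A1ED6BD18A4B3FDF37949D9A30537B732283AB',
    [string]$ClientThumbprint  = 'B2A988CC3B571C1B0E114C418BEDFA12D49F6E36'
)

Add-Type -AssemblyName System.Security   # X509Chain / X509RevocationMode

# Locate a thumbprint in every store the *current* account can see.
function Find-CertByThumbprint {
    param([string]$Thumbprint)
    foreach ($location in 'CurrentUser', 'LocalMachine') {
        foreach ($store in 'My', 'TrustedPeople', 'Root', 'CA') {
            Get-ChildItem -Path "Cert:\$location\$store" -ErrorAction SilentlyContinue |
                Where-Object { $_.Thumbprint -eq $Thumbprint } |
                ForEach-Object {
                    [pscustomobject]@{ Location = $location; Store = $store; Cert = $_ }
                }
        }
    }
}

# Can this account actually open the private key? A certificate that is
# visible but whose key is not readable is the classic "works for me,
# fails under the service account" symptom.
function Test-PrivateKeyAccess {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    if (-not $Cert.HasPrivateKey) { return 'no private key in this store' }
    try {
        # GetRSAPrivateKey covers both CAPI and CNG keys on .NET 4.6+;
        # fall back to the legacy PrivateKey property on older frameworks.
        $key = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
        if ($null -eq $key) { $key = $Cert.PrivateKey }
        if ($null -eq $key) { return 'private key present but not openable by this account' }
        return 'private key readable'
    } catch {
        return "private key NOT readable: $($_.Exception.Message)"
    }
}

# Build the chain the way WCF's default ChainTrust validation does
# (revocation Online), then with NoCheck to separate an untrusted root
# from an unreachable CRL.
function Test-ChainTrust {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $results = @{}
    foreach ($mode in 'Online', 'NoCheck') {
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode =
            [System.Security.Cryptography.X509Certificates.X509RevocationMode]$mode
        $ok = $chain.Build($Cert)
        $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
        $results[$mode] = if ($ok) { 'OK' } else { "FAILED ($status)" }
        $chain.Reset()
    }
    return $results
}

$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
Write-Output "Checking stores as: $identity"

$targets = @(
    @{ Role = 'service'; Thumbprint = $ServiceThumbprint },
    @{ Role = 'client';  Thumbprint = $ClientThumbprint }
)
foreach ($t in $targets) {
    $hits = @(Find-CertByThumbprint -Thumbprint $t.Thumbprint)
    if ($hits.Count -eq 0) {
        Write-Output ("[{0}] {1}: not visible to {2} in any store" -f $t.Role, $t.Thumbprint, $identity)
        continue
    }
    foreach ($h in $hits) {
        $chain = Test-ChainTrust -Cert $h.Cert
        Write-Output ("[{0}] {1}\{2}: subject='{3}'; {4}; chain Online={5}; chain NoCheck={6}" -f
            $t.Role, $h.Location, $h.Store, $h.Cert.Subject,
            (Test-PrivateKeyAccess -Cert $h.Cert), $chain['Online'], $chain['NoCheck'])
    }
}
```

Reading the output: the service thumbprint must appear with "private key readable" in a store the service account opens (for an IIS-hosted service that normally means LocalMachine\My, with the web.config pointing at storeLocation="LocalMachine" rather than CurrentUser); the client thumbprint only needs to chain to a root the server trusts, so a "FAILED (UntrustedRoot)" there means the issuing CA (and any intermediates) still has to be imported into the LocalMachine Root/CA stores, and "OK" under NoCheck but "FAILED (RevocationStatusUnknown...)" under Online means the CRL, not the CA, is the problem.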