Encryption in BizTalk

  • Question

  • Hi guys,

    Without BizTalk, the client sends the request to a third-party web service; now we have implemented BizTalk in the middle, so can we achieve encryption in BizTalk? Will it affect the third-party service? Does the third-party service need to decrypt the message sent by BizTalk?

    My scenario is as follows :

    I am using a message-based scenario where I made a filter on the receive port in the send port. I have only one request-response receive port and one solicit-response send port. This is a WCF-based service. In the receive location, I am using the WCF-Custom adapter; in the configuration I have given the address of the service (http://172.12.12.12/ABC/ABC.svc), chosen the ws-Http binding and, in the Behavior tab, given the path of my custom WSDL file (http://172.12.12.12/ABC/ABC.wsdl). The path of this WSDL file is:

    C:\inetpub\wwwroot\ABC

    I am using the PassThruTransmit and PassThruReceive pipelines on the receive and send sides.

    In the solicit-response send port, I am using the WCF-WSHttp adapter; in the configuration I have given the address of the service (http://172.13.13.13/ABC/ABC.svc), and in the Binding tab the maximum received message size is 100000000 bytes.

    When the message comes to BizTalk, I have to encrypt it at the solicit-response send port and send it to the third-party service.

    Here I want to know one thing: after encrypting the message in BizTalk at the solicit-response send port, does the third-party service need to decrypt the message sent by BizTalk?

    Thanks in advance !


    • Edited by Shivay_ Thursday, May 12, 2016 5:55 AM
    Thursday, May 12, 2016 5:49 AM

Answers

  • Hi Hari

    There are two parts here-

    • When negotiation is enabled (Negotiate service credential), the client does not need access to the service certificate - this may not be interoperable for non-WCF clients.
    • When negotiation is disabled, the client must have access to the public key certificate of the service.
    In this case, when you generate the proxy using svcutil, the base-64 encoded public key will be included in the client config file itself, in the <identity>/<certificate> element. If using non-WCF clients, you have to install the public key cert in the local store and reference it explicitly.


    Thanks Arindam


    Friday, May 20, 2016 5:29 AM
    Moderator

All replies

  • Without BizTalk, the client sends the request to a third-party web service; now we have implemented BizTalk in the middle, so can we achieve encryption in BizTalk? Will it affect the third-party service? Does the third-party service need to decrypt the message sent by BizTalk?

    Yes, if you encrypt the message in BizTalk, your service should first decrypt it before the service operation can be executed. This part has to be implemented on the service side.

    When the message comes to BizTalk, I have to encrypt it at the solicit-response send port and send it to the third-party service.

    Here I want to know one thing: after encrypting the message in BizTalk at the solicit-response send port, does the third-party service need to decrypt the message sent by BizTalk?

    Yes, as noted above.


    Thanks Arindam


    Thursday, May 12, 2016 6:07 AM
    Moderator
  • You can use private/public key certificates to achieve this.

    The service needs to take the initiative if this needs to happen - they will have to share a public key certificate with you. The private key certificate of this pair would be owned by them. Whenever you send the service a message, you can use the public key to encrypt the message. The service would then use the private key to decrypt your message before actual processing happens on the message.

    Some references on how to set this up on the BizTalk side-

    https://seroter.wordpress.com/2007/03/05/building-a-complete-certificate-scenario-with-biztalk-server-2006/

    https://msdn.microsoft.com/en-us/library/aa562085.aspx

    https://blogs.msdn.microsoft.com/brajens/2006/10/08/understanding-inbound-outbound-message-security-in-biztalk/


    Thanks Arindam

    • Marked as answer by Shivay_ Friday, May 20, 2016 9:41 AM
    Thursday, May 12, 2016 6:13 AM
    Moderator
  • To be able to send encrypted messages with BizTalk Server you will need to install the certificate from your communication partner(s) in the Local Computer\Other People store (see MSDN: How to Install the Certificates for Encrypted Messages).

    SSL certificates contain a private (.pfx) and a public key (.cer), which will need to be installed in the appropriate certificate stores.

    For test scenarios, you can create your own certificate using the Makecert.exe tool, which is part of the .NET Framework. (For production environments, SSL certificates need to be purchased from a Certificate Authority (CA).) But in the case of using SSL certificates in a BizTalk application, the certificates are probably provided by the third party to which the application connects.

    Yes, the partners will have to decrypt the message at their end.

    Refer: http://social.technet.microsoft.com/wiki/contents/articles/32743.biztalk-2013-ssl-certificates-to-encrypt-messages.aspx

    http://social.technet.microsoft.com/wiki/contents/articles/18737.biztalk-server-2013-encrypting-and-decrypting-a-message.aspx

    http://tutorial.wmlcloud.com/windows_server/biztalk-2009---exposing-a-wcf-service-(part-1)---securing-requests-with-message-level-certificate-encryption.aspx


    Rachit Sikroria (Microsoft Azure MVP)


    Thursday, May 12, 2016 6:16 AM
    Moderator
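The public-key/private-key split Arindam describes above, and Rachit's point that the partner has to decrypt at their end, shown end to end as an added example (this is not code from the thread or from BizTalk's MIME/SMIME encoder). The container used is CMS/PKCS#7 enveloped data, the same structure an S/MIME-encrypted message carries. Everything in it is constructed: the self-signed "partner" certificate stands in for the partner's key pair, the subject name and order payload are placeholders, and the script assumes Windows PowerShell 5.1 with the PKI module (New-SelfSignedCertificate) and the .NET Framework System.Security assembly.

```powershell
# Added example, not code from this thread or from BizTalk's MIME/SMIME encoder.
# The partner's PUBLIC certificate encrypts; only the partner's PRIVATE key decrypts.
# Assumes Windows PowerShell 5.1 with the PKI module and .NET Framework.
Add-Type -AssemblyName System.Security

# Stand-in for the partner's key pair (constructed, throw-away). In the real scenario
# the partner keeps this; you only ever receive the public .cer exported from it.
# A CAPI provider and KeyExchange key spec are chosen so EnvelopedCms can use the key.
$partnerCert = New-SelfSignedCertificate -Subject 'CN=Partner Test (constructed)' `
    -CertStoreLocation 'Cert:\CurrentUser\My' `
    -KeyAlgorithm RSA -KeyLength 2048 -KeySpec KeyExchange `
    -KeyUsage KeyEncipherment, DataEncipherment `
    -Provider 'Microsoft Enhanced RSA and AES Cryptographic Provider' `
    -NotAfter (Get-Date).AddDays(1)

try {
    # What the partner hands over: the public part only, no private key.
    $cerBytes   = $partnerCert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
    $publicOnly = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($cerBytes)
    if ($publicOnly.HasPrivateKey) { throw 'exported .cer unexpectedly carries a private key' }

    # Sender side (what the BizTalk send port does): envelope the payload for that public key.
    $message   = '<Order id="constructed-1">confidential</Order>'
    $plaintext = [System.Text.Encoding]::UTF8.GetBytes($message)
    $outbound  = [System.Security.Cryptography.Pkcs.EnvelopedCms]::new(
        [System.Security.Cryptography.Pkcs.ContentInfo]::new($plaintext))
    $outbound.Encrypt([System.Security.Cryptography.Pkcs.CmsRecipient]::new($publicOnly))
    $wire = $outbound.Encode()    # DER bytes; S/MIME base64-encodes these into the MIME body
    "Enveloped $($plaintext.Length) plaintext bytes into $($wire.Length) bytes for $($publicOnly.Subject)"

    # Receiver side (the partner's service): decode, then decrypt with the private key.
    # Without the private key this call throws; the public .cer alone cannot open it.
    $inbound = [System.Security.Cryptography.Pkcs.EnvelopedCms]::new()
    $inbound.Decode($wire)
    $inbound.Decrypt([System.Security.Cryptography.X509Certificates.X509Certificate2Collection]::new($partnerCert))
    $recovered = [System.Text.Encoding]::UTF8.GetString($inbound.ContentInfo.Content)
    "Recipients in envelope: $($inbound.RecipientInfos.Count); plaintext recovered intact: $($recovered -eq $message)"
}
finally {
    # Remove the throw-away certificate and its key so nothing lingers in the store.
    Remove-Item -Path ('Cert:\CurrentUser\My\' + $partnerCert.Thumbprint) -DeleteKey
}
```

The encrypt step only ever touches the public certificate, which is why the partner can hand it out freely, and the decrypt step is the work the service side has to implement (or configure in its own S/MIME-capable stack) before it can process the message.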
  • Thanks Arindam for the nice link:

    https://seroter.wordpress.com/2007/03/05/building-a-complete-certificate-scenario-with-biztalk-server-2006/

    For creating the certificate I used the following steps:

    In the above picture, I got the certificate for the current user but not for the local computer, as given in the above link.

    And then I exported the private and public keys to a location on the G drive. After creating the send pipeline with the MIME/SMIME encoder, I tried to browse for the encryption certificate on the send port but did not get any certificate:

    Is it possible to create the certificate in this way, or do I have to purchase it or create it through the makecert tool?

    Please suggest !

    Thursday, May 12, 2016 9:29 AM
  • Hi

    For encryption/sending encrypted messages, the certificate should be provided by the service; it should NOT be your certificate, but the service's.

    So first check with the 3rd-party service whether they want to accept encrypted messages. If yes, ask them for the public key certificate. The rest of the steps to follow are in the links I shared - we can discuss this further if you run into issues.


    Thanks Arindam

    Thursday, May 12, 2016 9:40 AM
    Moderator
  • Now to answer your question (note you should not be creating the encryption certificate yourself - refer to my earlier post).

    You are not seeing the certificate (both in Local Computer and in the Send Port certificate list) since the certificate is getting created in your Personal certificate store.

    Refer to the steps in the link you are following and create the test certificate using the makecert tool - then you can import that certificate into the Local Computer certificate store - follow the steps in that blog, it's shown very clearly.


    Thanks Arindam

    Thursday, May 12, 2016 9:54 AM
    Moderator
  • Hi Arindam,

    I just want to do a POC so that I can show my management that encryption can be implemented in BizTalk.

    The third party service is ready to accept the encrypted message.

    I tried with the makecert tool but still got the same problem.

    Thursday, May 12, 2016 10:18 AM
  • Hi

    Did you follow the exact/complete set of steps in the link you're following?

    You have to export and then import the same certificate into the Local Computer certificate store after makecert generates it for you-


    Thanks Arindam



    Thursday, May 12, 2016 10:23 AM
    Moderator
  • I am using Windows Server 2008 and the Other People tab is not showing for me:

    I am generating the certificate with the following command:

    And then got the following key:

    Then I exported the private and public keys to a location on the G drive.

    Thursday, May 12, 2016 10:35 AM
  • Ok, launch mmc.exe.

    File -> Add/remove Snap-In.

    Select certificates -> Add

    Select Computer Account -> Next -> Local Computer -> Finish.

    Now you will find the Certificate Stores you need.


    Thanks Arindam

    • Marked as answer by Shivay_ Saturday, May 21, 2016 11:43 AM
    Thursday, May 12, 2016 10:41 AM
    Moderator
  • On the host, I am able to see the certificate as follows:

    But not in the send port.

    Thursday, May 12, 2016 10:42 AM
  • For this you need to export only the public key cert and import it into the Other People store-

    https://msdn.microsoft.com/en-us/library/aa559322.aspx

    Partner's public key - Other People store on each computer that has a host instance that has a send pipeline with a MIME/SMIME Encoder pipeline component configured to encrypt messages (Enable encryption property set to True). For more information, see How to Configure BizTalk Server for Sending Encrypted Messages.


    Thanks Arindam

    Thursday, May 12, 2016 10:47 AM
    Moderator
  • Now the certificate is showing on the send port after importing it into the Other People tab of Local Computer.

    But I got the following error in the admin console:

    could not validate the trust chain of the encryption certificate . The certificate issuing authority may not be a trusted certificate authority.

    Thursday, May 12, 2016 11:20 AM
  • Import your certificate in the Trusted Root Certification Authorities store as well.

    Thanks Arindam

    • Marked as answer by Shivay_ Saturday, May 21, 2016 11:44 AM
    Thursday, May 12, 2016 11:27 AM
    Moderator
  • Hold on everyone...

    I have to point out that all the answers provided so far are just guesses or assumptions.

    No one has asked the OP what exactly they mean by "encryption". TLS/SSL? PGP? S/MIME? AS2? Something else? While S/MIME is mentioned, is that really what the service requires? Are there other options?

    Either way, yes, BizTalk can do any type of encryption and authentication you need; there's really no need to prove it.

    Thursday, May 12, 2016 11:50 AM
    Moderator
  • Hi Arindam,

    I successfully got the encrypted message, but now there is an issue with the decrypted message.

    While decrypting the message which I just encrypted, I got the following issue:

    There was a authentication failure .Decoder could not find the decryption certificate in the "Current User\Personal" certificate store.Unable to decrypt the message.

    Hi John,

    Now my focus is on S/MIME encryption; once it is done successfully I will go for further encryption as well.

    Thursday, May 12, 2016 1:19 PM
  • This issue has also been solved:

    The Personal store was under my user account; now I have changed it to the host user account, and it is running successfully.



    Thursday, May 12, 2016 1:38 PM
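An added PowerShell check (not code from the thread) for the three store-placement problems worked through above: the partner's public certificate has to sit in Local Computer\Other People for the send port to list it, its chain has to validate (the "could not validate the trust chain of the encryption certificate" error), and the decryption certificate with the private key has to be in the Personal store of the account the receiving host instance runs as rather than the logged-on admin's. The file paths and the thumbprint are placeholders, not values from the thread; the script assumes an elevated Windows PowerShell 5.1 session on the BizTalk host with the PKI module (Import-Certificate).

```powershell
# Added example, not from the thread. Verifies where the certificates used by the
# BizTalk MIME/SMIME encoder and decoder sit, and whether the partner cert chains.
# Paths and the thumbprint are placeholders. Assumes elevated Windows PowerShell 5.1.

$PartnerCerFile     = 'C:\temp\partner-public.cer'        # placeholder: .cer from the partner (public key only)
$PartnerRootCerFile = 'C:\temp\partner-issuing-root.cer'  # placeholder: the partner's issuing CA root .cer
$DecryptThumbprint  = '0000000000000000000000000000000000000000'  # placeholder: your own decryption cert

function Test-EncryptionCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    # Revocation is skipped so the check runs offline; BizTalk itself honours the machine's policy.
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $valid  = $chain.Build($Cert)
    $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
    $usage  = $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] } |
        ForEach-Object { $_.KeyUsages }
    [pscustomobject]@{
        Subject       = $Cert.Subject
        Thumbprint    = $Cert.Thumbprint
        HasPrivateKey = $Cert.HasPrivateKey   # a partner's encryption cert must report False
        KeyUsage      = "$usage"              # expect KeyEncipherment for an encryption cert
        ChainValid    = $valid
        ChainStatus   = $status               # 'UntrustedRoot'/'PartialChain' => root/intermediate missing
    }
}

# 1. Partner public key -> Local Computer\Other People (provider container name: AddressBook).
#    This is the store the send-port certificate picker and the encoder read from.
$partner = Import-Certificate -FilePath $PartnerCerFile -CertStoreLocation 'Cert:\LocalMachine\AddressBook'
$result  = Test-EncryptionCertificate -Cert $partner
$result

# 2. If the chain does not build, the partner's issuing root is missing from machine trust.
#    Trusting a root is a machine-wide decision: confirm its thumbprint with the partner
#    out of band before importing it.
if (-not $result.ChainValid -and $result.ChainStatus -match 'UntrustedRoot|PartialChain') {
    $root = Import-Certificate -FilePath $PartnerRootCerFile -CertStoreLocation 'Cert:\LocalMachine\Root'
    "Imported issuing root $($root.Thumbprint) into Trusted Root Certification Authorities"
    Test-EncryptionCertificate -Cert $partner
}

# 3. Decryption side: the MIME/SMIME decoder looks in Current User\Personal of the account
#    the receiving host instance runs as. Run this part as that service account; the
#    logged-on admin's Personal store is not the one consulted.
$mine = Get-ChildItem 'Cert:\CurrentUser\My' | Where-Object Thumbprint -eq $DecryptThumbprint
if ($mine -and $mine.HasPrivateKey) {
    "Decryption certificate present with private key for $env:USERNAME"
} else {
    "Decryption certificate NOT usable for $env:USERNAME (missing, or public part only)"
}
```

Running step 3 under the host instance's service account (for example via a scheduled task or runas) is what tells you whether the "Current User\Personal" lookup the decoder error complains about will succeed.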
  • If I want to apply SSL encryption, then should I create a custom pipeline component for it?

    Thursday, May 12, 2016 1:41 PM
  • Now my focus is on SMIME encryption, while It is done successfully I will go for further encryption as well.

    That's great, but is that what the service requires? Don't waste your time on something that won't be used.

    Thursday, May 12, 2016 2:09 PM
    Moderator
  • No, SSL encryption happens at the transport layer. So, for example, if you are calling a service over https, the packets that are exchanged over the network are encrypted - all of that happens by negotiating a symmetric key before the actual transmission begins at the network layer. No application code is needed for this.

    Read this-

    https://support.microsoft.com/en-in/kb/257591


    Thanks Arindam


    Thursday, May 12, 2016 2:12 PM
    Moderator
  • Thanks Arindam;

    My requirement is as follows :

    For testing purposes, first I have to create a WCF service (let's call it A) which sends an encrypted message to BizTalk; then BizTalk will decrypt it and send it to another service (B) in encrypted form. Then that encrypted message is decrypted by service B, and it will send an encrypted message to BizTalk, which is again decrypted by BizTalk, and then BizTalk will send an encrypted message to service A.

    I have to create these two services (A, B) and also use BizTalk.

    Which encryption will be best for the above requirement?

    Do I have to write any code for the services (A, B) or for BizTalk?

    Please help !

    Friday, May 13, 2016 5:25 AM
  • Again, what does the eventual target service require?

    Doing a POC just to prove BizTalk can encrypt things is pretty pointless. Yes, it can, in many ways. It's even worse if you demo the wrong thing.

    Without knowing what you need, all the above answers are just guesses.

    Friday, May 13, 2016 5:52 AM
    Moderator
  • Hi Hari

    The first thing to consider is - where are all of these services located/hosted?

    If all of these services/clients are on your domain (internal)/not exposed outside, your best bet is to use the WCF netTcp binding with Windows authentication. If your client and the 3rd-party service are also .NET based, it will be very easy to set up the netTcp binding at all of these places via config itself - you will get encryption out of the box.

    You will have to do more work if you have external services/clients, and if some of them are not .NET based.


    Thanks Arindam

    Friday, May 13, 2016 5:57 AM
    Moderator
  • Hi Arindam,

    All services are on the same domain; some of the services are .NET based and some are Java based.

    Could you please provide some links regarding this?


    • Edited by Shivay_ Friday, May 13, 2016 6:10 AM
    Friday, May 13, 2016 6:10 AM
  • Hi Hari

    If there are JAVA apps, you will not be able to use netTcp binding, as it's not interoperable.

    So, for communication between your .NET/BizTalk apps/services, set up your authentication as Windows over the WCF netTcp binding-

    https://msdn.microsoft.com/en-us/library/ff647180.aspx

    https://msdn.microsoft.com/en-us/library/bb226332.aspx

    http://www.codeproject.com/Articles/314327/Implement-windows-authentication-and-security-in-W

    Where JAVA service/clients are involved, you have to use different options - like either Message security using SOAP security standards (WS-BasicProfile/WS-*), or transport layer security (SSL/TLS).

    Note: If your JAVA service/client is talking over https and not http, the communication is secure/encrypted by default using SSL/TLS.

    If you need advanced security, like encrypting the message payload itself end-to-end, you will have to consider implementing SOAP security standards on both sides. For a .NET/WCF app, that means turning on SecurityMode = Message. For how to do this on the Java side, you need to check with the people who wrote the app how they can enable SOAP-based message security.


    Thanks Arindam


    Friday, May 13, 2016 6:40 AM
    Moderator
  • Well, no, that is not the way to go, that's not how the netTcpBinding works.

    Once you have determined the actual requirement of the existing services, please start a new thread so we can provide you the correct guidance.


    Friday, May 13, 2016 6:45 AM
    Moderator
  • Hi Arindam,

    Actually the services which are implemented in BizTalk use the wsHttp binding, and the third-party services also use the wsHttp binding, and we cannot change the binding for the third-party service.


    • Edited by Shivay_ Friday, May 13, 2016 7:07 AM
    Friday, May 13, 2016 7:07 AM
  • Hi Arindam,

    If we apply message security or transport security at the service level and the BizTalk level, then it is already encrypted.

    No need to write any code at the service level or at the BizTalk level.

    At the service level, we have to change the security in the config file:

    <bindings>
      <wsHttpBinding>
        <binding name="ABC">
          <security mode="Message"/>
        </binding>
      </wsHttpBinding>
    </bindings>

    At BizTalk level message security can be applied as follows:


    By applying this we are automatically sending the message in an encrypted manner.

    Please correct me if I am wrong!

    • Edited by Shivay_ Friday, May 13, 2016 7:38 AM
    Friday, May 13, 2016 7:35 AM
  • Hi Hari

    "If we apply message security or transport security at service level and biztalk level then it is already encrypted ."

    This applies only to WCF, and therefore to .NET services/clients. You are correct: if you turn on wsHttpBinding with securityMode = Message, by default the message payload is encrypted using a Windows token from the service. Encryption/decryption happens at the WCF layer, and not a single line of code is needed to get this working.

    However, you mentioned earlier that you also have Java services; this will not work in that case. There is no WCF for Java, so they have to handle the SOAP message(s) that WCF generates using their stack - you need to check with the developers of that service.

    Also note that you can set other credential types like UserName when using wsHttpBinding. So, first check with the owners of your Java service what kind of security they want. Once you have those details, we can suggest options for you to achieve encryption. The encryption requirements flow from the service, not the client.


    Thanks Arindam


    Friday, May 13, 2016 8:50 AM
    Moderator
  • The other key thing to worry about when technologies other than .NET are involved is interoperability. So, not everything WCF supports/can do would be supported by Java.

    Sometimes you have to take the lowest/minimum viable path - which is why bindings like basicHttpBinding exist. wsHttpBinding offers extra features, but not all of them would be compatible with your Java service.


    Thanks Arindam

    Friday, May 13, 2016 8:55 AM
    Moderator
  • Hi Arindam,

    Thanks for all your replies.

    I just have two confusions:

    First doubt: I am using the WCF-Custom adapter with wsHttpBinding and the security mode is Message, as seen below:

    I am using an in-process host for this location. Here the client credential type is Windows. But when I tried to consume the URL in a console app, the security mode was None in the app.config file. When I tried to invoke it through the console app there was an error saying binding mismatch; when I changed the security mode to Message in the config file of the console app, I got the desired result. Why is it behaving in this way?

    2nd doubt: Now I use security mode Message but the client credential type is UserName, as seen below:

    But when I consume the service, the error shows as follows:

    Cannot obtain metadata from http://178.12.12.12/AB/AB.svc .There was no endpoint listening at http://178.12.12.12/AB/AB.svc that could accept the message.

    Please suggest something !

    Tuesday, May 17, 2016 7:55 AM
  • Hi Hari

    1. This is probably because you are hosting the service in-proc and not in IIS. So the client is not getting the correct metadata of this service, as the metadata is not browsable. You have to publish your WSDL file manually in an IIS virtual directory first, and reference that from your WCF-Custom adapter.

    "on the Behavior tab, I added a Service Behavior and selected the serviceMetadata behavior from the list.  I set the externalMetadataLocation to the URL of my custom WSDL and flipped the httpGetEnabled value to True."


    https://seroter.wordpress.com/2010/12/05/error-with-one-way-wsdl-operations-and-biztalk-receive-locations/

    Maybe you can publish the service to IIS first using the WCF Publishing Wizard. Grab this WSDL file by appending ?wsdl after the .svc in the published service. Use this WSDL as a starting point, make appropriate modifications to it, like the service URL etc., then create a new virtual directory in IIS and copy your WSDL file there. Make sure this custom WSDL is browsable, and set the properties shown above in the screenshot.

    Before doing any of this, as a test, publish a test service to IIS using the WCF Publishing Wizard with wsHttpBinding, try to consume this service in a console app, and check whether you are getting the correct bindings. Sometimes Add Service Reference doesn't import the exact WCF bindings from a service. There are cases when just modifying the client bindings as you have done is the only solution.

    2. Make sure http://178.12.12.12/AB/AB.svc is browsable from IE.

    This case may be related to metadata not being browsable as well.

    The error suggests that metadata for the service is not getting downloaded on the client side. Try to make the changes as per the first suggestion, and see if this gets resolved as well.


    Thanks Arindam

    Tuesday, May 17, 2016 8:21 AM
    Moderator
  • Hi Arindam,

    ServiceMetadataLocation and httpGetEnabled are already set under Service Behaviour, but I am still unable to browse my service.

    Actually, when the security mode is Message and the client credential type is Windows, then the service can be browsed; but when the security mode is Message and the client credential type is UserName, then the service cannot be browsed.

    What could be the reason? Please suggest!

    If I change the security mode to Message or Transport, will the WSDL file change automatically?

    If not, then what changes do I have to make to the WSDL file?

    Actually I want to use that security in BizTalk by which the client only needs to change the config file, not any client code. Which would be the best option? Please suggest!

    • Edited by Shivay_ Tuesday, May 17, 2016 10:34 AM
    Tuesday, May 17, 2016 10:23 AM
  • Hi Hari

    Since you have specified an external WSDL location via the externalMetadataLocation property, WCF/BizTalk will not update that WSDL at all. If you are making changes in the BizTalk WCF adapter config, you have to manually edit and keep the WSDL updated. This is something you have to manage yourself.

    The way to figure out what the correct WSDL file will be for security mode: Message and client credential type: UserName is to try what I mentioned earlier. Create a test BizTalk WCF service using the BizTalk WCF Service Publishing Wizard in IIS. Change the security settings as per your need in the Receive Location created by the wizard. Now browse to the WSDL in IIS - it will have the correct settings.

    You can use this WSDL as a starting point for your actual service over WCF-Custom. You will have to edit certain settings like the service URL, etc. Now, copy this new WSDL over to the IIS virtual directory path that the externalMetadataLocation property is set to for your actual WCF-Custom Receive Location.


    Thanks Arindam

    Tuesday, May 17, 2016 12:50 PM
    Moderator
  • Actually I want to use that security in biztalk by which the client only needs to change in config file not in any client code ? Which would be the best option ? 

    The choice of security mode and client credentials should be driven by business need and by what kind of environment the client and service are located in.

    For example, the client and service may both be in the same Windows domain - the best choice is to use Windows auth over the netTcp binding.

    Now, the client and service may be external to each other - maybe access happens over the internet. In that case, you can use other client auth schemes like UserName, Certificate, etc. You can turn on either Transport or Message security.

    Another thing to consider is whether both service and client are on WCF. If not, things get a bit more complex.

    So, in short, first figure out the above considerations. Once you know the exact requirements, you should be able to set up all types of modes via config itself, if both sides are on WCF.


    Thanks Arindam

    • Marked as answer by Shivay_ Saturday, May 21, 2016 11:52 AM
    Tuesday, May 17, 2016 1:00 PM
    Moderator
  • Hi Arindam,

    I have created a service on IIS through BizTalk using BizTalkServerIsolatedHost as mentioned by you.

    Binding is ws-Http , in security tab security mode is message, message client credential type is windows and algorithm suite is Basic256 as seen below:

    In the wsdl file I got one extra identity tag as seen below:

    In the wsdl file I also got some extra tags for security policy.

    I consume the service in console app and got the following app.config file :

    Now here I want to ask two things :

    First thing, it's not showing any security tag with client credential type.

    2nd thing, it is showing an identity tag with userPrincipalName.

    Please explain!

    When I call the service it is working fine. But when I remove the identity tag it does not work.

    Now I copied the same identity tag and security into my custom wsdl file for the in-process host and tried to call the service, but it works whether you provide the identity or not. Please explain why?
    • Edited by Shivay_ Thursday, May 19, 2016 9:26 AM
    Thursday, May 19, 2016 9:19 AM
  • First thing, it's not showing any security tag with client credential type.

    That's because the clientCredentialType defaults to Windows, so defaults are in use.

    2nd thing, it is showing an identity tag with userPrincipalName.

    That is the serviceIdentity that is used for authenticating the service at the client side. See this for more details:

    https://social.msdn.microsoft.com/Forums/vstudio/en-US/78638457-ca7a-4f88-b8a9-9bc32d4b5c7d/userprincipalname-element-generated-in-client-config?forum=wcf

    Now I copied the same identity tag and security into my custom wsdl file for the in-process host and tried to call the service, but it works whether you provide the identity or not.

    Did you regenerate the proxy class in client code by pointing to new wsdl? If yes, are you getting <identity> in new client config file?
    What are the bindings in place in BizTalk for the WCF-Custom adapter?


    Thanks Arindam



    Thursday, May 19, 2016 10:07 AM
    Moderator
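    To make the two points in the reply above concrete, here is what a client app.config for a BizTalk-published wsHttpBinding service looks like when the WCF defaults are written out explicitly. This is an added illustration, not the config generated in the thread; the service address, contract name and UPN value are placeholders.

    ```xml
    <!-- Added illustration of a client app.config for a wsHttpBinding service
         with security mode = Message. Address, contract name and UPN are placeholders. -->
    <configuration>
      <system.serviceModel>
        <bindings>
          <wsHttpBinding>
            <binding name="WSHttpBinding_Message_Windows"
                     maxReceivedMessageSize="100000000">
              <security mode="Message">
                <!-- These are the WCF defaults for wsHttpBinding message security,
                     so a generated config that omits them behaves exactly like this:
                     Windows client credential, service credential negotiated at
                     runtime, Basic256 algorithm suite. -->
                <message clientCredentialType="Windows"
                         negotiateServiceCredential="true"
                         algorithmSuite="Basic256" />
              </security>
            </binding>
          </wsHttpBinding>
        </bindings>
        <client>
          <endpoint address="http://SERVICE-HOST-PLACEHOLDER/ABC/ABC.svc"
                    binding="wsHttpBinding"
                    bindingConfiguration="WSHttpBinding_Message_Windows"
                    contract="ServiceReference1.IContract_PLACEHOLDER"
                    name="WSHttpBinding_Message_Windows">
            <!-- Service identity, as the reply above describes: the client uses this
                 UPN to verify it is talking to the intended Windows account before it
                 completes the message-security handshake. If it does not match the
                 account the service runs under, the client-side identity check fails
                 and the call is rejected. -->
            <identity>
              <userPrincipalName value="svc-account@DOMAIN-PLACEHOLDER" />
            </identity>
          </endpoint>
        </client>
      </system.serviceModel>
    </configuration>
    ```

    The security element is the part to compare against the receive location's adapter settings: with Windows client credentials and negotiation enabled, nothing about the service certificate needs to be on the client, which is why only the identity element shows up in the generated config.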
  • Thanks Arindam, I regenerated the proxy class in client code by pointing to the new wsdl and I am getting the <identity> in the new client config file, but after calling from the WCF test client I got the following error: An error occured when verfying security for the message. I am using ws-http binding in the WCF-Custom adapter. Can the value of userPrincipalName be anything? Please help!
    Thursday, May 19, 2016 10:49 AM
  • No, the value of userPrincipalName must be the one that is set in the client config for you after you refresh the proxy - this represents the identity of the service.

    Thanks Arindam

    Thursday, May 19, 2016 11:03 AM
    Moderator
  • For those services which use the in-process host, we have to create this identity tag manually by changing the custom wsdl file. Is that right?

    Now what is happening is that when I use the BizTalk Server Isolated Host for creating the service, the value of identity is reflected, i.e. when I remove the identity tag it is not working.

    But in the case of those services which are under the in-process host, the value of identity is not reflected, i.e. when I remove the identity tag it is still working. Don't know why. I have even changed the custom wsdl file, and after consuming it in the client I am also getting the identity tag.

    Please suggest something!

    Thursday, May 19, 2016 12:33 PM
  • I tried with the following setting as well for the BizTalkServer Isolated Host based service:

    I created a local certificate.

    When I consumed the service in the console app and tried to call the service, it throws an error saying:

    the username is not provided. specify username in client credential.

    Where do I provide this username and what will be its value? Because I did not provide any user value anywhere in the settings.

    Please suggest !

    Thursday, May 19, 2016 12:51 PM
  • For those services which use the in-process host, we have to create this identity tag manually by changing the custom wsdl file. Is that right?

    Yes, the wsdl file for the in-proc host has to be kept updated manually, since it is published independently - WCF has no control to modify it if you change your in-proc adapter bindings. Any changes made in the adapter config have to be manually updated in your wsdl file.

    So, use the wsdl that you are getting from your service in IIS. Make similar entries in your custom wsdl, provided the security and other settings are the same for IIS based ReceiveLocation and your in-proc Receive Location.

    Once you have updated the wsdl, disable and enable your in-proc Receive Location. Now, try to generate a new proxy from your console app. You will get correct bindings.


    Thanks Arindam





    Thursday, May 19, 2016 1:39 PM
    Moderator
  • Again, default settings are coming into play :).

    So, the default WCF userNamePasswordValidationMode is Windows. So, from the client you have to set your Windows domain id and password.

    https://msdn.microsoft.com/en-us/library/ms731315%28v=vs.110%29.aspx

    The certificate you provided is not for client authentication, it's for service authentication - using that the client knows that it's talking to the correct service.


    Thanks Arindam


    Thursday, May 19, 2016 1:52 PM
    Moderator
  • Thanks Arindam,

    So if I use a certificate, what's the role of the private key and public key here?

    Does the client need to use the public key for using my service?

    Friday, May 20, 2016 5:03 AM
  • Hi Hari

    There are two parts here:

    • When negotiation is enabled (Negotiate service credential), the client does not need access to the service certificate - may not be interoperable for non-WCF clients.
    • When negotiation is disabled, the client must have access to the public key certificate of the service.
    In this case, when you generate the proxy using svcutil, the base-64 encoded public key will be included in the client config file itself, in <identity>/<certificate> element. If using non-WCF clients, you have to install the public key cert in local store and reference it explicitly.


    Thanks Arindam


    Friday, May 20, 2016 5:29 AM
    Moderator
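    The two replies above (the UserName credential being validated against Windows by default, and the service certificate's public half ending up in the client config when negotiation is disabled) fit together in one configuration. The fragment below is an added illustration, not config from the thread or from BizTalk's generated output: part (1) is the service side expressed as standard WCF config (the WCF-Custom adapter's Binding and Behavior tabs carry the same settings), part (2) is the client app.config. Certificate subject, store location and the base64 value are placeholders.

    ```xml
    <!-- Added illustration. Subject name, store and the base64 value are placeholders. -->
    <configuration>
      <system.serviceModel>

        <!-- (1) Service side: what the BizTalk receive location is configured with -->
        <behaviors>
          <serviceBehaviors>
            <behavior name="UserNameOverMessageSecurity">
              <serviceCredentials>
                <!-- Windows is the default validation mode, so even without this line a
                     UserName credential is checked against Windows accounts: the client has
                     to send a Windows domain id and password. -->
                <userNameAuthentication userNamePasswordValidationMode="Windows" />
                <!-- The certificate WITH its private key lives only here. It proves the
                     service's identity to the client and lets the service decrypt what the
                     client encrypted with the matching public key. -->
                <serviceCertificate findValue="CN=SERVICE-CERT-PLACEHOLDER"
                                    storeLocation="LocalMachine"
                                    storeName="My"
                                    x509FindType="FindBySubjectDistinguishedName" />
              </serviceCredentials>
            </behavior>
          </serviceBehaviors>
        </behaviors>
        <bindings>
          <wsHttpBinding>
            <binding name="UserName_NoNegotiate">
              <security mode="Message">
                <!-- negotiateServiceCredential="false": the client cannot fetch the service's
                     public key at runtime, so it must already hold it (see the
                     <identity>/<certificate> element in the client config below). -->
                <message clientCredentialType="UserName"
                         negotiateServiceCredential="false" />
              </security>
            </binding>
          </wsHttpBinding>
        </bindings>

        <!-- (2) Client side: app.config of the console app after regenerating the proxy -->
        <client>
          <endpoint address="http://SERVICE-HOST-PLACEHOLDER/ABC/ABC.svc"
                    binding="wsHttpBinding"
                    bindingConfiguration="UserName_NoNegotiate"
                    contract="ServiceReference1.IContract_PLACEHOLDER"
                    name="UserName_NoNegotiate">
            <identity>
              <!-- Base64 DER of the service's PUBLIC certificate only; no private key.
                   svcutil embeds it here when negotiation is disabled. A non-WCF client
                   would instead install this certificate in its local store and
                   reference it explicitly. -->
              <certificate encodedValue="BASE64-DER-OF-SERVICE-PUBLIC-CERT-PLACEHOLDER" />
            </identity>
          </endpoint>
        </client>
      </system.serviceModel>
    </configuration>
    ```

    Note that the username and password themselves never appear in the client config: for clientCredentialType="UserName" they are set in client code on the proxy's ClientCredentials.UserName (UserName and Password), which is the place the "username is not provided" error is pointing at. If negotiateServiceCredential were left at its default of true, the identity/certificate element would not be needed on a WCF client because the public key would be obtained during the handshake.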
  • Hi Hari

    Given this thread is getting rather long involving multiple questions, I would request you to mark the replies that helped in answering your various queries, and then create separate thread(s) for specific questions that you have. This would help other forum members to search for the issues in future.

    Thanks!


    Thanks Arindam



    Friday, May 20, 2016 8:57 AM
    Moderator
  • To add on, there were multiple resolutions provided to your various new queries across this thread. If any reply was an answer for your specific/new query and helped you, you should mark all of them appropriately.

    Thanks Arindam




    Friday, May 20, 2016 9:51 AM
    Moderator