As2 Certificate needs override Best Practices?

  • Question

  • I have seen written in multiple places that your host instances and in-process instances should not be a BizTalk administrator. However, in order to load the personal certificate into the Group Properties in the BizTalk Administration Console you must be a BizTalk administrator, since the Administration Console will not even connect to the BizTalk server without being an admin.

    So we created the host instance user and used it for both process hosts (in-process and isolated). We promoted it to admin so that it could reset its certificates. The test went great. The moment we removed it as a BizTalk Admin, the decryption started to fail again.

    Are best practices thrown away when dealing with AS2?

    I will be posting about this at the blog below later, considering I have had to power through 10 or so AS2 quirks already.


    Mark Rowe MCTS:Biztalk http://everythingworkflow.spaces.live.com/
    Tuesday, August 31, 2010 1:00 PM

Answers

  • It seems that the BTUser was a local administrator when I configured and allowed trust to the certificates. When I removed the user from the local box Administrators group, the trust was gone, which created the decrypt errors. (I did this at the same time as removing them from the BT Administrators group.)

    It wasn't due to removing them from the BT Administrators group. I re-added the user to the [local]\Administrators group and the messages started processing again.


    Mark Rowe MCTS:Biztalk http://everythingworkflow.spaces.live.com/
    • Marked as answer by Mark.Rowe Tuesday, August 31, 2010 4:29 PM
    Tuesday, August 31, 2010 4:28 PM
  • Do you mean the decryption from an HTTP Receive? As in an Isolated Host receive? If so, the trick is that you need to set the app pool to load the user profile in order for this to work correctly. I normally do what you have just mentioned: promote to admin, install the cert, remove from admin. And it works fine.

    Kind Regards,

    -Dan

    • Marked as answer by Mark.Rowe Thursday, September 2, 2010 2:52 PM
    Thursday, September 2, 2010 2:50 PM
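    An added example, not part of this thread and not Mark's or Dan's own scripts: the least-privilege form of the procedure Dan describes (install the certificate, give the host instance account only what it needs, and keep it out of Administrators), run from an elevated PowerShell session by the operator rather than by promoting the service account. The account name, thumbprint and application pool name below are placeholders; the script assumes the decryption certificate with its private key is in the LocalMachine Personal store, Windows PowerShell on .NET Framework 4.6 or later for the CNG fallback, and the WebAdministration module on the IIS box that hosts the isolated receive location.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell as an operator
# who is an administrator; the BizTalk host instance account itself only ends up with
# Read on one private key file and a loaded user profile for the isolated host.
# Hypothetical values, replace them for your environment:
$HostAccount = 'CONTOSO\svc-bts-host'                       # host instance / app pool identity
$Thumbprint  = '0123456789ABCDEF0123456789ABCDEF01234567'   # AS2 decryption certificate
$AppPool     = 'BizTalkAS2Receive'                          # app pool of the isolated HTTP receive

# 1. The check: the account must NOT be in the local Administrators group.
function Test-IsLocalAdmin([string]$Account) {
    # Parse `net localgroup` output; members are listed one per line after the dashes.
    $lines = (net localgroup Administrators) |
        Where-Object { $_ -and $_ -notmatch '^(Alias name|Comment|Members|-+|The command)' }
    return [bool]($lines | Where-Object { $_.Trim() -eq $Account })
}

# 2. Find the file that holds the private key. Legacy CSP keys live under
#    RSA\MachineKeys; CNG keys live under Crypto\Keys (needs .NET 4.6+ for the lookup).
function Get-PrivateKeyFilePath([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert) {
    if (-not $Cert.HasPrivateKey) { throw "Certificate $($Cert.Thumbprint) has no private key" }
    $base = Join-Path $env:ProgramData 'Microsoft\Crypto'
    try {
        # .PrivateKey throws for CNG-backed certificates on .NET Framework; fall through.
        $csp = $Cert.PrivateKey.CspKeyContainerInfo
        if ($csp) { return Join-Path (Join-Path $base 'RSA\MachineKeys') $csp.UniqueKeyContainerName }
    } catch { }
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
    return Join-Path (Join-Path $base 'Keys') $rsa.Key.UniqueName
}

# 3. Grant Read on that key file to the service account, instead of making it an admin.
function Grant-PrivateKeyRead([string]$Thumbprint, [string]$Account) {
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
    if (-not $cert) { throw "No certificate with thumbprint $Thumbprint in LocalMachine\My" }
    $keyPath = Get-PrivateKeyFilePath $cert
    $acl  = Get-Acl -Path $keyPath
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Account, 'Read', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $keyPath -AclObject $acl
    # Return the ACE that now applies to the account so the operator can see what was granted.
    (Get-Acl -Path $keyPath).Access | Where-Object { $_.IdentityReference -eq $Account }
}

# 4. Isolated host: make the app pool load the identity's user profile, so the
#    account's per-user certificate store is available to the IIS worker process.
function Set-AppPoolLoadUserProfile([string]$Name) {
    Import-Module WebAdministration
    Set-ItemProperty -Path "IIS:\AppPools\$Name" -Name processModel.loadUserProfile -Value $true
    (Get-ItemProperty -Path "IIS:\AppPools\$Name" -Name processModel.loadUserProfile).Value
}

if (Test-IsLocalAdmin $HostAccount) {
    Write-Warning "$HostAccount is still in the local Administrators group; remove it after granting key access."
}
Grant-PrivateKeyRead -Thumbprint $Thumbprint -Account $HostAccount |
    Format-Table IdentityReference, FileSystemRights, AccessControlType
Set-AppPoolLoadUserProfile -Name $AppPool
```

    The operator stays the only administrator in the picture. If the decryption certificate is kept in the host instance account's own Personal store rather than the machine store, import it while running as that account (for example `Start-Process powershell -Credential $cred -LoadUserProfile` around an `Import-PfxCertificate -CertStoreLocation Cert:\CurrentUser\My`) instead of promoting the account; the loadUserProfile setting above is what lets the isolated host see that per-user store.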

All replies

  • Thanks for the tips; I will add them to the blog I am keeping on the AS2 challenges.

    I have had some challenges with the BT2010 BITS and app pools that need to remain .NET 4.0, which I had to work through back in early June in order to get the WCF services to load properly into IIS. I had to do pretty much the same thing with that (though no certificates were involved): http://everythingworkflow.spaces.live.com/blog/cns!1C0A3085568F1B39!243.entry


    I appreciate you taking time out of your day to comment.


    Mark Rowe MCTS:Biztalk http://everythingworkflow.spaces.live.com/

    Thursday, September 2, 2010 2:53 PM
  • Thank you for posting and even more for blogging about this all.  AS2 on BT is one of those things you look back on and it's so easy... but to get there can be like climbing a mountain. 

    Cheers,

    -Dan

    Thursday, September 2, 2010 3:33 PM