BizTalk 2009 HTTP Adapter and SHA-2 client certificate

  • Question

  • Hi,

    I'm using BizTalk 2009 and I need to call a Web Endpoint with the HTTP adapter. The endpoint requires a client certificate.

    The server and the client certificates were generated with SHA256 algorithm because of the partner requirements.

    I configured a send port to use the client certificate and I installed the certificate in the required certificate stores.

    Thanks to Wireshark, I can see that BizTalk is not sending the client certificate to the endpoint. It is not an error with the certificate thumbprint nor the certificate stores, I double checked it.

    I think that it could be due to the fact that the client and server certificates are SHA-2, because I think that these certificates are not supported to be used with BizTalk 2009. Am I right? Where can I find an official statement about that?

    Thanks.

    Sunday, February 5, 2017 1:29 PM


All replies

  • Correct, BizTalk Server 2009 supports only SHA 1.

    BizTalk Server 2010 and 2013 R1/2 support SHA 2 certificates only through a CU.

    BizTalk Server 2016 supports SHA 2 certificates and SHA 2 operations, encryption, signing, etc.

    The official statement is by inference only, meaning they say SHA 2 is supported only in BizTalk Server 2016.

    https://msdn.microsoft.com/en-us/library/aa547244.aspx

    https://msdn.microsoft.com/en-us/library/mt670742.aspx?f=255&MSPPError=-2147217396

    Sunday, February 5, 2017 2:26 PM
    Moderator
  • Hi, thanks.

    Do you think that, because it is not supported, I just get an error about the SSL channel that can't be created, and not a very clear explanation about SHA2?

    Because I want to be sure that it is the root cause, I'm going to try using a SHA1 certificate for the client auth, just to see if in this particular use case it is sent to the server. What do you think?

    But in order to do that, I need a Web Endpoint that requires a client certificate. Does one already exist online (like httpbin but with client cert auth)?

    Sunday, February 5, 2017 2:36 PM
  • I actually don't know though presumably if BizTalk Server 2010 had to be updated to accommodate SHA2, then previous versions won't work.

    I guess you'll know after trying the SHA1 cert.


    Tuesday, February 7, 2017 1:17 PM
    Moderator
  • Hi,

    I tried to use BizTalk 2013 R2 with the exact same configuration (send port HTTP to point to a HTTPS endpoint that requires client cert authentication).

    I used my SHA2 client certificate.

    When I look into the Wireshark capture, I can see that during the client certificate exchange, BizTalk doesn't send the certificate... and I don't know why.

    I tried to use WFetch test client and with this utility it works fine.

    Any ideas?

    Tuesday, February 7, 2017 1:20 PM
  • If you change the thumbprint to something wrong, do you get an error?

    Also, are you sure the server is requesting the correct cert?  And are you sure you have the correct cert specified?

    Weird, I just had this problem and it was because the server was using an unusual (wrong) configuration.

    Tuesday, February 7, 2017 2:04 PM
    Moderator
  • Yes, if I change the thumbprint to use a wrong one, I get an error.

    I don't know if the server is requesting the correct cert but what I'm sure is that:

    • When I use IE as a client, it works
    • When I use FireFox it works
    • When I use WFetch it works

    All from the same machine and with the same client cert...

    Tuesday, February 7, 2017 2:06 PM
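The thread's troubleshooting steps (look the certificate up by thumbprint in the stores, confirm it really is SHA-2, and reproduce the request outside BizTalk the way WFetch does) can be scripted on the BizTalk machine. The following PowerShell is an added example, not code from the thread, from Microsoft or from BizTalk. It assumes placeholder values for the thumbprint and endpoint URL, and assumes the certificate is expected in the Personal store of either the host instance account (CurrentUser\My, when run as that account) or the machine (LocalMachine\My); adjust the store list to whatever the send port actually uses.

```powershell
# Added diagnostic for "is my client certificate usable, and does the server accept it?"
# Placeholders (assumptions, replace before use):
$Thumbprint = 'REPLACE_WITH_CERT_THUMBPRINT'
$Url        = 'https://endpoint.example.invalid/'

# 1. Locate the certificate the send port references. Run this as the host
#    instance account so that CurrentUser\My is that account's store (assumption
#    about where the send port looks; the thread only says "the required stores").
$stores = 'Cert:\CurrentUser\My', 'Cert:\LocalMachine\My'
$cert = $null
foreach ($store in $stores) {
    $found = Get-ChildItem -Path $store | Where-Object { $_.Thumbprint -eq $Thumbprint }
    if ($found) { $cert = $found; Write-Host "Found certificate in $store"; break }
}
if (-not $cert) { throw "No certificate with thumbprint $Thumbprint in $($stores -join ', ')" }

# 2. Report what matters for a client-auth handshake: signature algorithm
#    (sha1RSA vs sha256RSA), a usable private key, validity window, and the
#    Client Authentication EKU (OID 1.3.6.1.5.5.7.3.2). Without a private key the
#    certificate can be found by thumbprint yet never be presented to the server.
$ekuExt = $cert.Extensions | Where-Object {
    $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
}
$hasClientAuth = $false
if ($ekuExt) {
    $hasClientAuth = [bool]($ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.2' })
}
[pscustomobject]@{
    Subject            = $cert.Subject
    Issuer             = $cert.Issuer
    SignatureAlgorithm = $cert.SignatureAlgorithm.FriendlyName   # e.g. sha256RSA
    HasPrivateKey      = $cert.HasPrivateKey
    NotBefore          = $cert.NotBefore
    NotAfter           = $cert.NotAfter
    ClientAuthEku      = $hasClientAuth
} | Format-List

# 3. Reproduce the send port's request outside BizTalk (the WFetch test from the
#    thread) using the same certificate object. A 200 means the server accepted
#    the certificate; a 403 or "Could not create SSL/TLS secure channel" points
#    at the handshake rather than at BizTalk configuration.
$request = [System.Net.HttpWebRequest]::Create($Url)
$request.Method = 'GET'
$request.ClientCertificates.Add($cert) | Out-Null
try {
    $response = $request.GetResponse()
    Write-Host ("HTTP {0}: server accepted the client certificate" -f [int]$response.StatusCode)
    $response.Close()
}
catch [System.Net.WebException] {
    Write-Host ("Request failed: {0}" -f $_.Exception.Message)
    if ($_.Exception.Response) {
        Write-Host ("HTTP {0} returned by server" -f [int]$_.Exception.Response.StatusCode)
    }
}
```

If step 3 succeeds from the same account that runs the host instance while the send port still does not present the certificate, the difference lies in the adapter or platform, which is the situation the thread ends on; if step 3 also fails, the certificate or the server's request for it is the place to look first.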