Certificate based authentication at BizTalk receive location using WCF-CustomIsolated host adapter

  • Question

  • Hi,

    I am trying to implement certificate-based authentication in BizTalk. At the receive location, I am using the WCF-CustomIsolated adapter. To implement it, I have added an endpoint behaviour extension, ClientCredentials, and am using a certificate.

    

    Can anyone suggest whether this is the correct way of implementing it, because the below error occurs in this implementation:

    The IEndpointBehavior 'ClientCredentials' cannot be used on the server side; this behavior can only be applied to clients


    Monday, January 4, 2016 7:07 AM

Answers

  • Hello Udal,

    It looks like you are adding the wrong extension. You should be adding Client Certificate under Service Behavior. There are lots of processes mentioned in many blogs which may be tempting, but you should know whether the security needs to be implemented in the message layer or the transport layer.

    The steps for implementing certificate-based authentication on the message layer would be as follows:

    STEP1:

    Select the Receive location
    Right click on the receive location >> change the type to “WCF-CustomIsolated” Adapter
    After changing type click on Configure>>

    STEP2:

    Select the binding tab.
    Binding Type-->wsHttpBinding
    Change the WSHttpSecurityElement Mode to “TransportWithMessageCredential”

    wsHttpBindingElement-->Security-->Transport
    Both the ClientCertificateType and ProxyCredentialType should be None.

    Select the binding tab.
    Binding Type-->wsHttpBinding
    wsHttpBindingElement-->Security-->Message

    MessageSecurityOverHttpElement
    AlgorithmSuite-->Default
    ClientCredentialType-->Certificate
    NegotiateServiceCredential-->True
    EstablishSecurityContext-->False

    STEP3:

    Navigate to the next tab “behavior”

    Select Service Behaviour--> Right Click to add extensions
    Select -->ServiceCredentials
    Under ServiceCredentials-->Client Certificate

    Select Certificate and populate the client certificate details which should be present in the trusted people.

    STEP4:

    Under ServiceCredentials-->Client Certificate
    Select Authentication-->RevocationMode-->NoCheck

    Click ok to exit.

    (NoCheck is only used if the certificate has been procured from a third-party vendor and the CRL check is to be skipped due to the unavailability of an Internet connection on the server.)

    STEP5:

    If the WCF service already exists, you have to go into the web storage directory (wwwroot/myService) and edit the .svc file in order to handle the WCF-CustomIsolated adapter.

    Change from:
    Factory="Microsoft.BizTalk.Adapter.Wcf.Runtime.BasicHttpWebServiceHostFactory... 
    To:
    Factory="Microsoft.BizTalk.Adapter.Wcf.Runtime.CustomWebServiceHostFactory...

    In case you are looking for certificate-based authentication in the transport layer:

    All the above steps need to be followed, with the inclusion of the below steps:

    Edit the Receive Location in the BizTalk Admin console, choose WCF-CustomIsolated for the Type and click Configure.

    STEP1:

    Binding Tab -->Set the textMessageEncoding --> messageVersion attribute to Default
    Remove the httpTransport binding element, because if you don't do this, the httpsTransport element (which is required in order to get this all to work) can't be added.

    STEP2:

    Add the security element. At this point, it should look like so (order of elements matters)

    STEP3:

    The security binding element has an attribute called authenticationMode which should be switched to CertificateOverTransport.
    The httpsTransport element has an attribute named requireClientCertificate, which should be set to "true". Everything else is left with the defaults.

    Let me know if you face any difficulties with this.

    Cheers,

    Himanshu.

    Please click Vote As Helpful, Propose As Answer.

    • Proposed as answer by Integration3011 Wednesday, January 6, 2016 1:56 AM
    • Marked as answer by Angie Xu Tuesday, January 19, 2016 1:14 PM
    Tuesday, January 5, 2016 12:10 AM
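The accepted answer above walks through the settings as BizTalk Administration Console clicks. As an added illustration (not from the thread, and not BizTalk's own stored binding, which lives in the receive location rather than in a web.config), here are the same two configurations expressed as plain WCF system.serviceModel XML: the message-layer wsHttpBinding with TransportWithMessageCredential and a Certificate message credential, and the transport-layer customBinding with CertificateOverTransport and requireClientCertificate. The binding and behavior names are placeholders chosen here; the clientCertificate/authentication values are one reasonable choice, not the answer's exact settings, and are explained in the comments.

```xml
<configuration>
  <system.serviceModel>
    <bindings>
      <!-- Message layer: TLS protects the channel, the X.509 client certificate
           is carried as the message credential (answer's STEP2). -->
      <wsHttpBinding>
        <binding name="CertAtMessageLayer">
          <security mode="TransportWithMessageCredential">
            <!-- Transport-level client/proxy credentials are None: the certificate
                 is validated at message level, not by IIS/TLS. -->
            <transport clientCredentialType="None" proxyCredentialType="None" />
            <message clientCredentialType="Certificate"
                     algorithmSuite="Default"
                     negotiateServiceCredential="true"
                     establishSecurityContext="false" />
          </security>
        </binding>
      </wsHttpBinding>

      <!-- Transport layer: the certificate is presented in the TLS handshake
           (answer's second STEP1-STEP3). Element order matters: security
           above encoding above transport; httpTransport must be removed so
           httpsTransport can be added. -->
      <customBinding>
        <binding name="CertAtTransportLayer">
          <security authenticationMode="CertificateOverTransport" />
          <textMessageEncoding messageVersion="Default" />
          <httpsTransport requireClientCertificate="true" />
        </binding>
      </customBinding>
    </bindings>

    <behaviors>
      <serviceBehaviors>
        <!-- Equivalent of ServiceCredentials -> Client Certificate -> Authentication
             (answer's STEP3/STEP4). -->
        <behavior name="ClientCertValidation">
          <serviceCredentials>
            <clientCertificate>
              <!-- PeerOrChainTrust accepts a certificate that is either in the
                   Trusted People store (the answer's placement) or chains to a
                   trusted root. revocationMode stays Online here; use NoCheck
                   only for the offline-server case the answer describes, since
                   it disables CRL checking for every presented certificate. -->
              <authentication certificateValidationMode="PeerOrChainTrust"
                              revocationMode="Online"
                              trustedStoreLocation="LocalMachine" />
            </clientCertificate>
          </serviceCredentials>
        </behavior>
      </serviceBehaviors>
    </behaviors>
  </system.serviceModel>
</configuration>
```

The two bindings are alternatives, not a pair to combine: pick the layer where the certificate must be checked and apply only that binding. In the transport-layer case the TLS endpoint is IIS, so IIS itself must also be configured to request the client certificate; WCF's requireClientCertificate alone does not make IIS ask for one.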

All replies

  • Hi Udal,

    Thank you for posting in MSDN forum.

    I suspect this is the right way to configure the client certificate; though,

    I would suggest having a look at the below articles, which describe the client certificate configuration:

    BizTalk Client Certificates Send And Receive Ports

    Installing Certificates for the WCF Adapters


    Thanks,

    If my reply is helpful please mark as Answer or vote as Helpful.

    My blog | Twitter | LinkedIn

    This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

    Monday, January 4, 2016 7:53 AM
    Moderator
  • Because the WCF-CustomIsolated Adapter runs in IIS, certain items, such as client authentication, are IIS responsibilities, not WCF.

    So, you must configure the IIS site/app for Certificate Authentication.

    You can start with this TechNet Article: https://technet.microsoft.com/en-us/library/cc732996%28v=ws.10%29.aspx

    Monday, January 4, 2016 10:16 AM
    Moderator
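The moderator's point above is that the TLS client-certificate request is an IIS decision. As an added illustration (not from the thread), this is the web.config fragment for the IIS application hosting the WCF-CustomIsolated receive location, showing the default HTTPS-only setting beside the setting that requires a client certificate. The system.webServer/security/access section is locked at server level by default, so a site-level web.config can only set it after the section is unlocked (or the same value is set in applicationHost.config).

```xml
<!-- web.config of the IIS application that hosts the receive location (illustrative). -->
<configuration>
  <system.webServer>
    <security>
      <!-- Default HTTPS site: TLS only, no client certificate requested.
           With this setting a binding that has requireClientCertificate="true"
           never receives a certificate to validate, so requests fail. -->
      <!-- <access sslFlags="Ssl" /> -->

      <!-- Require HTTPS, negotiate a client certificate in the TLS handshake,
           and reject connections that do not present one. -->
      <access sslFlags="Ssl,SslNegotiateCert,SslRequireCert" />
    </security>
  </system.webServer>
</configuration>
```

To allow the site-level setting, unlock the section once on the server with `%windir%\system32\inetsrv\appcmd unlock config -section:system.webServer/security/access`; this only delegates the setting, it does not by itself require certificates. The certificate IIS receives is then handed to WCF, where the serviceCredentials clientCertificate authentication settings decide whether it is trusted.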