BizTalk 2010 FTP Adapter + SSL Send Port?

  • Question

  • Hi all,

    Running into a bit of a perplexing problem with an FTP Adapter Send Port using SSL to send data off to a third party. The FTP adapter is configured with no proxy and has an SSL client certificate hash, a connection mode of Explicit, and data protection/SSL both set to true. 

    The FTP endpoint is configured using a self-signed certificate. The certificate has been added to the trusted CA store on the machine hosting the BizTalk service, as well as to the personal certificate store for the BizTalk service account. When I provide the certificate thumbprint as the certificate hash, I get the following error:

        - No credentials are available in the security package 

    If I omit the certificate thumbprint, then I see this error:

        - Either the client certificate is not provided or it failed to authenticate on the server. Make sure you provide a valid client certificate.

    I've granted the BizTalk service account full control access to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates, as advised by another thread I found, but no luck.

    The target FTP endpoint is indeed configured as an explicit mode FTP server requiring data protection and SSL, but I'm not able to make much progress here.

    Any advice? 

    Thanks!




    • Edited by Gabriel Isenberg Monday, August 1, 2011 8:55 PM included biztalk version
    Monday, August 1, 2011 8:41 PM

Answers

  • Hi Gabriel,

    In BizTalk Hotrod 10 Enhanced FTP Adapter with FTPS Support article I read:


    "If BizTalk Server throws an exception in the event log that says “No credentials are available in the security package” or "No Client Certificate matching the provided client certificate hash was found. Verify if the certificate is present in the personal store of the corresponding BizTalk host instance user account.", ensure you log on to the machine as the BizTalk Server host instance user for the handler selected on the port then load the right certificate in to the user’s Personal store"

    I know from experience with working with certificates and BizTalk that certificates need to be installed in the appropriate store (installed under account that host runs under usually if certificates need to be personal store!).

    HTH

    Regards,

    Steef-Jan Wiggers
    MVP & MCTS BizTalk Server 2010
    http://soa-thoughts.blogspot.com/
    If this answers your question please mark it accordingly

     


    Tuesday, August 2, 2011 8:22 AM
    Moderator
  • Hi Ruben,

    Sorry for the delayed response. So we also spent a lot of time on this error. Everything worked fine when we used our self-generated certificate with local ftp site. It just didn't work with the third-party ftp site and their certificate.

    I reached out to MS BizTalk support and they asked me not to use the certificate and just use FTP over SSL without certificate. We also changed the ftp firewall mode to passive and allocate storage to no.

    This was not the kind of solution I was expecting but it worked.

    I recommend using sftp adapter either from codeplex (free) or nsoftware (fee).

    Let me know if you have any more questions

    Amit

    Friday, November 18, 2011 5:35 PM

All replies

  • See this post of Mikael Håkansson to see how to use and configure FTPS adapter:

    Verify the following steps:

    · Enable the FTPS on your FTP site

    · Install the public key (used for configuring the FTPS) on your BizTalk machine.

    · Specify client certificate hash.


    Don't forget to mark the post as answer or vote as helpful if it does, Regards -Rohit Sharma (http://rohitbiztalk.blogspot.com)
    Tuesday, August 2, 2011 3:41 AM
    Moderator
  • Hi Steef,

    Did you find a resolution to the "No credentials are available in the security package" issue? We have the certificate imported into the personal store of BizTalk Service Account.

    We are able to connect to FTP server using WINSCP utility via SSL but not BizTalk.

    I appreciate any help on this issue.

     

    Thanks

    AB

     

    Wednesday, September 21, 2011 6:44 PM
  • Hi AmitBohra

    Did you log on to the machine as the BizTalk Server host instance user for the handler selected on the send port and then load the right certificate into the user’s Personal store? Also please install it into the trusted certificate store. Let me know.

    Thursday, September 22, 2011 5:48 PM
  • We have followed all the recommended steps. Login to machine as BTS host instance user for send handler, import the public key into personal store and into trusted certificate store.

    Thursday, September 22, 2011 6:23 PM
  • Hi Amitbohra,

    Did you manage to make the connection? We have the same issue here; I completed all recommended steps, but still the same error.

    Anyone that can help me?

    Ruben

     

    Thursday, November 10, 2011 10:34 AM
  • Hi,

    Has anybody managed to find a resolution to this?

    I can get FTPS to work against IIS 7.5 with my own self signed certificate. I cannot get it to work with a third party's FTPS site who've supplied their public key issued by Verisign.

    I have tried every suggestion above along with adding the certificate to Trusted People, Trusted Certificate Authorities & Other People in both the service account store and local machine store. I've granted permissions to the BizTalk service account to C:\ProgramData\Microsoft\Crypto\RSA. If I change the thumbprint to one I know doesn't exist I get an error indicating that the certificate does not exist, but with the valid thumbprint I get the "No credentials are available in the security package" error.

     

    Help! At a complete loss to solve this except to go to the open source SFTP adapter or even the nsoftware SFTP adapter as the license fee would cost less than the time already spent trying to get this working.

    Cheers,

     

    Tim

    • Proposed as answer by AmitBohra Friday, November 18, 2011 5:26 PM
    • Unproposed as answer by AmitBohra Friday, November 18, 2011 5:26 PM
    Friday, November 18, 2011 4:40 PM
  • Thanks for the feedback Amit.

    I also just noticed every time we get the error No credentials are available in the security package in the Application Event Log we also get the following error in the System Event Log.

    The SSL client credential's certificate does not have a private key information property attached to it. This most often occurs when a certificate is backed up incorrectly and then later restored. This message can also indicate a certificate enrollment failure.

    The certificate looks fine in certificate manager. I think the out of box FTP adapter has so many issues in general that it should be avoided.

    Cheers,

    Tim

    Monday, November 21, 2011 9:57 AM
  • I've finally made a breakthrough on this (for me anyway, I might be stating the obvious to everyone else). My lack of understanding of certificates and what the adapter was actually trying to do led to a couple of wasted days and the assumption that there was something wrong with the 2010 FTP adapter.

    The CLIENT certificate thumbprint used by the adapter is nothing to do with the public certificate of the 3rd party server that you are trying to connect to. I had been trying to use the 3rd party certificate as a few others seem to have been doing.

    In the end I generated an IIS self-signed certificate on my BizTalk box, exported it (inc private key) to a PKCS #12, then imported that to the Personal store of the BizTalk Service account. I then used that thumbprint in the adapter SSL config (not the 3rd party certificate hash).

    In this instance the FTPS server I am connecting to doesn't require the client certificate for authentication. If the one you connect to requires this then you'd need to securely exchange client cert request/response and import that or get a CA Client cert from one of their trusted CAs (I think!)

    I hope this helps someone!

    Thursday, December 1, 2011 3:59 PM
  • Hey I saw this thread today and had the same problems. Lucky for me my client had the private key for the FTP server and I had to load this onto the application host's user account. I did have to login with the application host's user account to load the certificate. I tried just with the public key certificate (*.cer) but BizTalk could not find the cert.

    I did also get a certificate mismatch error when trying to use the IP so I switched to the FQDN for the FTP site and because this matched the certificate subject I got past the mismatch error.

    It should be easier than this, it took a lot of work to get the FTPS adapter to work with SSL.

    Thanks,


    If this answers your question, please use the "Answer" button to say so | Ben Cline

    Thursday, December 10, 2015 2:00 AM
    Moderator
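
Added example (not posted by anyone in the thread): a PowerShell check for the condition the last two posts arrive at, namely that the thumbprint entered in the send port must belong to a certificate that has a private key and sits in the Personal store of the BizTalk host instance account. Run it in a session started as that account; the parameter name `$Thumbprint` and the output column names are illustrative.

```powershell
# Added example. Run as the BizTalk host instance account, because
# Cert:\CurrentUser is a per-user view of the certificate stores.
param(
    [Parameter(Mandatory = $true)]
    [string]$Thumbprint   # value entered as the send port's client certificate hash
)

# Thumbprints copied from the certificate dialog often carry spaces or an
# invisible leading character, so keep only the hex digits.
$clean = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()
if ($clean.Length -ne 40) {
    throw "Expected a 40-hex-character SHA-1 thumbprint, got $($clean.Length) characters."
}

Write-Output "Checking stores as $env:USERDOMAIN\$env:USERNAME"

# Every store (current user and local machine) that holds this thumbprint.
$hits = @(Get-ChildItem -Path Cert:\CurrentUser, Cert:\LocalMachine -Recurse -ErrorAction SilentlyContinue |
    Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509Certificate2] -and
        $_.Thumbprint -eq $clean
    })

$hits | Select-Object `
    @{ Name = 'Store';         Expression = { $_.PSParentPath -replace '^.*::', '' } },
    @{ Name = 'HasPrivateKey'; Expression = { $_.HasPrivateKey } },
    Subject, NotAfter | Format-Table -AutoSize

# The adapter needs the certificate in this account's Personal store, with its key.
$personal = @($hits | Where-Object { $_.PSParentPath -like '*CurrentUser\My' })

if ($personal.Count -eq 0) {
    Write-Warning "Thumbprint is not in CurrentUser\My for this account."
}
elseif (-not ($personal | Where-Object { $_.HasPrivateKey })) {
    # A .cer import (public key only) lands here, e.g. the server's own certificate.
    Write-Warning "Certificate found in CurrentUser\My but without a private key; it cannot act as a client certificate."
}
elseif (-not ($personal | Where-Object { $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) })) {
    Write-Warning "Certificate with private key found, but it has expired."
}
else {
    Write-Output "OK: certificate with private key present in CurrentUser\My."
}
```

A result of `HasPrivateKey = False` corresponds to the System Event Log message quoted earlier in the thread about the client credential's certificate lacking private key information.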