Service account permission on a multi-server environment to connect to Secured WCF service

  • Question

  • Hi,

    I have a multi-server (1 to Receive, 1 to Process and 1 to Send) environment in SIT where BizTalk is configured/running under the service account "XYZ". My application invokes a secured WCF service which requires a username and password to be passed as part of the SOAP headers, and we are achieving this by using the WCF Custom adapter/custom binding.

    In SIT I'm getting a "could not create ssl tls secure connection" error when the WCF send port is trying to send the message to the secured WCF service.

    I fixed this error by adding the service account "XYZ" to the local administrators group of the send server. I'm just wondering if this is the right way to fix it, because when I go to higher environments I may not be allowed to do this fix.

    Any help is greatly appreciated.

    Thanks,

    D1986


    • Edited by D1986 Tuesday, June 11, 2013 12:48 AM
    Tuesday, June 11, 2013 12:44 AM

Answers

  • You would put the issuer's cert in the Trusted CA store and the site cert in the Personal store. But, you have to do this with the Snap-in connected to the BizTalk Service Account.
    • Marked as answer by Pengzhen Song Monday, June 17, 2013 10:09 AM
    Tuesday, June 11, 2013 2:01 PM
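
    The check behind this answer, as an added example that is not part of the thread: run it under the BizTalk service account (for example via runas) so it opens that account's CurrentUser stores, and replace the placeholder thumbprint with the site certificate's thumbprint. It reports whether the site cert is in the Personal (My) store and whether its chain builds, which fails when the issuer cert is missing from Trusted Root CA for that account.

```csharp
// Added diagnostic, not code from the thread or from BizTalk itself.
using System;
using System.Security.Cryptography.X509Certificates;

class CertStoreCheck
{
    // Placeholder: replace with the thumbprint of the WCF service's site certificate.
    const string SiteThumbprint = "<SITE-CERT-THUMBPRINT>";

    static X509Certificate2 FindByThumbprint(StoreName name, StoreLocation loc, string thumbprint)
    {
        using (var store = new X509Store(name, loc))
        {
            store.Open(OpenFlags.ReadOnly);
            var hits = store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, false);
            return hits.Count > 0 ? hits[0] : null;
        }
    }

    static void Main()
    {
        // The account matters: CurrentUser stores differ per Windows account.
        Console.WriteLine("Running as: " + Environment.UserName);

        foreach (var loc in new[] { StoreLocation.CurrentUser, StoreLocation.LocalMachine })
        {
            // The site cert belongs in Personal (My); check both locations to spot misplacement.
            var site = FindByThumbprint(StoreName.My, loc, SiteThumbprint);
            Console.WriteLine(string.Format("{0}\\My contains site cert: {1}", loc, site != null));
            if (site == null) continue;

            // Build the chain the way SSL/TLS validation does; a status such as
            // UntrustedRoot or PartialChain means the issuer cert is not trusted for this account.
            using (var chain = new X509Chain())
            {
                chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
                bool ok = chain.Build(site);
                Console.WriteLine("Chain builds: " + ok);
                foreach (X509ChainStatus status in chain.ChainStatus)
                    Console.WriteLine("  " + status.Status + ": " + status.StatusInformation);
                foreach (X509ChainElement el in chain.ChainElements)
                    Console.WriteLine("  element: " + el.Certificate.Subject);
            }
        }
    }
}
```

    If the chain builds when run as an administrator but not as the service account, the fix is importing the issuer cert into that account's store, not elevating the account.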

All replies

  • No, that's not the right way to solve it.  :)

    95% of the time, it's just that the certs are not properly added to the service account store. Have you double checked that?

    Tuesday, June 11, 2013 12:45 PM
  • Hi,

    We were getting the error below:

    Cannot find the X.509 certificate using the following search criteria: StoreName 'Root', StoreLocation 'LocalMachine', FindType 'FindByThumbprint'. To fix this we moved the cert to Trusted CA. After this we started getting this error: Security.SecurityNegotiationException: Could not establish secure channel for SSL/TLS with authority 'qwerty.com''. ---> System.Net.WebException: The request was aborted: Could not create SSL/TLS secure channel

    Tuesday, June 11, 2013 1:32 PM
  • Did you try a connectivity test using SoapUI or by writing a small C# app?

    If this answers your question please mark it accordingly. If this post is helpful, please vote as helpful.

    Tuesday, June 11, 2013 1:41 PM
  • Yes we did, it's working as expected through SoapUI.
    Tuesday, June 11, 2013 1:57 PM