Correctly Installing a Certificate for Two-Factor Authentication via the HTTP Send Adapter

I spent several hours last week banging my head against the proverbial brick wall while trying to identify the correct certificate store to be used for authentication by the HTTP Send Adapter – as the answer is a little obscure on the interweb, I’m posting the information here to help any weary BizTalk traveller in the future….

HTTP Transport Properties dialog, Authentication tab

First, the obligatory background: the HTTP Send Adapter can present a client certificate (and prove possession of its private key) to identify itself as part of a two-factor authentication process when accessing a website. Two-factor authentication ensures you are who you say you are by asking for something you know (e.g. a username/password) and something you have (e.g. an RSA SecurID token or a public key certificate with its private key). The certificate the adapter uses for this is identified by the ‘SSL Client Certificate Thumbprint’ value on the Authentication tab of the adapter’s Transport Properties dialog, shown above:

The adapter looks in the Personal certificate store of the user account under which the BizTalk host instance (the BizTalk Windows service) is running, as detailed in the HTTP Send Adapter page on MSDN. In other words, the certificate, together with its private key, has to sit in CurrentUser\My for that service account, not in the Local Computer store and not in your own profile. Note that this is different from the certificates used on Send and Receive Ports and on Hosts; the stores for those are listed on MSDN at Certificate Stores that BizTalk Server 2006 Uses (which annoyingly doesn’t document the HTTP adapter).
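The following PowerShell is an added example, not part of the original post or of BizTalk itself, showing how I would install and verify a client certificate for the store the adapter actually reads. It assumes you run it while logged on (or via runas) as the host instance service account; the PFX path and the account name are placeholders you will need to change.

```powershell
# Added example (not from the original post): run this *as the BizTalk host
# instance service account*, because the HTTP send adapter reads the Personal
# (My) store of that user's profile, not the Local Computer store.
# $PfxPath and $ExpectedAccount are assumed values for illustration only.
param(
    [string]$PfxPath         = 'C:\certs\biztalk-client.pfx',   # assumed
    [string]$ExpectedAccount = 'CONTOSO\svc-bts-host'           # assumed
)

Add-Type -AssemblyName System.Security   # X509Store/X509Certificate2 on older PowerShell

# Guard against the mistake in the comments below: importing into the wrong
# user's store because the MMC snap-in was opened under a different account.
$me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
if ($me -ne $ExpectedAccount) {
    throw "Running as $me, not $ExpectedAccount; the adapter will not see this store."
}

$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString

# PersistKeySet keeps the private key in this user's key container after the
# script exits; without it the certificate lands in the store but the key does
# not, and TLS client authentication fails silently later.
$ksf   = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]
$flags = $ksf::PersistKeySet -bor $ksf::UserKeySet
$cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($PfxPath, $pfxPassword, $flags)

$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'CurrentUser')
$store.Open('ReadWrite')
$store.Add($cert)
$store.Close()

# Verify by re-reading from the store rather than trusting the in-memory object.
$installed = Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
if (-not $installed)               { throw 'Certificate not found in CurrentUser\My after import.' }
if (-not $installed.HasPrivateKey) { throw 'Certificate has no private key; client auth will fail.' }
if ($installed.NotAfter -lt (Get-Date)) { throw "Certificate expired on $($installed.NotAfter)." }

# If the cert carries an Extended Key Usage extension it must include
# Client Authentication (1.3.6.1.5.5.7.3.2), or the server will reject it.
$eku = $installed.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
if ($eku -and -not ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.2' })) {
    throw 'Certificate lacks the Client Authentication EKU.'
}

# This is the value for the 'SSL Client Certificate Thumbprint' field: hex
# digits only. If you copy it from the certificate dialog instead, remove the
# spaces the dialog inserts between byte pairs.
$installed.Thumbprint
```

Run it once per BizTalk node that hosts the send handler, since CurrentUser stores are per-machine, per-profile. If the host instance runs under a different account on another node, the check on `$ExpectedAccount` is what stops you importing into the wrong profile.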

More information on using two-factor authentication can be found at WindowsSecurity.com, however this article focuses on an end-to-end solution for securing a corporate web-site and is not very BizTalk specific; probably a good excuse to write a post on it in the future!


5 thoughts on “Correctly Installing a Certificate for Two-Factor Authentication via the HTTP Send Adapter”

  1. Hi,

    I had this similar error message and tried all of the things you suggested. It did not work.
    DNS services were not enabled in the server I was running and I was accessing the remote website using an IP address. The certificate was of course issued to the full domain name of the remote server. So I added the name of the server to my server’s hosts file and changed the address of the HTTP port to use that domain name… After doing so, everything works like a charm.

    Atte

  2. Hi Nick,

    A very useful article. Just wanted to advise that I found it necessary to add the required certificates to the correct stores whilst logged onto the machine using the account that the send host runs under. If I tried to use the certificates snap-in as a service account, the send port fails to find the client certificate giving the error message “The client certificate is not found in the certificate store
    Parameter name: Certificate”.

    Cheers
    Mark

  3. After dozens of articles and hundreds of tries I’ve finally got it working.
    Here are the steps:
    1. Install public cert (.cer file) into Local Computer store under Other People. This will enable you to choose your certificate in SendPort properties window on the Certificate tab. You also need to copy your certificate footprint onto the Authentication tab of the Transport Type Properties window.
    2. Install public cert into your Current User Personal store(if you’re using different account than the corresponding Host Instance account). This will enable you to select your certificate on the Certificate tab of the Host Properties window)
    3. Log in as the user of your Host Instance. Install your public cert into the Current User Personal store. This will enable the Host Instance account to use the cert for encryption of outgoing messages.

    Note: the address of the send port should be exactly the same as the address that your cert is issued to. For example, if your cert is issued to yourserver.yourdomain.com then you cannot set localhost or IP for the send port address, even if you can access it like that.
