Troubleshooting Certificates

Microsoft BizTalk Server 2006 can make use of public key infrastructure (PKI) digital certificates for purposes of document encryption and decryption, document signing and verification (non-repudiation) and for party resolution. This topic describes various certification usage scenarios and configuration options and provides some general guidelines for using digital certificates with BizTalk Server 2006.

Most problems that occur while using certificates with BizTalk Server 2006 are a result of incorrect or incomplete configuration. For example importing the correct certificate into the wrong certificate store, the incorrect certificate into the correct store, or failure to enter the appropriate information into the BizTalk Administration console will cause run-time errors to occur when using certificates.

Use the following table as a reference for the certificate usage scenarios and configuration options available in BizTalk Server 2006:

Certificate Usage User Context Certificate Store Location Certificate Type Pipeline Component Used Configuration Parameters in the BizTalk Administration Console

Encryption (Sending)

Account used by the host instance associated with the send handler

Log on to each computer running BizTalk Server 2006 that will host S/MIME encoder pipelines and import the encryption certificate into the Local Computer \ Other People store.

Trading partner public certificate

MIME/SMIME encoder

  • Specify values for the encryption certificate Common Name and Thumbprint on the Certificate page of the Send Port Properties dialog box.

  • Specify pipeline Encode options in the Configure Pipeline dialog box. The Configure Pipeline dialog box is displayed by clicking the button next to the Send pipeline drop-down list on the General page of the Send Port Properties dialog box.

Decryption (Receiving)

Account used by the host instance associated with the receive handler

Log on to each computer running BizTalk Server 2006 that will host S/MIME decoder pipelines as each host instance service account, and import the decryption certificate to the Current User \ Personal store.

Aa953654.note(en-us,BTS.20).gifNote
For pipeline decryption to succeed on an IIS 6.0 computer, ensure that the account for the IIS application pool and the account used by the host instance associated with the receive handler are the same and that this account is a member of the <machineName>\IIS_WPG group. For more information about setting IIS process identity for IIS 6.0 see Guidelines for Resolving IIS Permissions Problems. These processes must run under the same account to ensure that the account profile is loaded which in turns loads the registry keys required to perform decryption in the pipeline. For performance reasons, IIS 6.0 does not load the account profile when starting the associated w3wp.exe process so the BizTalk Server 2006 host instance must be configured with the same account so that BizTalk Server 2006 will load the account profile and registry keys.

Own private certificate

MIME/SMIME decoder

  • Specify values for the decryption certificate Common Name and Thumbprint on the Certificates page of each Host Properties dialog box.

  • Specify pipeline Decode options in the Configure Pipeline dialog box. The Configure Pipeline dialog box is displayed by clicking the button next to the Receive pipeline drop-down list on the General page of the Receive Location Properties dialog box.

Signature (Sending)

Account used by the host instance associated with the send handler

Log on to each computer running BizTalk Server 2006 that will host S/MIME encoder pipelines as each host instance service account, and import the signature certificate to the Current User \ Personal store.

Own private certificate

MIME/SMIME encoder

  • Specify values for the signature certificate Common Name and Thumbprint on the Certificate page of the BizTalk Group Properties dialog box.

    Aa953654.note(en-us,BTS.20).gifNote
    Only one signature certificate can be specified per each BizTalk Server 2006 group.

  • Specify pipeline Encode options in the Configure Pipeline dialog box. The Configure Pipeline dialog box is displayed by clicking the button next to the Send pipeline drop-down list on the General page of the Send Port Properties dialog box.

Signature Verification (Receiving)

Account used by the host instance associated with the receive handler

Log on to each computer running BizTalk Server 2006 that will host S/MIME decoder pipelines and import the signature certificate to the Local Computer \ Other People store.

Trading partner public certificate

MIME/SMIME decoder

  • Specify values for the verification certificate Common Name and Thumbprint on the Certificates page of each Party Properties dialog box.

  • Specify pipeline Decode options in the Configure Pipeline dialog box. The Configure Pipeline dialog box is displayed by clicking the button next to the Receive pipeline drop-down list on the General page of the Receive Location Properties dialog box.

    Aa953654.note(en-us,BTS.20).gifNote
    Configuration of the Decode option requires that a pipeline with the MIME/SMIME decoder component is deployed.

Party Resolution (Receiving)

Account used by the host instance associated with the receive handler

Log on to the BizTalk Server 2006 computer from which party resolution is being configured, and import the certificate into the Local Computer \ Other People store.

Trading partner public certificate

Party resolution

  • Specify values for the certificate Common Name and Thumbprint on the Certificates page of each Host Properties dialog box.

  • Specify ResolveParty options in the Configure Pipeline dialog box. The Configure Pipeline dialog box is displayed by clicking the button next to the Receive pipeline drop-down list on the General page of the Receive Location Properties dialog box.

    Aa953654.note(en-us,BTS.20).gifNote
    Configuration of this option requires the use of a pipeline that contains the Party resolution component. The XMLReceive pipeline contains the Party resolution component.

HTTPS (Sending)

Account used by the host instance associated with the send handler

SSL communication does not require a client certificate. Whether a client certificate is required is at the discretion of the destination Web server administrator. If the destination Web server requires a client certificate then follow these steps:

  • Obtain the public certificate from the trading partner.

  • Log on to each computer running BizTalk Server 2006 as the account used by the host instance associated with the send handler.

  • Import the certificate into the Current User \ Personal store.

For information about configuring an IIS 6.0 server to use SSL, see HOW TO: Install Imported Certificates on a Web Server in Windows Server 2003.

For information about how to obtain a certificate using Windows Server 2003 Certificate Services Web pages, see Use Windows Server 2003 Certificate Services Web Pages.

Trading partner public certificate

NA

  • HTTP Transport - Set the SSL client certificate thumbprint option on the Authentication tab of the HTTP Transport Properties dialog box. The HTTP Transport Properties dialog box is displayed by clicking the Configure button on the General page of the Send Port Properties dialog box.

  • SOAP Transport - Set the Client certificate thumbprint option on the General tab of the SOAP Transport Properties dialog box. The SOAP Transport Properties dialog box is displayed by clicking the Configure button on the General page of the Send Port Properties dialog box.

To display the Certificates Management Console interface for Local Computer and Current User

  1. Click Start, click Run, type MMC, and click OK to open the Microsoft Management Console.

  2. Click the File menu, and then click Add/Remove Snap-in to display the Add/Remove Snap-in dialog box.

  3. Click the Add button to display the Add Standalone Snap-in dialog box.

  4. Select Certificates from the list of snap-ins, and then click Add.

  5. Select Computer account, click Next, and then click Finish. This will add the Certificates Management Console interface for Local Computer.

  6. Ensure that Certificates is still selected from the list of snap-ins, and then click Add again.

  7. Select My user account, and then click Finish. This will add the Certificates Management Console interface for Current User.

    Aa953654.note(en-us,BTS.20).gifNote
    This displays the Certificates Management Console for the account that you are currently logged on as. If you need to import certificates into the Personal store for a service account then you should log on with the service account credentials first.

  8. Click the Close button on the Standalone Snap-in dialog box.

  9. Click the OK button on the Add/Remove Snap-in dialog box.

  • Ensure that the imported certificate is being used for its intended purpose: To do this, double-click the certificate in the Certificates Management Console interface and then click the Details tab of the Certificate dialog box. Then click the All option for the Show drop-down list and then click to select the Key Usage and/or Enhanced Key Usage fields to verify the intended purpose. If BizTalk Server 2006 attempts to use a certificate for other than its intended purpose a runtime error will occur.

  • Test your connection to the target Web site: If you are using SSL, ensure that you can connect to the target Web site with Internet Explorer before attempting to connect to the target Web site with the HTTP or SOAP transports. Verify that no dialog boxes are displayed in Internet Explorer when you connect to the target Web site. BizTalk Server 2006 has no mechanism for interfacing with any dialog boxes that might be displayed when connecting to the target web site. A dialog box may be displayed by Internet Explorer if the target web site name does not match the name specified for the web site in the SSL certificate or if the Root Certificate Authority for the SSL certificate is not in the appropriate Trusted Root Certification Authorities store.

  • Use the SSL Diagnostics tool to analyze SSL connection issues: The SSL Diagnostics tool is an optional component of the IIS Diagnostics Toolkit. Download the IIS Diagnostics Toolkit from Internet Information Services Diagnostic Tools.

Community Additions

ADD
Show: