
Correctly Installing a Certificate for Two-Factor Authentication via the HTTP Send Adapter

I spent several hours last week banging my head against the proverbial brick wall while trying to identify the correct certificate store to be used for authentication by the HTTP Send Adapter – as the answer is a little obscure on the interweb, I’m posting the information here to help any weary BizTalk traveller in the future….

First, the obligatory background: the HTTP Send Adapter can use a public key certificate to identify itself as part of a two-factor authentication process when accessing a website. Two-factor authentication ensures you are who you say you are by asking for information you know (i.e. a username/password) and something you have (i.e. an RSA SecurID token or a public key certificate). The certificate the adapter uses to perform this authentication is identified by the ‘SSL Client Certificate Thumbprint’ value on the Authentication tab of the adapter config dialog box (screenshot: HTTP Transport Properties).

The adapter looks in the Personal Certificate Store of the user under which the BizTalk Windows Service is running, as detailed in the HTTP Send Adapter page on MSDN. Note that this is different to the certificates used on the Send and Receive Ports and on Hosts; the settings for these can be found on MSDN at Certificate Stores that BizTalk Server 2006 Uses (which annoyingly doesn’t document the HTTP adapter).
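One way to check the store lookup described above, as an added example that is not part of the original post: a PowerShell function (the name `Test-HttpAdapterClientCert` and the sample thumbprint are made up here) that reports whether the certificate is in the Personal store of the account running it, has a private key, is in date and permits client authentication. It assumes the session was started as the account the BizTalk service runs under.

```powershell
# Added example (not from the original post). Run it in a session started as the
# account the BizTalk host instance runs under, so CurrentUser is that account.
function Test-HttpAdapterClientCert {          # hypothetical helper name
    param([Parameter(Mandatory = $true)][string] $Thumbprint)

    # Thumbprints copied from the certificate dialog can carry spaces or an
    # invisible leading character, so keep the hex digits only.
    $clean = ($Thumbprint -replace '[^0-9a-fA-F]', '').ToUpperInvariant()
    if ($clean.Length -ne 40) {
        throw "Expected 40 hex digits (SHA-1 thumbprint), got $($clean.Length)."
    }

    $result = [pscustomobject]@{
        Account             = [Security.Principal.WindowsIdentity]::GetCurrent().Name
        Thumbprint          = $clean
        InPersonalStore     = $false
        InLocalMachineStore = $false
        Problems            = @()
    }

    $cert = Get-ChildItem Cert:\CurrentUser\My |
        Where-Object { $_.Thumbprint -eq $clean } | Select-Object -First 1
    if (-not $cert) {
        # Common misplacement: imported into the machine store or another user's store.
        $result.InLocalMachineStore = [bool](Get-ChildItem Cert:\LocalMachine\My |
            Where-Object { $_.Thumbprint -eq $clean })
        $result.Problems += "Not in the Personal store of $($result.Account)"
        return $result
    }

    $result.InPersonalStore = $true
    $now = Get-Date
    if (-not $cert.HasPrivateKey) { $result.Problems += 'No private key; unusable for client authentication' }
    if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
        $result.Problems += "Outside validity period ($($cert.NotBefore) to $($cert.NotAfter))"
    }
    # If an EKU extension exists it must list Client Authentication (1.3.6.1.5.5.7.3.2).
    $eku = $cert.Extensions | Where-Object {
        $_ -is [Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if ($eku -and (@($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) -notcontains '1.3.6.1.5.5.7.3.2')) {
        $result.Problems += 'EKU present but does not include Client Authentication'
    }
    return $result
}

# Constructed placeholder thumbprint; substitute the value configured on the send port.
Test-HttpAdapterClientCert -Thumbprint '01 23 45 67 89 AB CD EF 01 23 45 67 89 AB CD EF 01 23 45 67'
```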

More information on using two-factor authentication can be found at WindowsSecurity.com; however, that article focuses on an end-to-end solution for securing a corporate web-site and is not very BizTalk specific; probably a good excuse to write a post on it in the future!

4 Responses to “Correctly Installing a Certificate for Two-Factor Authentication via the HTTP Send Adapter”


  1. Atte

    Hi,

    I had this similar error message and tried all of the things you suggested. It did not work.
    DNS services were not enabled on the server I was running and I was accessing the remote website using its IP address. The certificate was of course issued to the full domain name of the remote server. So I added the name of the server to my server's hosts file and changed the address of the HTTP port to use that domain name… After doing so, everything works like a charm.

    Atte

  2. Mark

    Hi Nick,

    A very useful article. Just wanted to advise that I found it necessary to add the required certificates to the correct stores whilst logged onto the machine using the account that the send host runs under. If I tried to use the certificates snap-in as a service account, the send port fails to find the client certificate giving the error message “The client certificate is not found in the certificate store
    Parameter name: Certificate”.

    Cheers
    Mark

  3. Nick Heppleston

    Thanks for the feedback Mark, much appreciated.
