客户端证书在 IIS 上的位置托管 WCF 服务与 BizTalk 2013r2 一起使用

Question

I have problem with a windows client certificate, on a system I have inherited from a developer who left without documenting his work. Basically, when I try to connect to an IIS hosted webservice using Postman, I am told in the event log that

Cannot find the X.509 certificate using the following search criteria: StoreName 'My', StoreLocation 'CurrentUser', FindType 'FindByThumbprint', FindValue ' THUMBPRINTVALUE '

Now I have installed the certificate into all the places I can think of.

Here is a more detailed description of what I've done.

I have a IIS hosted WCF service which is exposed to the internet via a firewall. The URL of the WCF service is bound to a receive location on BizTalk server 2013r2, the receive location is of Type WCF-WebHttp, and a client certificate has been set for the receive location.

I am using postman to connect to the above URL, having registered the client certificate with postman as the documentation describes, and I get the following error page returned

HTTP Error 500.0 - System.ServiceModel.ServiceActivationException

In the event log viewer I get the following entry:

 Sender Information: System.ServiceModel.ServiceHostingEnvironment+HostingManager/62476613
 Exception: System.ServiceModel.ServiceActivationException: The service '/HL7/ORU/R01/HTTPBasic/Service1.svc' cannot be activated due to an exception during compilation.  The exception message is: Cannot find the X.509 certificate using the following search criteria: StoreName 'My', StoreLocation 'CurrentUser', FindType 'FindByThumbprint', FindValue '*THUMBPRINTVALUE*'.. ---> System.InvalidOperationException: Cannot find the X.509 certificate using the following search criteria: StoreName 'My', StoreLocation 'CurrentUser', FindType 'FindByThumbprint', FindValue '*THUMBPRINTVALUE*'.
   at System.ServiceModel.Security.SecurityUtils.GetCertificateFromStoreCore(StoreName storeName, StoreLocation storeLocation, X509FindType findType, Object findValue, EndpointAddress target, Boolean throwIfMultipleOrNoMatch)
   at System.ServiceModel.Security.SecurityUtils.GetCertificateFromStore(StoreName storeName, StoreLocation storeLocation, X509FindType findType, Object findValue, EndpointAddress target)
   at System.ServiceModel.Security.X509CertificateRecipientServiceCredential.SetCertificate(StoreLocation storeLocation, StoreName storeName, X509FindType findType, Object findValue)
   at Microsoft.BizTalk.Adapter.Wcf.Runtime.BtsServiceHostBase.SetServiceCertificate()
   at Microsoft.BizTalk.Adapter.Wcf.Runtime.BtsServiceHostBase.InitializeRuntime()
   at System.ServiceModel.ServiceHostBase.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.ServiceHostingEnvironment.HostingManager.ActivateService(ServiceActivationInfo serviceActivationInfo, EventTraceActivity eventTraceActivity)
   at System.ServiceModel.ServiceHostingEnvironment.HostingManager.EnsureServiceAvailable(String normalizedVirtualPath, EventTraceActivity eventTraceActivity)
   --- End of inner exception stack trace ---
   at System.ServiceModel.ServiceHostingEnvironment.HostingManager.EnsureServiceAvailable(String normalizedVirtualPath, EventTraceActivity eventTraceActivity)
   at System.ServiceModel.ServiceHostingEnvironment.EnsureServiceAvailableFast(String relativeVirtualPath, EventTraceActivity eventTraceActivity)
 Process Name: w3wp
 Process ID: 7080

I know what this error means, that it can't find a certificate with a thumbprint THUMBPRINTVALUE in StoreName 'My', StoreLocation 'CurrentUser'.

In this case, who is CurrentUser, I have added the certificate thumbprint THUMBPRINTVALUE to the following users, who are all the ones I think of that are associated with the webservice.

• IIS Service Account
• BizTalk Service account
• The user associated with the application pool the IIS hosted WCF service

What am I missing?

Answer 1

HTTP 500 error typically indicates that there is something wrong with the server running state. It has none business with the client-side.
There is indeed a service that authenticates the client with a certificate. In that case, we need to provide a client certificate to invoke the service. However, from the error message, there is a problem with the WCF on the server-side. Before calling, please confirm whether the service is running normally. I suggest you visit the below URL page in the browser to check whether the service is running properly.

https://myserver/service1.svc

Result.

For the WCF hosted in IIS requires a service certificate, this is commonly accomplished by the site binding module in IIS.
https://docs.microsoft.com/en-us/dotnet/framework/wcf/feature-details/how-to-configure-an-iis-hosted-wcf-service-with-ssl
Feel free to let me know if there is anything I can help with.