WCF-NetTcp Transport Properties Dialog Box, Receive, Security Tab

Use the Security tab to define the security capabilities of the WCF-NetTcp receive adapter.

Use this: Security mode
To do this: Specify the type of security that is used. Valid values include the following:

- None: Messages are not secured during transfer.
- Transport: Transport security is provided using TLS over TCP or SPNego. The protection level can be controlled in this mode. If you select None or Certificate for the Transport client credential type property in this security mode, you must supply the service certificate for this receive location through the Service certificate - Thumbprint property.
- Message: Security is provided using SOAP message security. By default, the SOAP Body is encrypted and signed. This mode offers a variety of features, such as whether the service credentials are available at the client out of band, and which algorithm suite to use. If you select None, UserName, or Certificate for the Message client credential type property in this security mode, you must supply the service certificate for this receive location through the Service certificate - Thumbprint property.
- TransportWithMessageCredential: Transport security is coupled with message security. Transport security is provided by TLS over TCP or SPNego and ensures integrity, confidentiality, and server authentication. If you select Windows, UserName, or Certificate for the Message client credential type property in this security mode, you must supply the service certificate for this receive location through the Service certificate - Thumbprint property. Note: This security mode cannot be used with None as the Transport client credential type.

The default is Transport.

Use this: Transport client credential type
To do this: Specify the type of credential to be used when performing client authentication. Valid values include the following:

- None: No authentication occurs at the transport level. This credential type supports only EncryptAndSign for the Transport protection level property.
- Windows: Windows integrated authentication of the client using SP Negotiation (Kerberos negotiation). You must create the domain or local user accounts corresponding to the client credentials. In addition, the client's userPrincipalName element must be configured with the name of the user account running this receive handler.
- Certificate: Client authentication using client certificates. To authenticate the client certificates, the CA certificate chain for the client certificates must be installed in the Trusted Root Certification Authorities certificate store of this computer. This credential type supports only EncryptAndSign for the Transport protection level property.

The default is Windows.

Use this: Transport protection level
To do this: Define security at the level of the TCP transport. Signing messages mitigates the risk of a third party tampering with the message while it is being transferred. Encryption provides data-level privacy during transport. Valid values include the following:

- None: No protection.
- Sign: Messages are signed.
- EncryptAndSign: Messages are encrypted and signed.

The default value is EncryptAndSign.

Use this: Message client credential type
To do this: Specify the type of credential to be used when performing client authentication using message-based security. Valid values include the following:

- None: Allows the service to interact with anonymous clients; the client does not provide any client credential.
- Windows: Allows the SOAP exchanges to run under the authenticated context of a Windows credential. The client credential is passed through the SOAP Header element using the WSS SOAP Message Security Kerberos Token Profile 1.0 protocol. You must create the domain or local user accounts corresponding to the client credentials. In addition, the client's userPrincipalName element must be configured with the name of the user account running this receive handler.
- UserName: Clients are authenticated to this receive location with a UserName credential. The credential is passed through the SOAP Header element using the WSS SOAP Message Security UsernameToken Profile 1.0 protocol. You must create the domain or local user accounts corresponding to the client credentials.
- Certificate: Clients are authenticated to this receive location using the client certificate specified through the Service certificate - Thumbprint property. The credential is passed through the SOAP Header element using the WSS SOAP Message Security X509 Token Profile 1.0 protocol. To authenticate the client certificates, the CA certificate chain for the client certificates must be installed in the Trusted Root Certification Authorities certificate store of this computer. In addition, you must provide the service certificate for this location through the Service certificate - Thumbprint property.

The default is Windows.

Use this: Algorithm suite
To do this: Specify the message encryption and key-wrap algorithms. These algorithms map to those specified in the Security Policy Language (WS-SecurityPolicy) specification. Possible values are:

- Basic128: Use Aes128 for message encryption, Sha1 for message digest, and Rsa-oaep-mgf1p for key wrap.
- Basic128Rsa15: Use Aes128 for message encryption, Sha1 for message digest, and Rsa15 for key wrap.
- Basic128Sha256: Use Aes128 for message encryption, Sha256 for message digest, and Rsa-oaep-mgf1p for key wrap.
- Basic128Sha256Rsa15: Use Aes128 for message encryption, Sha256 for message digest, and Rsa15 for key wrap.
- Basic192: Use Aes192 for message encryption, Sha1 for message digest, and Rsa-oaep-mgf1p for key wrap.
- Basic192Rsa15: Use Aes192 for message encryption, Sha1 for message digest, and Rsa15 for key wrap.
- Basic192Sha256: Use Aes192 for message encryption, Sha256 for message digest, and Rsa-oaep-mgf1p for key wrap.
- Basic192Sha256Rsa15: Use Aes192 for message encryption, Sha256 for message digest, and Rsa15 for key wrap.
- Basic256: Use Aes256 for message encryption, Sha1 for message digest, and Rsa-oaep-mgf1p for key wrap.
- Basic256Rsa15: Use Aes256 for message encryption, Sha1 for message digest, and Rsa15 for key wrap.
- Basic256Sha256: Use Aes256 for message encryption, Sha256 for message digest, and Rsa-oaep-mgf1p for key wrap.
- Basic256Sha256Rsa15: Use Aes256 for message encryption, Sha256 for message digest, and Rsa15 for key wrap.
- TripleDes: Use TripleDes for message encryption, Sha1 for message digest, and Rsa-oaep-mgf1p for key wrap.
- TripleDesRsa15: Use TripleDes for message encryption, Sha1 for message digest, and Rsa15 for key wrap.
- TripleDesSha256: Use TripleDes for message encryption, Sha256 for message digest, and Rsa-oaep-mgf1p for key wrap.
- TripleDesSha256Rsa15: Use TripleDes for message encryption, Sha256 for message digest, and Rsa15 for key wrap.

The default value is Basic256.

Use this: Service certificate - Thumbprint
To do this: Specify the thumbprint of the X.509 certificate for this receive location that clients use to authenticate the service. The thumbprint can be selected by browsing the My store in the Current User location with the Browse button. Note: You must install the service certificate into the Current User location of the user account for the receive handler hosting this receive location.

Minimum length: 0

Maximum length: 40

The default is an empty string.

Use this: Use Single Sign-On
To do this: Specify whether to use Single Sign-On to retrieve client credentials to issue an SSO ticket. This option is valid only for the security configurations listed in the following section, "Enterprise Single Sign-On Supportability for the WCF-NetTcp Receive Adapter."

The default value is cleared.
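As an added example (not BizTalk's or the adapter's own code, whose binding is produced from this dialog), the same settings expressed on a plain WCF NetTcpBinding: the dialog defaults (Transport, Windows, EncryptAndSign), and a TransportWithMessageCredential binding with Certificate message credentials and Basic256Sha256, with the service certificate resolved by thumbprint from CurrentUser\My and client certificates validated by chain trust. The IOrderIntake contract, the address and the thumbprint value are assumed placeholders.

```csharp
using System;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security;

// Hypothetical contract standing in for the receive location's endpoint.
[ServiceContract]
public interface IOrderIntake
{
    [OperationContract]
    void Submit(string order);
}

public static class NetTcpSecurityConfig
{
    // Dialog defaults: Security mode Transport, Transport client credential type
    // Windows (SPNego/Kerberos), Transport protection level EncryptAndSign.
    public static NetTcpBinding DefaultTransportBinding()
    {
        var binding = new NetTcpBinding();
        binding.Security.Mode = SecurityMode.Transport;
        binding.Security.Transport.ClientCredentialType = TcpClientCredentialType.Windows;
        binding.Security.Transport.ProtectionLevel = ProtectionLevel.EncryptAndSign;
        return binding;
    }

    // TransportWithMessageCredential with X.509 client credentials in the SOAP
    // header (WSS X509 Token Profile) and the Basic256Sha256 algorithm suite.
    public static NetTcpBinding CertificateMessageBinding()
    {
        var binding = new NetTcpBinding();
        binding.Security.Mode = SecurityMode.TransportWithMessageCredential;
        binding.Security.Message.ClientCredentialType = MessageCredentialType.Certificate;
        binding.Security.Message.AlgorithmSuite = SecurityAlgorithmSuite.Basic256Sha256;
        return binding;
    }

    // This mode requires the service certificate: look it up by thumbprint in the
    // CurrentUser\My store of the account hosting the service, as the dialog does.
    public static ServiceHost ConfigureHost(Type serviceType, Uri address, string thumbprint)
    {
        var host = new ServiceHost(serviceType, address);
        host.AddServiceEndpoint(typeof(IOrderIntake), CertificateMessageBinding(), "");
        host.Credentials.ServiceCertificate.SetCertificate(
            StoreLocation.CurrentUser, StoreName.My, X509FindType.FindByThumbprint, thumbprint);
        // Client certificates are accepted only if they chain to a trusted root CA.
        host.Credentials.ClientCertificate.Authentication.CertificateValidationMode =
            X509CertificateValidationMode.ChainTrust;
        return host;
    }
}
```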

Enterprise Single Sign-On Supportability for the WCF-NetTcp Receive Adapter.

The WCF-NetTcp receive adapter can issue an SSO ticket from the SSO server only in the security configurations shown in the following table.

| Security mode | Transport client credential type | Message client credential type |
|---|---|---|
| Transport | Windows | N/A |
| Message | N/A | Windows |
| Message | N/A | UserName |
| TransportWithMessageCredential | N/A | Windows |
| TransportWithMessageCredential | N/A | UserName |

See Also

- Managing BizTalk Hosts and Host Instances
- How to Change Service Accounts and Passwords
- How to Configure a WCF-NetTcp Receive Location
- Installing Certificates for the WCF Adapters