Exposing Biztalk Orchestration as a WCF Service over SSL
Well the very reason I am writing something on this is because of so many hours I was stuck doing this.
While many of us might not face issues implementing this , it should help those (and save time) who might be struggling to get this going.
To start with , recently we had a requirement of securing (exposing over SSL) a WCF Service with WsHttpBinding ,which I had developed exposing a Business Interface Orchestration. To secure the service means the
- The communication should be over https
- No Anonymous access should be disabled over the Virtual Directory.
For authentication scheme we would target Windows / Basic Authentication
Now coming back to the stuff - There are two parts to this :
- Enabling the Virtual Directory / Application in IIS to communicate over SSL.
-
- Hooking a certificate to the Root Web Site to meet the requirement for SSL
- Making the required changes in the associated web.config of the Virtual Directory.
- Configuring the BizTalk Receive Location to set the required Security Level to match that of the Virtual Directory.
The steps would be targeted towards BizTalk Server 2010 / IIS 7.0
Enabling the Virtual Directory / Application in IIS to communicate over SSL
Enabling SSL on IIS
This would be a pretty straight step that we might be doing for enabling communication over SSL for any other website on IIS 7.0 . For more info / help on this refer to https://learn.iis.net/page.aspx/144/how-to-set-up-ssl-on-iis-7/#IISManager
Adding User Account to BizTalk Appication Users
This is an important step and often missed by people.
Please do not forget to add the User Account (Under which your client is running. For e.g. AppPool user in case of a Web Application or Sharepoint hosted Application ) to the BizTalk Group - "Biztalk Application Users"
Modifying Web.Config
This is the most crucial part of the entire exercise and the one everyone seems to be missing on and face issues ( or at least I faced a lot)
To enable HTTPS following modifications need to be done in the web.config :
Open the web.config of the Virtual Directory
- Comment out the 'mex' binding so that finally it looks like this
<services>
<!-- Note: the service name must match the configuration name for the service implementation. -->
<service name="Microsoft.BizTalk.Adapter.Wcf.Runtime.BizTalkServiceInstance" behaviorConfiguration="ServiceBehaviorConfiguration">
<!--<endpoint name="HttpMexEndpoint" address="mex" binding="mexHttpBinding" bindingConfiguration="" contract="IMetadataExchange" />-->
<!--<endpoint name="HttpsMexEndpoint" address="mex" binding="mexHttpsBinding" bindingConfiguration="" contract="IMetadataExchange" />-->
</service>
</services>
If we don't comment out 'mex' binding we would get an error like this when we try to browse the service ( The one which killed most of my time)
Security settings for this service require 'Anonymous' Authentication but it is not enabled for the IIS application that hosts this service
2. Modify the Service Behaviour -> serviceMetadata section to enable https and disable http ( By Default it's like this httpsGetEnabled="false" httpGetEnabled ="true") so that post modification is should be like the following
<serviceBehaviors>
<behavior name="ServiceBehaviorConfiguration">
<serviceDebug httpsHelpPageEnabled="true" httpHelpPageEnabled="false" includeExceptionDetailInFaults="false" />
<serviceMetadata httpsGetEnabled="true" httpGetEnabled ="false"/>
</behavior>
</serviceBehavior>
With the default settings when we try to browse the service , we would probably be getting the followign error :
Could not find a base address that matches scheme http for the endpoint with binding WsHttpBinding. Registered base address schemes are [https]
Configuring the BizTalk Receive Location to set the required Security Level to match that of the Virtual Directory
Here , assuming that you would have created a Receive Location in your BizTalk Application using the BizTalk WCF Service Publishing Wizard while publishing the Orchestration as a Service , all we need to do is open the Receive Location - > properties and configure the WsHttpBinding Security settings as shown below .
While here I have selected the credential type as Windows , choice rests with you on what authentication scheme you want to keep , but always remember the fact that whatever scheme you keep here , the same should be set up on the IIS virtual Directory too.
Hope this helps...Till that time HAPPY BizTalkinggg....
Comments
- Anonymous
October 08, 2011
It helps a lot thanks for sharing. - Anonymous
October 13, 2011
Very useful. Thanks for sharing. - Anonymous
October 18, 2011
Very helpful post! - Anonymous
December 03, 2012
Thanks for solving my 'Anonymous Authentication' issue.