How to Do SSL and Basic Auth on an Orchestration Published as a WCF WebService

In the BizTalk world, the person who publishes the orchestration usually creates a small client program to call the webservice and to test it. This is a good practice before going to another developer (either in your company or to a customer) and telling them the service is “working” when you haven’t even tested it yourself.


MyClient client = new MyClient(); //from WCF Service reference
client.ClientCredentials.UserName.UserName = "TestUser";
client.ClientCredentials.UserName.Password = "TestPass";

Add New Windows User

From Computer Management, add a new user called “TestUser” with a password “TestPass”.
Depending on your policies, make sure “User must change password” is unchecked, and “User cannot change password” and “Password never expires” are checked. Typically in a B2B scenario, you don’t expire the password, because that would break the business processes. Alternatively, you could add a Domain User account in Active Directory.

[Screenshots: Computer Management, Add New User dialog and account options]

IIS Changes

Enable Basic Authentication

At that point, you no longer want “Anonymous Authentication” enabled, so disable it.
Screen shots below are from IIS 7.5 on Windows 2008/R2.

[Screenshot: IIS Authentication settings for the published orchestration]

Add Authorization Rule for “TestUser”

Click on “Authorization Rules”, then right-click and select ‘Add Allow Rule’, then add ‘TestUser’. Remove any other users you don’t want there.

[Screenshot: IIS Authorization Rules for the published orchestration]

I’m not 100% sure if you have to restart your app pool or website in order for these changes to take effect. I would suggest doing so.
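The same IIS changes can be scripted instead of clicked through, which is handy when the endpoint has to be rebuilt on another box. The following is an added example, not code from the original post; it uses Microsoft.Web.Administration (the IIS 7.x management API) and must run elevated on the IIS server. The site/application path, the application pool name and the realm text are assumptions; substitute the ones for your published orchestration.

```csharp
using System;
using Microsoft.Web.Administration; // reference Microsoft.Web.Administration.dll from %windir%\System32\inetsrv

// Added example: disable Anonymous, enable Basic, allow only TestUser,
// then recycle the app pool so the change is definitely picked up.
static class ConfigureBasicAuth
{
    const string SitePath    = "Default Web Site/MyOrchestrationService"; // hypothetical
    const string AppPoolName = "MyOrchestrationAppPool";                  // hypothetical

    static void Main()
    {
        using (ServerManager mgr = new ServerManager())
        {
            // Authentication sections are locked at site level by default, so
            // they are edited in applicationHost.config under a <location> path.
            Configuration cfg = mgr.GetApplicationHostConfiguration();

            ConfigurationSection anon = cfg.GetSection(
                "system.webServer/security/authentication/anonymousAuthentication", SitePath);
            anon["enabled"] = false;   // no more unauthenticated calls

            ConfigurationSection basic = cfg.GetSection(
                "system.webServer/security/authentication/basicAuthentication", SitePath);
            basic["enabled"] = true;
            basic["realm"] = "mydomain.com"; // assumed; appears in the WWW-Authenticate header

            // Authorization rules: drop the default "allow all users" rule and
            // keep a single Allow rule for TestUser.
            ConfigurationSection authz = cfg.GetSection(
                "system.webServer/security/authorization", SitePath);
            ConfigurationElementCollection rules = authz.GetCollection();
            rules.Clear();
            ConfigurationElement allow = rules.CreateElement("add");
            allow["accessType"] = "Allow";
            allow["users"] = "TestUser";
            rules.Add(allow);

            mgr.CommitChanges();

            // Equivalent to the manual app pool restart suggested above.
            mgr.ApplicationPools[AppPoolName].Recycle();
            Console.WriteLine("Basic auth enabled and authorization rule applied for " + SitePath);
        }
    }
}
```

Both the Basic Authentication and URL Authorization role services must be installed in IIS for these sections to exist; if `GetSection` throws, check Server Manager first. Clearing the rules collection is the programmatic equivalent of “remove any other users you don’t want there”, so review what is in it before running this against a shared site.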

BizTalk Receive Location Changes

Go to the Receive Location bound to your orchestration. Click “Configure”, then the third tab over, labeled “Security”.

Select “Basic” for the “Transport client credential type”. This must match what we set up in IIS above.

[Screenshot: WCF-WSHttp Transport Properties, Security tab]

Testing

Run your client with “TestUser” and the correct password, make sure it works.
Run your client with an invalid user or password, make sure it fails. When it fails, you should get this error:


System.ServiceModel.Security.MessageSecurityException: The HTTP request is unauthorized with client authentication scheme 'Basic'. The authentication header received from the server was 'Basic realm="mydomain.com"'. ---> System.Net.WebException: The remote server returned an error: (401) Unauthorized.
at System.Net.HttpWebRequest.GetResponse()
at System.ServiceModel.Channels.HttpChannelFactory`1.HttpRequestChannel.HttpChannelRequest.WaitForReply(TimeSpan timeout)
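Rather than eyeballing the two runs, the small test client from the top of the post can check both outcomes itself: the valid credentials must go through, and the invalid ones must produce exactly the `MessageSecurityException` wrapping a 401 shown above, not some other failure (a different exception usually means the binding, not the credentials, is wrong). This is an added example, not code from the original post. It assumes `MyClient` is the proxy generated from the service reference and that it exposes an operation `Submit` taking a `MyRequest`; both names are hypothetical, so substitute the generated ones.

```csharp
using System;
using System.Net;
using System.ServiceModel;
using System.ServiceModel.Security;

// Added example: drive the published orchestration with good and bad
// credentials and classify the result.
static class BasicAuthSmokeTest
{
    // Returns true when the call is accepted, false when IIS rejects the
    // credentials with HTTP 401; anything else is rethrown so it is visible.
    static bool TryCall(string user, string password)
    {
        MyClient client = new MyClient(); // from WCF service reference (hypothetical name)
        client.ClientCredentials.UserName.UserName = user;
        client.ClientCredentials.UserName.Password = password;
        try
        {
            client.Submit(new MyRequest()); // hypothetical operation and request type
            client.Close();
            return true;
        }
        catch (MessageSecurityException ex)
        {
            client.Abort();
            // WCF wraps the 401 in a MessageSecurityException; the HTTP status
            // lives on the inner WebException's response.
            WebException web = ex.InnerException as WebException;
            HttpWebResponse resp = web == null ? null : web.Response as HttpWebResponse;
            if (resp != null && resp.StatusCode == HttpStatusCode.Unauthorized)
                return false;
            throw; // some other security failure: surface it
        }
        catch
        {
            client.Abort(); // never leave a faulted proxy open
            throw;
        }
    }

    static int Main()
    {
        bool accepted = TryCall("TestUser", "TestPass");
        bool rejected = !TryCall("TestUser", "wrong-password"); // constructed bad credential
        Console.WriteLine("valid credentials accepted:   " + accepted);
        Console.WriteLine("invalid credentials rejected: " + rejected);
        // Both must hold before telling anyone the service is "working".
        return (accepted && rejected) ? 0 : 1;
    }
}
```

For the client to send the Basic header at all, the binding in the generated app.config has to match the receive location: `<security mode="Transport"><transport clientCredentialType="Basic"/></security>` once SSL is in place, or `mode="TransportCredentialOnly"` while testing over plain HTTP. In the latter case the user name and password travel base64-encoded and readable on the wire, which is why the SSL half of this setup is not optional for anything beyond a local test.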

I hope to explain the SSL part in a separate blog.
