WCF-Custom Send Port MutualSSL with WS-Security

I had to define a WCF send port connecting to a service that used mutual SSL and Web Services Security (WS-Security). I had to use a WCF-Custom send port because the service was using SOAP 1.1, not SOAP 1.2. In the latter case I could have used a WCF-WSHttp binding.

Before creating the BizTalk send port, make sure the following prerequisites are set:
– The client certificate (with private key, i.e. pfx certificate) is installed in the LocalMachine / Personal Store.
– Right-click the certificate. Select All Tasks / Manage Private Keys. Add the BizTalk Application Users group and give it full control rights. If you don't perform this step, you might run into an error: System.ServiceModel.Security.SecurityNegotiationException: Could not establish secure channel for SSL/TLS with authority ''. ---> System.Net.WebException: The request was aborted: Could not create SSL/TLS secure channel.
– The server certificate (with public key, i.e. cer/crt certificate) is installed in the LocalMachine / Trusted People Store.
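
The three prerequisites above can be checked from an elevated PowerShell prompt on the BizTalk server before the send port is started. This is an added example, not part of the original post; the thumbprints are placeholders, the function name is hypothetical, and the key-file locations assume an RSA key held by one of the default Microsoft software key providers.

```powershell
# Added example: checks the three certificate prerequisites listed above.
# The thumbprints are placeholders; run from an elevated prompt.
function Test-SendPortCertPrereqs {
    param([string]$ClientThumbprint, [string]$ServerThumbprint,
          [string]$Group = 'BizTalk Application Users')

    # 1. Client certificate with private key in LocalMachine / Personal
    $client = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $ClientThumbprint }
    if (-not $client) { throw 'Client certificate not found in LocalMachine\My' }
    if (-not $client.HasPrivateKey) { throw 'Client certificate has no private key' }

    # 2. Private key ACL. Assumes an RSA key held by a Microsoft software
    #    provider: CNG keys live under Crypto\Keys, CSP keys under RSA\MachineKeys.
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($client)
    if (-not $rsa) { throw 'Private key is not an accessible RSA key' }
    if ($rsa -is [System.Security.Cryptography.RSACng]) {
        $keyFile = Join-Path $env:ProgramData "Microsoft\Crypto\Keys\$($rsa.Key.UniqueName)"
    } else {
        $keyFile = Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$($rsa.CspKeyContainerInfo.UniqueKeyContainerName)"
    }
    # Allow entries on the key file that name the BizTalk group
    $aces = @((Get-Acl -Path $keyFile).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -like "*\$Group"
    })

    # 3. Server certificate in LocalMachine / Trusted People
    $server = Get-ChildItem Cert:\LocalMachine\TrustedPeople |
        Where-Object { $_.Thumbprint -eq $ServerThumbprint }

    [pscustomobject]@{
        ClientCertSubject         = $client.Subject
        ClientCertExpires         = $client.NotAfter
        PrivateKeyFile            = $keyFile
        GroupHasKeyAccess         = ($aces.Count -gt 0)
        GroupKeyRights            = ($aces.FileSystemRights -join '; ')
        ServerCertInTrustedPeople = [bool]$server
        ServerCertExpires         = $server.NotAfter
    }
}

Test-SendPortCertPrereqs -ClientThumbprint '<CLIENT-CERT-THUMBPRINT>' `
                         -ServerThumbprint '<SERVER-CERT-THUMBPRINT>'
```

A result with GroupHasKeyAccess set to False means the Manage Private Keys step was skipped, which is the situation in which the SecurityNegotiationException quoted above can appear.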

Now create a BizTalk send port and select WCF-Custom.

Configure the WCF-Custom adapter:

General tab:

  • Address: https://…
  • BtsActionMapping: (in this case we only have one operation)
    <BtsActionMapping xmlns:xsi="" xmlns:xsd="">
      <Operation Name="SndWRVEenLk01" Action="" />
    </BtsActionMapping>

Binding tab:

  • Select Binding Type: customBinding
    Add the following extensions (in the prescribed order):

    • textMessageEncoding
    • security
      AuthenticationMode: UserNameOverTransport
      DefaultAlgorithmSuite: Default
      MessageProtectionOrder: SignBeforeEncryptAndEncryptSignature
      IncludeTimestamp: False
    • httpsTransport

Behavior tab:

  • Add EndpointBehavior ClientCredentials
    • ClientCertificate
    • Service certificate / Default certificate

Credentials tab:

  • Do not use single sign-on
    Enter the credentials as provided by the service provider