BizTalk service with WS-Security

To create a WCF receive location with WS-Security (message security with clientCredentialType="UserName"), you must first use the WCF Publishing Wizard. The wizard creates a WCF service in IIS. This WCF service has minimal configuration, because it is coupled to a WCF receive location, and that is where the real settings live.

The configuration is done in the WCF receive location. Because the service must be called from a Java client, we are forced to use a BasicHttp binding. We can't use the wsHttp binding, because the WS-* specifications are not fully standardized. As a technical check: if you look at the request in raw view in SoapUI, you will only see a wsse security header when using basicHttp (not when using wsHttp).

Also note that we can't use plain message security; we need a more secure security mode. The reason is that BizTalk doesn't allow user credentials to be sent in clear text. TransportWithMessageCredential adds HTTPS to the picture: the credentials still travel in the message, but the transport is encrypted.
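The receive location settings described above correspond to the following WCF binding configuration. This is an added example, not the original post's configuration or a BizTalk artifact: BizTalk keeps these settings in the receive location itself, but the equivalent standalone WCF web.config fragment makes the binding, security mode and credential type explicit. The binding, service and contract names are assumptions.

```xml
<!-- Added example: equivalent WCF web.config fragment, not from the original post.
     Binding, service and contract names are assumptions. -->
<system.serviceModel>
  <bindings>
    <basicHttpBinding>
      <!-- BasicHttp: the binding the Java client can interoperate with. -->
      <binding name="WsSecurityUserNameBinding">
        <!-- TransportWithMessageCredential: HTTPS protects the channel,
             the UsernameToken travels in the wsse:Security header.
             Plain Message mode is not an option here, because BizTalk
             rejects credentials that would be sent in clear text. -->
        <security mode="TransportWithMessageCredential">
          <message clientCredentialType="UserName" />
        </security>
      </binding>
    </basicHttpBinding>
  </bindings>
  <services>
    <service name="ExampleReceiveService">
      <!-- TransportWithMessageCredential requires an https:// base address
           in IIS; over plain http the host will not open. -->
      <endpoint address=""
                binding="basicHttpBinding"
                bindingConfiguration="WsSecurityUserNameBinding"
                contract="IExampleReceiveService" />
    </service>
  </services>
</system.serviceModel>
```

With this mode the password is protected only by TLS, so the HTTPS binding in IIS and a valid server certificate are part of the security configuration, not an afterthought.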

To call the service from SoapUI, we have to set the Outgoing WS-Security Configurations. We don't have to create a keystore, because we don't have to specify a client certificate. Add an entry of type UserName. The properties Add Nonce and Add Created must not be selected, because they are not supported by BizTalk. Set Password Type to PasswordText.

Now specify Basic Authentication. If you don't specify basic authentication you will receive the error "An error occurred when verifying security for the message". For Outgoing WSS, specify the Outgoing WS-Security Configuration created earlier. You can also specify username and password. Note that the domain is set to the BizTalk server, i.e. biztalk01.connect.local. As a requirement, you must create a local (or domain) user account corresponding to the client credentials. In this case we created a local user account WONINGNET.WRB. If you try to log on to the service with another account, you will receive an error indicating there's a security violation.
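On the wire, the SoapUI settings above produce a UsernameToken like the one in the request below. This is an added, constructed example, not a capture from the original post's environment; the operation name, body, namespace and account values are placeholders. It shows the three properties that matter for BizTalk: a PasswordText password, and no wsse:Nonce or wsu:Created elements.

```xml
<!-- Added, constructed example of the request SoapUI sends with the UserName
     entry, Password Type PasswordText, and Add Nonce / Add Created unchecked.
     Operation, body, namespace and account values are placeholders. -->
<soapenv:Envelope
    xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
  <soapenv:Header>
    <wsse:Security soapenv:mustUnderstand="1">
      <wsse:UsernameToken>
        <!-- Must match a local or domain account on the BizTalk server. -->
        <wsse:Username>EXAMPLE.USER</wsse:Username>
        <!-- PasswordText: the literal password, so TLS is the only protection
             it gets; this is why TransportWithMessageCredential is required. -->
        <wsse:Password
            Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">placeholder-password</wsse:Password>
        <!-- No wsse:Nonce and no wsu:Created: BizTalk does not support them. -->
      </wsse:UsernameToken>
    </wsse:Security>
  </soapenv:Header>
  <soapenv:Body>
    <ExampleOperation xmlns="http://example.org/placeholder-namespace">
      <Payload>constructed sample payload</Payload>
    </ExampleOperation>
  </soapenv:Body>
</soapenv:Envelope>
```

The Basic Authentication setting adds a separate HTTP Authorization header outside this envelope; the wsse token alone is not enough, which is the error the post describes. Because the raw view in SoapUI shows the message before TLS encryption, the password is readable there even though it is encrypted on the network.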