Posts Tagged ‘Biztalk’

Biztalk 2016 wants to disable private key protection

Biztalk 2016 failed to receive AS2 messages with this error:

The MIME encoder failed to sign the message because the certificate has private key protection turned on or the private key does not exist. Please disable private key protection to allow BizTalk to use a certificate for signing.

Sounds straightforward, except that private key protection was already disabled, and the user profile for the Biztalk service account was being loaded, so nothing was wrong there either. I went through the documentation several times and found nothing wrong. Finally I found that the cause was the cryptographic provider holding the private key.

The root cause is that Biztalk 2016 still relies on the ancient .NET 3.5, whose certificate and S/MIME code only goes through the legacy CryptoAPI (CSP) path and cannot open a private key held by a CNG Key Storage Provider (KSP). New-SelfSignedCertificate and most modern enrollment templates create keys in the KSP by default, and a PFX exported from such a certificate records that provider name, so re-importing it simply brings the key back into the KSP. Check which provider holds the key:


certutil -p password cert.pfx

If the output says “Provider = Microsoft Software Key Storage Provider” (or any other Key Storage Provider), Biztalk will fail and complain about private key protection even though the key is perfectly usable by modern code. A PFX written by OpenSSL does not carry that KSP provider attribute, so round-tripping the file through OpenSSL is enough to make Windows bind the key to a legacy CSP on import:


openssl pkcs12 -in my-original-cert.pfx -out temp.pem
openssl pkcs12 -export -in temp.pem -out my-fixed-cert.pfx

Note that temp.pem contains the private key, protected only by the PEM pass phrase you choose (or not at all with -nodes), so delete it once the new PFX has been written. Remove the existing entry for this certificate from the Local Computer Personal store first, so the old KSP-bound key association is gone, then import my-fixed-cert.pfx into the Personal store (and, if it is self-signed, also into Trusted Root Certification Authorities). The certificate itself is unchanged, so its thumbprint, and therefore the Biztalk party and host settings that reference it, stay the same; restart the host instances so they pick up the new key, and the problem should be solved. Verify with certutil -store My <thumbprint> that the Provider line now names a CSP such as Microsoft Enhanced RSA and AES Cryptographic Provider. If you are starting from scratch, create the key in a legacy provider directly instead:


New-SelfSignedCertificate -Provider "Microsoft Strong Cryptographic Provider" ...
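The check and the fix above as one PowerShell script. This is an added example, not code from the original post: it reports which provider holds each private key in the Local Computer Personal store and whether the legacy CryptoAPI accessor (the path .NET 3.5-era code uses) can open it, then re-exports a PFX through OpenSSL with an explicit -CSP name so the key lands in a CSP on import. The function names, certificate paths, thumbprint and password are placeholders, and openssl.exe is assumed to be on PATH.

```powershell
# Added example, not part of the original post. Requires PowerShell 5.1 on Windows Server 2016
# (PKI module for Import-PfxCertificate) and openssl.exe on PATH. Paths and passwords are placeholders.

function Get-KeyProviderReport {
    # Lists every certificate with a private key in $StorePath, the provider holding the key,
    # and whether the legacy X509Certificate2.PrivateKey accessor (CryptoAPI) can open it.
    param([string]$StorePath = 'Cert:\LocalMachine\My')

    Get-ChildItem -Path $StorePath | Where-Object { $_.HasPrivateKey } | ForEach-Object {
        $cert = $_
        $rsa  = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
        $provider = if ($rsa -is [System.Security.Cryptography.RSACng]) {
            $rsa.Key.Provider.Provider            # e.g. "Microsoft Software Key Storage Provider" (KSP)
        } elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
            $rsa.CspKeyContainerInfo.ProviderName # e.g. "Microsoft Enhanced RSA and AES Cryptographic Provider" (CSP)
        } else {
            'non-RSA or inaccessible'
        }
        # The legacy accessor throws for CNG-held keys ("Invalid provider type specified") and
        # also when the current account has no permission on the key ("Keyset does not exist");
        # both show up in Biztalk as the "private key protection / key does not exist" error.
        $legacyOk = $true
        $reason   = ''
        try { $null = $cert.PrivateKey } catch { $legacyOk = $false; $reason = $_.Exception.Message }
        [pscustomobject]@{
            Subject          = $cert.Subject
            Thumbprint       = $cert.Thumbprint
            Provider         = $provider
            LegacyCapiAccess = $legacyOk
            Reason           = $reason
        }
    }
}

function Convert-PfxToCspPfx {
    # Round-trips a PFX through OpenSSL and records a legacy CSP name in the new file
    # (openssl pkcs12 -CSP) so that Windows binds the key to that CSP on import.
    param(
        [Parameter(Mandatory)][string]$InPfx,
        [Parameter(Mandatory)][string]$OutPfx,
        [Parameter(Mandatory)][string]$Password,
        [string]$Csp = 'Microsoft Enhanced RSA and AES Cryptographic Provider'
    )
    $tmp = Join-Path $env:TEMP "$([guid]::NewGuid()).pem"
    try {
        # -nodes writes the private key unencrypted into $tmp; the finally block removes it.
        # pass: arguments are visible in the process list; acceptable on an admin box, not in shared CI.
        & openssl pkcs12 -in $InPfx -passin "pass:$Password" -nodes -out $tmp
        if ($LASTEXITCODE -ne 0) { throw "openssl pkcs12 (parse) failed with exit code $LASTEXITCODE" }
        & openssl pkcs12 -export -in $tmp -CSP $Csp -passout "pass:$Password" -out $OutPfx
        if ($LASTEXITCODE -ne 0) { throw "openssl pkcs12 (export) failed with exit code $LASTEXITCODE" }
    } finally {
        if (Test-Path $tmp) { Remove-Item $tmp -Force }
    }
}

# Usage (all values are placeholders): find KSP-held keys, fix the Biztalk signing certificate,
# drop the old entry, re-import, and re-check.
Get-KeyProviderReport | Where-Object { $_.Provider -like '*Key Storage Provider*' } | Format-Table -AutoSize

$thumb = '<thumbprint of the Biztalk signing certificate>'
Convert-PfxToCspPfx -InPfx 'C:\certs\my-original-cert.pfx' -OutPfx 'C:\certs\my-fixed-cert.pfx' -Password 'password'
if (Test-Path "Cert:\LocalMachine\My\$thumb") { Remove-Item -Path "Cert:\LocalMachine\My\$thumb" -DeleteKey }
$pw = ConvertTo-SecureString 'password' -AsPlainText -Force
Import-PfxCertificate -FilePath 'C:\certs\my-fixed-cert.pfx' -CertStoreLocation 'Cert:\LocalMachine\My' -Password $pw | Out-Null
Get-KeyProviderReport | Where-Object { $_.Thumbprint -eq $thumb } | Format-Table -AutoSize
```

Run the report first and look at the LegacyCapiAccess column: a certificate whose Provider is a CSP but whose Reason says "Keyset does not exist" is a permissions problem on the key (grant the Biztalk service account read access), not a provider problem, and the OpenSSL round-trip will not help there.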
Categories: Windows

Install .NET 3.5 on Windows Server 2016 for Biztalk

Why would Windows Server 2016 need .NET 3.5? Ask Microsoft: it is required by Biztalk 2016, a product that also requires an older SQL Server version (it will not install on SQL Server 2017) with Windows authentication. Anyway, put that aside. We need it, and adding the feature should be a simple thing. Unfortunately it is not: the Add Roles and Features wizard complains that it cannot find the source files, because the .NET 3.5 payload is not kept on disk by Server 2016 and has to come either from the installation media or from Windows Update (not from WSUS).

After some digging I managed to get it to work. First of all, open the Local Group Policy Editor (gpedit.msc). Navigate to Local Computer Policy -> Computer Configuration -> Administrative Templates -> System -> Specify settings for optional component installation and component repair. Set it to Enabled and tick “Download repair content and optional features directly from Windows Update instead of Windows Server Update Services (WSUS)”. Close the editor and run the following in a command prompt as administrator:


dism /online /enable-feature /featurename:NetFX3 /all /LimitAccess

Hopefully that should do the job. Phew! One caveat: /LimitAccess tells DISM not to contact Windows Update at all, so it belongs together with a /Source:<drive>:\sources\sxs argument pointing at the installation media; if the policy change above is what lets the payload come from Windows Update, leave /LimitAccess off. Either way, confirm the result with dism /online /get-featureinfo /featurename:NetFX3, which should report State : Enabled.
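The same procedure as a PowerShell function that prefers the installation media and only falls back to Windows Update when asked. This is an added example, not code from the original post; the media path is a placeholder, and the registry value name used for the policy is taken from Servicing.admx as an assumption (the gpedit setting in the post is the authoritative way to set it).

```powershell
# Added example, not part of the original post. Run from an elevated PowerShell on Server 2016.
# $MediaSxs is a placeholder for the sources\sxs folder of the matching installation media.
function Install-NetFx3 {
    param(
        [string]$MediaSxs = 'D:\sources\sxs',
        [switch]$AllowWindowsUpdate   # fall back to Windows Update when no media is available
    )
    $feature = Get-WindowsOptionalFeature -Online -FeatureName NetFx3
    if ($feature.State -eq 'Enabled') { return $feature.State }

    if (Test-Path -Path $MediaSxs) {
        # Offline route: payload from media. -LimitAccess stops DISM contacting WU/WSUS at all,
        # which is only sensible because -Source supplies the files.
        Enable-WindowsOptionalFeature -Online -FeatureName NetFx3 -All `
            -Source $MediaSxs -LimitAccess -NoRestart | Out-Null
    } elseif ($AllowWindowsUpdate) {
        # Online route: the registry equivalent of the gpedit setting in the post.
        # Assumption (from Servicing.admx): RepairContentServerSource = 2 means "Download repair
        # content and optional features directly from Windows Update instead of WSUS".
        $pol = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Servicing'
        if (-not (Test-Path $pol)) { New-Item -Path $pol -Force | Out-Null }
        Set-ItemProperty -Path $pol -Name RepairContentServerSource -Value 2 -Type DWord
        # No -LimitAccess here: DISM must be allowed to reach Windows Update for the payload.
        Enable-WindowsOptionalFeature -Online -FeatureName NetFx3 -All -NoRestart | Out-Null
    } else {
        throw "No NetFx3 payload found at '$MediaSxs' and Windows Update fallback was not allowed."
    }

    # Verify both the feature state and the runtime registration that installers such as Biztalk check.
    $state = (Get-WindowsOptionalFeature -Online -FeatureName NetFx3).State
    $ndp   = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v3.5' -ErrorAction SilentlyContinue
    if ($state -ne 'Enabled' -or $ndp.Install -ne 1) {
        throw "NetFx3 enable did not complete (feature state: $state, NDP\v3.5 Install: $($ndp.Install))."
    }
    return $state   # 'Enabled'
}

# Usage: try the mounted ISO first, otherwise go to Windows Update via the policy.
Install-NetFx3 -MediaSxs 'D:\sources\sxs' -AllowWindowsUpdate
```

On a WSUS-managed server the media route is the one to prefer: it needs no policy change and leaves no lasting setting behind that later redirects component repair away from WSUS.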

Categories: Windows