BizTalk Application Bindings Error Message: “This Certificate is not installed on the Local Machine”
I thought it would be worth mentioning an interesting (and in our case, a “lifesaving” :-)) feature of BizTalk binding files.
First of all though, I will briefly explain what a bindings file is and some caveats…
A bindings file is an XML file that is generated via the BizTalk administration console, by right clicking on an application and selecting “Export -> Bindings…”. This file contains configuration details for your application. For example, it will specify what host an orchestration will run in and also how logical ports, created in the orchestration designer, will bind to actual physical ports.
Binding files are important solution artefacts and should be under source control.
Now it is possible to modify a bindings file using your favourite text editor but I have found this to be a somewhat tedious and error prone exercise. You may wish to do this, for example, if you are creating another set of bindings from an existing set, specific to another environment. After modifying a bindings file, it is important to test (before any release) that the file can be parsed by BizTalk by importing your bindings into your target application (using the BizTalk admin console) and checking that the import operation itself works and also, after refreshing the admin console, that your artefacts are created as expected.
I recommend that instead of manually updating/creating separate bindings for each deployment environment, you instead maintain a single bindings file with configuration for each environment managed using the Deployment Framework for BizTalk (BTDF) (this is a project available for download from CodePlex here: http://biztalkdeployment.codeplex.com/).
Now back to the main point of this post…
The background to this issue concerned our deployment process which, before installing a new version of an application, backs up existing assemblies and bindings. It also backs up any SSL certificates configured on send ports. However, our deployment failed since a few send ports were incorrectly configured with certificates that happened to not be installed in the server's certificate store.
This was relatively simple to resolve by conducting a search on the application bindings and locating each send port in error using the certificate thumbprint (the thumbprint associated with each misconfigured certificate was included in the exception message raised by the deployment script). It was then a matter of removing the certificate from each send port.
On locating a send port with a missing certificate, it was interesting to us to notice that the BizTalk bindings included this error in the “EncryptionCert” element (see screenshot):
So the export bindings function must check if the certificate exists in the server's certificate store, and if the certificate doesn't exist, populate the “LongName” XML attribute with the error message indicated in the screenshot (“This Certificate is not installed on the Local Machine”). An interesting feature and one that we may utilise to check from time to time that send ports have been configured correctly.
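The check described above can be automated over an exported bindings file. The following is an added example, not code from the original post or from BizTalk; it parses the bindings XML, reports any send port whose EncryptionCert carries the “not installed” text in its LongName, and optionally cross-checks each configured thumbprint against a list of thumbprints you supply from the server's certificate store. The element layout (`SendPort` under `SendPortCollection`, `EncryptionCert` with `LongName` and `Thumbprint` as attributes, with child elements accepted as a fallback) and the sample bindings are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Text BizTalk writes into LongName when the certificate is absent
# (taken from the post title; matched case-insensitively).
NOT_INSTALLED_TEXT = "This Certificate is not installed on the Local Machine"

# Constructed sample bindings: one healthy port, one flagged by the export,
# and one with no certificate configured at all. Thumbprints are made up.
SAMPLE_BINDINGS = """<BindingInfo>
  <SendPortCollection>
    <SendPort Name="SP_Good" IsStatic="true" IsTwoWay="false">
      <EncryptionCert LongName="CN=partner.example.test"
                      Thumbprint="AAAA1111AAAA1111AAAA1111AAAA1111AAAA1111" />
    </SendPort>
    <SendPort Name="SP_Missing" IsStatic="true" IsTwoWay="false">
      <EncryptionCert LongName="This Certificate is not installed on the Local Machine"
                      Thumbprint="BBBB2222BBBB2222BBBB2222BBBB2222BBBB2222" />
    </SendPort>
    <SendPort Name="SP_NoCert" IsStatic="true" IsTwoWay="false">
      <EncryptionCert />
    </SendPort>
  </SendPortCollection>
</BindingInfo>
"""


def _normalise_thumbprint(value):
    """Strip spaces and upper-case so store listings and bindings compare equal."""
    return (value or "").replace(" ", "").strip().upper()


def _cert_info(send_port):
    """Return (LongName, Thumbprint) for a SendPort, or ("", "") if none configured.

    Assumption: values are attributes of EncryptionCert, as the post describes;
    child elements of the same name are accepted as a fallback.
    """
    cert = send_port.find("EncryptionCert")
    if cert is None:
        return "", ""
    long_name = cert.get("LongName") or cert.findtext("LongName") or ""
    thumbprint = cert.get("Thumbprint") or cert.findtext("Thumbprint") or ""
    return long_name.strip(), _normalise_thumbprint(thumbprint)


def find_misconfigured_send_ports(bindings_xml, installed_thumbprints=None):
    """Return a list of findings for send ports whose certificate looks wrong.

    installed_thumbprints: optional iterable of thumbprints present in the
    server's store; when given, any configured thumbprint not in it is flagged.
    """
    root = ET.fromstring(bindings_xml)
    installed = None
    if installed_thumbprints is not None:
        installed = {_normalise_thumbprint(t) for t in installed_thumbprints}

    findings = []
    for send_port in root.iter("SendPort"):
        name = send_port.get("Name", "<unnamed>")
        long_name, thumbprint = _cert_info(send_port)
        if not thumbprint:
            continue  # no certificate configured on this port; nothing to check
        reasons = []
        if NOT_INSTALLED_TEXT.lower() in long_name.lower():
            reasons.append("bindings export flagged certificate as not installed")
        if installed is not None and thumbprint not in installed:
            reasons.append("thumbprint not present in supplied store listing")
        if reasons:
            findings.append({"send_port": name, "thumbprint": thumbprint, "reasons": reasons})
    return findings


if __name__ == "__main__":
    # Stand-alone run against the constructed sample, with a store listing that
    # only contains SP_Good's thumbprint.
    known = ["AAAA1111AAAA1111AAAA1111AAAA1111AAAA1111"]
    for finding in find_misconfigured_send_ports(SAMPLE_BINDINGS, known):
        print(f"{finding['send_port']}: {finding['thumbprint']} -> {'; '.join(finding['reasons'])}")
```

On the BizTalk server itself, a store listing for the second argument can be produced with `Get-ChildItem Cert:\LocalMachine\My | Select-Object -ExpandProperty Thumbprint` in PowerShell; feeding that list in catches ports whose certificate was removed after the bindings were exported, which the LongName text alone cannot reveal.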
(Many thanks to my colleague Mike Howell for noticing this feature and bringing it to my attention).