I had a requirement to restrict only one client certificate to able to invoke the schema or orchestration exposed WCF service.
To do this we can leverage the custom 509Validator class which will run every time a client access the WCF service and the certificate produce by the client will be passed as the input parameter to the validate method in the x509certificatevalidtor class.
You can read on more about certificateValidator class from here.

A sample Custom 509validatorclass that I have written for my scenario. I derived the X509CertificateValidator class and overrided the Validatemethod.

    public class CustomX509CertificateValidator: X509CertificateValidator
    {
        public override void
Validate(X509Certificate2 certificate)
        {
           // Only accept certificate of this particular thumbprint.
           if
(certificate.Thumbprint != "09c736b32459d83e1f6755d55cff2ce5eb4ae3ea")
                throw
new Exception("You are not authorized to invoke this Service");
        }
    }

Now, we will see how to configure in BizTalk, so that this validate method is called whenever a client tries to invoke the wcf service.
Since we will have to add service behavior for this service, use the WCF-customisolated adapter in the receive location.

In the configuration of customisolated adapter, select the binding that you want, I have selected basichttpbinding here, select the security mode as transport and client credential type to certificate.

Under the behavior tab, add the service behavior of type ServiceCredentials and under the traverse to the Authentication tab as shown below :

 

Now under the x509clientcertificateauthenicationelement, select the certificateValidationMode to Custom and in the CustomCertificateValidatorType give the above implemented class in the following format Namespace.Type,AssemblyName.

If you are placing the dll in the GAC give the fully qualified assembly name in the CustomCertificateValidatorType.

After this setup, only a client which submit the certificate whose thumbprint is 09c736b32459d83e1f6755d55cff2ce5eb4ae3ea will be able to invoke this service. Also the key usage for this certificate must have ClientAuthentication, only then the certificate will be used for Validation.
You
can modify the Validate method according to need, like restricting it certicates issue by CA etc.

This kind of a requirement is not common in BizTalk world, so thought of sharing it.

 Happy BizTalking!!

 

Written by
Shashidharan Krishnan

Reviewed by
Chirag Pavecha

Microsoft GTSC