Messages stay in “Active” status for quite a long time without suspending or error when using a certificate to call external WCF service on BizTalk server


Symptom

Consider the following scenario:

  • You have a BizTalk send port set up to call a third-party external WCF service.
  • You are using a certificate to call this WCF service.

In this scenario, you may find that messages stay in “Active” status for a long time without being suspended and without any error being raised. As a result, the orchestrations that are waiting for those messages become dehydrated.

Cause

We captured dump files of the BizTalk host process that runs the send port. They show why the messages sit in Active status without being suspended: the call that uses the certificate's private key ultimately opens a dialog (ncryptui!SKShowDialogWrapper) that requires user input. Because BizTalk runs as a Windows service with no interactive desktop, the dialog is never displayed, and the thread simply waits on it forever:

==================================================

0:058> kp

ChildEBP RetAddr
222ac17c 768c149d ntdll!ZwWaitForSingleObject(void)+0x15
222ac1e8 76581194 KERNELBASE!WaitForSingleObjectEx(void * hHandle = 0x00002028, unsigned long dwMilliseconds = 0xffffffff, int bAlertable = 0n0)+0x98
222ac200 76581148 kernel32!WaitForSingleObjectExImplementation(void * hHandle = 0x00002028, unsigned long dwMilliseconds = 0xffffffff, int bAlertable = 0n0)+0x75
222ac214 6df67024 kernel32!WaitForSingleObject(void * hHandle = 0x00002028, unsigned long dwMilliseconds = 0xffffffff)+0x12
222ac240 6df673dd ncryptui!SKShowDialogWrapper(DialogType DlgType = SKUseDialog (0n1), struct __PROMPT_PARAMS * pParams = 0x222ac278, int * pnButton = 0x222ac274)+0x65

===================================================

We then checked the ForceKeyProtection value on the BizTalk server under HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Cryptography (the Group Policy security template writes it as MACHINE\Software\Policies\Microsoft\Cryptography\ForceKeyProtection). It was set to 1.

ForceKeyProtection=1 means that strong private key protection is enforced by policy (“System cryptography: Force strong key protection for user keys stored on the computer”): the user is prompted when a private key is first used, and a value of 2 requires a password every time the key is used. That prompt is the ncryptui dialog we observed in the dump files. The same protection can also be turned on for a single key when the certificate is imported: if you want to be able to use strong private key protection, select the “Enable strong private key protection” check box in the Certificate Import Wizard. Either way, a service account can never answer the dialog. For detailed information, please refer to: http://technet.microsoft.com/en-us/library/cc776889(v=ws.10).aspx .

Solution

Create a new certificate, or re-import the existing one, into the personal store of the BizTalk host service account with “Enable strong private key protection” cleared, so that no dialog is needed when the send port uses the private key to call the external WCF service. If ForceKeyProtection is being applied to the server through Group Policy, review that policy as well, because a service has no desktop on which the prompt could ever be answered.
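The following PowerShell script is an added example and not part of the original post. Run it in a session started as the BizTalk host instance service account, because the key must end up in that account's CurrentUser\My store. It checks the ForceKeyProtection policy value described above, imports the PFX with Import-PfxCertificate (which, unlike the MMC wizard, has no strong private key protection option to leave ticked), and then proves the key can be used with no UI by signing in a background job under a timeout, which is how the hang in the dump would show up outside BizTalk. The PFX path and the 30-second timeout are assumptions; the PKI module (Windows Server 2012 or later) is required.

```powershell
# Added example (not from the original post). Run as the BizTalk host service account.
$PfxPath = 'C:\certs\partner-client.pfx'   # assumption: PFX exported together with its private key

# 1. The policy behind the hang. 0 (or absent) = no user input needed,
#    1 = prompt when a key is first used, 2 = password required on every use.
$policyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography'
$force = (Get-ItemProperty -Path $policyPath -Name ForceKeyProtection -ErrorAction SilentlyContinue).ForceKeyProtection
if ($force -gt 0) {
    Write-Warning "ForceKeyProtection=$force is set. A service can never answer the resulting prompt; review the 'Force strong key protection for user keys stored on the computer' policy for this server."
}

# 2. Import the PFX into this account's personal store. Import-PfxCertificate exposes no
#    'Enable strong private key protection' switch, so the key is stored without it.
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
$cert = Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation 'Cert:\CurrentUser\My' -Password $pfxPassword
"Imported $($cert.Subject) thumbprint $($cert.Thumbprint) HasPrivateKey=$($cert.HasPrivateKey)"

# 3. Prove the key is usable without a dialog. A background job has no interactive desktop,
#    just like the BizTalk host service, so a key that still prompts hangs the job and the
#    timeout fires instead of a signature coming back.
$job = Start-Job -ArgumentList $cert.Thumbprint -ScriptBlock {
    param($thumb)
    $c    = Get-Item "Cert:\CurrentUser\My\$thumb"
    $rsa  = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($c)
    $data = [System.Text.Encoding]::UTF8.GetBytes('strong key protection probe')   # constructed sample input
    $sig  = $rsa.SignData($data,
                          [System.Security.Cryptography.HashAlgorithmName]::SHA256,
                          [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
    [Convert]::ToBase64String($sig)
}

if (Wait-Job $job -Timeout 30) {
    $sig = Receive-Job $job
    "Private key usable non-interactively; signature starts with $($sig.Substring(0, 16))..."
} else {
    Stop-Job $job
    Write-Warning 'Signing did not return within 30 s: the key is still waiting on a user prompt (strong private key protection). Re-import it without that option.'
}
Remove-Job $job -Force
```

The timed signing step is the useful part: it reproduces the condition the send port hits (a private key operation with nobody to click the dialog) in a way that fails visibly, so it can be repeated after every certificate rollover before the host instance is restarted.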

 

Best regards,

Rachel Huang


Comments (1)

  1. Jamie says:

    Thanks for this information, we encountered the same problem with our X509 certificate.

    By default the 'Enable strong private key protection' check box was enabled when initially importing to the service account personal store, so re-importing the certificate with this option disabled solved the problem.

    Also, to get the thread stack dump as above you need to run the command !eestack from WinDbg.
