BizTalk 2013R2 SB-Messaging: The X.509 certificate CN=servicebus.windows.net is not in the trusted people store.

The Problem:

After configuring a brand new BizTalk 2013R2 production environment and requesting the needed firewall exclusions from the security department, we were still unable to send messages to Azure Service Bus with the SB-Messaging adapter in BizTalk 2013R2 (using ACS authentication). The adapter could open a connection, but TLS validation of the Service Bus endpoint failed. We found the following warning in the EventLog:

The adapter “SB-Messaging” raised an error message. Details “System.ServiceModel.EndpointNotFoundException: The X.509 certificate CN=servicebus.windows.net is not in the trusted people store. The X.509 certificate CN=servicebus.windows.net chain building failed. The certificate that was used has a trust chain that cannot be verified. Replace the certificate or change the certificateValidationMode. A certificate chain could not be built to a trusted root authority.”


The Solution:

Thanks to this post on StackOverflow I was able to fix the problem by letting Windows “auto install” the missing certificate. The root CA that issues the servicebus.windows.net certificate was simply not present in the Trusted Root Certification Authorities store of the new servers. Windows normally fetches such third-party roots on demand from Windows Update the first time chain building runs into them (the automatic root certificate update), but a freshly built server without internet connectivity never gets the chance to do so, and the adapter keeps failing with “chain building failed”.

The following steps solved our problem:

  1. Configure the company web proxy (needed for internet connectivity) on the server BizTalk uses for Service Bus connectivity
  2. Use a .NET console test application to send/receive a dummy message to an Azure Service Bus test queue; the TLS handshake triggers the download of the missing root
  3. Remove the web proxy configuration again (the downloaded root stays in the machine store)
  4. Repeat on every BizTalk server in the group, since the root store is per machine
  5. Test using the BizTalk SB-Messaging adapter
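Before and after running the steps above it is useful to check, on each server and independently of BizTalk, whether the certificate presented by Service Bus actually chains to a root in the machine's Trusted Root store. The following PowerShell script is an added example and not code from the original post: it performs a TLS handshake against your namespace host, builds the chain the same way WCF chain trust does, reports which element breaks the chain, and lists any CAPI2 auto-update events. The namespace name is a placeholder, and the assumption that the automatic root update is logged by the Microsoft-Windows-CAPI2 provider in the Application log is marked in the code.

```powershell
# Added example (not from the original post): run on each BizTalk server to verify that the
# certificate presented by Azure Service Bus chains to a root the machine already trusts.
param(
    [string]$Namespace  = 'contoso-test',            # placeholder; use your own namespace
    [string]$HostSuffix = 'servicebus.windows.net'
)
$ErrorActionPreference = 'Stop'
$targetHost = "$Namespace.$HostSuffix"

# 1. TLS handshake, keeping the server certificate. The callback returns $true only so that
#    the handshake completes and we can inspect the chain ourselves; no application data is sent.
$tcp = New-Object System.Net.Sockets.TcpClient($targetHost, 443)
$acceptForInspection = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptForInspection)
try {
    $ssl.AuthenticateAsClient($targetHost)
    $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
} finally {
    $ssl.Dispose()
    $tcp.Close()
}

# 2. Build the chain against the local machine stores (revocation is skipped because the
#    adapter error is about trust, not revocation; WCF ChainTrust itself checks revocation online).
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$built = $chain.Build($leaf)

"Leaf: $($leaf.Subject)"
foreach ($element in $chain.ChainElements) {
    $status = if ($element.ChainElementStatus.Count -eq 0) { 'OK' }
              else { ($element.ChainElementStatus | ForEach-Object { $_.Status }) -join ',' }
    "  {0,-60} {1}" -f $element.Certificate.Subject, $status
}

# The last element is the highest certificate Windows could find; when the root is missing
# this is only the intermediate and the chain status reports PartialChain.
$top        = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
$topTrusted = Test-Path "Cert:\LocalMachine\Root\$($top.Thumbprint)"

if ($built -and $topTrusted) {
    "Chain OK: root '$($top.Subject)' is in LocalMachine\Root"
} else {
    "Chain FAILED: $(($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')"
    "Top of chain: '$($top.Subject)' (thumbprint $($top.Thumbprint)); present in LocalMachine\Root: $topTrusted"
    "This is the state behind 'chain building failed' in the SB-Messaging adapter: let the root be auto-updated, do not lower certificateValidationMode."
}

# 3. Show whether the automatic root update has run on this box.
#    Assumption: the update is recorded by the Microsoft-Windows-CAPI2 provider in the Application log.
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'Microsoft-Windows-CAPI2' } -MaxEvents 200 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'root certificate' } |
    Select-Object TimeCreated, Id, @{ n = 'Message'; e = { $_.Message.Split("`n")[0] } }
```

Run the script once before step 1 to capture the PartialChain/UntrustedRoot state, and again after step 3 with the proxy removed: a clean chain at that point proves the fix is persisted in the machine store and does not depend on the proxy being present.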


After running the console test application, an informational event appeared in the EventLog (the original post shows a screenshot) confirming that the missing root certificate had been installed. Two things are worth knowing: the root ends up in the machine's Trusted Root store, so the proxy is only needed once per server, but the same steps will be needed again should Service Bus ever move to a certificate chain whose root the servers do not yet have. And do not take the other way out that the error message suggests, lowering certificateValidationMode to None: that disables chain validation for the adapter and leaves the connection to Service Bus open to anyone who can present a certificate for the host name.

A small side note regarding the .NET console test application: make sure you use the “AutoDetect” connectivity mode, so that the client tries the Service Bus TCP ports (9350-9354) first and falls back to HTTPS on port 443 when those are blocked by the firewall:

ServiceBusEnvironment.SystemConnectivity.Mode = ConnectivityMode.AutoDetect;
  • Alex Turner

    Hi Jeroen,

    I am having exactly the same issue. Can you please identify which firewall port exclusions are required? I would highly appreciate your response at your earliest.

    Regards,

    Alex

    • Hi Alex,

      You can find a nice overview here: https://blogs.msdn.microsoft.com/brunoterkaly/2012/02/07/azure-ports/
      TCP: 9350, 9351, 9352, 9353, 9354
      HTTP: 80
      HTTPS: 443

      Regards,
      Jeroen

      • Alex Turner

        Hi Jeroen,

        Thank you so much for your prompt response. I have opened all these ports (9350, 9351, 9352, 9353, 9354, 443, 80) in my firewall but could not get through. If I run the same environment in my developer virtual machine, it works perfectly, but in the integration environment it fails.
        Microsoft suggested opening ephemeral ports, which is an unacceptable solution to my security teams.
        http://www.ncftp.com/ncftpd/doc/misc/ephemeral_ports.html

        I have created a .NET client application, which works fine as well in the integration environment and uses HTTPS port 443, but while trying to establish the connection from BizTalk in the integration environment, inbound traffic is coming through a different set of dynamic ports (ephemeral ports).

        Do you know any reason inbound traffic is coming through a different set of dynamic ports?

        Thank You,

        Alex