AS2 Configuration on BizTalk 2009 Group

Last week I was working on an AS2 configuration on BizTalk 2009.
The AS2 messages needed to be encrypted and signed.

Previously I went through an AS2 configuration on BizTalk 2006 and, as I expected, everything looked familiar to me.
Setting up the encryption was an easy job. Nevertheless, the second requirement, message signing, wasn’t as straightforward as I hoped.

After configuring and enabling a certificate to sign the messages, I received the following error:

“Error: The Signing Certificate has not been configured for AS2 party.”

I checked and double-checked every known issue that I could Bing, such as…

  • Install the certificate used for signing in the personal certificate store of the appropriate BizTalk host service account.

    This installation has to be done while you are logged on with this service account. Otherwise the certificate will be imported in the wrong personal store.

  • Avoid enabling strong private key protection in the certificate during import in the personal store.

    And be sure that the certificate has the private key included.
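
The checks in this list can be scripted. The following is an added example, not part of the original post: a Windows PowerShell script that assumes it is run in a session started as the BizTalk host service account, with the `-Thumbprint` value (a placeholder here) set to the thumbprint of the signing certificate.

```powershell
param(
    # Placeholder: thumbprint of the signing certificate selected in BizTalk.
    [string]$Thumbprint = '<SIGNING-CERT-THUMBPRINT>'
)

# Cert:\CurrentUser\My is the personal store of whoever runs this session,
# so start the session as the BizTalk host service account.
$account = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
$wanted  = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()
if ($wanted.Length -ne 40) {
    Write-Output 'Set -Thumbprint to the 40-hex-digit thumbprint of the certificate.'
    return
}

$cert = Get-ChildItem Cert:\CurrentUser\My |
        Where-Object { $_.Thumbprint -eq $wanted } |
        Select-Object -First 1
if (-not $cert) {
    Write-Output "FAIL: $wanted is not in the personal store of $account"
    return
}

# Strong private key protection is a property of the key container.
# It is readable through the legacy CSP API; for other key types it stays 'unknown'.
$strong = 'unknown'
if ($cert.HasPrivateKey) {
    try {
        $key = $cert.PrivateKey
        if ($key -is [System.Security.Cryptography.ICspAsymmetricAlgorithm]) {
            $strong = $key.CspKeyContainerInfo.Protected
        }
    } catch {
        $strong = "unreadable: $($_.Exception.Message)"
    }
}

New-Object PSObject -Property @{
    Account             = $account
    Subject             = $cert.Subject
    Thumbprint          = $cert.Thumbprint
    HasPrivateKey       = $cert.HasPrivateKey
    StrongKeyProtection = $strong
} | Format-List
```

A certificate that meets the list above reports `HasPrivateKey` as `True` and `StrongKeyProtection` as `False` under the service account's name.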


None of these well-known problems solved my error. Searching for new inspiration, I repeated the installation on a clean standalone development machine. And yes, here I had more success! The signing and encryption both worked. After comparing the two installations I didn’t find any difference in the configuration of the necessary certificates. So if my AS2 configuration is the same, then what makes the difference?

An SQL trace brought the answer. I asked the DBA to capture the SQL activity while BizTalk was trying to send an AS2 message. In the trace we found the following SQL statement:

declare @p3 nvarchar(256)
set @p3=NULL
declare @p4 nvarchar(256)
set @p4=N''
exec admsvr_GetGroupSigningCert
@nvcGroupName=N'BizTalk Group',@nvcHostName=N'BizTalkServerApplication',
@nvcGroupSignCertName=@p3 output,
@nvcHostSignCertName=@p4 output
select @p3, @p4

This statement wouldn’t have looked wrong to me if I hadn’t changed the name of the BizTalk group.
Most of the time I maintain different BizTalk groups from one BizTalk administration console, so
I rename the different BizTalk groups for easy recognition (Dev. group, Acc. Group and Prod. group).
In the above statement we see that the default group name “BizTalk Group” is still being used. Hence, no certificate can be found.
On my clean development machine the installation succeeded because I didn’t change the group name.
After renaming the group back to “BizTalk Group” the problem was solved.

This means that the AS2 pipeline component uses the hardcoded default group name “BizTalk Group” to search for the signing certificate.
Therefore you cannot rename the BizTalk group if you want to make use of AS2 with message signing enabled.