I have a BizTalk messaging-only interchange that uses the legacy HTTP adapter running in an isolated host on the receive end, which routes directly to a send port using the WCF-OracleDB adapter. The Send port is configured to retrieve credentials from SSO. The HTTP adapter is configured to use SSO and issues an SSO ticket in the context of the isolated host user.
When the send port activates, it logs the following message to the event log and stops:
Validation of the ticket failed. The sender name must match that of the ticket issuer.
Application Name: (affiliate application name)
Ticket Issued By: (in-process account name)
Sender Name: (isolated host account name)
The affiliate configuration is correct according to all the documentation I can find:
- Both accounts are in the domain group specified as the affiliate's Application Users property
- Both accounts have mappings in the affiliate to the desired external credential. I've tried a user-based affiliate, which won't allow more than one mapping to the same external credential, with both accounts as the host credential one at a time, and a group-based affiliate, with both accounts with a mapping to the same external credential simultaneously.
I have found this documentation, that suggests that in order to use SSO tickets, the hosts must be trusted: https://msdn.microsoft.com/en-us/library/bb899011.aspx
I have done this, which makes no difference.
I have also unchecked the 'validate tickets' option in the SSO Administration console for this affiliate, which also makes no difference.
What do I have to do to make this work?
