| Groups | Blog | Home |
dotnet web services enhancements : Authorization issues with WSE 3.0 running on IIS 5.0
on IIS. Every client application I create works fine if I run it under ASP.NET Development Server (it probably runs everything as admin) but as soon as I change this project to run under IIS I'll get the following exception: WSE2013: X509TokenProvider is unable to provide an X.509 token. There are no certificates in the certificate store that match the find value of 'CN=WSE2QuickStartServer'. at Microsoft.Web.Services3.Design.X509TokenProvider.CreateToken(StoreLocation location, StoreName storeName, String findValue, X509FindType findType) at Microsoft.Web.Services3.Design.X509TokenProvider.GetToken() at Microsoft.Web.Services3.Design.MutualCertificate11Assertion.ClientOutputFilter..ctor(MutualCertificate11Assertion assertion) at Microsoft.Web.Services3.Design.MutualCertificate11Assertion.CreateClientOutputFilter(FilterCreationContext context) at Microsoft.Web.Services3.Design.Policy.CreateClientPipeline(PipelineCreationContext context) at Microsoft.Web.Services3.WebServicesClientProtocol.SetPolicy(Policy policy) at Microsoft.Web.Services3.WebServicesClientProtocol.SetPolicy(String policyName) at _Default.Button1_Click(Object sender, EventArgs e) in S:\Security\WSEbasic\WSEbasic15\WebSite15\Default.aspx.vb:line 10 With WSE X.509 Certificate Tool I added ASPNET user to my certificate (I use WSE2QuickStartClient test certificate) under "Current User / Personal" and "Local Computer / Personal" stores. My Web Service works fine in IIS and on those credentials, but only if I run some client outside IIS. As soon as I change working client to using real Microsoft IIS 5.0 it all fails. My client code activation for this policy is: Dim proxy As New localhost.ServiceWse proxy.SetPolicy("ClientCertPolicy") TextBox1.Text = proxy.HelloWorld I get exception on SetPolicy. My policy file looks like that: <policies xmlns="http://schemas.microsoft.com/wse/2005/06/policy"> <extensions> <extension name="mutualCertificate11Security" type="Microsoft.Web.Services3.Design.MutualCertificate11Assertion, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" /> <extension name="x509" type="Microsoft.Web.Services3.Design.X509TokenProvider, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" /> <extension name="requireActionHeader" type="Microsoft.Web.Services3.Design.RequireActionHeaderAssertion, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" /> </extensions> <policy name="ClientCertPolicy"> <mutualCertificate11Security establishSecurityContext="false" renewExpiredSecurityContext="true" requireSignatureConfirmation="true" messageProtectionOrder="SignBeforeEncrypt" requireDerivedKeys="true" ttlInSeconds="300"> <clientToken> <x509 storeLocation="CurrentUser" storeName="My" findValue="CN=WSE2QuickStartClient" findType="FindBySubjectDistinguishedName" /> </clientToken> <serviceToken> <x509 storeLocation="CurrentUser" storeName="AddressBook" findValue="CN=WSE2QuickStartServer" findType="FindBySubjectDistinguishedName" /> </serviceToken> <protection> <request signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true" /> <response signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true" /> <fault signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="false" /> </protection> </mutualCertificate11Security> <requireActionHeader /> </policy> </policies> I have tried to run and build this on other computers, with same bad resoults. To me it looks like IIS has some security issues with WSE. Could anybody give me a hint on where to look? Jack
The certificate is stored in your user profile, while the client application
runs on IIS 5.1 under the aspnet account, so the application is trying to find the cerificate in the "Current User / Personal" store, where Current User = aspnet (or which technical account you configured for running the ASP.net). Change the policy to look in the "Local Computer / Personal" store for the certificate. [quoted text, click to view] "jackm" wrote:
> I have a big problem with running ASP.NET client with WSE 3.0 directly > on IIS. Every client application I create works fine if I run it under > ASP.NET Development Server (it probably runs everything as admin) but > as soon as I change this project to run under IIS I'll get the > following exception: > > WSE2013: X509TokenProvider is unable to provide an X.509 token. There > are no certificates in the certificate store that match the find value > of 'CN=WSE2QuickStartServer'. > > at > Microsoft.Web.Services3.Design.X509TokenProvider.CreateToken(StoreLocation > location, StoreName storeName, String findValue, X509FindType findType) > at Microsoft.Web.Services3.Design.X509TokenProvider.GetToken() > at > Microsoft.Web.Services3.Design.MutualCertificate11Assertion.ClientOutputFilter..ctor(MutualCertificate11Assertion > assertion) > at > Microsoft.Web.Services3.Design.MutualCertificate11Assertion.CreateClientOutputFilter(FilterCreationContext > context) > at > Microsoft.Web.Services3.Design.Policy.CreateClientPipeline(PipelineCreationContext > context) > at > Microsoft.Web.Services3.WebServicesClientProtocol.SetPolicy(Policy > policy) > at > Microsoft.Web.Services3.WebServicesClientProtocol.SetPolicy(String > policyName) > at _Default.Button1_Click(Object sender, EventArgs e) in > S:\Security\WSEbasic\WSEbasic15\WebSite15\Default.aspx.vb:line 10 > > With WSE X.509 Certificate Tool I added ASPNET user to my certificate > (I use WSE2QuickStartClient test certificate) under "Current User / > Personal" and "Local Computer / Personal" stores. My Web Service > works fine in IIS and on those credentials, but only if I run some > client outside IIS. As soon as I change working client to using real > Microsoft IIS 5.0 it all fails. > My client code activation for this policy is: > Dim proxy As New localhost.ServiceWse > proxy.SetPolicy("ClientCertPolicy") > TextBox1.Text = proxy.HelloWorld > > I get exception on SetPolicy. > My policy file looks like that: > > <policies xmlns="http://schemas.microsoft.com/wse/2005/06/policy"> > <extensions> > <extension name="mutualCertificate11Security" > type="Microsoft.Web.Services3.Design.MutualCertificate11Assertion, > Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, > PublicKeyToken=31bf3856ad364e35" /> > <extension name="x509" > type="Microsoft.Web.Services3.Design.X509TokenProvider, > Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, > PublicKeyToken=31bf3856ad364e35" /> > <extension name="requireActionHeader" > type="Microsoft.Web.Services3.Design.RequireActionHeaderAssertion, > Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, > PublicKeyToken=31bf3856ad364e35" /> > </extensions> > <policy name="ClientCertPolicy"> > <mutualCertificate11Security establishSecurityContext="false" > renewExpiredSecurityContext="true" requireSignatureConfirmation="true" > messageProtectionOrder="SignBeforeEncrypt" requireDerivedKeys="true" > ttlInSeconds="300"> > <clientToken> > <x509 storeLocation="CurrentUser" storeName="My" > findValue="CN=WSE2QuickStartClient" > findType="FindBySubjectDistinguishedName" /> > </clientToken> > <serviceToken> > <x509 storeLocation="CurrentUser" storeName="AddressBook" > findValue="CN=WSE2QuickStartServer" > findType="FindBySubjectDistinguishedName" /> > </serviceToken> > <protection> > <request signatureOptions="IncludeAddressing, IncludeTimestamp, > IncludeSoapBody" encryptBody="true" /> > <response signatureOptions="IncludeAddressing, > IncludeTimestamp, IncludeSoapBody" encryptBody="true" /> > <fault signatureOptions="IncludeAddressing, IncludeTimestamp, > IncludeSoapBody" encryptBody="false" /> > </protection> > </mutualCertificate11Security> > <requireActionHeader /> > </policy> > </policies> > > > I have tried to run and build this on other computers, with same bad > resoults. To me it looks like IIS has some security issues with WSE. > Could anybody give me a hint on where to look? > > Jack >
Don't see what you're looking for? Try a search.
|
June 2004
July 2004
August 2004
September 2004
October 2004
November 2004
December 2004
January 2005
February 2005
March 2005
April 2005
May 2005
June 2005
July 2005
August 2005
September 2005
October 2005
November 2005
December 2005
January 2006
February 2006
March 2006
April 2006
May 2006
June 2006
July 2006
August 2006
September 2006
October 2006
November 2006
December 2006
January 2007
February 2007
March 2007
April 2007
May 2007
June 2007
July 2007
August 2007
September 2007
October 2007
November 2007
December 2007
March 2008
April 2008
May 2008
June 2008
| home · blog · groups | Questions? Comments? Contact the dn |