| Groups | Blog | Home |
dotnet web services enhancements : Why am I getting WSE2008: KerberosToken is expected but not present in the security header of the incoming message.
when my client tries to call a Web Service method on the server. Debugging the problem, I tried using the QuickStart WSSecurityKerberos Policy sample. When I use the QuickStart sample everything works just fine (both client and server applications are running on the same Windows 2003 R2 Server machine -- a 64-bit machine w/ 4 Intel Xeon 2.8GHz processors, w/ 4GB of RAM). However, when I take the identical wse3policy.config settings from client and server (each) and put them into a 2nd application on that same machine (also with client app and server app running on same box), the output processing of the client includes Wse2PiplelinePolicy+LegacyFilterWrapper. I'm thinking that this is the crux of the problem, but I do not know how to fix it. When turn detailed tracing on and look at the client-side OutputTrace.webinfo in my application, indeed I do *not* see any Kerberos info. Here is a partial paste of that trace: <outputMessage utc="4/17/2006 1:24:46 PM" messageId="urn:uuid:3daeb0fb-49f3-4c17-bb87-4bfca210c00b"> <processingStep description="Unprocessed message"> <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"> <soap:Body> <ImagingFolioStore xmlns="urn:digimarc.com:ImageServer:WebServices"> <folio xmlns="urn:digimarc.com:imaging"> ... </folio> </ImagingFolioStore> </soap:Body> </soap:Envelope> </processingStep> <processingStep description="Entering SOAP filter Microsoft.Web.Services3.Security.Wse2PipelinePolicy+LegacyFilterWrapper" /> <processingStep description="Exited SOAP filter Microsoft.Web.Services3.Security.Wse2PipelinePolicy+LegacyFilterWrapper" /> <processingStep description="Entering SOAP filter Microsoft.Web.Services3.Security.Wse2PipelinePolicy+LegacyFilterWrapper" /> <processingStep description="Exited SOAP filter Microsoft.Web.Services3.Security.Wse2PipelinePolicy+LegacyFilterWrapper" /> <processingStep description="Processed message"> On the other hand, here is the OutputTrace.webinfo from the WSSecurityKerberos Policy sample. Note that it contains Kerberos processing: <outputMessage utc="4/14/2006 9:10:54 PM" messageId="urn:uuid:e3e4d2ca-e4fe-4362-87a5-11d5898886c6"> <processingStep description="Unprocessed message"> <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"> <soap:Body> <StockQuoteRequest xmlns="http://stockservice.contoso.com/wse/samples/2005/10"> <symbols> <Symbol>FABRIKAM</Symbol> <Symbol>CONTOSO</Symbol> </symbols> </StockQuoteRequest> </soap:Body> </soap:Envelope> </processingStep> <processingStep description="Entering SOAP filter Microsoft.Web.Services3.Design.KerberosAssertion+ClientOutputFilter" /> <processingStep description="Exited SOAP filter Microsoft.Web.Services3.Design.KerberosAssertion+ClientOutputFilter" /> <processingStep description="Processed message"> Why the differences? How do I fix? Howard Hoffman
Hi Howard,
Did you configure the Web service and the proxy to use the WSE policy (Kerberos) ?. (Calling the method setPolicy or using the attribute "Policy"). Regards, Pablo Cibraro http://weblogs.asp.net/cibrax [quoted text, click to view] "Howard Hoffman" <HowardH@community.nospam> wrote in message news:edr03liYGHA.3832@TK2MSFTNGP04.phx.gbl... > I'm working with a WSE3 client and WSE3 server. I'm getting the above > error when my client tries to call a Web Service method on the server. > > Debugging the problem, I tried using the QuickStart WSSecurityKerberos > Policy sample. When I use the QuickStart sample everything works just fine > (both client and server applications are running on the same Windows 2003 > R2 Server machine -- a 64-bit machine w/ 4 Intel Xeon 2.8GHz processors, > w/ 4GB of RAM). > > However, when I take the identical wse3policy.config settings from client > and server (each) and put them into a 2nd application on that same machine > (also with client app and server app running on same box), the output > processing of the client includes Wse2PiplelinePolicy+LegacyFilterWrapper. > > I'm thinking that this is the crux of the problem, but I do not know how > to fix it. > > When turn detailed tracing on and look at the client-side > OutputTrace.webinfo in my application, indeed I do *not* see any Kerberos > info. Here is a partial paste of that trace: > > <outputMessage utc="4/17/2006 1:24:46 PM" > messageId="urn:uuid:3daeb0fb-49f3-4c17-bb87-4bfca210c00b"> > <processingStep description="Unprocessed message"> > <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" > xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" > xmlns:xsd="http://www.w3.org/2001/XMLSchema"> > <soap:Body> > <ImagingFolioStore > xmlns="urn:digimarc.com:ImageServer:WebServices"> > <folio xmlns="urn:digimarc.com:imaging"> > ... > </folio> > </ImagingFolioStore> > </soap:Body> > </soap:Envelope> > </processingStep> > <processingStep description="Entering SOAP filter > Microsoft.Web.Services3.Security.Wse2PipelinePolicy+LegacyFilterWrapper" > /> > <processingStep description="Exited SOAP filter > Microsoft.Web.Services3.Security.Wse2PipelinePolicy+LegacyFilterWrapper" > /> > <processingStep description="Entering SOAP filter > Microsoft.Web.Services3.Security.Wse2PipelinePolicy+LegacyFilterWrapper" > /> > <processingStep description="Exited SOAP filter > Microsoft.Web.Services3.Security.Wse2PipelinePolicy+LegacyFilterWrapper" > /> > <processingStep description="Processed message"> > > On the other hand, here is the OutputTrace.webinfo from the > WSSecurityKerberos Policy sample. Note that it contains Kerberos > processing: > > <outputMessage utc="4/14/2006 9:10:54 PM" > messageId="urn:uuid:e3e4d2ca-e4fe-4362-87a5-11d5898886c6"> > <processingStep description="Unprocessed message"> > <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" > xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" > xmlns:xsd="http://www.w3.org/2001/XMLSchema"> > <soap:Body> > <StockQuoteRequest > xmlns="http://stockservice.contoso.com/wse/samples/2005/10"> > <symbols> > <Symbol>FABRIKAM</Symbol> > <Symbol>CONTOSO</Symbol> > </symbols> > </StockQuoteRequest> > </soap:Body> > </soap:Envelope> > </processingStep> > <processingStep description="Entering SOAP filter > Microsoft.Web.Services3.Design.KerberosAssertion+ClientOutputFilter" /> > <processingStep description="Exited SOAP filter > Microsoft.Web.Services3.Design.KerberosAssertion+ClientOutputFilter" /> > <processingStep description="Processed message"> > > Why the differences? How do I fix? > > Howard Hoffman > > >
Pablo --
I'm using the Policy attribute on both Client and Server. Here's my client code: [Microsoft.Web.Services3.Policy("AuthorizationPolicy")] partial class ImageServiceWse : Microsoft.Web.Services3.WebServicesClientProtocol { } and policy config: <policies xmlns="http://schemas.microsoft.com/wse/2005/06/policy"> <extensions> <extension name="kerberosSecurity" type="Microsoft.Web.Services3.Design.KerberosAssertion, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" /> <extension name="kerberos" type="Microsoft.Web.Services3.Design.KerberosTokenProvider, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" /> <extension name="requireActionHeader" type="Microsoft.Web.Services3.Design.RequireActionHeaderAssertion, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" /> </extensions> <policy name="AuthorizationPolicy"> <kerberosSecurity establishSecurityContext="false" requireSignatureConfirmation="false" messageProtectionOrder="SignBeforeEncrypt" requireDerivedKeys="false" ttlInSeconds="300"> <token> <!-- By default this sample does not work until you have changed the TargetMachineName value --> <!-- Change the TargetMachineName value to the machine name with the Web Service e.g. targetPrincipal="host/server1" --> <kerberos targetPrincipal="host/PAISDEV2" impersonationLevel="Identification" /> </token> <protection> <request signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true" /> <response signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true" /> <fault signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="false" /> </protection> </kerberosSecurity> <requireActionHeader /> </policy> </policies> Here's my server policy config: <policies xmlns="http://schemas.microsoft.com/wse/2005/06/policy"> <extensions> <extension name="kerberosSecurity" type="Microsoft.Web.Services3.Design.KerberosAssertion, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" /> <extension name="requireActionHeader" type="Microsoft.Web.Services3.Design.RequireActionHeaderAssertion, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" /> </extensions> <policy name="AuthorizationPolicy"> <kerberosSecurity establishSecurityContext="false" requireSignatureConfirmation="false" messageProtectionOrder="SignBeforeEncrypt" requireDerivedKeys="false" ttlInSeconds="300"> <protection> <request signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true" /> <response signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true" /> <fault signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="false" /> </protection> </kerberosSecurity> <requireActionHeader /> </policy> </policies> Thanks in advance, Howard [quoted text, click to view] "Pablo Cibraro" <pcibraro@hotmail.com> wrote in message
news:%23XH6f4kYGHA.2208@TK2MSFTNGP03.phx.gbl... > Hi Howard, > > Did you configure the Web service and the proxy to use the WSE policy > (Kerberos) ?. (Calling the method setPolicy or using the attribute > "Policy"). > > Regards, > Pablo Cibraro > http://weblogs.asp.net/cibrax > > "Howard Hoffman" <HowardH@community.nospam> wrote in message > news:edr03liYGHA.3832@TK2MSFTNGP04.phx.gbl... >> I'm working with a WSE3 client and WSE3 server. I'm getting the above >> error when my client tries to call a Web Service method on the server. >> >> Debugging the problem, I tried using the QuickStart WSSecurityKerberos >> Policy sample. When I use the QuickStart sample everything works just >> fine (both client and server applications are running on the same Windows >> 2003 R2 Server machine -- a 64-bit machine w/ 4 Intel Xeon 2.8GHz >> processors, w/ 4GB of RAM). >> >> However, when I take the identical wse3policy.config settings from client >> and server (each) and put them into a 2nd application on that same >> machine (also with client app and server app running on same box), the >> output processing of the client includes >> Wse2PiplelinePolicy+LegacyFilterWrapper. >> >> I'm thinking that this is the crux of the problem, but I do not know how >> to fix it. >> >> When turn detailed tracing on and look at the client-side >> OutputTrace.webinfo in my application, indeed I do *not* see any Kerberos >> info. Here is a partial paste of that trace: >> >> <outputMessage utc="4/17/2006 1:24:46 PM" >> messageId="urn:uuid:3daeb0fb-49f3-4c17-bb87-4bfca210c00b"> >> <processingStep description="Unprocessed message"> >> <soap:Envelope >> xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" >> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" >> xmlns:xsd="http://www.w3.org/2001/XMLSchema"> >> <soap:Body> >> <ImagingFolioStore >> xmlns="urn:digimarc.com:ImageServer:WebServices"> >> <folio xmlns="urn:digimarc.com:imaging"> >> ... >> </folio> >> </ImagingFolioStore> >> </soap:Body> >> </soap:Envelope> >> </processingStep> >> <processingStep description="Entering SOAP filter >> Microsoft.Web.Services3.Security.Wse2PipelinePolicy+LegacyFilterWrapper" >> /> >> <processingStep description="Exited SOAP filter >> Microsoft.Web.Services3.Security.Wse2PipelinePolicy+LegacyFilterWrapper" >> /> >> <processingStep description="Entering SOAP filter >> Microsoft.Web.Services3.Security.Wse2PipelinePolicy+LegacyFilterWrapper" >> /> >> <processingStep description="Exited SOAP filter >> Microsoft.Web.Services3.Security.Wse2PipelinePolicy+LegacyFilterWrapper" >> /> >> <processingStep description="Processed message"> >> >> On the other hand, here is the OutputTrace.webinfo from the >> WSSecurityKerberos Policy sample. Note that it contains Kerberos >> processing: >> >> <outputMessage utc="4/14/2006 9:10:54 PM" >> messageId="urn:uuid:e3e4d2ca-e4fe-4362-87a5-11d5898886c6"> >> <processingStep description="Unprocessed message"> >> <soap:Envelope >> xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" >> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" >> xmlns:xsd="http://www.w3.org/2001/XMLSchema"> >> <soap:Body> >> <StockQuoteRequest >> xmlns="http://stockservice.contoso.com/wse/samples/2005/10"> >> <symbols> >> <Symbol>FABRIKAM</Symbol> >> <Symbol>CONTOSO</Symbol> >> </symbols> >> </StockQuoteRequest> >> </soap:Body> >> </soap:Envelope> >> </processingStep>
Hi Howard,
From the trace log from the client-side, it seems the kerberos policy assertion is not applied on the application. Though you've used the PolicyAttribute in the client-side proxy's partial class file to apply the PolicyAssertion, I would still suggest you try using code to apply the Polcy on the WSE client proxy class, (using the SetPolicy method instead of attribute) to see whether it helps. I remember that the WSE kerberos example's client proxy always use code to programmatically apply the policy assertion. Regards, Steven Cheng Microsoft Online Community Support ================================================== When responding to posts, please "Reply to Group" via your newsreader so that others may learn and benefit from your issue. ==================================================
I was skeptical that your suggestion could be the answer ... but it works!
I changed my WSE client to not extend the generated partial class with the Policy[] attribute, and instead to call the SetPolicy() method on the generated proxy. I'm much happier now! Just for completeness, I'm wondering if I've hit a WSE3 defect -- not being able to use a Policy attribute on an extension to the generated proxy? Thank you very much, Howard Hoffman [quoted text, click to view] "Steven Cheng[MSFT]" <stcheng@online.microsoft.com> wrote in message news:OtyZw8oYGHA.880@TK2MSFTNGXA01.phx.gbl... > Hi Howard, > > From the trace log from the client-side, it seems the kerberos policy > assertion is not applied on the application. Though you've used the > PolicyAttribute in the client-side proxy's partial class file to apply the > PolicyAssertion, I would still suggest you try using code to apply the > Polcy on the WSE client proxy class, (using the SetPolicy method instead > of > attribute) to see whether it helps. I remember that the WSE kerberos > example's client proxy always use code to programmatically apply the > policy > assertion. > > Regards, > > Steven Cheng > Microsoft Online Community Support > > > ================================================== > > When responding to posts, please "Reply to Group" via your newsreader so > that others may learn and benefit from your issue. > > ================================================== > > > This posting is provided "AS IS" with no warranties, and confers no > rights. > >
Thank you for the response Howard,
I'm also happy that you got it worked , at least through the programmatic approach. Actually, this suggestion just used to makesure there is nothing else incorrect and only the policy configuration issue. And based on my test, we can certainly use the "PolicyAttribute" for client proxy class as long as we make sure that our partial class's fullname (namespace + classname ) is identical to the designer generated class. e.g: ========deisigner generated one========= namespace WSE3Client.WSE3Service { ......................... public partial class ServiceWse : Microsoft.Web.Services3.WebServicesClientProtocol { ............... ============================= =======my custom partial class file======== namespace WSE3Client.WSE3Service { [Microsoft.Web.Services3.Policy("ClientPolicy")] public partial class ServiceWse { } } ====================== This did work. So I think you can have a further check on this class's name and namespace, also, make sure your partial class's accessor is "public" so as to make it also idenitcal to the deisgner generated one. Hope this helps. Regards, Steven Cheng Microsoft Online Community Support ================================================== When responding to posts, please "Reply to Group" via your newsreader so that others may learn and benefit from your issue. ==================================================
Steve -
Changing to the imperitive approach worked! I apologize for not replying sooner. After that worked, I re-examined my declarative code and found that my partial class was in the wrong namespace. A C# goof on my part. I fixed up the namespace issuen, and now the declarative approach works as well. Thank you for helping me find my problem. -- Howard Hoffman [quoted text, click to view] "Steven Cheng[MSFT]" wrote:
> Hi Howard, > > Have you tried the further things in my last reply or have you finally got > the declartive approach work? If there is still anything else we can help, > please feel free to post here. > > Regards, > > Steven Cheng > Microsoft Online Community Support > > > ================================================== > > When responding to posts, please "Reply to Group" via your newsreader so > that others may learn and benefit from your issue. > > ================================================== > > > This posting is provided "AS IS" with no warranties, and confers no rights. > > > > Get Secure! www.microsoft.com/security > (This posting is provided "AS IS", with no warranties, and confers no
Hi Howard,
Have you tried the further things in my last reply or have you finally got the declartive approach work? If there is still anything else we can help, please feel free to post here. Regards, Steven Cheng Microsoft Online Community Support ================================================== When responding to posts, please "Reply to Group" via your newsreader so that others may learn and benefit from your issue. ================================================== This posting is provided "AS IS" with no warranties, and confers no rights. Get Secure! www.microsoft.com/security (This posting is provided "AS IS", with no warranties, and confers no
Don't see what you're looking for? Try a search.
|
June 2004
July 2004
August 2004
September 2004
October 2004
November 2004
December 2004
January 2005
February 2005
March 2005
April 2005
May 2005
June 2005
July 2005
August 2005
September 2005
October 2005
November 2005
December 2005
January 2006
February 2006
March 2006
April 2006
May 2006
June 2006
July 2006
August 2006
September 2006
October 2006
November 2006
December 2006
January 2007
February 2007
March 2007
April 2007
May 2007
June 2007
July 2007
August 2007
September 2007
October 2007
November 2007
December 2007
March 2008
April 2008
May 2008
June 2008
| home · blog · groups | Questions? Comments? Contact the dn |