| Groups | Blog | Home |
dotnet security : security header is not present in the incoming message
present in the incoming message I get this exception every time I run my service thru ordinary IIS instead of Default IIS in VS.NET Studio. My service is a simple ‘Hello World with certificate policy. My client is simple ASP.NET Web Site with one button and textbox. I use Certificate Policy (mutualCertificate11Security) on both server and client. (I have tried this with anonymousForCertificateSecurity and got same bad result). Everything works fine if my service and webclient is in same solution and I run everything thru VS.NET studio build in IIS. But If I create a virtual directory in my computer IIS, run my service there, change my web reference to this service I get this exception: WSE910: An error happened during the processing of a response message, and you can find the error in the inner exception. You can also find the response message in the Response property. at Microsoft.Web.Services3.Xml.SoapEnvelopeReaderWrapper..ctor(SoapClientMessage message, String messageContentType) at Microsoft.Web.Services3.WebServicesClientProtocol.GetReaderForMessage(SoapClientMessage message, Int32 bufferSize) at System.Web.Services.Protocols.SoapHttpClientProtocol.ReadResponse(SoapClientMessage message, WebResponse response, Stream responseStream, Boolean asyncCall) at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters) at localhost.ServiceWse.HelloWorld() in e:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\website10\b15bc141\c8235faa\App_WebReferences.qqc4zbev.0.cs:line 46 at _Default.Button1_Click(Object sender, EventArgs e) in S:\Security\WSEbasic\WSEbasic10\WebSite10\Default.aspx.vb:line 11 --------------Inner Exception ---------------------------- Security requirements are not satisfied because the security header is not present in the incoming message. at Microsoft.Web.Services3.Security.SecureConversationClientReceiveSecurityFilter.ValidateMessageSecurity(SoapEnvelope envelope, Security security) at Microsoft.Web.Services3.Security.ReceiveSecurityFilter.ProcessMessage(SoapEnvelope envelope) at Microsoft.Web.Services3.Pipeline.ProcessInputMessage(SoapEnvelope envelope) at Microsoft.Web.Services3.Xml.SoapEnvelopeReaderWrapper..ctor(SoapClientMessage message, String messageContentType) Here is my service code: Imports System.Web Imports System.Web.Services Imports System.Web.Services.Protocols Imports System.Security.Principal Imports Microsoft.Web.Services3 Imports Microsoft.Web.Services3.Design <WebService(Namespace:="http://tempuri.org/")> _ <WebServiceBinding(ConformsTo:=WsiProfiles.BasicProfile1_1)> _ <Global.Microsoft.VisualBasic.CompilerServices.DesignerGenerated()> _ <Policy("ServerCertPolicy")> _ Public Class xService Inherits System.Web.Services.WebService <WebMethod()> _ Public Function HelloWorld() As String Return "Hello World from xWebService 5" End Function End Class My service web.config looks like that: <?xml version="1.0" encoding="utf-8"?> <configuration xmlns="http://schemas.microsoft.com/.NetConfiguration/v2.0"> <configSections> <section name="microsoft.web.services3" type="Microsoft.Web.Services3.Configuration.WebServicesConfiguration, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" /> </configSections> <appSettings /> <connectionStrings /> <system.web> <compilation debug="true" strict="false" explicit="true"> <assemblies> <add assembly="Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" /> </assemblies> </compilation> <pages> <namespaces> <clear /> <add namespace="System" /> <add namespace="System.Collections" /> <add namespace="System.Collections.Specialized" /> <add namespace="System.Configuration" /> <add namespace="System.Text" /> <add namespace="System.Text.RegularExpressions" /> <add namespace="System.Web" /> <add namespace="System.Web.Caching" /> <add namespace="System.Web.SessionState" /> <add namespace="System.Web.Security" /> <add namespace="System.Web.Profile" /> <add namespace="System.Web.UI" /> <add namespace="System.Web.UI.WebControls" /> <add namespace="System.Web.UI.WebControls.WebParts" /> <add namespace="System.Web.UI.HtmlControls" /> </namespaces> </pages> <webServices> <soapExtensionImporterTypes> <add type="Microsoft.Web.Services3.Description.WseExtensionImporter, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" /> </soapExtensionImporterTypes> <soapServerProtocolFactory type="Microsoft.Web.Services3.WseProtocolFactory, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" /> </webServices> </system.web> <microsoft.web.services3> <security> <x509 allowTestRoot="false" storeLocation="LocalMachine" /> </security> <policy fileName="wse3policyCache.config" /> <diagnostics> <trace enabled="true" input="logs\InputTrace.webinfo" output="logs\OutputTrace.webinfo" /> </diagnostics> </microsoft.web.services3> </configuration> … and my service policy looks like that: <policies xmlns="http://schemas.microsoft.com/wse/2005/06/policy"> <extensions> <extension name="mutualCertificate11Security" type="Microsoft.Web.Services3.Design.MutualCertificate11Assertion, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" /> <extension name="x509" type="Microsoft.Web.Services3.Design.X509TokenProvider, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" /> <extension name="requireActionHeader" type="Microsoft.Web.Services3.Design.RequireActionHeaderAssertion, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" /> </extensions> <policy name="ServerCertPolicy"> <mutualCertificate11Security establishSecurityContext="false" renewExpiredSecurityContext="true" requireSignatureConfirmation="true" messageProtectionOrder="SignBeforeEncrypt" requireDerivedKeys="true" ttlInSeconds="300"> <serviceToken> <x509 storeLocation="LocalMachine" storeName="My" findValue="CN=WSE2QuickStartServer" findType="FindBySubjectDistinguishedName" /> </serviceToken> <protection> <request signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true" /> <response signatureOptions="IncludeAddressing, IncludeTimestamp,
Hello JackMadeja,
from experience - a iisreset does help sometimes... [Policy] and SetPolicy are called correctly on client/server ? --------------------------------------- Dominick Baier - DevelopMentor http://www.leastprivilege.com [quoted text, click to view] > Security requirements are not satisfied because the security header is
> not present in the incoming message > > I get this exception every time I run my service thru ordinary IIS > instead of Default IIS in VS.NET Studio. My service is a simple 'Hello > World with certificate policy. My client is simple ASP.NET Web Site > with one button and textbox. I use Certificate Policy > (mutualCertificate11Security) on both server and client. (I have tried > this with anonymousForCertificateSecurity and got same bad result). > Everything works fine if my service and webclient is in same solution > and I run everything thru VS.NET studio build in IIS. But If I create > a virtual directory in my computer IIS, run my service there, change > my web reference to this service I get this exception: > > WSE910: An error happened during the processing of a response message, > and you can find the error in the inner exception. You can also find > the response message in the Response property. > > at > Microsoft.Web.Services3.Xml.SoapEnvelopeReaderWrapper..ctor(SoapClient > Message > message, String messageContentType) > at > Microsoft.Web.Services3.WebServicesClientProtocol.GetReaderForMessage( > SoapClientMessage message, Int32 bufferSize) > at > System.Web.Services.Protocols.SoapHttpClientProtocol.ReadResponse(Soap > ClientMessage message, WebResponse response, Stream responseStream, > Boolean asyncCall) > at > System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String > methodName, Object[] parameters) > at localhost.ServiceWse.HelloWorld() in > e:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET > Files\website10\b15bc141\c8235faa\App_WebReferences.qqc4zbev.0.cs:line > 46 > at _Default.Button1_Click(Object sender, EventArgs e) in > S:\Security\WSEbasic\WSEbasic10\WebSite10\Default.aspx.vb:line 11 > --------------Inner Exception ---------------------------- > Security requirements are not satisfied because the security header is > not > present in the incoming message. > at > Microsoft.Web.Services3.Security.SecureConversationClientReceiveSecuri > tyFilter.ValidateMessageSecurity(SoapEnvelope envelope, Security > security) > at > Microsoft.Web.Services3.Security.ReceiveSecurityFilter.ProcessMessage( > SoapEnvelope envelope) > at > Microsoft.Web.Services3.Pipeline.ProcessInputMessage(SoapEnvelope > envelope) > at > Microsoft.Web.Services3.Xml.SoapEnvelopeReaderWrapper..ctor(SoapClient > Message > message, String messageContentType) > > Here is my service code: > > Imports System.Web > Imports System.Web.Services > Imports System.Web.Services.Protocols > Imports System.Security.Principal > Imports Microsoft.Web.Services3 > Imports Microsoft.Web.Services3.Design > <WebService(Namespace:="http://tempuri.org/")> _ > <WebServiceBinding(ConformsTo:=WsiProfiles.BasicProfile1_1)> _ > <Global.Microsoft.VisualBasic.CompilerServices.DesignerGenerated()> _ > <Policy("ServerCertPolicy")> _ > Public Class xService > Inherits System.Web.Services.WebService > <WebMethod()> _ > Public Function HelloWorld() As String > Return "Hello World from xWebService 5" > End Function > End Class > > My service web.config looks like that: > > <?xml version="1.0" encoding="utf-8"?> > <configuration > xmlns="http://schemas.microsoft.com/.NetConfiguration/v2.0"> > <configSections> > <section name="microsoft.web.services3" > type="Microsoft.Web.Services3.Configuration.WebServicesConfiguration, > Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, > PublicKeyToken=31bf3856ad364e35" /> > </configSections> > <appSettings /> > <connectionStrings /> > <system.web> > <compilation debug="true" strict="false" explicit="true"> > <assemblies> > <add assembly="Microsoft.Web.Services3, Version=3.0.0.0, > Culture=neutral, PublicKeyToken=31BF3856AD364E35" /> > </assemblies> > </compilation> > <pages> > <namespaces> > <clear /> > <add namespace="System" /> > <add namespace="System.Collections" /> > <add namespace="System.Collections.Specialized" /> > <add namespace="System.Configuration" /> > <add namespace="System.Text" /> > <add namespace="System.Text.RegularExpressions" /> > <add namespace="System.Web" /> > <add namespace="System.Web.Caching" /> > <add namespace="System.Web.SessionState" /> > <add namespace="System.Web.Security" /> > <add namespace="System.Web.Profile" /> > <add namespace="System.Web.UI" /> > <add namespace="System.Web.UI.WebControls" /> > <add namespace="System.Web.UI.WebControls.WebParts" /> > <add namespace="System.Web.UI.HtmlControls" /> > </namespaces> > </pages> > <webServices> > <soapExtensionImporterTypes> > <add > type="Microsoft.Web.Services3.Description.WseExtensionImporter, > Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, > PublicKeyToken=31bf3856ad364e35" /> > </soapExtensionImporterTypes> > <soapServerProtocolFactory > type="Microsoft.Web.Services3.WseProtocolFactory, > Microsoft.Web.Services3, > Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" /> > </webServices> > </system.web> > <microsoft.web.services3> > <security> > <x509 allowTestRoot="false" storeLocation="LocalMachine" /> > </security> > <policy fileName="wse3policyCache.config" /> > <diagnostics> > <trace enabled="true" input="logs\InputTrace.webinfo" > output="logs\OutputTrace.webinfo" /> > </diagnostics> > </microsoft.web.services3> > </configuration> > . and my service policy looks like that: > > <policies xmlns="http://schemas.microsoft.com/wse/2005/06/policy"> > <extensions> > <extension name="mutualCertificate11Security" > type="Microsoft.Web.Services3.Design.MutualCertificate11Assertion, > Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, > PublicKeyToken=31bf3856ad364e35" /> > <extension name="x509" > type="Microsoft.Web.Services3.Design.X509TokenProvider, > Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, > PublicKeyToken=31bf3856ad364e35" /> > <extension name="requireActionHeader" > type="Microsoft.Web.Services3.Design.RequireActionHeaderAssertion, > Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, > PublicKeyToken=31bf3856ad364e35" /> > </extensions> > <policy name="ServerCertPolicy"> > <mutualCertificate11Security establishSecurityContext="false" > renewExpiredSecurityContext="true" requireSignatureConfirmation="true" > messageProtectionOrder="SignBeforeEncrypt" requireDerivedKeys="true" > ttlInSeconds="300"> > <serviceToken> > <x509 storeLocation="LocalMachine" storeName="My" > findValue="CN=WSE2QuickStartServer" > findType="FindBySubjectDistinguishedName" > /> > </serviceToken> > <protection>
Iisreset – I have tried it with no results. [Policy] and SetPolicy are called
correctly – my service application works fine with server and client running under ASP.NET Development Server, but not with server in IIS. Similar problem appears when I run my client directly under IIS instead of under ASP.NET Development Server. In IIS ‘mode’ I get this policy error: ----- WSEservice 2 Exception -------- WSE2013: X509TokenProvider is unable to provide an X.509 token. There are no certificates in the certificate store that match the find value of 'CN=WSE2QuickStartServer'. at Microsoft.Web.Services3.Design.X509TokenProvider.CreateToken(StoreLocation location, StoreName storeName, String findValue, X509FindType findType) at Microsoft.Web.Services3.Design.X509TokenProvider.GetToken() at Microsoft.Web.Services3.Design.MutualCertificate11Assertion.ClientOutputFilter..ctor(MutualCertificate11Assertion assertion) at Microsoft.Web.Services3.Design.MutualCertificate11Assertion.CreateClientOutputFilter(FilterCreationContext context) at Microsoft.Web.Services3.Design.Policy.CreateClientPipeline(PipelineCreationContext context) at Microsoft.Web.Services3.WebServicesClientProtocol.SetPolicy(Policy policy) at Microsoft.Web.Services3.WebServicesClientProtocol.SetPolicy(String policyName) at _Default.Button1_Click(Object sender, EventArgs e) in S:\Security\WSEbasic\WSEbasic6\WebSite6\Default.aspx.vb:line 10 ------------------------------- Jack Madeja [quoted text, click to view] "Dominick Baier [DevelopMentor]" wrote:
> Hello JackMadeja, > > from experience - a iisreset does help sometimes... > > [Policy] and SetPolicy are called correctly on client/server ? > > --------------------------------------- > Dominick Baier - DevelopMentor > http://www.leastprivilege.com > > > Security requirements are not satisfied because the security header is > > not present in the incoming message > > > > I get this exception every time I run my service thru ordinary IIS > > instead of Default IIS in VS.NET Studio. My service is a simple 'Hello > > World with certificate policy. My client is simple ASP.NET Web Site > > with one button and textbox. I use Certificate Policy > > (mutualCertificate11Security) on both server and client. (I have tried > > this with anonymousForCertificateSecurity and got same bad result). > > Everything works fine if my service and webclient is in same solution > > and I run everything thru VS.NET studio build in IIS. But If I create > > a virtual directory in my computer IIS, run my service there, change > > my web reference to this service I get this exception: > > > > WSE910: An error happened during the processing of a response message, > > and you can find the error in the inner exception. You can also find > > the response message in the Response property. > > > > at > > Microsoft.Web.Services3.Xml.SoapEnvelopeReaderWrapper..ctor(SoapClient > > Message > > message, String messageContentType) > > at > > Microsoft.Web.Services3.WebServicesClientProtocol.GetReaderForMessage( > > SoapClientMessage message, Int32 bufferSize) > > at > > System.Web.Services.Protocols.SoapHttpClientProtocol.ReadResponse(Soap > > ClientMessage message, WebResponse response, Stream responseStream, > > Boolean asyncCall) > > at > > System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String > > methodName, Object[] parameters) > > at localhost.ServiceWse.HelloWorld() in > > e:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET > > Files\website10\b15bc141\c8235faa\App_WebReferences.qqc4zbev.0.cs:line > > 46 > > at _Default.Button1_Click(Object sender, EventArgs e) in > > S:\Security\WSEbasic\WSEbasic10\WebSite10\Default.aspx.vb:line 11 > > --------------Inner Exception ---------------------------- > > Security requirements are not satisfied because the security header is > > not > > present in the incoming message. > > at > > Microsoft.Web.Services3.Security.SecureConversationClientReceiveSecuri > > tyFilter.ValidateMessageSecurity(SoapEnvelope envelope, Security > > security) > > at > > Microsoft.Web.Services3.Security.ReceiveSecurityFilter.ProcessMessage( > > SoapEnvelope envelope) > > at > > Microsoft.Web.Services3.Pipeline.ProcessInputMessage(SoapEnvelope > > envelope) > > at > > Microsoft.Web.Services3.Xml.SoapEnvelopeReaderWrapper..ctor(SoapClient > > Message > > message, String messageContentType) > > > > Here is my service code: > > > > Imports System.Web > > Imports System.Web.Services > > Imports System.Web.Services.Protocols > > Imports System.Security.Principal > > Imports Microsoft.Web.Services3 > > Imports Microsoft.Web.Services3.Design > > <WebService(Namespace:="http://tempuri.org/")> _ > > <WebServiceBinding(ConformsTo:=WsiProfiles.BasicProfile1_1)> _ > > <Global.Microsoft.VisualBasic.CompilerServices.DesignerGenerated()> _ > > <Policy("ServerCertPolicy")> _ > > Public Class xService > > Inherits System.Web.Services.WebService > > <WebMethod()> _ > > Public Function HelloWorld() As String > > Return "Hello World from xWebService 5" > > End Function > > End Class > > > > My service web.config looks like that: > > > > <?xml version="1.0" encoding="utf-8"?> > > <configuration > > xmlns="http://schemas.microsoft.com/.NetConfiguration/v2.0"> > > <configSections> > > <section name="microsoft.web.services3" > > type="Microsoft.Web.Services3.Configuration.WebServicesConfiguration, > > Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, > > PublicKeyToken=31bf3856ad364e35" /> > > </configSections> > > <appSettings /> > > <connectionStrings /> > > <system.web> > > <compilation debug="true" strict="false" explicit="true"> > > <assemblies> > > <add assembly="Microsoft.Web.Services3, Version=3.0.0.0, > > Culture=neutral, PublicKeyToken=31BF3856AD364E35" /> > > </assemblies> > > </compilation> > > <pages> > > <namespaces> > > <clear /> > > <add namespace="System" /> > > <add namespace="System.Collections" /> > > <add namespace="System.Collections.Specialized" /> > > <add namespace="System.Configuration" /> > > <add namespace="System.Text" /> > > <add namespace="System.Text.RegularExpressions" /> > > <add namespace="System.Web" /> > > <add namespace="System.Web.Caching" /> > > <add namespace="System.Web.SessionState" /> > > <add namespace="System.Web.Security" /> > > <add namespace="System.Web.Profile" /> > > <add namespace="System.Web.UI" /> > > <add namespace="System.Web.UI.WebControls" /> > > <add namespace="System.Web.UI.WebControls.WebParts" /> > > <add namespace="System.Web.UI.HtmlControls" /> > > </namespaces> > > </pages> > > <webServices> > > <soapExtensionImporterTypes> > > <add > > type="Microsoft.Web.Services3.Description.WseExtensionImporter, > > Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, > > PublicKeyToken=31bf3856ad364e35" />
Hello JackMadeja,
ok - you have to import the certificate in the store of the account running the service - i guess thats NETWORK SERVICE Look at the Security Hands on Lab for WSE3 - the steps are detailed there. http://www.microsoft.com/downloads/details.aspx?familyid=9acd1f8e-97e2-43e2-b484-a74a014a8206&displaylang=en --------------------------------------- Dominick Baier - DevelopMentor http://www.leastprivilege.com [quoted text, click to view] > Iisreset - I have tried it with no results. [Policy] and SetPolicy are
> called correctly - my service application works fine with server and > client running under ASP.NET Development Server, but not with server > in IIS. Similar problem appears when I run my client directly under > IIS instead of under ASP.NET Development Server. In IIS 'mode' I get > this policy error: > > ----- WSEservice 2 Exception -------- > WSE2013: X509TokenProvider is unable to provide an X.509 token. There > are no > certificates in the certificate store that match the find value of > 'CN=WSE2QuickStartServer'. > at > Microsoft.Web.Services3.Design.X509TokenProvider.CreateToken(StoreLoca > tion > location, StoreName storeName, String findValue, X509FindType > findType) > at Microsoft.Web.Services3.Design.X509TokenProvider.GetToken() > at > Microsoft.Web.Services3.Design.MutualCertificate11Assertion.ClientOutp > utFilter..ctor(MutualCertificate11Assertion assertion) > at > Microsoft.Web.Services3.Design.MutualCertificate11Assertion.CreateClie > ntOutputFilter(FilterCreationContext context) > at > Microsoft.Web.Services3.Design.Policy.CreateClientPipeline(PipelineCre > ationContext context) > at > Microsoft.Web.Services3.WebServicesClientProtocol.SetPolicy(Policy > policy) > at > Microsoft.Web.Services3.WebServicesClientProtocol.SetPolicy(String > policyName) > at _Default.Button1_Click(Object sender, EventArgs e) in > S:\Security\WSEbasic\WSEbasic6\WebSite6\Default.aspx.vb:line 10 > ------------------------------- > Jack Madeja > "Dominick Baier [DevelopMentor]" wrote: > >> Hello JackMadeja, >> >> from experience - a iisreset does help sometimes... >> >> [Policy] and SetPolicy are called correctly on client/server ? >> >> --------------------------------------- >> Dominick Baier - DevelopMentor >> http://www.leastprivilege.com >>> Security requirements are not satisfied because the security header >>> is not present in the incoming message >>> >>> I get this exception every time I run my service thru ordinary IIS >>> instead of Default IIS in VS.NET Studio. My service is a simple >>> 'Hello World with certificate policy. My client is simple ASP.NET >>> Web Site with one button and textbox. I use Certificate Policy >>> (mutualCertificate11Security) on both server and client. (I have >>> tried this with anonymousForCertificateSecurity and got same bad >>> result). Everything works fine if my service and webclient is in >>> same solution and I run everything thru VS.NET studio build in IIS. >>> But If I create a virtual directory in my computer IIS, run my >>> service there, change my web reference to this service I get this >>> exception: >>> >>> WSE910: An error happened during the processing of a response >>> message, and you can find the error in the inner exception. You can >>> also find the response message in the Response property. >>> >>> at >>> Microsoft.Web.Services3.Xml.SoapEnvelopeReaderWrapper..ctor(SoapClie >>> nt >>> Message >>> message, String messageContentType) >>> at >>> Microsoft.Web.Services3.WebServicesClientProtocol.GetReaderForMessag >>> e( >>> SoapClientMessage message, Int32 bufferSize) >>> at >>> System.Web.Services.Protocols.SoapHttpClientProtocol.ReadResponse(So >>> ap >>> ClientMessage message, WebResponse response, Stream responseStream, >>> Boolean asyncCall) >>> at >>> System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String >>> methodName, Object[] parameters) >>> at localhost.ServiceWse.HelloWorld() in >>> e:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET >>> Files\website10\b15bc141\c8235faa\App_WebReferences.qqc4zbev.0.cs:li >>> ne >>> 46 >>> at _Default.Button1_Click(Object sender, EventArgs e) in >>> S:\Security\WSEbasic\WSEbasic10\WebSite10\Default.aspx.vb:line 11 >>> --------------Inner Exception ---------------------------- >>> Security requirements are not satisfied because the security header >>> is >>> not >>> present in the incoming message. >>> at >>> Microsoft.Web.Services3.Security.SecureConversationClientReceiveSecu >>> ri >>> tyFilter.ValidateMessageSecurity(SoapEnvelope envelope, Security >>> security) >>> at >>> Microsoft.Web.Services3.Security.ReceiveSecurityFilter.ProcessMessag >>> e( >>> SoapEnvelope envelope) >>> at >>> Microsoft.Web.Services3.Pipeline.ProcessInputMessage(SoapEnvelope >>> envelope) >>> at >>> Microsoft.Web.Services3.Xml.SoapEnvelopeReaderWrapper..ctor(SoapClie >>> nt >>> Message >>> message, String messageContentType) >>> Here is my service code: >>> >>> Imports System.Web >>> Imports System.Web.Services >>> Imports System.Web.Services.Protocols >>> Imports System.Security.Principal >>> Imports Microsoft.Web.Services3 >>> Imports Microsoft.Web.Services3.Design >>> <WebService(Namespace:="http://tempuri.org/")> _ >>> <WebServiceBinding(ConformsTo:=WsiProfiles.BasicProfile1_1)> _ >>> <Global.Microsoft.VisualBasic.CompilerServices.DesignerGenerated()> >>> _ >>> <Policy("ServerCertPolicy")> _ >>> Public Class xService >>> Inherits System.Web.Services.WebService >>> <WebMethod()> _ >>> Public Function HelloWorld() As String >>> Return "Hello World from xWebService 5" >>> End Function >>> End Class >>> My service web.config looks like that: >>> >>> <?xml version="1.0" encoding="utf-8"?> >>> <configuration >>> xmlns="http://schemas.microsoft.com/.NetConfiguration/v2.0"> >>> <configSections> >>> <section name="microsoft.web.services3" >>> type="Microsoft.Web.Services3.Configuration.WebServicesConfiguration >>> , >>> Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, >>> PublicKeyToken=31bf3856ad364e35" /> >>> </configSections> >>> <appSettings /> >>> <connectionStrings /> >>> <system.web> >>> <compilation debug="true" strict="false" explicit="true"> >>> <assemblies> >>> <add assembly="Microsoft.Web.Services3, Version=3.0.0.0, >>> Culture=neutral, PublicKeyToken=31BF3856AD364E35" /> >>> </assemblies> >>> </compilation> >>> <pages> >>> <namespaces> >>> <clear /> >>> <add namespace="System" /> >>> <add namespace="System.Collections" /> >>> <add namespace="System.Collections.Specialized" /> >>> <add namespace="System.Configuration" /> >>> <add namespace="System.Text" /> >>> <add namespace="System.Text.RegularExpressions" /> >>> <add namespace="System.Web" /> >>> <add namespace="System.Web.Caching" /> >>> <add namespace="System.Web.SessionState" /> >>> <add namespace="System.Web.Security" />
Hi Dominic. Thank you for you answers. I did import all certificates
according to instruction in those documents. One certificate “Client Private.pfx†to Certificates – Current User, Personal, Certificates. One certificate “Server Private.pfx†to Certificates – Current User, Other People, Certificates and the third one “Server Public.cer†to Certificates (Local Computer), Personal, Certificates. I really don’t know any other stores. I have tried to load “Server Public.cer†in other stores (Service accounts for different ASP.NET services) but without any luck. Still, as far as I know “My user account†should be used for both pfx-files and “Computer Account†for this public cer-file. And this goes for services run in IIS och in ASP.NET Development Server. As now they work fine in ASP.NET Development, but not in IIS. Could you please explain to me any other way to install those certificates to make my service work under real IIS? [quoted text, click to view] "Dominick Baier [DevelopMentor]" wrote:
> Hello JackMadeja, > > ok - you have to import the certificate in the store of the account running > the service - i guess thats NETWORK SERVICE > > Look at the Security Hands on Lab for WSE3 - the steps are detailed there. > > http://www.microsoft.com/downloads/details.aspx?familyid=9acd1f8e-97e2-43e2-b484-a74a014a8206&displaylang=en > > --------------------------------------- > Dominick Baier - DevelopMentor > http://www.leastprivilege.com > > > Iisreset - I have tried it with no results. [Policy] and SetPolicy are > > called correctly - my service application works fine with server and > > client running under ASP.NET Development Server, but not with server > > in IIS. Similar problem appears when I run my client directly under > > IIS instead of under ASP.NET Development Server. In IIS 'mode' I get > > this policy error: > > > > ----- WSEservice 2 Exception -------- > > WSE2013: X509TokenProvider is unable to provide an X.509 token. There > > are no > > certificates in the certificate store that match the find value of > > 'CN=WSE2QuickStartServer'. > > at > > Microsoft.Web.Services3.Design.X509TokenProvider.CreateToken(StoreLoca > > tion > > location, StoreName storeName, String findValue, X509FindType > > findType) > > at Microsoft.Web.Services3.Design.X509TokenProvider.GetToken() > > at > > Microsoft.Web.Services3.Design.MutualCertificate11Assertion.ClientOutp > > utFilter..ctor(MutualCertificate11Assertion assertion) > > at > > Microsoft.Web.Services3.Design.MutualCertificate11Assertion.CreateClie > > ntOutputFilter(FilterCreationContext context) > > at > > Microsoft.Web.Services3.Design.Policy.CreateClientPipeline(PipelineCre > > ationContext context) > > at > > Microsoft.Web.Services3.WebServicesClientProtocol.SetPolicy(Policy > > policy) > > at > > Microsoft.Web.Services3.WebServicesClientProtocol.SetPolicy(String > > policyName) > > at _Default.Button1_Click(Object sender, EventArgs e) in > > S:\Security\WSEbasic\WSEbasic6\WebSite6\Default.aspx.vb:line 10 > > ------------------------------- > > Jack Madeja > > "Dominick Baier [DevelopMentor]" wrote: > > > >> Hello JackMadeja, > >> > >> from experience - a iisreset does help sometimes... > >> > >> [Policy] and SetPolicy are called correctly on client/server ? > >> > >> --------------------------------------- > >> Dominick Baier - DevelopMentor > >> http://www.leastprivilege.com > >>> Security requirements are not satisfied because the security header > >>> is not present in the incoming message > >>> > >>> I get this exception every time I run my service thru ordinary IIS > >>> instead of Default IIS in VS.NET Studio. My service is a simple > >>> 'Hello World with certificate policy. My client is simple ASP.NET > >>> Web Site with one button and textbox. I use Certificate Policy > >>> (mutualCertificate11Security) on both server and client. (I have > >>> tried this with anonymousForCertificateSecurity and got same bad > >>> result). Everything works fine if my service and webclient is in > >>> same solution and I run everything thru VS.NET studio build in IIS. > >>> But If I create a virtual directory in my computer IIS, run my > >>> service there, change my web reference to this service I get this > >>> exception: > >>> > >>> WSE910: An error happened during the processing of a response > >>> message, and you can find the error in the inner exception. You can > >>> also find the response message in the Response property. > >>> > >>> at > >>> Microsoft.Web.Services3.Xml.SoapEnvelopeReaderWrapper..ctor(SoapClie > >>> nt > >>> Message > >>> message, String messageContentType) > >>> at > >>> Microsoft.Web.Services3.WebServicesClientProtocol.GetReaderForMessag > >>> e( > >>> SoapClientMessage message, Int32 bufferSize) > >>> at > >>> System.Web.Services.Protocols.SoapHttpClientProtocol.ReadResponse(So > >>> ap > >>> ClientMessage message, WebResponse response, Stream responseStream, > >>> Boolean asyncCall) > >>> at > >>> System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String > >>> methodName, Object[] parameters) > >>> at localhost.ServiceWse.HelloWorld() in > >>> e:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET > >>> Files\website10\b15bc141\c8235faa\App_WebReferences.qqc4zbev.0.cs:li > >>> ne > >>> 46 > >>> at _Default.Button1_Click(Object sender, EventArgs e) in > >>> S:\Security\WSEbasic\WSEbasic10\WebSite10\Default.aspx.vb:line 11 > >>> --------------Inner Exception ---------------------------- > >>> Security requirements are not satisfied because the security header > >>> is > >>> not > >>> present in the incoming message. > >>> at > >>> Microsoft.Web.Services3.Security.SecureConversationClientReceiveSecu > >>> ri > >>> tyFilter.ValidateMessageSecurity(SoapEnvelope envelope, Security > >>> security) > >>> at > >>> Microsoft.Web.Services3.Security.ReceiveSecurityFilter.ProcessMessag > >>> e( > >>> SoapEnvelope envelope) > >>> at > >>> Microsoft.Web.Services3.Pipeline.ProcessInputMessage(SoapEnvelope > >>> envelope) > >>> at > >>> Microsoft.Web.Services3.Xml.SoapEnvelopeReaderWrapper..ctor(SoapClie > >>> nt > >>> Message > >>> message, String messageContentType) > >>> Here is my service code: > >>> > >>> Imports System.Web > >>> Imports System.Web.Services > >>> Imports System.Web.Services.Protocols > >>> Imports System.Security.Principal > >>> Imports Microsoft.Web.Services3 > >>> Imports Microsoft.Web.Services3.Design > >>> <WebService(Namespace:="http://tempuri.org/")> _ > >>> <WebServiceBinding(ConformsTo:=WsiProfiles.BasicProfile1_1)> _ > >>> <Global.Microsoft.VisualBasic.CompilerServices.DesignerGenerated()> > >>> _ > >>> <Policy("ServerCertPolicy")> _ > >>> Public Class xService > >>> Inherits System.Web.Services.WebService > >>> <WebMethod()> _
Hello JackMadeja,
this document also mentions that you have to set the right ACLs for the worker process account - they use the X509Certificate tool that ships with WSE the account (most probably NETWORK SERVICE) needs read access to the private key file. --------------------------------------- Dominick Baier - DevelopMentor http://www.leastprivilege.com [quoted text, click to view] > Hi Dominic. Thank you for you answers. I did import all certificates
> according to instruction in those documents. One certificate "Client > Private.pfx" to Certificates - Current User, Personal, Certificates. > One certificate "Server Private.pfx" to Certificates - Current User, > Other People, Certificates and the third one "Server Public.cer" to > Certificates (Local Computer), Personal, Certificates. I really don't > know any other stores. I have tried to load "Server Public.cer" in > other stores (Service accounts for different ASP.NET services) but > without any luck. Still, as far as I know "My user account" should be > used for both pfx-files and "Computer Account" for this public > cer-file. And this goes for services run in IIS och in ASP.NET > Development Server. As now they work fine in ASP.NET Development, but > not in IIS. Could you please explain to me any other way to install > those certificates to make my service work under real IIS? > > "Dominick Baier [DevelopMentor]" wrote: > >> Hello JackMadeja, >> >> ok - you have to import the certificate in the store of the account >> running the service - i guess thats NETWORK SERVICE >> >> Look at the Security Hands on Lab for WSE3 - the steps are detailed >> there. >> >> http://www.microsoft.com/downloads/details.aspx?familyid=9acd1f8e-97e >> 2-43e2-b484-a74a014a8206&displaylang=en >> >> --------------------------------------- >> Dominick Baier - DevelopMentor >> http://www.leastprivilege.com >>> Iisreset - I have tried it with no results. [Policy] and SetPolicy >>> are called correctly - my service application works fine with server >>> and client running under ASP.NET Development Server, but not with >>> server in IIS. Similar problem appears when I run my client directly >>> under IIS instead of under ASP.NET Development Server. In IIS 'mode' >>> I get this policy error: >>> >>> ----- WSEservice 2 Exception -------- >>> WSE2013: X509TokenProvider is unable to provide an X.509 token. >>> There >>> are no >>> certificates in the certificate store that match the find value of >>> 'CN=WSE2QuickStartServer'. >>> at >>> Microsoft.Web.Services3.Design.X509TokenProvider.CreateToken(StoreLo >>> ca >>> tion >>> location, StoreName storeName, String findValue, X509FindType >>> findType) >>> at Microsoft.Web.Services3.Design.X509TokenProvider.GetToken() >>> at >>> Microsoft.Web.Services3.Design.MutualCertificate11Assertion.ClientOu >>> tp >>> utFilter..ctor(MutualCertificate11Assertion assertion) >>> at >>> Microsoft.Web.Services3.Design.MutualCertificate11Assertion.CreateCl >>> ie >>> ntOutputFilter(FilterCreationContext context) >>> at >>> Microsoft.Web.Services3.Design.Policy.CreateClientPipeline(PipelineC >>> re >>> ationContext context) >>> at >>> Microsoft.Web.Services3.WebServicesClientProtocol.SetPolicy(Policy >>> policy) >>> at >>> Microsoft.Web.Services3.WebServicesClientProtocol.SetPolicy(String >>> policyName) >>> at _Default.Button1_Click(Object sender, EventArgs e) in >>> S:\Security\WSEbasic\WSEbasic6\WebSite6\Default.aspx.vb:line 10 >>> ------------------------------- >>> Jack Madeja >>> "Dominick Baier [DevelopMentor]" wrote: >>>> Hello JackMadeja, >>>> >>>> from experience - a iisreset does help sometimes... >>>> >>>> [Policy] and SetPolicy are called correctly on client/server ? >>>> >>>> --------------------------------------- >>>> Dominick Baier - DevelopMentor >>>> http://www.leastprivilege.com >>>>> Security requirements are not satisfied because the security >>>>> header is not present in the incoming message >>>>> >>>>> I get this exception every time I run my service thru ordinary IIS >>>>> instead of Default IIS in VS.NET Studio. My service is a simple >>>>> 'Hello World with certificate policy. My client is simple ASP.NET >>>>> Web Site with one button and textbox. I use Certificate Policy >>>>> (mutualCertificate11Security) on both server and client. (I have >>>>> tried this with anonymousForCertificateSecurity and got same bad >>>>> result). Everything works fine if my service and webclient is in >>>>> same solution and I run everything thru VS.NET studio build in >>>>> IIS. But If I create a virtual directory in my computer IIS, run >>>>> my service there, change my web reference to this service I get >>>>> this exception: >>>>> >>>>> WSE910: An error happened during the processing of a response >>>>> message, and you can find the error in the inner exception. You >>>>> can also find the response message in the Response property. >>>>> >>>>> at >>>>> Microsoft.Web.Services3.Xml.SoapEnvelopeReaderWrapper..ctor(SoapCl >>>>> ie >>>>> nt >>>>> Message >>>>> message, String messageContentType) >>>>> at >>>>> Microsoft.Web.Services3.WebServicesClientProtocol.GetReaderForMess >>>>> ag >>>>> e( >>>>> SoapClientMessage message, Int32 bufferSize) >>>>> at >>>>> System.Web.Services.Protocols.SoapHttpClientProtocol.ReadResponse( >>>>> So >>>>> ap >>>>> ClientMessage message, WebResponse response, Stream >>>>> responseStream, >>>>> Boolean asyncCall) >>>>> at >>>>> System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String >>>>> methodName, Object[] parameters) >>>>> at localhost.ServiceWse.HelloWorld() in >>>>> e:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET >>>>> Files\website10\b15bc141\c8235faa\App_WebReferences.qqc4zbev.0.cs: >>>>> li >>>>> ne >>>>> 46 >>>>> at _Default.Button1_Click(Object sender, EventArgs e) in >>>>> S:\Security\WSEbasic\WSEbasic10\WebSite10\Default.aspx.vb:line 11 >>>>> --------------Inner Exception ---------------------------- >>>>> Security requirements are not satisfied because the security >>>>> header >>>>> is >>>>> not >>>>> present in the incoming message. >>>>> at >>>>> Microsoft.Web.Services3.Security.SecureConversationClientReceiveSe >>>>> cu >>>>> ri >>>>> tyFilter.ValidateMessageSecurity(SoapEnvelope envelope, Security >>>>> security) >>>>> at >>>>> Microsoft.Web.Services3.Security.ReceiveSecurityFilter.ProcessMess >>>>> ag >>>>> e( >>>>> SoapEnvelope envelope) >>>>> at >>>>> Microsoft.Web.Services3.Pipeline.ProcessInputMessage(SoapEnvelope >>>>> envelope) >>>>> at >>>>> Microsoft.Web.Services3.Xml.SoapEnvelopeReaderWrapper..ctor(SoapCl >>>>> ie >>>>> nt >>>>> Message >>>>> message, String messageContentType) >>>>> Here is my service code: >>>>> Imports System.Web >>>>> Imports System.Web.Services >>>>> Imports System.Web.Services.Protocols >>>>> Imports System.Security.Principal
Hello Dominick.
Thank you for your help! I manage to give ASPNET access to privet key file with WseCertificate3.exe tool. After this change I still couldn’t run my service, but when I recreated my policy it all works fine (even if my wse3policyCache.config file looked exactly the same as before (strange – I thought that all policy setups where in those files). I still have one problem. All that works if I run my ASP.NET client on ASP.NET Development Server. But if I change this client to run in IIS (custom server) I get this exception. ----- WSEservice 2 Exception -------- WSE2013: X509TokenProvider is unable to provide an X.509 token. There are no certificates in the certificate store that match the find value of 'CN=WSE2QuickStartServer'. at Microsoft.Web.Services3.Design.X509TokenProvider.CreateToken(StoreLocation location, StoreName storeName, String findValue, X509FindType findType) at Microsoft.Web.Services3.Design.X509TokenProvider.GetToken() at Microsoft.Web.Services3.Design.MutualCertificate11Assertion.ClientOutputFilter..ctor(MutualCertificate11Assertion assertion) at Microsoft.Web.Services3.Design.MutualCertificate11Assertion.CreateClientOutputFilter(FilterCreationContext context) at Microsoft.Web.Services3.Design.Policy.CreateClientPipeline(PipelineCreationContext context) at Microsoft.Web.Services3.WebServicesClientProtocol.SetPolicy(Policy policy) at Microsoft.Web.Services3.WebServicesClientProtocol.SetPolicy(String policyName) at _Default.Button1_Click(Object sender, EventArgs e) in S:\Security\WSEbasic\WSEbasic8\WebSite8\Default.aspx.vb:line 10 Is there any more stuff I can do to make completely on IIS? By the way – I use WinXP 32 and IIS5.0 [quoted text, click to view] "Dominick Baier [DevelopMentor]" wrote:
> Hello JackMadeja, > > this document also mentions that you have to set the right ACLs for the worker > process account - they use the X509Certificate tool that ships with WSE > > the account (most probably NETWORK SERVICE) needs read access to the private > key file. > > > --------------------------------------- > Dominick Baier - DevelopMentor > http://www.leastprivilege.com > > > Hi Dominic. Thank you for you answers. I did import all certificates > > according to instruction in those documents. One certificate "Client > > Private.pfx" to Certificates - Current User, Personal, Certificates. > > One certificate "Server Private.pfx" to Certificates - Current User, > > Other People, Certificates and the third one "Server Public.cer" to > > Certificates (Local Computer), Personal, Certificates. I really don't > > know any other stores. I have tried to load "Server Public.cer" in > > other stores (Service accounts for different ASP.NET services) but > > without any luck. Still, as far as I know "My user account" should be > > used for both pfx-files and "Computer Account" for this public > > cer-file. And this goes for services run in IIS och in ASP.NET > > Development Server. As now they work fine in ASP.NET Development, but > > not in IIS. Could you please explain to me any other way to install > > those certificates to make my service work under real IIS? > > > > "Dominick Baier [DevelopMentor]" wrote: > > > >> Hello JackMadeja, > >> > >> ok - you have to import the certificate in the store of the account > >> running the service - i guess thats NETWORK SERVICE > >> > >> Look at the Security Hands on Lab for WSE3 - the steps are detailed > >> there. > >> > >> http://www.microsoft.com/downloads/details.aspx?familyid=9acd1f8e-97e > >> 2-43e2-b484-a74a014a8206&displaylang=en > >> > >> --------------------------------------- > >> Dominick Baier - DevelopMentor > >> http://www.leastprivilege.com > >>> Iisreset - I have tried it with no results. [Policy] and SetPolicy > >>> are called correctly - my service application works fine with server > >>> and client running under ASP.NET Development Server, but not with > >>> server in IIS. Similar problem appears when I run my client directly > >>> under IIS instead of under ASP.NET Development Server. In IIS 'mode' > >>> I get this policy error: > >>> > >>> ----- WSEservice 2 Exception -------- > >>> WSE2013: X509TokenProvider is unable to provide an X.509 token. > >>> There > >>> are no > >>> certificates in the certificate store that match the find value of > >>> 'CN=WSE2QuickStartServer'. > >>> at > >>> Microsoft.Web.Services3.Design.X509TokenProvider.CreateToken(StoreLo > >>> ca > >>> tion > >>> location, StoreName storeName, String findValue, X509FindType > >>> findType) > >>> at Microsoft.Web.Services3.Design.X509TokenProvider.GetToken() > >>> at > >>> Microsoft.Web.Services3.Design.MutualCertificate11Assertion.ClientOu > >>> tp > >>> utFilter..ctor(MutualCertificate11Assertion assertion) > >>> at > >>> Microsoft.Web.Services3.Design.MutualCertificate11Assertion.CreateCl > >>> ie > >>> ntOutputFilter(FilterCreationContext context) > >>> at > >>> Microsoft.Web.Services3.Design.Policy.CreateClientPipeline(PipelineC > >>> re > >>> ationContext context) > >>> at > >>> Microsoft.Web.Services3.WebServicesClientProtocol.SetPolicy(Policy > >>> policy) > >>> at > >>> Microsoft.Web.Services3.WebServicesClientProtocol.SetPolicy(String > >>> policyName) > >>> at _Default.Button1_Click(Object sender, EventArgs e) in > >>> S:\Security\WSEbasic\WSEbasic6\WebSite6\Default.aspx.vb:line 10 > >>> ------------------------------- > >>> Jack Madeja > >>> "Dominick Baier [DevelopMentor]" wrote: > >>>> Hello JackMadeja, > >>>> > >>>> from experience - a iisreset does help sometimes... > >>>> > >>>> [Policy] and SetPolicy are called correctly on client/server ? > >>>> > >>>> --------------------------------------- > >>>> Dominick Baier - DevelopMentor > >>>> http://www.leastprivilege.com > >>>>> Security requirements are not satisfied because the security > >>>>> header is not present in the incoming message > >>>>> > >>>>> I get this exception every time I run my service thru ordinary IIS > >>>>> instead of Default IIS in VS.NET Studio. My service is a simple > >>>>> 'Hello World with certificate policy. My client is simple ASP.NET > >>>>> Web Site with one button and textbox. I use Certificate Policy > >>>>> (mutualCertificate11Security) on both server and client. (I have > >>>>> tried this with anonymousForCertificateSecurity and got same bad > >>>>> result). Everything works fine if my service and webclient is in > >>>>> same solution and I run everything thru VS.NET studio build in > >>>>> IIS. But If I create a virtual directory in my computer IIS, run > >>>>> my service there, change my web reference to this service I get > >>>>> this exception: > >>>>> > >>>>> WSE910: An error happened during the processing of a response > >>>>> message, and you can find the error in the inner exception. You
Hello JackMadeja,
sure - i guess you run the dev web server as admin - that always works :)) i am not sure what the problem is if you followed closely the HOL instructions and can't get it to work... --------------------------------------- Dominick Baier - DevelopMentor http://www.leastprivilege.com [quoted text, click to view] > Hello Dominick. Thank you for your help! I manage to give ASPNET
> access to privet key file with WseCertificate3.exe tool. After this > change I still couldn't run my service, but when I recreated my policy > it all works fine (even if my wse3policyCache.config file looked > exactly the same as before (strange - I thought that all policy setups > where in those files). I still have one problem. All that works if I > run my ASP.NET client on ASP.NET Development Server. But if I change > this client to run in IIS (custom server) I get this exception. > > ----- WSEservice 2 Exception -------- > WSE2013: X509TokenProvider is unable to provide an X.509 token. There > are no > certificates in the certificate store that match the find value of > 'CN=WSE2QuickStartServer'. > at > Microsoft.Web.Services3.Design.X509TokenProvider.CreateToken(StoreLoca > tion > location, StoreName storeName, String findValue, X509FindType > findType) > at Microsoft.Web.Services3.Design.X509TokenProvider.GetToken() > at > Microsoft.Web.Services3.Design.MutualCertificate11Assertion.ClientOutp > utFilter..ctor(MutualCertificate11Assertion assertion) > at > Microsoft.Web.Services3.Design.MutualCertificate11Assertion.CreateClie > ntOutputFilter(FilterCreationContext context) > at > Microsoft.Web.Services3.Design.Policy.CreateClientPipeline(PipelineCre > ationContext context) > at > Microsoft.Web.Services3.WebServicesClientProtocol.SetPolicy(Policy > policy) > at > Microsoft.Web.Services3.WebServicesClientProtocol.SetPolicy(String > policyName) > at _Default.Button1_Click(Object sender, EventArgs e) in > S:\Security\WSEbasic\WSEbasic8\WebSite8\Default.aspx.vb:line 10 > Is there any more stuff I can do to make completely on IIS? By the way > - I use WinXP 32 and IIS5.0 > > "Dominick Baier [DevelopMentor]" wrote: > >> Hello JackMadeja, >> >> this document also mentions that you have to set the right ACLs for >> the worker process account - they use the X509Certificate tool that >> ships with WSE >> >> the account (most probably NETWORK SERVICE) needs read access to the >> private key file. >> >> --------------------------------------- >> Dominick Baier - DevelopMentor >> http://www.leastprivilege.com >>> Hi Dominic. Thank you for you answers. I did import all certificates >>> according to instruction in those documents. One certificate "Client >>> Private.pfx" to Certificates - Current User, Personal, >>> Certificates. One certificate "Server Private.pfx" to Certificates - >>> Current User, Other People, Certificates and the third one "Server >>> Public.cer" to Certificates (Local Computer), Personal, >>> Certificates. I really don't know any other stores. I have tried to >>> load "Server Public.cer" in other stores (Service accounts for >>> different ASP.NET services) but without any luck. Still, as far as I >>> know "My user account" should be used for both pfx-files and >>> "Computer Account" for this public cer-file. And this goes for >>> services run in IIS och in ASP.NET Development Server. As now they >>> work fine in ASP.NET Development, but not in IIS. Could you please >>> explain to me any other way to install those certificates to make my >>> service work under real IIS? >>> >>> "Dominick Baier [DevelopMentor]" wrote: >>> >>>> Hello JackMadeja, >>>> >>>> ok - you have to import the certificate in the store of the account >>>> running the service - i guess thats NETWORK SERVICE >>>> >>>> Look at the Security Hands on Lab for WSE3 - the steps are detailed >>>> there. >>>> >>>> http://www.microsoft.com/downloads/details.aspx?familyid=9acd1f8e-9 >>>> 7e 2-43e2-b484-a74a014a8206&displaylang=en >>>> >>>> --------------------------------------- >>>> Dominick Baier - DevelopMentor >>>> http://www.leastprivilege.com >>>>> Iisreset - I have tried it with no results. [Policy] and SetPolicy >>>>> are called correctly - my service application works fine with >>>>> server and client running under ASP.NET Development Server, but >>>>> not with server in IIS. Similar problem appears when I run my >>>>> client directly under IIS instead of under ASP.NET Development >>>>> Server. In IIS 'mode' I get this policy error: >>>>> >>>>> ----- WSEservice 2 Exception -------- >>>>> WSE2013: X509TokenProvider is unable to provide an X.509 token. >>>>> There >>>>> are no >>>>> certificates in the certificate store that match the find value of >>>>> 'CN=WSE2QuickStartServer'. >>>>> at >>>>> Microsoft.Web.Services3.Design.X509TokenProvider.CreateToken(Store >>>>> Lo >>>>> ca >>>>> tion >>>>> location, StoreName storeName, String findValue, X509FindType >>>>> findType) >>>>> at Microsoft.Web.Services3.Design.X509TokenProvider.GetToken() >>>>> at >>>>> Microsoft.Web.Services3.Design.MutualCertificate11Assertion.Client >>>>> Ou >>>>> tp >>>>> utFilter..ctor(MutualCertificate11Assertion assertion) >>>>> at >>>>> Microsoft.Web.Services3.Design.MutualCertificate11Assertion.Create >>>>> Cl >>>>> ie >>>>> ntOutputFilter(FilterCreationContext context) >>>>> at >>>>> Microsoft.Web.Services3.Design.Policy.CreateClientPipeline(Pipelin >>>>> eC >>>>> re >>>>> ationContext context) >>>>> at >>>>> Microsoft.Web.Services3.WebServicesClientProtocol.SetPolicy(Policy >>>>> policy) >>>>> at >>>>> Microsoft.Web.Services3.WebServicesClientProtocol.SetPolicy(String >>>>> policyName) >>>>> at _Default.Button1_Click(Object sender, EventArgs e) in >>>>> S:\Security\WSEbasic\WSEbasic6\WebSite6\Default.aspx.vb:line 10 >>>>> ------------------------------- >>>>> Jack Madeja >>>>> "Dominick Baier [DevelopMentor]" wrote: >>>>>> Hello JackMadeja, >>>>>> >>>>>> from experience - a iisreset does help sometimes... >>>>>> >>>>>> [Policy] and SetPolicy are called correctly on client/server ? >>>>>> >>>>>> --------------------------------------- >>>>>> Dominick Baier - DevelopMentor >>>>>> http://www.leastprivilege.com >>>>>>> Security requirements are not satisfied because the security >>>>>>> header is not present in the incoming message >>>>>>> >>>>>>> I get this exception every time I run my service thru ordinary >>>>>>> IIS instead of Default IIS in VS.NET Studio. My service is a >>>>>>> simple 'Hello World with certificate policy. My client is simple >>>>>>> ASP.NET Web Site with one button and textbox. I use Certificate >>>>>>> Policy (mutualCertificate11Security) on both server and client. >>>>>>> (I have tried this with anonymousForCertificateSecurity and got >>>>>>> same bad result). Everything works fine if my service and
Don't see what you're looking for? Try a search.
|
June 2004
July 2004
August 2004
September 2004
October 2004
November 2004
December 2004
January 2005
February 2005
March 2005
April 2005
May 2005
June 2005
July 2005
August 2005
September 2005
October 2005
November 2005
December 2005
January 2006
February 2006
March 2006
April 2006
May 2006
June 2006
July 2006
August 2006
September 2006
October 2006
November 2006
December 2006
January 2007
February 2007
March 2007
April 2007
May 2007
June 2007
July 2007
August 2007
September 2007
October 2007
November 2007
| home · blog · groups | Questions? Comments? Contact the dn |