Configuring Certificates to be used with WSE 3.0

I have just created a simple WSE 3.0 test application which uses user name and password security. However, I have serious problems with configuring the digital certificates.

I get an exception with the following fault response:

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Header>
<wsa:Action>http://schemas.xmlsoap.org/ws/2004/08/addressing/fault</wsa:Action>
<wsa:MessageID>urn:uuid:ed228fee-e7ed-4565-941c-41afbea41f17</wsa:MessageID>
<wsa:RelatesTo>urn:uuid:68fe12b2-9b6a-4bbb-92d6-957eedfe0a63</wsa:RelatesTo>
<wsa:To>http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</wsa:To>
</soap:Header>
<soap:Body>
<soap:Fault>
<faultcode>soap:Server</faultcode>
<faultstring>
System.Web.Services.Protocols.SoapHeaderException: Server unavailable, please try later ---&gt;
System.ApplicationException: WSE841: An error occured processing an outgoing fault response. ---&gt;
System.Web.Services.Protocols.SoapException: System.Web.Services.Protocols.SoapException: Server was unable to process request. ---&gt;
System.Security.Cryptography.CryptographicException: WSE600: Unable to unwrap a symmetric key using the private key of an X.509 certificate. Please check if the account 'CL-RUWANW\ASPNET' has permissions to read the private key of certificate with subject name 'CN=WSE2QuickStartClient' and thumbprint 'CA7601381B4578502B62B8809825664F1E78DFA2'. ---&gt; System.Security.Cryptography.CryptographicException: WSE593: Unable to decrypt the key. Please check if the process has the right permission to access the private key. ---&gt; System.Security.Cryptography.CryptographicException: Error occurred while decoding OAEP padding.
at System.Security.Cryptography.Utils._DecryptPKWin2KEnh(SafeKeyHandle hPubKey, Byte[] key, Boolean fOAEP, Int32&amp; hr)
at System.Security.Cryptography.RSACryptoServiceProvider.Decrypt(Byte[] rgb, Boolean fOAEP)
at Microsoft.Web.Services3.Security.Cryptography.RSAOAEPKeyExchangeFormatter.DecryptKey(Byte[] cipherKey)
--- End of inner exception stack trace ---
at Microsoft.Web.Services3.Security.Cryptography.RSAOAEPKeyExchangeFormatter.DecryptKey(Byte[] cipherKey)
at Microsoft.Web.Services3.Security.EncryptedKey.Decrypt()
--- End of inner exception stack trace ---
at Microsoft.Web.Services3.Security.EncryptedKey.Decrypt()
at Microsoft.Web.Services3.Security.Security.LoadXml(XmlElement element)
at Microsoft.Web.Services3.Security.Security.CreateFrom(SoapEnvelope envelope, String localActor, String serviceActor)
at Microsoft.Web.Services3.Security.ReceiveSecurityFilter.ProcessMessage(SoapEnvelope envelope)
at Microsoft.Web.Services3.Pipeline.ProcessInputMessage(SoapEnvelope envelope)
at Microsoft.Web.Services3.WseProtocol.FilterRequest(SoapEnvelope requestEnvelope)
at Microsoft.Web.Services3.WseProtocol.RouteRequest(SoapServerMessage message)
at System.Web.Services.Protocols.SoapServerProtocol.Initialize()
at System.Web.Services.Protocols.ServerProtocolFactory.Create(Type type, HttpContext context, HttpRequest request, HttpResponse response, Boolean&amp; abortProcessing)
--- End of inner exception stack trace ---
--- End of inner exception stack trace ---
--- End of inner exception stack trace ---
</faultstring>
<faultactor>http://localhost/WSE3_Test/WebService1.asmx</faultactor>
</soap:Fault>
</soap:Body>
</soap:Envelope>

My code is as follows,

Service Code:

[WebService(Namespace = "http://tempuri.org/")]
[WebServiceBinding(ConformsTo = WsiProfiles.BasicProfile1_1)]
[Microsoft.Web.Services3.Policy("MyServerPolicy")]
public class WebService1 : System.Web.Services.WebService
{
    [WebMethod]
    public string HelloWorld()
    {
        return "Hello " + this.User.Identity.Name;
    }
}

My policy file is as follows,

<policies xmlns="http://schemas.microsoft.com/wse/2005/06/policy">
  <extensions>
    <extension name="usernameForCertificateSecurity" type="Microsoft.Web.Services3.Design.UsernameForCertificateAssertion, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
    <extension name="x509" type="Microsoft.Web.Services3.Design.X509TokenProvider, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
    <extension name="requireActionHeader" type="Microsoft.Web.Services3.Design.RequireActionHeaderAssertion, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
    <extension name="authorization" type="Microsoft.Web.Services3.Design.AuthorizationAssertion, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
  </extensions>
  <policy name="MyServerPolicy">
    <usernameForCertificateSecurity establishSecurityContext="false" renewExpiredSecurityContext="true" requireSignatureConfirmation="false" messageProtectionOrder="SignBeforeEncryptAndEncryptSignature" requireDerivedKeys="true" ttlInSeconds="300">
      <serviceToken>
        <x509 storeLocation="LocalMachine" storeName="My" findValue="CN=WSE2QuickStartServer" findType="FindBySubjectDistinguishedName" />
      </serviceToken>
      <protection>
        <request signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true" />
        <response signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true" />
        <fault signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="false" />
      </protection>
    </usernameForCertificateSecurity>
    <requireActionHeader />
  </policy>
</policies>

Client Code:

private void button1_Click(object sender, EventArgs e)
{
    localhost.WebService1Wse ws = new localhost.WebService1Wse();
    ws.SetPolicy("MyClientPolicy");
    ws.SetClientCredential(new UsernameToken("saman", "abc123"));
    string msg = ws.HelloWorld();
    MessageBox.Show(msg);
}

Policy File:

<policies xmlns="http://schemas.microsoft.com/wse/2005/06/policy">
  <extensions>
    <extension name="usernameForCertificateSecurity" type="Microsoft.Web.Services3.Design.UsernameForCertificateAssertion, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
    <extension name="x509" type="Microsoft.Web.Services3.Design.X509TokenProvider, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
    <extension name="requireActionHeader" type="Microsoft.Web.Services3.Design.RequireActionHeaderAssertion, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
  </extensions>
  <policy name="MyClientPolicy">
    <usernameForCertificateSecurity establishSecurityContext="false" renewExpiredSecurityContext="true" requireSignatureConfirmation="false" messageProtectionOrder="SignBeforeEncryptAndEncryptSignature" requireDerivedKeys="true" ttlInSeconds="300">
      <serviceToken>
        <x509 storeLocation="LocalMachine" storeName="My" findValue="CN=WSE2QuickStartClient" findType="FindBySubjectDistinguishedName" />
      </serviceToken>
      <protection>
        <request signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true" />
        <response signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true" />
        <fault signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="false" />
      </protection>
    </usernameForCertificateSecurity>
    <requireActionHeader />
  </policy>
</policies>

Can anybody help me to get this digital certificate configuration right?

Thank you in advance.

Ruwan

Ruwan

Have you looked at the setup.bat file in the samples and read the samples' readme.htm file? These describe the setup stages needed to ensure that the certificates are installed locally.

Also look at the event viewer using

Run -> eventvwr.msc /s

Look at the application log, as this gives you reasons for the failure.

BTW - the Event Viewer is very useful for diagnosing failures on the service side with WSE and you should look at this often.

Typically this is because the process that the Web Service is running under does not have access to the private key for the certificate in order to decrypt the message from the client. See point 2) at this URL:

ms-help://MS.WSE30.1033/WSE3.0/html/b5a8bce9-31a2-444c-a762-86f5bf2abd96.htm

Choose either NETWORK SERVICE (Windows Server 2003) or ASPNET (WinXP) depending on the OS that you are running the service on.

Thanks, Mark Fussell

Mark Fussell


I had the same problem. The resolution was to restart IIS after granting permissions to Network Service.

Daniel Celeda

I have had problems similar to what I think you're experiencing. I was using WSE2 SP3, but this may be relevant...

The first thing to do is put additional tracing on.

In your web config, add the built-in .NET API trace switches - this will help you debug what's really happening. This excellent article explains all about tracing: http://blogs.msdn.com/dgorti/archive/2005/09/18/471003.aspx. With these switches in place you will see a verbose output of the SSL loading and network streams.

The issue is probably because the certificate cannot be loaded by the user account you are running the IIS (W2000) service under, or the application pool identity on W2003. If Win2003, I assume you have created a new user account to run the web site identity under and made this new account a member of the IIS_WPG and possibly Performance Monitor group.

Either case - browse to Documents & Settings\All Users\Application Data\Microsoft\Crypto\RSA and give the user account you are running the service under read permission to the 'machine-keys' directory.

Hope this helps

Steve

PingCrosby
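The two replies above both come down to one check: can the identity the web service runs as (ASPNET on XP, NETWORK SERVICE on Windows Server 2003) open the private key of the certificate named in the fault, and does it have Read on the key container file under MachineKeys? The following C# console tool is an added example written for this thread; it is not code from the thread, from WSE, or from the samples. It assumes .NET Framework 2.0 or later on Windows, an RSA certificate in LocalMachine\My, and the standard `%ProgramData%\Microsoft\Crypto\RSA\MachineKeys` location for machine key containers; the account names in the usage line are the ones the replies mention, and "constructed test key material" is a made-up value. It performs the same RSA-OAEP wrap/unwrap that produced WSE600/WSE593 in the fault, reports the key container file, checks the account's ACL entry, and with `--grant` adds Read (run it as an administrator; restart IIS afterwards, as Daniel's reply notes). Run it against the subject the fault actually names, here `CN=WSE2QuickStartClient`.

```csharp
// Added diagnostic for the thread above (not WSE or sample code). Checks whether
// an account can use a LocalMachine\My certificate's private key and optionally
// grants Read on the key container file. Requires .NET Framework 2.0+ on Windows.
using System;
using System.IO;
using System.Security.AccessControl;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Security.Principal;
using System.Text;

class PrivateKeyAccessCheck
{
    // Usage: PrivateKeyAccessCheck.exe "CN=WSE2QuickStartClient" "NT AUTHORITY\NETWORK SERVICE" [--grant]
    //        (on Windows XP the account is MACHINENAME\ASPNET)
    static int Main(string[] args)
    {
        if (args.Length < 2)
        {
            Console.WriteLine("usage: <subject DN> <account> [--grant]");
            return 2;
        }
        string subject = args[0];
        string account = args[1];
        bool grant = args.Length > 2 && args[2] == "--grant";

        X509Certificate2 cert = FindCertificate(subject);
        if (cert == null) { Console.WriteLine("not found in LocalMachine\\My: " + subject); return 1; }
        if (!cert.HasPrivateKey) { Console.WriteLine("certificate has no private key (imported from .cer rather than .pfx?)"); return 1; }

        // Opening the private key throws when the calling account lacks access
        // to the key container; that is the condition behind WSE593.
        RSACryptoServiceProvider rsa;
        try { rsa = (RSACryptoServiceProvider)cert.PrivateKey; }
        catch (CryptographicException ex)
        {
            Console.WriteLine("cannot open private key as " + WindowsIdentity.GetCurrent().Name + ": " + ex.Message);
            return 1;
        }

        // Same RSA-OAEP key wrap/unwrap WSE does for the symmetric message key.
        byte[] sample = Encoding.ASCII.GetBytes("constructed test key material"); // constructed value
        byte[] wrapped = ((RSACryptoServiceProvider)cert.PublicKey.Key).Encrypt(sample, true);
        byte[] unwrapped = rsa.Decrypt(wrapped, true);
        Console.WriteLine("OAEP unwrap as current user: " + (Encoding.ASCII.GetString(unwrapped) == "constructed test key material" ? "OK" : "FAILED"));

        // The key container is a file under MachineKeys; its ACL is what the
        // WSE readme's "step 2" has you edit by hand. Path is an assumption for
        // a default Windows install.
        string keyFile = Path.Combine(
            Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.CommonApplicationData), @"Microsoft\Crypto\RSA\MachineKeys"),
            rsa.CspKeyContainerInfo.UniqueKeyContainerName);
        Console.WriteLine("key container file: " + keyFile);

        FileSecurity acl = File.GetAccessControl(keyFile);
        bool canRead = AccountHasRead(acl, account);
        Console.WriteLine(account + " has a direct Read ACE on the key file: " + canRead);

        if (!canRead && grant)
        {
            acl.AddAccessRule(new FileSystemAccessRule(account, FileSystemRights.Read, AccessControlType.Allow));
            File.SetAccessControl(keyFile, acl);
            Console.WriteLine("granted Read to " + account + "; restart IIS / the application pool");
        }
        return (canRead || grant) ? 0 : 1;
    }

    static X509Certificate2 FindCertificate(string subjectDn)
    {
        X509Store store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            X509Certificate2Collection found = store.Certificates.Find(X509FindType.FindBySubjectDistinguishedName, subjectDn, false);
            return found.Count > 0 ? found[0] : null;
        }
        finally { store.Close(); }
    }

    // Looks for an explicit Allow ACE granting at least Read to the account's SID.
    static bool AccountHasRead(FileSecurity acl, string account)
    {
        SecurityIdentifier wanted = (SecurityIdentifier)new NTAccount(account).Translate(typeof(SecurityIdentifier));
        foreach (FileSystemAccessRule rule in acl.GetAccessRules(true, true, typeof(SecurityIdentifier)))
        {
            if (rule.AccessControlType == AccessControlType.Allow
                && rule.IdentityReference.Equals(wanted)
                && (rule.FileSystemRights & FileSystemRights.Read) == FileSystemRights.Read)
                return true;
        }
        return false;
    }
}
```

The ACL check only looks for an ACE granted directly to the account, so access inherited through a group such as IIS_WPG (Steve's setup) reports false even though it works; the OAEP round trip is the authoritative test, and it reflects the account the tool itself runs as, so run it under the service identity (or compare its result with the fault) rather than as an administrator when you want a definitive answer.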

I HAVE DISCOVERED THE SOLUTION!!!

ms-help://MS.WSE30.1033/WSE3.0/html/b5a8bce9-31a2-444c-a762-86f5bf2abd96.htm

This was the correct URL; follow step #2 exactly.

Once you try running it again it should work. It doesn't work, you say?

Right-click your solution and pick "Rebuild Solution", then run it.

The problem is that Microsoft's tutorial doesn't mention you need to REBUILD the solution after you have given ASPNET rights, not just build. I'm not 100% sure of the reason, but I think it has to do with the changes done in the <processModel> node in the machine.config file. These changes do not reflect until you rebuild the solution. This worked for me, and I tested it on the machine next to me, then I tested it again on the machine next to that. This has fixed the problem all 3 times. I am about 90% sure this will solve the problem for you.

Also, if ASPNET is not found in the list of accounts (in the certificate tool, after you have selected to view private key file properties, clicked the "Security" tab, then clicked "Add"), you need to click "Locations", highlight your computer (which is usually the top-most node), click "OK", then type "ASPNET" in the "Enter object names" box and click OK. ASPNET should be added now. All you need to assign it is Read / Read & Execute rights.

hope this helps. I am the champion!

roger_27

Rebuilding didn't work for me... actually I had a very tough time solving the same problem, and the solution was to select the correct store location in the Security tab in the WSE3 settings dialog.

krahd
