Re: security header is not present in the incoming message



Iisreset – I have tried it with no results. [Policy] and SetPolicy are called
correctly – my service application works fine with server and client running
under ASP.NET Development Server, but not with server in IIS. Similar problem
appears when I run my client directly under IIS instead of under ASP.NET
Development Server. In IIS ‘mode’ I get this policy error:

----- WSEservice 2 Exception --------
WSE2013: X509TokenProvider is unable to provide an X.509 token. There are no certificates in the certificate store that match the find value of 'CN=WSE2QuickStartServer'.

at Microsoft.Web.Services3.Design.X509TokenProvider.CreateToken(StoreLocation location, StoreName storeName, String findValue, X509FindType findType)
at Microsoft.Web.Services3.Design.X509TokenProvider.GetToken()
at Microsoft.Web.Services3.Design.MutualCertificate11Assertion.ClientOutputFilter..ctor(MutualCertificate11Assertion assertion)
at Microsoft.Web.Services3.Design.MutualCertificate11Assertion.CreateClientOutputFilter(FilterCreationContext context)
at Microsoft.Web.Services3.Design.Policy.CreateClientPipeline(PipelineCreationContext context)
at Microsoft.Web.Services3.WebServicesClientProtocol.SetPolicy(Policy policy)
at Microsoft.Web.Services3.WebServicesClientProtocol.SetPolicy(String policyName)
at _Default.Button1_Click(Object sender, EventArgs e) in S:\Security\WSEbasic\WSEbasic6\WebSite6\Default.aspx.vb:line 10

-------------------------------
Jack Madeja



"Dominick Baier [DevelopMentor]" wrote:

> Hello JackMadeja,
>
> from experience - an iisreset does help sometimes...
>
> [Policy] and SetPolicy are called correctly on client/server?
>
> ---------------------------------------
> Dominick Baier - DevelopMentor
> http://www.leastprivilege.com
>
> > Security requirements are not satisfied because the security header is
> > not present in the incoming message
> >
> > I get this exception every time I run my service thru ordinary IIS
> > instead of Default IIS in VS.NET Studio. My service is a simple 'Hello
> > World' with certificate policy. My client is a simple ASP.NET Web Site
> > with one button and textbox. I use Certificate Policy
> > (mutualCertificate11Security) on both server and client. (I have tried
> > this with anonymousForCertificateSecurity and got the same bad result.)
> > Everything works fine if my service and webclient are in the same solution
> > and I run everything thru VS.NET studio built-in IIS. But if I create
> > a virtual directory in my computer IIS, run my service there, and change
> > my web reference to this service, I get this exception:
> >
> > WSE910: An error happened during the processing of a response message,
> > and you can find the error in the inner exception. You can also find
> > the response message in the Response property.
> >
> > at Microsoft.Web.Services3.Xml.SoapEnvelopeReaderWrapper..ctor(SoapClientMessage message, String messageContentType)
> > at Microsoft.Web.Services3.WebServicesClientProtocol.GetReaderForMessage(SoapClientMessage message, Int32 bufferSize)
> > at System.Web.Services.Protocols.SoapHttpClientProtocol.ReadResponse(SoapClientMessage message, WebResponse response, Stream responseStream, Boolean asyncCall)
> > at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters)
> > at localhost.ServiceWse.HelloWorld() in e:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\website10\b15bc141\c8235faa\App_WebReferences.qqc4zbev.0.cs:line 46
> > at _Default.Button1_Click(Object sender, EventArgs e) in S:\Security\WSEbasic\WSEbasic10\WebSite10\Default.aspx.vb:line 11
> > --------------Inner Exception ----------------------------
> > Security requirements are not satisfied because the security header is not present in the incoming message.
> > at Microsoft.Web.Services3.Security.SecureConversationClientReceiveSecurityFilter.ValidateMessageSecurity(SoapEnvelope envelope, Security security)
> > at Microsoft.Web.Services3.Security.ReceiveSecurityFilter.ProcessMessage(SoapEnvelope envelope)
> > at Microsoft.Web.Services3.Pipeline.ProcessInputMessage(SoapEnvelope envelope)
> > at Microsoft.Web.Services3.Xml.SoapEnvelopeReaderWrapper..ctor(SoapClientMessage message, String messageContentType)
> >
> > Here is my service code:
> >
> > Imports System.Web
> > Imports System.Web.Services
> > Imports System.Web.Services.Protocols
> > Imports System.Security.Principal
> > Imports Microsoft.Web.Services3
> > Imports Microsoft.Web.Services3.Design
> >
> > <WebService(Namespace:="http://tempuri.org/")> _
> > <WebServiceBinding(ConformsTo:=WsiProfiles.BasicProfile1_1)> _
> > <Global.Microsoft.VisualBasic.CompilerServices.DesignerGenerated()> _
> > <Policy("ServerCertPolicy")> _
> > Public Class xService
> >     Inherits System.Web.Services.WebService
> >
> >     <WebMethod()> _
> >     Public Function HelloWorld() As String
> >         Return "Hello World from xWebService 5"
> >     End Function
> > End Class
> >
> > My service web.config looks like that:
> >
> > <?xml version="1.0" encoding="utf-8"?>
> > <configuration xmlns="http://schemas.microsoft.com/.NetConfiguration/v2.0">
> > <configSections>
> > <section name="microsoft.web.services3"
> > type="Microsoft.Web.Services3.Configuration.WebServicesConfiguration,
> > Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral,
> > PublicKeyToken=31bf3856ad364e35" />
> > </configSections>
> > <appSettings />
> > <connectionStrings />
> > <system.web>
> > <compilation debug="true" strict="false" explicit="true">
> > <assemblies>
> > <add assembly="Microsoft.Web.Services3, Version=3.0.0.0,
> > Culture=neutral, PublicKeyToken=31BF3856AD364E35" />
> > </assemblies>
> > </compilation>
> > <pages>
> > <namespaces>
> > <clear />
> > <add namespace="System" />
> > <add namespace="System.Collections" />
> > <add namespace="System.Collections.Specialized" />
> > <add namespace="System.Configuration" />
> > <add namespace="System.Text" />
> > <add namespace="System.Text.RegularExpressions" />
> > <add namespace="System.Web" />
> > <add namespace="System.Web.Caching" />
> > <add namespace="System.Web.SessionState" />
> > <add namespace="System.Web.Security" />
> > <add namespace="System.Web.Profile" />
> > <add namespace="System.Web.UI" />
> > <add namespace="System.Web.UI.WebControls" />
> > <add namespace="System.Web.UI.WebControls.WebParts" />
> > <add namespace="System.Web.UI.HtmlControls" />
> > </namespaces>
> > </pages>
> > <webServices>
> > <soapExtensionImporterTypes>
> > <add
> > type="Microsoft.Web.Services3.Description.WseExtensionImporter,
> > Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral,
> > PublicKeyToken=31bf3856ad364e35" />
> > </soapExtensionImporterTypes>
> > <soapServerProtocolFactory
> > type="Microsoft.Web.Services3.WseProtocolFactory,
> > Microsoft.Web.Services3,
> > Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
> > </webServices>
> > </system.web>
> > <microsoft.web.services3>
> > <security>
> > <x509 allowTestRoot="false" storeLocation="LocalMachine" />
> > </security>
> > <policy fileName="wse3policyCache.config" />
> > <diagnostics>
> > <trace enabled="true" input="logs\InputTrace.webinfo"
> > output="logs\OutputTrace.webinfo" />
> > </diagnostics>
> > </microsoft.web.services3>
> > </configuration>
> >
> > ... and my service policy looks like that:
> >
> > <policies xmlns="http://schemas.microsoft.com/wse/2005/06/policy">
> > <extensions>
> > <extension name="mutualCertificate11Security"
> > type="Microsoft.Web.Services3.Design.MutualCertificate11Assertion,
> > Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral,
> > PublicKeyToken=31bf3856ad364e35" />
> > <extension name="x509"
> > type="Microsoft.Web.Services3.Design.X509TokenProvider,
> > Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral,
> > PublicKeyToken=31bf3856ad364e35" />
> > <extension name="requireActionHeader"
> > type="Microsoft.Web.Services3.Design.RequireActionHeaderAssertion,
> > Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral,
> > PublicKeyToken=31bf3856ad364e35" />
> > </extensions>
> > <policy name="ServerCertPolicy">
> > <mutualCertificate11Security establishSecurityContext="false"
> > renewExpiredSecurityContext="true" requireSignatureConfirmation="true"
> > messageProtectionOrder="SignBeforeEncrypt" requireDerivedKeys="true"
> > ttlInSeconds="300">
> > <serviceToken>
> > <x509 storeLocation="LocalMachine" storeName="My"
> > findValue="CN=WSE2QuickStartServer"
> > findType="FindBySubjectDistinguishedName"
> > />
> > </serviceToken>
> > <protection>
> > <request signatureOptions="IncludeAddressing,
> > IncludeTimestamp,
> > IncludeSoapBody" encryptBody="true" />
> > <response signatureOptions="IncludeAddressing,
> > IncludeTimestamp,
> > IncludeSoapBody" encryptBody="true" />
> > <fault signatureOptions="IncludeAddressing, IncludeTimestamp,
> > IncludeSoapBody" encryptBody="false" />
> > </protection>
> > </mutualCertificate11Security>
> > <requireActionHeader />
> > </policy>
> > </policies>
> > My client looks like that:
> >
> > <%@ Page Language="VB" AutoEventWireup="false"
> > CodeFile="Default.aspx.vb" Inherits="_Default" %>
> >
> > <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
> > "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
> >
> > <html xmlns="http://www.w3.org/1999/xhtml">
> > <head runat="server">
> > <title>WebSite11</title>
> > </head>
> > <body>
> > <form id="form1" runat="server">
> > <div>
> > <asp:Button ID="Button1" runat="server" Text="WSEservice 2"
> > Width="160px" /><asp:TextBox
> > ID="TextBox1" runat="server" Height="440px"
> > TextMode="MultiLine"
> > Width="800px"></asp:TextBox> </div>
> > </form>
> > </body>
> > </html>
> >
> > ... and client code:
> >
> > Imports Microsoft.VisualBasic.ControlChars
> >
> > Partial Class _Default
> >     Inherits System.Web.UI.Page
> >
> >     Protected Sub Button1_Click(ByVal sender As Object, ByVal e As System.EventArgs) Handles Button1.Click
> >         Try
> >             TextBox1.Text = String.Empty
> >             Dim proxy As New localhost.ServiceWse
> >             ' Attach the WSE policy before invoking the secured method
> >             proxy.SetPolicy("ClientCertPolicy")
> >             TextBox1.Text = proxy.HelloWorld
> >         Catch ex As Exception
> >             Dim strMsg As String = ex.Message & CrLf & CrLf & ex.StackTrace
> >             Dim exIn As Exception = ex
> >             ' Walk the InnerException chain and append each message and stack trace
> >             Do
> >                 exIn = exIn.InnerException
> >                 If Not exIn Is Nothing Then
> >                     strMsg += CrLf & "--------------Inner Exception ----------------------------" & CrLf
> >                     strMsg += exIn.Message & CrLf & CrLf & exIn.StackTrace
> >                 Else
> >                     Exit Do
> >                 End If
> >             Loop
> >             TextBox1.Text = "----- WSEservice 2 Exception --------" & CrLf & strMsg
> >         End Try
> >     End Sub
> > End Class
> >
> > ... with client policy like this:
> >
> > <policies xmlns="http://schemas.microsoft.com/wse/2005/06/policy">
> > <extensions>
> > <extension name="mutualCertificate11Security"
> > type="Microsoft.Web.Services3.Design.MutualCertificate11Assertion,
> > Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral,
> > PublicKeyToken=31bf3856ad364e35" />
> > <extension name="x509"
> > type="Microsoft.Web.Services3.Design.X509TokenProvider,
> > Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral,
> > PublicKeyToken=31bf3856ad364e35" />
> > <extension name="requireActionHeader"
> > type="Microsoft.Web.Services3.Design.RequireActionHeaderAssertion,
> > Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral,
> > PublicKeyToken=31bf3856ad364e35" />
> > </extensions>
> > <policy name="ClientCertPolicy">
> > <mutualCertificate11Security establishSecurityContext="false"
> > renewExpiredSecurityContext="true" requireSignatureConfirmation="true"
> > messageProtectionOrder="SignBeforeEncrypt" requireDerivedKeys="true"
> > ttlInSeconds="300">
> > <clientToken>
> > <x509 storeLocation="CurrentUser" storeName="My"
> > findValue="CN=WSE2QuickStartClient"
> > findType="FindBySubjectDistinguishedName"
> > />
> > </clientToken>
> > <serviceToken>
> > <x509 storeLocation="CurrentUser" storeName="AddressBook"
> > findValue="CN=WSE2QuickStartServer"
> > findType="FindBySubjectDistinguishedName"
> > />
> > </serviceToken>
> > <protection>
> > <request signatureOptions="IncludeAddressing,
> > IncludeTimestamp,
> > IncludeSoapBody" encryptBody="true" />
> > <response signatureOptions="IncludeAddressing,
> > IncludeTimestamp,
> > IncludeSoapBody" encryptBody="true" />
> > <fault signatureOptions="IncludeAddressing, IncludeTimestamp,
> > IncludeSoapBody" encryptBody="false" />
> > </protection>
> > </mutualCertificate11Security>
> > <requireActionHeader />
> > </policy>
> > </policies>
> > Authentication methods in IIS "Anonymous access" are on and
.
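
Added example, not part of the original thread: the WSE2013 error above is raised by an X.509 store lookup, and the `CurrentUser` store named in the client policy is the store of whichever account the page executes as. This VB.NET diagnostic reports, for the running identity, which of the stores used in the two policies contain the QuickStart subjects; the module and function names (`CertStoreProbe`, `Probe`) are hypothetical.

```vbnet
Imports System
Imports System.Collections.Generic
Imports System.Security.Cryptography
Imports System.Security.Cryptography.X509Certificates
Imports System.Security.Principal

' Added diagnostic, not code from the thread. Subjects and stores mirror the posted policies.
Public Module CertStoreProbe

    ' Returns one report line per (store location, store name, subject) combination.
    Public Function Probe(ByVal subjects As String()) As List(Of String)
        Dim report As New List(Of String)
        ' The account shown here decides which CurrentUser store is searched.
        report.Add("Running as: " & WindowsIdentity.GetCurrent().Name)

        Dim locations As StoreLocation() = {StoreLocation.CurrentUser, StoreLocation.LocalMachine}
        Dim names As StoreName() = {StoreName.My, StoreName.AddressBook}

        For Each loc As StoreLocation In locations
            For Each name As StoreName In names
                Dim store As New X509Store(name, loc)
                Try
                    store.Open(OpenFlags.ReadOnly Or OpenFlags.OpenExistingOnly)
                    For Each subject As String In subjects
                        ' Same find type as the policies; validOnly:=False also lists untrusted test certs.
                        Dim hits As X509Certificate2Collection = _
                            store.Certificates.Find(X509FindType.FindBySubjectDistinguishedName, subject, False)
                        Dim line As String = String.Format("{0}/{1} {2}: {3} match(es)", loc, name, subject, hits.Count)
                        For Each cert As X509Certificate2 In hits
                            line &= String.Format(" [thumbprint={0}, hasPrivateKey={1}, notAfter={2:u}]", _
                                                  cert.Thumbprint, cert.HasPrivateKey, cert.NotAfter)
                        Next
                        report.Add(line)
                    Next
                Catch ex As CryptographicException
                    ' Store missing or not readable by this account.
                    report.Add(String.Format("{0}/{1}: cannot open store ({2})", loc, name, ex.Message))
                Finally
                    store.Close()
                End Try
            Next
        Next
        Return report
    End Function
End Module
```

Call `Probe(New String() {"CN=WSE2QuickStartServer", "CN=WSE2QuickStartClient"})` from a page in the IIS virtual directory and again under the ASP.NET Development Server, then compare the two reports. `hasPrivateKey=True` only means a key is associated with the certificate; the account still needs read access to the key file before it can sign or decrypt with it.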