Re: security header is not present in the incoming message
- From: Dominick Baier [DevelopMentor] <dbaier@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Fri, 02 Dec 2005 08:00:38 -0800
Hello JackMadeja,
OK - you have to import the certificate in the store of the account running the service - I guess that's NETWORK SERVICE.
Look at the Security Hands on Lab for WSE3 - the steps are detailed there.
http://www.microsoft.com/downloads/details.aspx?familyid=9acd1f8e-97e2-43e2-b484-a74a014a8206&displaylang=en
--------------------------------------- Dominick Baier - DevelopMentor http://www.leastprivilege.com
Iisreset - I have tried it with no results. [Policy] and SetPolicy are called correctly - my service application works fine with server and client running under ASP.NET Development Server, but not with server in IIS. Similar problem appears when I run my client directly under IIS instead of under ASP.NET Development Server. In IIS 'mode' I get this policy error:
----- WSEservice 2 Exception --------
WSE2013: X509TokenProvider is unable to provide an X.509 token. There are no certificates in the certificate store that match the find value of 'CN=WSE2QuickStartServer'.
   at Microsoft.Web.Services3.Design.X509TokenProvider.CreateToken(StoreLocation location, StoreName storeName, String findValue, X509FindType findType)
   at Microsoft.Web.Services3.Design.X509TokenProvider.GetToken()
   at Microsoft.Web.Services3.Design.MutualCertificate11Assertion.ClientOutputFilter..ctor(MutualCertificate11Assertion assertion)
   at Microsoft.Web.Services3.Design.MutualCertificate11Assertion.CreateClientOutputFilter(FilterCreationContext context)
   at Microsoft.Web.Services3.Design.Policy.CreateClientPipeline(PipelineCreationContext context)
   at Microsoft.Web.Services3.WebServicesClientProtocol.SetPolicy(Policy policy)
   at Microsoft.Web.Services3.WebServicesClientProtocol.SetPolicy(String policyName)
   at _Default.Button1_Click(Object sender, EventArgs e) in S:\Security\WSEbasic\WSEbasic6\WebSite6\Default.aspx.vb:line 10
-------------------------------
Jack Madeja

"Dominick Baier [DevelopMentor]" wrote:
Hello JackMadeja,
from experience - a iisreset does help sometimes...
[Policy] and SetPolicy are called correctly on client/server ?
--------------------------------------- Dominick Baier - DevelopMentor http://www.leastprivilege.com

Security requirements are not satisfied because the security header is not present in the incoming message
I get this exception every time I run my service thru ordinary IIS instead of Default IIS in VS.NET Studio. My service is a simple 'Hello World' with certificate policy. My client is a simple ASP.NET Web Site with one button and textbox. I use Certificate Policy (mutualCertificate11Security) on both server and client. (I have tried this with anonymousForCertificateSecurity and got the same bad result.) Everything works fine if my service and web client are in the same solution and I run everything thru the VS.NET Studio built-in IIS. But if I create a virtual directory in my computer's IIS, run my service there, and change my web reference to this service, I get this exception:
WSE910: An error happened during the processing of a response message, and you can find the error in the inner exception. You can also find the response message in the Response property.
   at Microsoft.Web.Services3.Xml.SoapEnvelopeReaderWrapper..ctor(SoapClientMessage message, String messageContentType)
   at Microsoft.Web.Services3.WebServicesClientProtocol.GetReaderForMessage(SoapClientMessage message, Int32 bufferSize)
   at System.Web.Services.Protocols.SoapHttpClientProtocol.ReadResponse(SoapClientMessage message, WebResponse response, Stream responseStream, Boolean asyncCall)
   at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters)
   at localhost.ServiceWse.HelloWorld() in e:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\website10\b15bc141\c8235faa\App_WebReferences.qqc4zbev.0.cs:line 46
   at _Default.Button1_Click(Object sender, EventArgs e) in S:\Security\WSEbasic\WSEbasic10\WebSite10\Default.aspx.vb:line 11
--------------Inner Exception ----------------------------
Security requirements are not satisfied because the security header is not present in the incoming message.
   at Microsoft.Web.Services3.Security.SecureConversationClientReceiveSecurityFilter.ValidateMessageSecurity(SoapEnvelope envelope, Security security)
   at Microsoft.Web.Services3.Security.ReceiveSecurityFilter.ProcessMessage(SoapEnvelope envelope)
   at Microsoft.Web.Services3.Pipeline.ProcessInputMessage(SoapEnvelope envelope)
   at Microsoft.Web.Services3.Xml.SoapEnvelopeReaderWrapper..ctor(SoapClientMessage message, String messageContentType)

Here is my service code:
Imports System.Web
Imports System.Web.Services
Imports System.Web.Services.Protocols
Imports System.Security.Principal
Imports Microsoft.Web.Services3
Imports Microsoft.Web.Services3.Design

<WebService(Namespace:="http://tempuri.org/")> _
<WebServiceBinding(ConformsTo:=WsiProfiles.BasicProfile1_1)> _
<Global.Microsoft.VisualBasic.CompilerServices.DesignerGenerated()> _
<Policy("ServerCertPolicy")> _
Public Class xService
    Inherits System.Web.Services.WebService

    <WebMethod()> _
    Public Function HelloWorld() As String
        Return "Hello World from xWebService 5"
    End Function
End Class

My service web.config looks like that:
<?xml version="1.0" encoding="utf-8"?>
<configuration xmlns="http://schemas.microsoft.com/.NetConfiguration/v2.0">
  <configSections>
    <section name="microsoft.web.services3" type="Microsoft.Web.Services3.Configuration.WebServicesConfiguration, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
  </configSections>
  <appSettings />
  <connectionStrings />
  <system.web>
    <compilation debug="true" strict="false" explicit="true">
      <assemblies>
        <add assembly="Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" />
      </assemblies>
    </compilation>
    <pages>
      <namespaces>
        <clear />
        <add namespace="System" />
        <add namespace="System.Collections" />
        <add namespace="System.Collections.Specialized" />
        <add namespace="System.Configuration" />
        <add namespace="System.Text" />
        <add namespace="System.Text.RegularExpressions" />
        <add namespace="System.Web" />
        <add namespace="System.Web.Caching" />
        <add namespace="System.Web.SessionState" />
        <add namespace="System.Web.Security" />
        <add namespace="System.Web.Profile" />
        <add namespace="System.Web.UI" />
        <add namespace="System.Web.UI.WebControls" />
        <add namespace="System.Web.UI.WebControls.WebParts" />
        <add namespace="System.Web.UI.HtmlControls" />
      </namespaces>
    </pages>
    <webServices>
      <soapExtensionImporterTypes>
        <add type="Microsoft.Web.Services3.Description.WseExtensionImporter, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
      </soapExtensionImporterTypes>
      <soapServerProtocolFactory type="Microsoft.Web.Services3.WseProtocolFactory, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
    </webServices>
  </system.web>
  <microsoft.web.services3>
    <security>
      <x509 allowTestRoot="false" storeLocation="LocalMachine" />
    </security>
    <policy fileName="wse3policyCache.config" />
    <diagnostics>
      <trace enabled="true" input="logs\InputTrace.webinfo" output="logs\OutputTrace.webinfo" />
    </diagnostics>
  </microsoft.web.services3>
</configuration>

and my service policy looks like that:

<policies xmlns="http://schemas.microsoft.com/wse/2005/06/policy">
  <extensions>
    <extension name="mutualCertificate11Security" type="Microsoft.Web.Services3.Design.MutualCertificate11Assertion, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
    <extension name="x509" type="Microsoft.Web.Services3.Design.X509TokenProvider, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
    <extension name="requireActionHeader" type="Microsoft.Web.Services3.Design.RequireActionHeaderAssertion, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
  </extensions>
  <policy name="ServerCertPolicy">
    <mutualCertificate11Security establishSecurityContext="false" renewExpiredSecurityContext="true" requireSignatureConfirmation="true" messageProtectionOrder="SignBeforeEncrypt" requireDerivedKeys="true" ttlInSeconds="300">
      <serviceToken>
        <x509 storeLocation="LocalMachine" storeName="My" findValue="CN=WSE2QuickStartServer" findType="FindBySubjectDistinguishedName" />
      </serviceToken>
      <protection>
        <request signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true" />
        <response signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true" />
        <fault signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="false" />
      </protection>
    </mutualCertificate11Security>
    <requireActionHeader />
  </policy>
</policies>

My client looks like that:

<%@ Page Language="VB" AutoEventWireup="false" CodeFile="Default.aspx.vb" Inherits="_Default" %>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head runat="server">
  <title>WebSite11</title>
</head>
<body>
  <form id="form1" runat="server">
    <div>
      <asp:Button ID="Button1" runat="server" Text="WSEservice 2" Width="160px" /><asp:TextBox ID="TextBox1" runat="server" Height="440px" TextMode="MultiLine" Width="800px"></asp:TextBox>
    </div>
  </form>
</body>
</html>

and client code:
Imports Microsoft.VisualBasic.ControlChars

Partial Class _Default
    Inherits System.Web.UI.Page

    Protected Sub Button1_Click(ByVal sender As Object, ByVal e As System.EventArgs) Handles Button1.Click
        Try
            TextBox1.Text = String.Empty
            Dim proxy As New localhost.ServiceWse
            proxy.SetPolicy("ClientCertPolicy")
            TextBox1.Text = proxy.HelloWorld
        Catch ex As Exception
            Dim strMsg As String = ex.Message & CrLf & CrLf & ex.StackTrace
            Dim exIn As Exception = ex
            Do
                exIn = exIn.InnerException
                If Not exIn Is Nothing Then
                    strMsg += CrLf & "--------------Inner Exception ----------------------------" & CrLf
                    strMsg += exIn.Message & CrLf & CrLf & exIn.StackTrace
                Else
                    Exit Do
                End If
            Loop
            TextBox1.Text = "----- WSEservice 2 Exception --------" & CrLf & strMsg
        End Try
    End Sub
End Class

with client policy like this:

<policies xmlns="http://schemas.microsoft.com/wse/2005/06/policy">
  <extensions>
    <extension name="mutualCertificate11Security" type="Microsoft.Web.Services3.Design.MutualCertificate11Assertion, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
    <extension name="x509" type="Microsoft.Web.Services3.Design.X509TokenProvider, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
    <extension name="requireActionHeader" type="Microsoft.Web.Services3.Design.RequireActionHeaderAssertion, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
  </extensions>
  <policy name="ClientCertPolicy">
    <mutualCertificate11Security establishSecurityContext="false" renewExpiredSecurityContext="true" requireSignatureConfirmation="true" messageProtectionOrder="SignBeforeEncrypt" requireDerivedKeys="true" ttlInSeconds="300">
      <clientToken>
        <x509 storeLocation="CurrentUser" storeName="My" findValue="CN=WSE2QuickStartClient" findType="FindBySubjectDistinguishedName" />
      </clientToken>
      <serviceToken>
        <x509 storeLocation="CurrentUser" storeName="AddressBook" findValue="CN=WSE2QuickStartServer" findType="FindBySubjectDistinguishedName" />
      </serviceToken>
      <protection>
        <request signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true" />
        <response signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true" />
        <fault signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="false" />
      </protection>
    </mutualCertificate11Security>
    <requireActionHeader />
  </policy>
</policies>

Authentication methods in IIS "Anonymous access" are on and
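
The client policy quoted in this thread looks up both certificates in the CurrentUser store, which is kept per account, so the lookup depends on which account hosts the page making the call. As an added example (not part of the original thread and not WSE code), this Python script lists the x509 token references in a WSE 3.0 policy document and flags the ones bound to CurrentUser; the function names and the trimmed sample policy are constructed for illustration.

```python
import xml.etree.ElementTree as ET

WSE_POLICY_NS = "http://schemas.microsoft.com/wse/2005/06/policy"

# Constructed sample: a trimmed copy of the client policy quoted in the thread.
SAMPLE_CLIENT_POLICY = """\
<policies xmlns="http://schemas.microsoft.com/wse/2005/06/policy">
  <policy name="ClientCertPolicy">
    <mutualCertificate11Security establishSecurityContext="false">
      <clientToken>
        <x509 storeLocation="CurrentUser" storeName="My"
              findValue="CN=WSE2QuickStartClient"
              findType="FindBySubjectDistinguishedName" />
      </clientToken>
      <serviceToken>
        <x509 storeLocation="CurrentUser" storeName="AddressBook"
              findValue="CN=WSE2QuickStartServer"
              findType="FindBySubjectDistinguishedName" />
      </serviceToken>
    </mutualCertificate11Security>
  </policy>
</policies>
"""

def audit_policy(policy_xml):
    """Return one finding per x509 token reference in a WSE 3.0 policy document."""
    ns = {"p": WSE_POLICY_NS}
    root = ET.fromstring(policy_xml)
    findings = []
    for policy in root.findall("p:policy", ns):
        for assertion in policy:  # e.g. mutualCertificate11Security
            for role in ("clientToken", "serviceToken"):
                for x509 in assertion.findall(f"p:{role}/p:x509", ns):
                    location = x509.get("storeLocation", "")
                    findings.append({
                        "policy": policy.get("name"),
                        "role": role,
                        "store": f'{location}/{x509.get("storeName")}',
                        "findValue": x509.get("findValue"),
                        # CurrentUser is resolved per account, so the lookup
                        # changes when the hosting process identity changes.
                        "identity_dependent": location == "CurrentUser",
                    })
    return findings

def identity_dependent(findings):
    """Keep only the references whose store depends on the process account."""
    return [f for f in findings if f["identity_dependent"]]

if __name__ == "__main__":
    for f in audit_policy(SAMPLE_CLIENT_POLICY):
        flag = "CHECK" if f["identity_dependent"] else "ok"
        print(f'{flag:5} {f["policy"]} {f["role"]:12} {f["store"]:24} {f["findValue"]}')
```

Each flagged reference names a store that has to contain the certificate for the account the site actually runs under.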