Re: security header is not present in the incoming message



Hi Dominick. Thank you for your answers. I did import all certificates
according to the instructions in those documents. One certificate “Client
Private.pfx” to Certificates – Current User, Personal, Certificates. One
certificate “Server Private.pfx” to Certificates – Current User, Other
People, Certificates and the third one “Server Public.cer” to Certificates
(Local Computer), Personal, Certificates.
I really don’t know any other stores. I have tried to load “Server
Public.cer” in other stores (Service accounts for different ASP.NET services)
but without any luck. Still, as far as I know “My user account” should be
used for both pfx-files and “Computer Account” for this public cer-file. And
this goes for services run in IIS and in ASP.NET Development Server. As of now
they work fine in ASP.NET Development, but not in IIS. Could you please
explain to me any other way to install those certificates to make my service
work under real IIS?


"Dominick Baier [DevelopMentor]" wrote:

> Hello JackMadeja,
>
> OK - you have to import the certificate in the store of the account running
> the service - I guess that's NETWORK SERVICE
>
> Look at the Security Hands on Lab for WSE3 - the steps are detailed there.
>
> http://www.microsoft.com/downloads/details.aspx?familyid=9acd1f8e-97e2-43e2-b484-a74a014a8206&displaylang=en
>
> ---------------------------------------
> Dominick Baier - DevelopMentor
> http://www.leastprivilege.com
>
> > Iisreset - I have tried it with no results. [Policy] and SetPolicy are
> > called correctly - my service application works fine with server and
> > client running under ASP.NET Development Server, but not with server
> > in IIS. Similar problem appears when I run my client directly under
> > IIS instead of under ASP.NET Development Server. In IIS 'mode' I get
> > this policy error:
> >
> > ----- WSEservice 2 Exception --------
> > WSE2013: X509TokenProvider is unable to provide an X.509 token. There
> > are no certificates in the certificate store that match the find value of
> > 'CN=WSE2QuickStartServer'.
> >    at Microsoft.Web.Services3.Design.X509TokenProvider.CreateToken(StoreLocation location, StoreName storeName, String findValue, X509FindType findType)
> >    at Microsoft.Web.Services3.Design.X509TokenProvider.GetToken()
> >    at Microsoft.Web.Services3.Design.MutualCertificate11Assertion.ClientOutputFilter..ctor(MutualCertificate11Assertion assertion)
> >    at Microsoft.Web.Services3.Design.MutualCertificate11Assertion.CreateClientOutputFilter(FilterCreationContext context)
> >    at Microsoft.Web.Services3.Design.Policy.CreateClientPipeline(PipelineCreationContext context)
> >    at Microsoft.Web.Services3.WebServicesClientProtocol.SetPolicy(Policy policy)
> >    at Microsoft.Web.Services3.WebServicesClientProtocol.SetPolicy(String policyName)
> >    at _Default.Button1_Click(Object sender, EventArgs e) in S:\Security\WSEbasic\WSEbasic6\WebSite6\Default.aspx.vb:line 10
> > -------------------------------
> > Jack Madeja
> > "Dominick Baier [DevelopMentor]" wrote:
> >
> >> Hello JackMadeja,
> >>
> >> from experience - an iisreset does help sometimes...
> >>
> >> [Policy] and SetPolicy are called correctly on client/server ?
> >>
> >> ---------------------------------------
> >> Dominick Baier - DevelopMentor
> >> http://www.leastprivilege.com
> >>> Security requirements are not satisfied because the security header
> >>> is not present in the incoming message
> >>>
> >>> I get this exception every time I run my service thru ordinary IIS
> >>> instead of Default IIS in VS.NET Studio. My service is a simple
> >>> 'Hello World' with certificate policy. My client is a simple ASP.NET
> >>> Web Site with one button and textbox. I use Certificate Policy
> >>> (mutualCertificate11Security) on both server and client. (I have
> >>> tried this with anonymousForCertificateSecurity and got the same bad
> >>> result). Everything works fine if my service and webclient are in the
> >>> same solution and I run everything thru VS.NET Studio's built-in IIS.
> >>> But if I create a virtual directory in my computer's IIS, run my
> >>> service there, change my web reference to this service I get this
> >>> exception:
> >>>
> >>> WSE910: An error happened during the processing of a response
> >>> message, and you can find the error in the inner exception. You can
> >>> also find the response message in the Response property.
> >>>
> >>>    at Microsoft.Web.Services3.Xml.SoapEnvelopeReaderWrapper..ctor(SoapClientMessage message, String messageContentType)
> >>>    at Microsoft.Web.Services3.WebServicesClientProtocol.GetReaderForMessage(SoapClientMessage message, Int32 bufferSize)
> >>>    at System.Web.Services.Protocols.SoapHttpClientProtocol.ReadResponse(SoapClientMessage message, WebResponse response, Stream responseStream, Boolean asyncCall)
> >>>    at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters)
> >>>    at localhost.ServiceWse.HelloWorld() in e:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\website10\b15bc141\c8235faa\App_WebReferences.qqc4zbev.0.cs:line 46
> >>>    at _Default.Button1_Click(Object sender, EventArgs e) in S:\Security\WSEbasic\WSEbasic10\WebSite10\Default.aspx.vb:line 11
> >>> --------------Inner Exception ----------------------------
> >>> Security requirements are not satisfied because the security header
> >>> is not present in the incoming message.
> >>>    at Microsoft.Web.Services3.Security.SecureConversationClientReceiveSecurityFilter.ValidateMessageSecurity(SoapEnvelope envelope, Security security)
> >>>    at Microsoft.Web.Services3.Security.ReceiveSecurityFilter.ProcessMessage(SoapEnvelope envelope)
> >>>    at Microsoft.Web.Services3.Pipeline.ProcessInputMessage(SoapEnvelope envelope)
> >>>    at Microsoft.Web.Services3.Xml.SoapEnvelopeReaderWrapper..ctor(SoapClientMessage message, String messageContentType)
> >>>
> >>> Here is my service code:
> >>>
> >>> Imports System.Web
> >>> Imports System.Web.Services
> >>> Imports System.Web.Services.Protocols
> >>> Imports System.Security.Principal
> >>> Imports Microsoft.Web.Services3
> >>> Imports Microsoft.Web.Services3.Design
> >>>
> >>> <WebService(Namespace:="http://tempuri.org/")> _
> >>> <WebServiceBinding(ConformsTo:=WsiProfiles.BasicProfile1_1)> _
> >>> <Global.Microsoft.VisualBasic.CompilerServices.DesignerGenerated()> _
> >>> <Policy("ServerCertPolicy")> _
> >>> Public Class xService
> >>>     Inherits System.Web.Services.WebService
> >>>
> >>>     <WebMethod()> _
> >>>     Public Function HelloWorld() As String
> >>>         Return "Hello World from xWebService 5"
> >>>     End Function
> >>> End Class
> >>>
> >>> My service web.config looks like that:
> >>>
> >>> <?xml version="1.0" encoding="utf-8"?>
> >>> <configuration xmlns="http://schemas.microsoft.com/.NetConfiguration/v2.0">
> >>>   <configSections>
> >>>     <section name="microsoft.web.services3"
> >>>              type="Microsoft.Web.Services3.Configuration.WebServicesConfiguration, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
> >>>   </configSections>
> >>>   <appSettings />
> >>>   <connectionStrings />
> >>>   <system.web>
> >>>     <compilation debug="true" strict="false" explicit="true">
> >>>       <assemblies>
> >>>         <add assembly="Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" />
> >>>       </assemblies>
> >>>     </compilation>
> >>>     <pages>
> >>>       <namespaces>
> >>>         <clear />
> >>>         <add namespace="System" />
> >>>         <add namespace="System.Collections" />
> >>>         <add namespace="System.Collections.Specialized" />
> >>>         <add namespace="System.Configuration" />
> >>>         <add namespace="System.Text" />
> >>>         <add namespace="System.Text.RegularExpressions" />
> >>>         <add namespace="System.Web" />
> >>>         <add namespace="System.Web.Caching" />
> >>>         <add namespace="System.Web.SessionState" />
> >>>         <add namespace="System.Web.Security" />
> >>>         <add namespace="System.Web.Profile" />
> >>>         <add namespace="System.Web.UI" />
> >>>         <add namespace="System.Web.UI.WebControls" />
> >>>         <add namespace="System.Web.UI.WebControls.WebParts" />
> >>>         <add namespace="System.Web.UI.HtmlControls" />
> >>>       </namespaces>
> >>>     </pages>
> >>>     <webServices>
> >>>       <soapExtensionImporterTypes>
> >>>         <add type="Microsoft.Web.Services3.Description.WseExtensionImporter, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
> >>>       </soapExtensionImporterTypes>
> >>>       <soapServerProtocolFactory type="Microsoft.Web.Services3.WseProtocolFactory, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
> >>>     </webServices>
> >>>   </system.web>
> >>>   <microsoft.web.services3>
> >>>     <security>
> >>>       <x509 allowTestRoot="false" storeLocation="LocalMachine" />
> >>>     </security>
> >>>     <policy fileName="wse3policyCache.config" />
> >>>     <diagnostics>
> >>>       <trace enabled="true" input="logs\InputTrace.webinfo" output="logs\OutputTrace.webinfo" />
> >>>     </diagnostics>
> >>>   </microsoft.web.services3>
> >>> </configuration>
> >>>
> >>> . and my service policy looks like that:
> >>> <policies xmlns="http://schemas.microsoft.com/wse/2005/06/policy">
> >>>   <extensions>
> >>>     <extension name="mutualCertificate11Security"
> >>>                type="Microsoft.Web.Services3.Design.MutualCertificate11Assertion, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
> >>>     <extension name="x509"
> >>>                type="Microsoft.Web.Services3.Design.X509TokenProvider, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
> >>>     <extension name="requireActionHeader"
> >>>                type="Microsoft.Web.Services3.Design.RequireActionHeaderAssertion, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
> >>>   </extensions>
> >>>   <policy name="ServerCertPolicy">
> >>>     <mutualCertificate11Security establishSecurityContext="false"
> >>>                                  renewExpiredSecurityContext="true"
> >>>                                  requireSignatureConfirmation="true"
> >>>                                  messageProtectionOrder="SignBeforeEncrypt"
> >>>                                  requireDerivedKeys="true"
> >>>                                  ttlInSeconds="300">
> >>>       <serviceToken>
> >>>         <x509 storeLocation="LocalMachine" storeName="My"
> >>>               findValue="CN=WSE2QuickStartServer"
> >>>               findType="FindBySubjectDistinguishedName" />
> >>>       </serviceToken>
> >>>       <protection>
> >>>         <request signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true" />
> >>>         <response signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true" />
> >>>         <fault signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="false" />
> >>>       </protection>
> >>>     </mutualCertificate11Security>
> >>>     <requireActionHeader />
> >>>   </policy>
> >>> </policies>
> >>>
> >>> My client looks like that:
> >>> <%@ Page Language="VB" AutoEventWireup="false" CodeFile="Default.aspx.vb" Inherits="_Default" %>
> >>> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
> >>>     "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
> >>>
> >>> <html xmlns="http://www.w3.org/1999/xhtml">
> >>> <head runat="server">
> >>>   <title>WebSite11</title>
> >>> </head>
> >>> <body>
> >>>   <form id="form1" runat="server">
> >>>     <div>
> >>>       <asp:Button ID="Button1" runat="server" Text="WSEservice 2" Width="160px" />
> >>>       <asp:TextBox ID="TextBox1" runat="server" Height="440px" TextMode="MultiLine" Width="800px"></asp:TextBox>
> >>>     </div>
> >>>   </form>
> >>> </body>
> >>> </html>
> >>>
> >>> . and client code:
> >>>
> >>> Imports Microsoft.VisualBasic.ControlChars
> >>>
> >>> Partial Class _Default
> >>>     Inherits System.Web.UI.Page
> >>>
> >>>     Protected Sub Button1_Click(ByVal sender As Object, ByVal e As System.EventArgs) Handles Button1.Click
> >>>         Try
> >>>             TextBox1.Text = String.Empty
> >>>             Dim proxy As New localhost.ServiceWse
> >>>             proxy.SetPolicy("ClientCertPolicy")
> >>>             TextBox1.Text = proxy.HelloWorld
> >>>         Catch ex As Exception
> >>>             Dim strMsg As String = ex.Message & CrLf & CrLf & ex.StackTrace
> >>>             Dim exIn As Exception = ex
> >>>             Do
> >>>                 exIn = exIn.InnerException
> >>>                 If Not exIn Is Nothing Then
> >>>                     strMsg += CrLf & "--------------Inner Exception ----------------------------" & CrLf
> >>>                     strMsg += exIn.Message & CrLf & CrLf & exIn.StackTrace
> >>>                 Else
.
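
An added diagnostic example, not part of the original thread: a PowerShell check to run on the IIS machine that lists which certificate stores hold a certificate with the subject from the WSE2013 error, and whether the service account has an explicit read entry on a machine-level private key file. The account name is the guess made in the thread; the MachineKeys path (Windows Vista and later) and a CSP-based private key are assumptions.

```powershell
# Added diagnostic sketch, not code from the thread.
$subject = 'CN=WSE2QuickStartServer'        # findValue quoted in the WSE2013 error
$account = 'NT AUTHORITY\NETWORK SERVICE'   # identity guessed in the thread; adjust to your worker process
# Assumption: default folder for machine-level RSA key files on Windows Vista and later.
$machineKeys = Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys'
$read = [System.Security.AccessControl.FileSystemRights]::Read

# CurrentUser resolves to the store of whoever runs this script, not the service account's store.
$report = foreach ($location in 'LocalMachine', 'CurrentUser') {
    foreach ($name in 'My', 'AddressBook') {   # "Personal" and "Other People" in the MMC snap-in
        $store = New-Object System.Security.Cryptography.X509Certificates.X509Store($name, $location)
        $store.Open('ReadOnly')
        try {
            # $false: do not restrict the search to certificates that pass chain validation
            foreach ($cert in $store.Certificates.Find('FindBySubjectDistinguishedName', $subject, $false)) {
                $keyReadable = 'n/a'
                if ($cert.HasPrivateKey -and $location -eq 'LocalMachine') {
                    try {
                        $container = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
                        if (-not $container) { throw 'private key is not CSP-based' }
                        $acl = Get-Acl -Path (Join-Path $machineKeys $container) -ErrorAction Stop
                        # Explicit Allow entries for the account only; group membership is not resolved.
                        $keyReadable = [bool]($acl.Access | Where-Object {
                            $_.IdentityReference.Value -eq $account -and
                            $_.AccessControlType -eq 'Allow' -and
                            ($_.FileSystemRights -band $read) -eq $read
                        })
                    } catch {
                        $keyReadable = "unknown: $($_.Exception.Message)"
                    }
                }
                [pscustomobject]@{
                    Store                = "$location\$name"
                    Thumbprint           = $cert.Thumbprint
                    HasPrivateKey        = $cert.HasPrivateKey
                    KeyReadableByAccount = $keyReadable
                }
            }
        } finally { $store.Close() }
    }
}
if ($report) { $report | Format-Table -AutoSize } else { "No certificate with subject '$subject' found." }
```

A row for `LocalMachine\My` with `HasPrivateKey` true and `KeyReadableByAccount` true is what a policy with `storeLocation="LocalMachine" storeName="My"` needs when the service must use the private key; a certificate that appears only under `CurrentUser` is visible to the interactive user but not to a different service identity.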