Re: security header is not present in the incoming message



Hello JackMadeja,

this document also mentions that you have to set the right ACLs for the worker process account - they use the X509Certificate tool that ships with WSE

the account (most probably NETWORK SERVICE) needs read access to the private key file.


---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com
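
The three things this thread keeps circling (is the certificate in LocalMachine\My, does it carry a private key, and can the worker process account read the key file) can be checked in one pass. The following is an added diagnostic, not code from the thread or from WSE. It assumes Windows PowerShell on the IIS host, a CryptoAPI (CSP) RSA key, and NETWORK SERVICE as the worker process identity; the function name is hypothetical.

```powershell
# Added diagnostic (not from the thread). Run elevated in Windows PowerShell on the IIS host.
# Assumes a CryptoAPI (CSP) RSA key and a worker process running as NETWORK SERVICE.
function Test-WseServiceCertificate {
    param(
        [string]$Subject = 'CN=WSE2QuickStartServer',        # findValue in ServerCertPolicy
        [string]$Account = 'NT AUTHORITY\NETWORK SERVICE'    # assumed worker process identity
    )
    $read  = [int][System.Security.AccessControl.FileSystemRights]::Read
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
    $store.Open('ReadOnly')
    try {
        # validOnly = $false: list the certificate even if its chain is not trusted
        $found = $store.Certificates.Find('FindBySubjectDistinguishedName', $Subject, $false)
        if ($found.Count -eq 0) {
            Write-Warning "No '$Subject' in LocalMachine\My: the condition WSE2013 reports."
            return
        }
        foreach ($cert in $found) {
            $keyFile = $null
            $canRead = $false
            if ($cert.HasPrivateKey) {
                # The CSP container name is the file name under ...\Crypto\RSA\MachineKeys
                $name    = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
                $appData = [Environment]::GetFolderPath('CommonApplicationData')
                $keyFile = Join-Path $appData "Microsoft\Crypto\RSA\MachineKeys\$name"
                if (Test-Path $keyFile) {
                    # Explicit allow ACEs only; access granted through a group is not resolved
                    $aces = (Get-Acl $keyFile).Access | Where-Object {
                        $_.IdentityReference.Value -eq $Account -and
                        $_.AccessControlType -eq 'Allow' -and
                        (([int]$_.FileSystemRights) -band $read) -eq $read
                    }
                    $canRead = [bool]$aces
                }
            }
            [pscustomobject]@{
                Thumbprint     = $cert.Thumbprint
                HasPrivateKey  = $cert.HasPrivateKey
                KeyFile        = $keyFile
                AccountCanRead = $canRead
            }
        }
    }
    finally { $store.Close() }
}

Test-WseServiceCertificate | Format-List
```

A row with HasPrivateKey = False means only the public .cer is in the machine store; AccountCanRead = False with a KeyFile path means the ACL on that file still needs read access for the account.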

Hi Dominick. Thank you for your answers. I did import all certificates
according to instruction in those documents. One certificate "Client
Private.pfx" to Certificates - Current User,  Personal, Certificates.
One certificate "Server Private.pfx" to Certificates - Current User,
Other People, Certificates and the third one "Server Public.cer" to
Certificates (Local Computer), Personal, Certificates. I really don't
know any other stores. I have tried to load "Server Public.cer" in
other stores (Service accounts for different ASP.NET services) but
without any luck. Still, as far as I know "My user account" should be
used for both pfx-files and "Computer Account" for this public
cer-file. And this goes for services run in IIS and in ASP.NET
Development Server. As now they work fine in ASP.NET Development, but
not in IIS. Could you please explain to me any other way to install
those certificates to make my service work under real IIS?

"Dominick Baier [DevelopMentor]" wrote:

Hello JackMadeja,

ok - you have to import the certificate in the store of the account
running the service - I guess that's NETWORK SERVICE

Look at the Security Hands on Lab for WSE3 - the steps are detailed
there.

http://www.microsoft.com/downloads/details.aspx?familyid=9acd1f8e-97e2-43e2-b484-a74a014a8206&displaylang=en

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com
Iisreset - I have tried it with no results. [Policy] and SetPolicy
are called correctly - my service application works fine with server
and client running under ASP.NET Development Server, but not with
server in IIS. Similar problem appears when I run my client directly
under IIS instead of under ASP.NET Development Server. In IIS 'mode'
I get this policy error:

----- WSEservice 2 Exception --------
WSE2013: X509TokenProvider is unable to provide an X.509 token. There are no certificates in the certificate store that match the find value of 'CN=WSE2QuickStartServer'.
at Microsoft.Web.Services3.Design.X509TokenProvider.CreateToken(StoreLocation location, StoreName storeName, String findValue, X509FindType findType)
at Microsoft.Web.Services3.Design.X509TokenProvider.GetToken()
at Microsoft.Web.Services3.Design.MutualCertificate11Assertion.ClientOutputFilter..ctor(MutualCertificate11Assertion assertion)
at Microsoft.Web.Services3.Design.MutualCertificate11Assertion.CreateClientOutputFilter(FilterCreationContext context)
at Microsoft.Web.Services3.Design.Policy.CreateClientPipeline(PipelineCreationContext context)
at Microsoft.Web.Services3.WebServicesClientProtocol.SetPolicy(Policy policy)
at Microsoft.Web.Services3.WebServicesClientProtocol.SetPolicy(String policyName)
at _Default.Button1_Click(Object sender, EventArgs e) in S:\Security\WSEbasic\WSEbasic6\WebSite6\Default.aspx.vb:line 10
-------------------------------
Jack Madeja
"Dominick Baier [DevelopMentor]" wrote:
Hello JackMadeja,

from experience - an iisreset does help sometimes...

[Policy] and SetPolicy are called correctly on client/server ?

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com
Security requirements are not satisfied because the security
header is not present in the incoming message

I get this exception every time I run my service thru ordinary IIS
instead of Default IIS in VS.NET Studio. My service is a simple
'Hello World' with certificate policy. My client is a simple ASP.NET
Web Site with one button and textbox. I use Certificate Policy
(mutualCertificate11Security) on both server and client. (I have
tried this with anonymousForCertificateSecurity and got the same bad
result). Everything works fine if my service and webclient are in the
same solution and I run everything thru VS.NET studio built-in
IIS. But if I create a virtual directory in my computer IIS, run
my service there, change my web reference to this service I get
this exception:

WSE910: An error happened during the processing of a response
message, and you can find the error in the inner exception.  You
can also find the response message in the Response property.

at Microsoft.Web.Services3.Xml.SoapEnvelopeReaderWrapper..ctor(SoapClientMessage message, String messageContentType)
at Microsoft.Web.Services3.WebServicesClientProtocol.GetReaderForMessage(SoapClientMessage message, Int32 bufferSize)
at System.Web.Services.Protocols.SoapHttpClientProtocol.ReadResponse(SoapClientMessage message, WebResponse response, Stream responseStream, Boolean asyncCall)
at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters)
at localhost.ServiceWse.HelloWorld() in e:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\website10\b15bc141\c8235faa\App_WebReferences.qqc4zbev.0.cs:line 46
at _Default.Button1_Click(Object sender, EventArgs e) in S:\Security\WSEbasic\WSEbasic10\WebSite10\Default.aspx.vb:line 11
--------------Inner Exception ----------------------------
Security requirements are not satisfied because the security header is not present in the incoming message.
at Microsoft.Web.Services3.Security.SecureConversationClientReceiveSecurityFilter.ValidateMessageSecurity(SoapEnvelope envelope, Security security)
at Microsoft.Web.Services3.Security.ReceiveSecurityFilter.ProcessMessage(SoapEnvelope envelope)
at Microsoft.Web.Services3.Pipeline.ProcessInputMessage(SoapEnvelope envelope)
at Microsoft.Web.Services3.Xml.SoapEnvelopeReaderWrapper..ctor(SoapClientMessage message, String messageContentType)

Here is my service code:

    Imports System.Web
    Imports System.Web.Services
    Imports System.Web.Services.Protocols
    Imports System.Security.Principal
    Imports Microsoft.Web.Services3
    Imports Microsoft.Web.Services3.Design

    <WebService(Namespace:="http://tempuri.org/")> _
    <WebServiceBinding(ConformsTo:=WsiProfiles.BasicProfile1_1)> _
    <Global.Microsoft.VisualBasic.CompilerServices.DesignerGenerated()> _
    <Policy("ServerCertPolicy")> _
    Public Class xService
        Inherits System.Web.Services.WebService

        <WebMethod()> _
        Public Function HelloWorld() As String
            Return "Hello World from xWebService 5"
        End Function
    End Class

My service web.config looks like that:

    <?xml version="1.0" encoding="utf-8"?>
    <configuration xmlns="http://schemas.microsoft.com/.NetConfiguration/v2.0">
      <configSections>
        <section name="microsoft.web.services3"
                 type="Microsoft.Web.Services3.Configuration.WebServicesConfiguration, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
      </configSections>
      <appSettings />
      <connectionStrings />
      <system.web>
        <compilation debug="true" strict="false" explicit="true">
          <assemblies>
            <add assembly="Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" />
          </assemblies>
        </compilation>
        <pages>
          <namespaces>
            <clear />
            <add namespace="System" />
            <add namespace="System.Collections" />
            <add namespace="System.Collections.Specialized" />
            <add namespace="System.Configuration" />
            <add namespace="System.Text" />
            <add namespace="System.Text.RegularExpressions" />
            <add namespace="System.Web" />
            <add namespace="System.Web.Caching" />
            <add namespace="System.Web.SessionState" />
            <add namespace="System.Web.Security" />
            <add namespace="System.Web.Profile" />
            <add namespace="System.Web.UI" />
            <add namespace="System.Web.UI.WebControls" />
            <add namespace="System.Web.UI.WebControls.WebParts" />
            <add namespace="System.Web.UI.HtmlControls" />
          </namespaces>
        </pages>
        <webServices>
          <soapExtensionImporterTypes>
            <add type="Microsoft.Web.Services3.Description.WseExtensionImporter, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
          </soapExtensionImporterTypes>
          <soapServerProtocolFactory type="Microsoft.Web.Services3.WseProtocolFactory, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
        </webServices>
      </system.web>
      <microsoft.web.services3>
        <security>
          <x509 allowTestRoot="false" storeLocation="LocalMachine" />
        </security>
        <policy fileName="wse3policyCache.config" />
        <diagnostics>
          <trace enabled="true" input="logs\InputTrace.webinfo"
                 output="logs\OutputTrace.webinfo" />
        </diagnostics>
      </microsoft.web.services3>
    </configuration>

and my service policy looks like that:

    <policies xmlns="http://schemas.microsoft.com/wse/2005/06/policy">
      <extensions>
        <extension name="mutualCertificate11Security"
                   type="Microsoft.Web.Services3.Design.MutualCertificate11Assertion, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
        <extension name="x509"
                   type="Microsoft.Web.Services3.Design.X509TokenProvider, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
        <extension name="requireActionHeader"
                   type="Microsoft.Web.Services3.Design.RequireActionHeaderAssertion, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
      </extensions>
      <policy name="ServerCertPolicy">
        <mutualCertificate11Security establishSecurityContext="false"
                                     renewExpiredSecurityContext="true"
                                     requireSignatureConfirmation="true"
                                     messageProtectionOrder="SignBeforeEncrypt"
                                     requireDerivedKeys="true"
                                     ttlInSeconds="300">
          <serviceToken>
            <x509 storeLocation="LocalMachine" storeName="My"
                  findValue="CN=WSE2QuickStartServer"
                  findType="FindBySubjectDistinguishedName" />
          </serviceToken>
          <protection>
            <request signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true" />
            <response signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true" />
            <fault signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="false" />
          </protection>
        </mutualCertificate11Security>
        <requireActionHeader />
      </policy>
    </policies>

My client looks like that:

    <%@ Page Language="VB" AutoEventWireup="false" CodeFile="Default.aspx.vb" Inherits="_Default" %>
    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
        "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml">
    <head runat="server">
      <title>WebSite11</title>
    </head>
    <body>
      <form id="form1" runat="server">
        <div>
          <asp:Button ID="Button1" runat="server" Text="WSEservice 2" Width="160px" />
          <asp:TextBox ID="TextBox1" runat="server" Height="440px" TextMode="MultiLine" Width="800px"></asp:TextBox>
        </div>
      </form>
    </body>
    </html>

and client code:

    Imports Microsoft.VisualBasic.ControlChars

    Partial Class _Default
        Inherits System.Web.UI.Page

        Protected Sub Button1_Click(ByVal sender As Object, ByVal e As System.EventArgs) Handles Button1.Click
            Try
                TextBox1.Text = String.Empty
                Dim proxy As New localhost.ServiceWse
                proxy.SetPolicy("ClientCertPolicy")
                TextBox1.Text = proxy.HelloWorld
            Catch ex As Exception
                Dim strMsg As String = ex.Message & CrLf & CrLf & ex.StackTrace
                Dim exIn As Exception = ex
                Do
                    exIn = exIn.InnerException
                    If Not exIn Is Nothing Then
                        strMsg += CrLf & "--------------Inner Exception ----------------------------" & CrLf
                        strMsg += exIn.Message & CrLf & CrLf & exIn.StackTrace
                    Else


.