Re: security header is not present in the incoming message



Hello Dominick.
Thank you for your help! I managed to give ASPNET access to the private key file
with the WseCertificate3.exe tool. After this change I still couldn't run my
service, but when I recreated my policy it all works fine (even though my
wse3policyCache.config file looked exactly the same as before; strange, I
thought that all policy setups were in those files). I still have one
problem. All that works if I run my ASP.NET client on the ASP.NET Development
Server. But if I change this client to run in IIS (custom server) I get this
exception.

----- WSEservice 2 Exception --------
WSE2013: X509TokenProvider is unable to provide an X.509 token. There are no
certificates in the certificate store that match the find value of
'CN=WSE2QuickStartServer'.

at Microsoft.Web.Services3.Design.X509TokenProvider.CreateToken(StoreLocation location, StoreName storeName, String findValue, X509FindType findType)
at Microsoft.Web.Services3.Design.X509TokenProvider.GetToken()
at Microsoft.Web.Services3.Design.MutualCertificate11Assertion.ClientOutputFilter..ctor(MutualCertificate11Assertion assertion)
at Microsoft.Web.Services3.Design.MutualCertificate11Assertion.CreateClientOutputFilter(FilterCreationContext context)
at Microsoft.Web.Services3.Design.Policy.CreateClientPipeline(PipelineCreationContext context)
at Microsoft.Web.Services3.WebServicesClientProtocol.SetPolicy(Policy policy)
at Microsoft.Web.Services3.WebServicesClientProtocol.SetPolicy(String policyName)
at _Default.Button1_Click(Object sender, EventArgs e) in S:\Security\WSEbasic\WSEbasic8\WebSite8\Default.aspx.vb:line 10


Is there anything more I can do to make this work completely on IIS? By the way – I
use WinXP 32 and IIS 5.0.


"Dominick Baier [DevelopMentor]" wrote:

> Hello JackMadeja,
>
> this document also mentions that you have to set the right ACLs for the worker
> process account - they use the X509Certificate tool that ships with WSE
>
> the account (most probably NETWORK SERVICE) needs read access to the private
> key file.
>
>
> ---------------------------------------
> Dominick Baier - DevelopMentor
> http://www.leastprivilege.com
>
> > Hi Dominic. Thank you for your answers. I did import all certificates
> > according to the instructions in those documents. One certificate "Client
> > Private.pfx" to Certificates - Current User, Personal, Certificates.
> > One certificate "Server Private.pfx" to Certificates - Current User,
> > Other People, Certificates and the third one "Server Public.cer" to
> > Certificates (Local Computer), Personal, Certificates. I really don't
> > know any other stores. I have tried to load "Server Public.cer" in
> > other stores (Service accounts for different ASP.NET services) but
> > without any luck. Still, as far as I know "My user account" should be
> > used for both pfx-files and "Computer Account" for this public
> > cer-file. And this goes for services run in IIS and in the ASP.NET
> > Development Server. For now they work fine in the ASP.NET Development
> > Server, but not in IIS. Could you please explain to me any other way to
> > install those certificates to make my service work under real IIS?
> >
> > "Dominick Baier [DevelopMentor]" wrote:
> >
> >> Hello JackMadeja,
> >>
> >> ok - you have to import the certificate in the store of the account
> >> running the service - I guess that's NETWORK SERVICE
> >>
> >> Look at the Security Hands on Lab for WSE3 - the steps are detailed
> >> there.
> >>
> >> http://www.microsoft.com/downloads/details.aspx?familyid=9acd1f8e-97e2-43e2-b484-a74a014a8206&displaylang=en
> >>
> >> ---------------------------------------
> >> Dominick Baier - DevelopMentor
> >> http://www.leastprivilege.com
> >>> Iisreset - I have tried it with no results. [Policy] and SetPolicy
> >>> are called correctly - my service application works fine with server
> >>> and client running under ASP.NET Development Server, but not with
> >>> server in IIS. Similar problem appears when I run my client directly
> >>> under IIS instead of under ASP.NET Development Server. In IIS 'mode'
> >>> I get this policy error:
> >>>
> >>> ----- WSEservice 2 Exception --------
> >>> WSE2013: X509TokenProvider is unable to provide an X.509 token.
> >>> There are no certificates in the certificate store that match the
> >>> find value of 'CN=WSE2QuickStartServer'.
> >>> at Microsoft.Web.Services3.Design.X509TokenProvider.CreateToken(StoreLocation location, StoreName storeName, String findValue, X509FindType findType)
> >>> at Microsoft.Web.Services3.Design.X509TokenProvider.GetToken()
> >>> at Microsoft.Web.Services3.Design.MutualCertificate11Assertion.ClientOutputFilter..ctor(MutualCertificate11Assertion assertion)
> >>> at Microsoft.Web.Services3.Design.MutualCertificate11Assertion.CreateClientOutputFilter(FilterCreationContext context)
> >>> at Microsoft.Web.Services3.Design.Policy.CreateClientPipeline(PipelineCreationContext context)
> >>> at Microsoft.Web.Services3.WebServicesClientProtocol.SetPolicy(Policy policy)
> >>> at Microsoft.Web.Services3.WebServicesClientProtocol.SetPolicy(String policyName)
> >>> at _Default.Button1_Click(Object sender, EventArgs e) in S:\Security\WSEbasic\WSEbasic6\WebSite6\Default.aspx.vb:line 10
> >>> -------------------------------
> >>> Jack Madeja
> >>> "Dominick Baier [DevelopMentor]" wrote:
> >>>> Hello JackMadeja,
> >>>>
> >>>> from experience - an iisreset does help sometimes...
> >>>>
> >>>> [Policy] and SetPolicy are called correctly on client/server?
> >>>>
> >>>> ---------------------------------------
> >>>> Dominick Baier - DevelopMentor
> >>>> http://www.leastprivilege.com
> >>>>> Security requirements are not satisfied because the security
> >>>>> header is not present in the incoming message
> >>>>>
> >>>>> I get this exception every time I run my service thru ordinary IIS
> >>>>> instead of the default IIS in VS.NET Studio. My service is a simple
> >>>>> 'Hello World' with certificate policy. My client is a simple ASP.NET
> >>>>> Web Site with one button and textbox. I use Certificate Policy
> >>>>> (mutualCertificate11Security) on both server and client. (I have
> >>>>> tried this with anonymousForCertificateSecurity and got the same bad
> >>>>> result). Everything works fine if my service and web client are in the
> >>>>> same solution and I run everything thru VS.NET Studio's built-in
> >>>>> IIS. But if I create a virtual directory in my computer's IIS, run
> >>>>> my service there, and change my web reference to this service, I get
> >>>>> this exception:
> >>>>>
> >>>>> WSE910: An error happened during the processing of a response
> >>>>> message, and you can find the error in the inner exception. You
> >>>>> can also find the response message in the Response property.
> >>>>>
> >>>>> at Microsoft.Web.Services3.Xml.SoapEnvelopeReaderWrapper..ctor(SoapClientMessage message, String messageContentType)
> >>>>> at Microsoft.Web.Services3.WebServicesClientProtocol.GetReaderForMessage(SoapClientMessage message, Int32 bufferSize)
> >>>>> at System.Web.Services.Protocols.SoapHttpClientProtocol.ReadResponse(SoapClientMessage message, WebResponse response, Stream responseStream, Boolean asyncCall)
> >>>>> at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters)
> >>>>> at localhost.ServiceWse.HelloWorld() in e:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\website10\b15bc141\c8235faa\App_WebReferences.qqc4zbev.0.cs:line 46
> >>>>> at _Default.Button1_Click(Object sender, EventArgs e) in S:\Security\WSEbasic\WSEbasic10\WebSite10\Default.aspx.vb:line 11
> >>>>> --------------Inner Exception ----------------------------
> >>>>> Security requirements are not satisfied because the security header
> >>>>> is not present in the incoming message.
> >>>>> at Microsoft.Web.Services3.Security.SecureConversationClientReceiveSecurityFilter.ValidateMessageSecurity(SoapEnvelope envelope, Security security)
> >>>>> at Microsoft.Web.Services3.Security.ReceiveSecurityFilter.ProcessMessage(SoapEnvelope envelope)
> >>>>> at Microsoft.Web.Services3.Pipeline.ProcessInputMessage(SoapEnvelope envelope)
> >>>>> at Microsoft.Web.Services3.Xml.SoapEnvelopeReaderWrapper..ctor(SoapClientMessage message, String messageContentType)
> >>>>> Here is my service code:
> >>>>> Imports System.Web
> >>>>> Imports System.Web.Services
> >>>>> Imports System.Web.Services.Protocols
> >>>>> Imports System.Security.Principal
> >>>>> Imports Microsoft.Web.Services3
> >>>>> Imports Microsoft.Web.Services3.Design
> >>>>>
> >>>>> <WebService(Namespace:="http://tempuri.org/")> _
> >>>>> <WebServiceBinding(ConformsTo:=WsiProfiles.BasicProfile1_1)> _
> >>>>> <Global.Microsoft.VisualBasic.CompilerServices.DesignerGenerated()> _
> >>>>> <Policy("ServerCertPolicy")> _
> >>>>> Public Class xService
> >>>>>     Inherits System.Web.Services.WebService
> >>>>>
> >>>>>     <WebMethod()> _
> >>>>>     Public Function HelloWorld() As String
> >>>>>         Return "Hello World from xWebService 5"
> >>>>>     End Function
> >>>>> End Class
> >>>>> My service web.config looks like that:
> >>>>> <?xml version="1.0" encoding="utf-8"?>
> >>>>> <configuration xmlns="http://schemas.microsoft.com/.NetConfiguration/v2.0">
> >>>>> <configSections>
> >>>>> <section name="microsoft.web.services3"
> >>>>> type="Microsoft.Web.Services3.Configuration.WebServicesConfiguration,
> >>>>> Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral,
> >>>>> PublicKeyToken=31bf3856ad364e35" />
> >>>>> </configSections>
> >>>>> <appSettings />
> >>>>> <connectionStrings />
> >>>>> <system.web>
> >>>>> <compilation debug="true" strict="false" explicit="true">
> >>>>> <assemblies>
> >>>>> <add assembly="Microsoft.Web.Services3, Version=3.0.0.0,
> >>>>> Culture=neutral, PublicKeyToken=31BF3856AD364E35" />
> >>>>> </assemblies>
> >>>>> </compilation>
> >>>>> <pages>
> >>>>> <namespaces>
> >>>>> <clear />
> >>>>> <add namespace="System" />
> >>>>> <add namespace="System.Collections" />
> >>>>> <add namespace="System.Collections.Specialized" />
> >>>>> <add namespace="System.Configuration" />
> >>>>> <add namespace="System.Text" />
> >>>>> <add namespace="System.Text.RegularExpressions" />
> >>>>> <add namespace="System.Web" />
> >>>>> <add namespace="System.Web.Caching" />
> >>>>> <add namespace="System.Web.SessionState" />
> >>>>> <add namespace="System.Web.Security" />
> >>>>> <add namespace="System.Web.Profile" />
> >>>>> <add namespace="System.Web.UI" />
> >>>>> <add namespace="System.Web.UI.WebControls" />
> >>>>> <add namespace="System.Web.UI.WebControls.WebParts" />
> >>>>> <add namespace="System.Web.UI.HtmlControls" />
> >>>>> </namespaces>
> >>>>> </pages>
> >>>>> <webServices>
> >>>>> <soapExtensionImporterTypes>
> >>>>> <add
> >>>>> type="Microsoft.Web.Services3.Description.WseExtensionImporter,
> >>>>> Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral,
> >>>>> PublicKeyToken=31bf3856ad364e35" />
> >>>>> </soapExtensionImporterTypes>
> >>>>> <soapServerProtocolFactory
> >>>>> type="Microsoft.Web.Services3.WseProtocolFactory,
> >>>>> Microsoft.Web.Services3,
> >>>>> Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"
> >>>>> />
> >>>>> </webServices>
> >>>>> </system.web>
> >>>>> <microsoft.web.services3>
> >>>>> <security>
> >>>>> <x509 allowTestRoot="false" storeLocation="LocalMachine" />
> >>>>> </security>
> >>>>> <policy fileName="wse3policyCache.config" />
> >>>>> <diagnostics>
> >>>>> <trace enabled="true" input="logs\InputTrace.webinfo"
> >>>>> output="logs\OutputTrace.webinfo" />
> >>>>> </diagnostics>
> >>>>> </microsoft.web.services3>
> >>>>> </configuration>
> >>>>> ... and my service policy looks like that:
> >>>>> <policies xmlns="http://schemas.microsoft.com/wse/2005/06/policy">
> >>>>> <extensions>
> >>>>> <extension name="mutualCertificate11Security"
> >>>>> type="Microsoft.Web.Services3.Design.MutualCertificate11Assertion,
> >>>>> Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral,
> >>>>> PublicKeyToken=31bf3856ad364e35" />
> >>>>> <extension name="x509"
> >>>>> type="Microsoft.Web.Services3.Design.X509TokenProvider,
> >>>>> Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral,
> >>>>> PublicKeyToken=31bf3856ad364e35" />
> >>>>> <extension name="requireActionHeader"
> >>>>> type="Microsoft.Web.Services3.Design.RequireActionHeaderAssertion,
> >>>>> Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral,
> >>>>> PublicKeyToken=31bf3856ad364e35" />
> >>>>> </extensions>
> >>>>> <policy name="ServerCertPolicy">
> >>>>> <mutualCertificate11Security establishSecurityContext="false"
> >>>>> renewExpiredSecurityContext="true"
> >>>>> requireSignatureConfirmation="true"
> >>>>> messageProtectionOrder="SignBeforeEncrypt"
> >>>>> requireDerivedKeys="true"
> >>>>> ttlInSeconds="300">
> >>>>> <serviceToken>
> >>>>> <x509 storeLocation="LocalMachine" storeName="My"
> >>>>> findValue="CN=WSE2QuickStartServer"
> >>>>> findType="FindBySubjectDistinguishedName"
> >>>>> />
> >>>>> </serviceToken>
> >>>>> <protection>
> >>>>> <request signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody"
> >>>>> encryptBody="true" />
> >>>>> <response signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody"
> >>>>> encryptBody="true" />
> >>>>> <fault signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody"
> >>>>> encryptBody="false" />
> >>>>> </protection>
> >>>>> </mutualCertificate11Security>
> >>>>> <requireActionHeader />
> >>>>> </policy>
> >>>>> </policies>
> >>>>> My client looks like that:
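The thread's WSE2013 error comes down to three things the worker process account can fail at: the certificate is not in LocalMachine\My (it was imported under Current User), it carries no private key (only the .cer was imported), or the account cannot read the key container file that WseCertificate3.exe sets the ACL on. The following PowerShell check is an added example, not code from the thread or from WSE; it assumes the subject CN=WSE2QuickStartServer from the posted policy and NETWORK SERVICE as the worker account (on IIS 5 / XP that would be MACHINE\ASPNET), and it handles legacy CSP keys, which is what WSE3 uses.

```powershell
# Added diagnostic for the WSE2013 / private-key ACL problem in this thread.
# Assumptions: service token is CN=WSE2QuickStartServer in LocalMachine\My
# (as in the posted policy); worker account is NETWORK SERVICE (IIS 6+).
# For IIS 5 on XP pass -Account "$env:COMPUTERNAME\ASPNET".
param(
    [string]$Subject = 'CN=WSE2QuickStartServer',
    [string]$Account = 'NT AUTHORITY\NETWORK SERVICE'
)

# 1. Is the certificate in the store the policy's <x509> element points at?
#    A .pfx imported under "Current User" is invisible to the worker process.
$certs = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -eq $Subject })
if ($certs.Count -eq 0) {
    Write-Warning "No certificate with subject '$Subject' in LocalMachine\My."
    Write-Warning "Import the .pfx into the Local Computer store, not Current User."
    return
}
$cert = $certs[0]

# 2. Does it carry a private key? Importing only the .cer gives the public
#    half, enough for a client to encrypt to the service, not for the service
#    to sign responses or decrypt requests.
if (-not $cert.HasPrivateKey) {
    Write-Warning "Found '$Subject' but it has no private key (only the .cer imported?)."
    return
}

# 3. Locate the CSP key container file and check for a Read ACE for the
#    worker account. This is the permission WseCertificate3.exe grants.
try { $csp = $cert.PrivateKey } catch { $csp = $null }
if ($null -eq $csp -or $null -eq $csp.CspKeyContainerInfo) {
    Write-Warning "Private key is not a legacy CSP key; inspect the CNG key file ACL instead."
    return
}
$keyDir  = Join-Path ([Environment]::GetFolderPath('CommonApplicationData')) 'Microsoft\Crypto\RSA\MachineKeys'
$keyFile = Join-Path $keyDir $csp.CspKeyContainerInfo.UniqueKeyContainerName
if (-not (Test-Path $keyFile)) {
    Write-Warning "Key container file not found at $keyFile (key stored in a user profile?)."
    return
}
$readAce = (Get-Acl $keyFile).Access | Where-Object {
    $_.IdentityReference.Value -eq $Account -and
    $_.AccessControlType -eq 'Allow' -and
    $_.FileSystemRights.ToString() -match 'Read|FullControl|Modify'
}
if ($readAce) {
    "OK: $Account can read the private key file $keyFile"
} else {
    Write-Warning "$Account has no Read ACE on $keyFile; this is what produces WSE2013 under IIS."
    Write-Warning ("Grant read with WseCertificate3.exe or: icacls ""{0}"" /grant ""{1}:R""" -f $keyFile, $Account)
}
```

Run it in an elevated Windows PowerShell session on the IIS host; a key that passes all three checks but still fails under IIS points at a policy cache or store mismatch rather than at the key ACL.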