Re: security header is not present in the incoming message



Hello Dominick.
Thank you for your help! I managed to give ASPNET access to the private key file
with the WseCertificate3.exe tool. After this change I still couldn't run my
service, but when I recreated my policy it all works fine (even if my
wse3policyCache.config file looked exactly the same as before; strange, I
thought that all policy setups were in those files). I still have one
problem. All that works if I run my ASP.NET client on the ASP.NET Development
Server. But if I change this client to run in IIS (custom server) I get this
exception.

----- WSEservice 2 Exception --------
WSE2013: X509TokenProvider is unable to provide an X.509 token. There are no
certificates in the certificate store that match the find value of
'CN=WSE2QuickStartServer'.

at Microsoft.Web.Services3.Design.X509TokenProvider.CreateToken(StoreLocation location, StoreName storeName, String findValue, X509FindType findType)
at Microsoft.Web.Services3.Design.X509TokenProvider.GetToken()
at Microsoft.Web.Services3.Design.MutualCertificate11Assertion.ClientOutputFilter..ctor(MutualCertificate11Assertion assertion)
at Microsoft.Web.Services3.Design.MutualCertificate11Assertion.CreateClientOutputFilter(FilterCreationContext context)
at Microsoft.Web.Services3.Design.Policy.CreateClientPipeline(PipelineCreationContext context)
at Microsoft.Web.Services3.WebServicesClientProtocol.SetPolicy(Policy policy)
at Microsoft.Web.Services3.WebServicesClientProtocol.SetPolicy(String policyName)
at _Default.Button1_Click(Object sender, EventArgs e) in S:\Security\WSEbasic\WSEbasic8\WebSite8\Default.aspx.vb:line 10


Is there anything more I can do to make it work completely on IIS? By the way, I
use WinXP 32-bit and IIS 5.0.
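As an added diagnostic (not code from this thread or from WSE), the following PowerShell script checks the two things Dominick's replies point to: whether the certificate named by the policy's <x509> element is actually in LocalMachine\My, and whether the worker process account can read that certificate's private key file, which is the ACL WseCertificate3.exe grants. It assumes a CAPI (CSP) key container, which is what WSE3's X509TokenProvider uses, and takes the worker account name as a parameter.

```powershell
# Added diagnostic, not code from the thread or from WSE. Assumes a CAPI (CSP) key
# container, which is what WSE3's X509TokenProvider uses; account name is a parameter.
param(
    [string]$Subject = 'CN=WSE2QuickStartServer',
    [string]$WorkerAccount = 'NT AUTHORITY\NETWORK SERVICE'   # IIS 5 on XP: '<COMPUTERNAME>\ASPNET'
)
# 1. Look the certificate up exactly as the policy's <x509> element does:
#    storeLocation="LocalMachine" storeName="My" findType="FindBySubjectDistinguishedName".
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
$store.Open('ReadOnly')
$certs = $store.Certificates.Find('FindBySubjectDistinguishedName', $Subject, $false)
$store.Close()
if ($certs.Count -eq 0) {
    # This is the condition WSE2013 reports. A .pfx imported into CurrentUser\My is
    # invisible to the worker process, which runs as a different account.
    Write-Warning "No certificate with subject '$Subject' in LocalMachine\My."
    return
}
$cert = $certs[0]
Write-Host "Found $($cert.Subject), thumbprint $($cert.Thumbprint)"

if (-not $cert.HasPrivateKey) {
    # A .cer carries only the public key; the service side needs the .pfx imported here.
    Write-Warning "Certificate has no private key in this store."
    return
}

# 2. Map the key container to its file under MachineKeys and read that file's ACL.
#    Machine keys live in CommonApplicationData\Microsoft\Crypto\RSA\MachineKeys.
$container = $cert.PrivateKey.CspKeyContainerInfo
$keyDir = Join-Path ([Environment]::GetFolderPath('CommonApplicationData')) 'Microsoft\Crypto\RSA\MachineKeys'
$keyFile = Join-Path $keyDir $container.UniqueKeyContainerName
if (-not (Test-Path $keyFile)) {
    Write-Warning "Key file $keyFile not found; the key is not a machine-level CSP key."
    return
}
$readRight = [System.Security.AccessControl.FileSystemRights]::Read
$allowsRead = Get-Acl $keyFile | Select-Object -ExpandProperty Access | Where-Object {
    $_.IdentityReference.Value -ieq $WorkerAccount -and
    $_.AccessControlType -eq 'Allow' -and
    (($_.FileSystemRights -band $readRight) -eq $readRight)
}
if ($allowsRead) {
    Write-Host "$WorkerAccount can read the private key file."
} else {
    # This is the ACE that WseCertificate3.exe (or icacls) has to grant.
    Write-Warning "$WorkerAccount has no Read ACE on $keyFile."
}
```

Run it in an elevated prompt on the IIS machine, passing the account the application pool or ASP.NET worker process actually runs as; a warning on either check corresponds to one of the two failures discussed in this thread.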


"Dominick Baier [DevelopMentor]" wrote:

> Hello JackMadeja,
>
> this document also mentions that you have to set the right ACLs for the worker
> process account - they use the X509Certificate tool that ships with WSE
>
> the account (most probably NETWORK SERVICE) needs read access to the private
> key file.
>
>
> ---------------------------------------
> Dominick Baier - DevelopMentor
> http://www.leastprivilege.com
>
> > Hi Dominic. Thank you for your answers. I did import all certificates
> > according to the instructions in those documents. One certificate "Client
> > Private.pfx" to Certificates - Current User, Personal, Certificates.
> > One certificate "Server Private.pfx" to Certificates - Current User,
> > Other People, Certificates and the third one "Server Public.cer" to
> > Certificates (Local Computer), Personal, Certificates. I really don't
> > know any other stores. I have tried to load "Server Public.cer" in
> > other stores (Service accounts for different ASP.NET services) but
> > without any luck. Still, as far as I know "My user account" should be
> > used for both pfx-files and "Computer Account" for this public
> > cer-file. And this goes for services run in IIS and in ASP.NET
> > Development Server. As now they work fine in ASP.NET Development, but
> > not in IIS. Could you please explain to me any other way to install
> > those certificates to make my service work under real IIS?
> >
> > "Dominick Baier [DevelopMentor]" wrote:
> >
> >> Hello JackMadeja,
> >>
> >> ok - you have to import the certificate in the store of the account
> >> running the service - I guess that's NETWORK SERVICE
> >>
> >> Look at the Security Hands on Lab for WSE3 - the steps are detailed
> >> there.
> >>
> >> http://www.microsoft.com/downloads/details.aspx?familyid=9acd1f8e-97e2-43e2-b484-a74a014a8206&displaylang=en
> >>
> >> ---------------------------------------
> >> Dominick Baier - DevelopMentor
> >> http://www.leastprivilege.com
> >>> Iisreset - I have tried it with no results. [Policy] and SetPolicy
> >>> are called correctly - my service application works fine with server
> >>> and client running under ASP.NET Development Server, but not with
> >>> server in IIS. Similar problem appears when I run my client directly
> >>> under IIS instead of under ASP.NET Development Server. In IIS 'mode'
> >>> I get this policy error:
> >>>
> >>> ----- WSEservice 2 Exception --------
> >>> WSE2013: X509TokenProvider is unable to provide an X.509 token. There are no
> >>> certificates in the certificate store that match the find value of
> >>> 'CN=WSE2QuickStartServer'.
> >>> at Microsoft.Web.Services3.Design.X509TokenProvider.CreateToken(StoreLocation location, StoreName storeName, String findValue, X509FindType findType)
> >>> at Microsoft.Web.Services3.Design.X509TokenProvider.GetToken()
> >>> at Microsoft.Web.Services3.Design.MutualCertificate11Assertion.ClientOutputFilter..ctor(MutualCertificate11Assertion assertion)
> >>> at Microsoft.Web.Services3.Design.MutualCertificate11Assertion.CreateClientOutputFilter(FilterCreationContext context)
> >>> at Microsoft.Web.Services3.Design.Policy.CreateClientPipeline(PipelineCreationContext context)
> >>> at Microsoft.Web.Services3.WebServicesClientProtocol.SetPolicy(Policy policy)
> >>> at Microsoft.Web.Services3.WebServicesClientProtocol.SetPolicy(String policyName)
> >>> at _Default.Button1_Click(Object sender, EventArgs e) in S:\Security\WSEbasic\WSEbasic6\WebSite6\Default.aspx.vb:line 10
> >>> -------------------------------
> >>> Jack Madeja
> >>> "Dominick Baier [DevelopMentor]" wrote:
> >>>> Hello JackMadeja,
> >>>>
> >>>> from experience - an iisreset does help sometimes...
> >>>>
> >>>> [Policy] and SetPolicy are called correctly on client/server ?
> >>>>
> >>>> ---------------------------------------
> >>>> Dominick Baier - DevelopMentor
> >>>> http://www.leastprivilege.com
> >>>>> Security requirements are not satisfied because the security
> >>>>> header is not present in the incoming message
> >>>>>
> >>>>> I get this exception every time I run my service through ordinary IIS
> >>>>> instead of the default IIS in VS.NET Studio. My service is a simple
> >>>>> 'Hello World' with certificate policy. My client is a simple ASP.NET
> >>>>> Web Site with one button and a textbox. I use Certificate Policy
> >>>>> (mutualCertificate11Security) on both server and client. (I have
> >>>>> tried this with anonymousForCertificateSecurity and got the same bad
> >>>>> result). Everything works fine if my service and web client are in the
> >>>>> same solution and I run everything through the IIS built into VS.NET
> >>>>> Studio. But if I create a virtual directory in my computer's IIS, run
> >>>>> my service there, and change my web reference to this service I get
> >>>>> this exception:
> >>>>>
> >>>>> WSE910: An error happened during the processing of a response
> >>>>> message, and you can find the error in the inner exception. You
> >>>>> can also find the response message in the Response property.
> >>>>>
> >>>>> at Microsoft.Web.Services3.Xml.SoapEnvelopeReaderWrapper..ctor(SoapClientMessage message, String messageContentType)
> >>>>> at Microsoft.Web.Services3.WebServicesClientProtocol.GetReaderForMessage(SoapClientMessage message, Int32 bufferSize)
> >>>>> at System.Web.Services.Protocols.SoapHttpClientProtocol.ReadResponse(SoapClientMessage message, WebResponse response, Stream responseStream, Boolean asyncCall)
> >>>>> at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters)
> >>>>> at localhost.ServiceWse.HelloWorld() in e:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\website10\b15bc141\c8235faa\App_WebReferences.qqc4zbev.0.cs:line 46
> >>>>> at _Default.Button1_Click(Object sender, EventArgs e) in S:\Security\WSEbasic\WSEbasic10\WebSite10\Default.aspx.vb:line 11
> >>>>> --------------Inner Exception ----------------------------
> >>>>> Security requirements are not satisfied because the security header is not present in the incoming message.
> >>>>> at Microsoft.Web.Services3.Security.SecureConversationClientReceiveSecurityFilter.ValidateMessageSecurity(SoapEnvelope envelope, Security security)
> >>>>> at Microsoft.Web.Services3.Security.ReceiveSecurityFilter.ProcessMessage(SoapEnvelope envelope)
> >>>>> at Microsoft.Web.Services3.Pipeline.ProcessInputMessage(SoapEnvelope envelope)
> >>>>> at Microsoft.Web.Services3.Xml.SoapEnvelopeReaderWrapper..ctor(SoapClientMessage message, String messageContentType)
> >>>>> Here is my service code:
> >>>>> Imports System.Web
> >>>>> Imports System.Web.Services
> >>>>> Imports System.Web.Services.Protocols
> >>>>> Imports System.Security.Principal
> >>>>> Imports Microsoft.Web.Services3
> >>>>> Imports Microsoft.Web.Services3.Design
> >>>>>
> >>>>> ' Attributes as one declaration (the stray ";" after the namespace URL was a mail artifact)
> >>>>> <WebService(Namespace:="http://tempuri.org/")> _
> >>>>> <WebServiceBinding(ConformsTo:=WsiProfiles.BasicProfile1_1)> _
> >>>>> <Global.Microsoft.VisualBasic.CompilerServices.DesignerGenerated()> _
> >>>>> <Policy("ServerCertPolicy")> _
> >>>>> Public Class xService
> >>>>>     Inherits System.Web.Services.WebService
> >>>>>
> >>>>>     <WebMethod()> _
> >>>>>     Public Function HelloWorld() As String
> >>>>>         Return "Hello World from xWebService 5"
> >>>>>     End Function
> >>>>> End Class
> >>>>> My service web.config looks like that:
> >>>>> <?xml version="1.0" encoding="utf-8"?>
> >>>>> <configuration xmlns="http://schemas.microsoft.com/.NetConfiguration/v2.0">
> >>>>>   <configSections>
> >>>>>     <section name="microsoft.web.services3"
> >>>>>              type="Microsoft.Web.Services3.Configuration.WebServicesConfiguration, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
> >>>>>   </configSections>
> >>>>>   <appSettings />
> >>>>>   <connectionStrings />
> >>>>>   <system.web>
> >>>>>     <compilation debug="true" strict="false" explicit="true">
> >>>>>       <assemblies>
> >>>>>         <add assembly="Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" />
> >>>>>       </assemblies>
> >>>>>     </compilation>
> >>>>>     <pages>
> >>>>>       <namespaces>
> >>>>>         <clear />
> >>>>>         <add namespace="System" />
> >>>>>         <add namespace="System.Collections" />
> >>>>>         <add namespace="System.Collections.Specialized" />
> >>>>>         <add namespace="System.Configuration" />
> >>>>>         <add namespace="System.Text" />
> >>>>>         <add namespace="System.Text.RegularExpressions" />
> >>>>>         <add namespace="System.Web" />
> >>>>>         <add namespace="System.Web.Caching" />
> >>>>>         <add namespace="System.Web.SessionState" />
> >>>>>         <add namespace="System.Web.Security" />
> >>>>>         <add namespace="System.Web.Profile" />
> >>>>>         <add namespace="System.Web.UI" />
> >>>>>         <add namespace="System.Web.UI.WebControls" />
> >>>>>         <add namespace="System.Web.UI.WebControls.WebParts" />
> >>>>>         <add namespace="System.Web.UI.HtmlControls" />
> >>>>>       </namespaces>
> >>>>>     </pages>
> >>>>>     <webServices>
> >>>>>       <soapExtensionImporterTypes>
> >>>>>         <add type="Microsoft.Web.Services3.Description.WseExtensionImporter, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
> >>>>>       </soapExtensionImporterTypes>
> >>>>>       <soapServerProtocolFactory type="Microsoft.Web.Services3.WseProtocolFactory, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
> >>>>>     </webServices>
> >>>>>   </system.web>
> >>>>>   <microsoft.web.services3>
> >>>>>     <security>
> >>>>>       <x509 allowTestRoot="false" storeLocation="LocalMachine" />
> >>>>>     </security>
> >>>>>     <policy fileName="wse3policyCache.config" />
> >>>>>     <diagnostics>
> >>>>>       <trace enabled="true" input="logs\InputTrace.webinfo" output="logs\OutputTrace.webinfo" />
> >>>>>     </diagnostics>
> >>>>>   </microsoft.web.services3>
> >>>>> </configuration>
> >>>>> And my service policy looks like that:
> >>>>> <policies xmlns="http://schemas.microsoft.com/wse/2005/06/policy">
> >>>>>   <extensions>
> >>>>>     <extension name="mutualCertificate11Security" type="Microsoft.Web.Services3.Design.MutualCertificate11Assertion, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
> >>>>>     <extension name="x509" type="Microsoft.Web.Services3.Design.X509TokenProvider, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
> >>>>>     <extension name="requireActionHeader" type="Microsoft.Web.Services3.Design.RequireActionHeaderAssertion, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
> >>>>>   </extensions>
> >>>>>   <policy name="ServerCertPolicy">
> >>>>>     <mutualCertificate11Security establishSecurityContext="false"
> >>>>>                                  renewExpiredSecurityContext="true"
> >>>>>                                  requireSignatureConfirmation="true"
> >>>>>                                  messageProtectionOrder="SignBeforeEncrypt"
> >>>>>                                  requireDerivedKeys="true"
> >>>>>                                  ttlInSeconds="300">
> >>>>>       <serviceToken>
> >>>>>         <x509 storeLocation="LocalMachine" storeName="My"
> >>>>>               findValue="CN=WSE2QuickStartServer"
> >>>>>               findType="FindBySubjectDistinguishedName" />
> >>>>>       </serviceToken>
> >>>>>       <protection>
> >>>>>         <request signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true" />
> >>>>>         <response signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true" />
> >>>>>         <fault signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="false" />
> >>>>>       </protection>
> >>>>>     </mutualCertificate11Security>
> >>>>>     <requireActionHeader />
> >>>>>   </policy>
> >>>>> </policies>
> >>>>> My client looks like that: