WSE 2.0 error: Requested registry access is not allowed

From: Pierre Greborio (pierreANTI_SPAM_at_pierregreborio.it)
Date: 08/05/04


Date: Thu, 5 Aug 2004 15:08:19 +0200

Hello,
I have a client that consumes a web service which uses a UsernameToken for
authentication. I'm using WSE 2.0 SP1 on a Windows XP machine (development PC)
for both the web service and the client (in two different VS.NET solutions). When
I call the web method I get the following error message (client side):

ex.Message (string):

Microsoft.Web.Services2.Security.SecurityFault: The security token could not be authenticated or authorized ---> System.Security.SecurityException: Requested registry access is not allowed.
   at Microsoft.Win32.RegistryKey.OpenSubKey(String name, Boolean writable)
   at System.Diagnostics.EventLog.FindSourceRegistration(String source, String machineName, Boolean readOnly)
   at System.Diagnostics.EventLog.SourceExists(String source, String machineName)
   at System.Diagnostics.EventLog.SourceExists(String source)
   at PEWay.Web.MyALM.Diagnostic.PublishException(Exception ex) in D:\Projects\MyALM Service\Utility.cs:line 113
   at PEWay.Web.MyALM.PEWayUsernameTokenManager.AuthenticateToken(UsernameToken token) in D:\Projects\MyALM Service\Utility.cs:line 48
   at Microsoft.Web.Services2.Security.Tokens.UsernameTokenManager.VerifyToken(SecurityToken securityToken)
   at Microsoft.Web.Services2.Security.Tokens.SecurityTokenManager.LoadXmlSecurityToken(XmlElement element)
   --- End of inner exception stack trace ---
   at Microsoft.Web.Services2.Security.Tokens.SecurityTokenManager.LoadXmlSecurityToken(XmlElement element)
   at Microsoft.Web.Services2.Security.Tokens.SecurityTokenManager.GetTokenFromXml(XmlElement element)
   at Microsoft.Web.Services2.Security.Security.LoadToken(XmlElement element, SecurityConfiguration configuration, Int32& tokenCount)
   at Microsoft.Web.Services2.Security.Security.LoadXml(XmlElement element)
   at Microsoft.Web.Services2.Security.SecurityInputFilter.ProcessMessage(SoapEnvelope envelope)
   at Microsoft.Web.Services2.Pipeline.ProcessInputMessage(SoapEnvelope envelope)
   at Microsoft.Web.Services2.WebServicesExtension.BeforeDeserializeServer(SoapServerMessage message)

Here is the client code I'm using:

// Requires: using Microsoft.Web.Services2.Security;
//           using Microsoft.Web.Services2.Security.Tokens;

UsernameToken token = new UsernameToken(username, password, PasswordOption.SendHashed);

// Add custom information
System.Xml.XmlDocument doc = new System.Xml.XmlDocument();
System.Xml.XmlElement el = doc.CreateElement("Applicant", "http://webservices.peway.com/MyALM/2004/01");
el.SetAttribute("operatorCode", operatorCode);
doc.AppendChild(el);
token.AnyElements.Add(el);

ModelAssetProviderService service = new ModelAssetProviderService(serviceURL);

// Add the token and the signature element to the security section
// of the request to sign the request
service.RequestSoapContext.Security.Tokens.Add(token);
service.RequestSoapContext.Security.Elements.Add(new MessageSignature(token));

// Set the TTL to one minute to prevent replay attacks
service.RequestSoapContext.Security.Timestamp.TtlInSeconds = 60;

// Call the operation and get back the list
.....

And here is the policy file (server side):

<?xml version="1.0" encoding="utf-8"?>
<policyDocument xmlns="http://schemas.microsoft.com/wse/2003/06/Policy">
  <mappings>
    <endpoint uri="http://localhost/myalm/ModelAssetProviderService.asmx">
      <defaultOperation>
        <request policy="#signed-body-username" />
        <response policy="" />
        <fault policy="" />
      </defaultOperation>
    </endpoint>
    <endpoint uri="http://localhost/myalm/AnalysisService.asmx">
      <defaultOperation>
        <request policy="#signed-body-username" />
        <response policy="" />
        <fault policy="" />
      </defaultOperation>
    </endpoint>
    <defaultEndpoint>
      <defaultOperation>
        <request policy="#message-age-60s" />
        <response policy="" />
        <fault policy="" />
      </defaultOperation>
    </defaultEndpoint>
  </mappings>
  <policies
      xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
      xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
      xmlns:wse="http://schemas.microsoft.com/wse/2003/06/Policy"
      xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/03/addressing"
      xmlns:wssp="http://schemas.xmlsoap.org/ws/2002/12/secext"
      xmlns:wsp="http://schemas.xmlsoap.org/ws/2002/12/policy"
      xmlns:wssc="http://schemas.xmlsoap.org/ws/2004/04/sc"
      xmlns:rp="http://schemas.xmlsoap.org/rp">
    <!--This policy ensures that messages are 60 seconds old or newer.-->
    <wsp:Policy wsu:Id="message-age-60s">
      <wssp:MessageAge wsp:Usage="wsp:Required" Age="60" />
    </wsp:Policy>
    <!--This policy ensures that the messages are signed using a UsernameToken.-->
    <wsp:Policy wsu:Id="signed-body-username">
      <wssp:Integrity wsp:Usage="wsp:Required">
        <wssp:TokenInfo>
          <wssp:SecurityToken>
            <wssp:TokenType>http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#UsernameToken</wssp:TokenType>
          </wssp:SecurityToken>
        </wssp:TokenInfo>
        <wssp:MessageParts xmlns:rp="http://schemas.xmlsoap.org/rp" Dialect="http://schemas.xmlsoap.org/2002/12/wsse#part">wsp:Body() wse:Timestamp() wse:Addressing()</wssp:MessageParts>
      </wssp:Integrity>
    </wsp:Policy>
  </policies>
</policyDocument>

And finally here is the web.config section:

<microsoft.web.services2>
  <security>
    <securityTokenManager
        type="PEWay.Web.MyALM.PEWayUsernameTokenManager, MyALM.Application"
        xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
        qname="wsse:UsernameToken" />
  </security>
  <policy>
    <cache name="policyCache.xml" />
  </policy>
  <diagnostics />
</microsoft.web.services2>

The AuthenticateToken is never called (I placed a breakpoint) since the
exception is raised before.

Any idea?

Thanks,
Pierre

-- 
-------------------------------------------
Pierre Greborio
Microsoft .NET MVP
http://www.ugidotnet.org
http://www.amazon.com/infopath
-------------------------------------------
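
The stack trace in this post places the SecurityException in EventLog.SourceExists, called from PublishException, so the failure of the logging call is what surfaces as the SecurityFault. As an added example (not the poster's code), here is a logging helper that cannot replace the exception it is reporting. The class name SafeDiagnostic and the source name "MyALM" are assumptions, and it targets the .NET Framework.

```csharp
using System;
using System.ComponentModel;
using System.Diagnostics;
using System.Security;

// Hypothetical helper, not the poster's Diagnostic class.
public static class SafeDiagnostic
{
    // Assumed event source name. Register it once at install time from an
    // administrative account: EventLog.CreateEventSource(Source, "Application").
    private const string Source = "MyALM";

    // Returns true if the entry reached the event log, false if the
    // fallback was used. Never throws because of a logging failure.
    public static bool PublishException(Exception ex)
    {
        if (ex == null) throw new ArgumentNullException("ex");
        try
        {
            // No SourceExists probe: that call searches the event log
            // registry keys and throws SecurityException when the worker
            // process account may not read them, as in the trace above.
            EventLog.WriteEntry(Source, ex.ToString(), EventLogEntryType.Error);
            return true;
        }
        catch (SecurityException logError)
        {
            // WriteEntry tries to register a missing source, which a
            // low-privilege account is not allowed to do.
            Fallback(ex, logError);
        }
        catch (InvalidOperationException logError)
        {
            Fallback(ex, logError);
        }
        catch (Win32Exception logError)
        {
            Fallback(ex, logError);
        }
        return false;
    }

    // Keeps the original error visible through a trace listener instead.
    private static void Fallback(Exception original, Exception logError)
    {
        Trace.WriteLine("Event log unavailable (" + logError.Message
            + "); original error: " + original);
    }
}
```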

