Re: Encrypting the response
From: SA (informatica_at_freemail.nl)
Date: 09/20/04
Date: Mon, 20 Sep 2004 12:33:02 -0500
The account ASP.NET normally runs under in Windows Server 2003 is indeed
NETWORK SERVICE, but that's a built-in account, so you won't find it. I am
not sure if NETWORK SERVICE has rights to access the machine store, but I
believe it does.
Try setting the identity under which your Application Pool for the web site
that is running the service to Local System. Do this for test purposes only,
as this is a very highly privileged account. If it works, then obviously
Network Service does not have sufficient rights. You should be able to fix
that using Local Security Policy, but I am not sure how.
HTH,
-- Sven
"D.Mitchell" <DMitchell@discussions.microsoft.com> wrote in message
news:79943F2C-6FDA-4470-901C-2CF05A39B075@microsoft.com...
> I'm running the client and web service on separate machines now. Am using a
> couple of test VeriSign certificates. Client picks up the imported server
> public key to encrypt the request OK using my code. Server receives the
> request (am hooked into the ASPNET process in VS.Net) and says 'Cannot find
> the certificate and private key for decryption'. Message is obviously thrown
> before it gets to the first line of the WebMethod being called. Have
> installed the server key in Local Computer>Personal store. Have set WSE
> Settings 2.0>Security tab>Store location for the web service to LocalMachine.
>
> Am running the web service under Win XP Pro on a workstation. Not sure what
> account WSE 2 is using to try to access the private key. The 'How to: Make
> X.509 Certificates Accessible to WSE' implies that IIS 6 will use an account
> called 'Network Service'. No such account exists. I did try giving ASPNET
> local admin permissions temporarily and it had no effect.
>
> Any ideas?
>
> "Softwaremaker" wrote:
>
> > If [Server's] X509s are used, usually a key pair is generated. The Server
> > keeps the Private Key [which usually says on the cert "you have a
> > corresponding private key"] and the Public Key may be [but not necessarily
> > be] distributed to all clients. In the HOL examples, we are assuming that
> > the Public Key is distributed.
> >
> > Signing the [Server's] response is done with the [Server's] private key [if
> > X509s are used].
> >
> > Sven says:
> > Just because of what you said: if the server was to encrypt the response
> > with the token used to encrypt the request, it would be signing it with
> > either
> > a) its own public key, which wouldn't work because the client doesn't have
> > the server's private key to decrypt.
> > b) its own private key, which wouldn't work because everyone
> > (theoretically) can have the server's public key to decrypt.
> >
> > When you sign a message, you have to sign it with your own private key (b).
> > The objective is to let everyone [who has the Public Key Pair] verify that
> > the message actually comes from you.
> >
> > hth.
> > --
> > Thank you very much
> >
> > Warmest Regards,
> > Softwaremaker
> > Architect | Evangelist | Consultant
> > http://softwaremaker.net/blogs/softwaremaker
> >
> > +++++++++++++++++++++++++++++++++
> >
> > "D.Mitchell" <DMitchell@discussions.microsoft.com> wrote in message
> > news:16C995AB-C0D7-4C69-8627-B91F2F34C072@microsoft.com...
> > > Sven - If you look in the 'C:\Program Files\Microsoft
> > > WSE\v2.0\Samples\VB\QuickStart\ResponseEncryption\Code' example I am sure
> > > that the signing token of the request is used to encrypt the response. I've
> > > tried it but can't get it to work.
> > >
> > > How about installing the client's certificate on the same server as the web
> > > service. Pulling the token out of that and using that to encrypt the
> > > response. I tried it and it didn't work.
> > >
> > > Anyone from Microsoft WSE team out there (X files theme tune playing in
> > > background)?
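The question in this message is whether the worker account can read the server certificate's private key in the machine store. The script below is an added example, not part of the original posts: it checks the ACL on the key file directly. It assumes Windows PowerShell run elevated and a key held in a CryptoAPI (CSP) container; the thumbprint is a placeholder and the function names are hypothetical.

```powershell
# Added example (not from the thread). Run elevated in Windows PowerShell.
param(
    [string]$Thumbprint = '<THUMBPRINT-PLACEHOLDER>',     # placeholder: supply your certificate's thumbprint
    [string]$Account    = 'NT AUTHORITY\NETWORK SERVICE'  # assumption: use '<MACHINE>\ASPNET' on XP / IIS 5
)

# Map a LocalMachine certificate to the file that stores its private key.
function Get-MachineKeyFile {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    if (-not $Cert.HasPrivateKey) { throw "Certificate has no associated private key." }
    $rsa = $Cert.PrivateKey   # not an RSACryptoServiceProvider for CNG-stored keys (not covered here)
    if ($rsa -isnot [System.Security.Cryptography.RSACryptoServiceProvider]) {
        throw "Private key is not in a CryptoAPI (CSP) container."
    }
    $base = [Environment]::GetFolderPath('CommonApplicationData')
    $dir  = Join-Path $base 'Microsoft\Crypto\RSA\MachineKeys'
    Join-Path $dir $rsa.CspKeyContainerInfo.UniqueKeyContainerName
}

# True when an explicit Allow rule gives the account Read on the key file.
# Access inherited through group membership is not evaluated here.
function Test-KeyReadAccess {
    param([string]$KeyFile, [string]$Account)
    $read  = [System.Security.AccessControl.FileSystemRights]::Read
    $rules = (Get-Acl -Path $KeyFile).Access | Where-Object {
        $_.IdentityReference.Value -eq $Account -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.FileSystemRights -band $read) -eq $read
    }
    [bool]$rules
}

$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) { throw "No certificate with that thumbprint in LocalMachine\My." }

$keyFile = Get-MachineKeyFile -Cert $cert
if (Test-KeyReadAccess -KeyFile $keyFile -Account $Account) {
    Write-Output "$Account can read $keyFile"
} else {
    Write-Output "$Account has no explicit read access to $keyFile"
    # To grant read only (least privilege), for example:
    #   icacls $keyFile /grant "${Account}:R"
}
```

A read-only grant on the single key file is narrower than running the application pool as Local System.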