Re: WSE - X.509 signed message - Multiple SoapExtensions

From: Hervey Wilson [MSFT] (herveyw.nospam_at_nospam.microsoft.com)
Date: 09/26/04

    Date: Sun, 26 Sep 2004 10:48:17 -0700

    Sachin Agarwal wrote:
    > Hi
    >
    > I have a WebService with multiple SoapExtensions registered to it in
    > web.config.
    >
    > If my client sends a SOAP message that is signed using an X.509 certificate,
    > the service is able to verify the message when only the
    > Microsoft.Web.Services2.WebServicesExtension is enabled. However if I enable
    > the other extension as well, the service is not able to verify the signature.
    >
    > I consistently get the following error
    > ________________________________-
    > "A first chance exception of type 'System.ComponentModel.Win32Exception'
    > occurred in microsoft.web.services2.dll
    > Additional information: Cannot find the certificate and private key for
    > decryption"
    > _________________________________
    >
    > Am I doing something that is not supported? Any pointers or help is
    > appreciated.
    >
    > thanks
    > -Sachin
    >

    Multiple SOAP extensions are generally supported at the service end
    under WSE2. The error above indicates that either the client or the
    server cannot locate the private key for a particular certificate or
    that it does not have permission to access the key.

    If the error occurs at the client and you are signing a message, ensure
    that the certificate is in the personal store for the current user and
    that the app.config file <x509> element points to the personal store.

    If the error occurs at the server and you have encrypted a message,
    ensure that the certificate is in the local machine store and that the
    web.config file <x509> element points to the local machine store.

    Additionally, you should use the X509Certificate tool included in the
    product to verify the security permissions for the certificate's key files.

    -- 
    This posting is provided "AS IS", with no warranties, and confers no rights.
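
The store and key-permission checks described in the reply above, sketched with built-in PowerShell cmdlets instead of the WSE tool. This is an added example, not part of the original thread; the thumbprint is a placeholder, and it assumes an RSA key and Windows PowerShell 5.1 or later. Run it as the account the client or service runs under.

```powershell
# Added diagnostic sketch, not from the original thread.
# $Thumbprint is a placeholder; pass the thumbprint of the certificate in question.
param([string]$Thumbprint = '<CERT-THUMBPRINT>')

# Directories where Windows keeps CAPI (RSA) and CNG private-key files.
$keyDirs = @(
    "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys",
    "$env:ProgramData\Microsoft\Crypto\Keys",
    "$env:APPDATA\Microsoft\Crypto\RSA",
    "$env:APPDATA\Microsoft\Crypto\Keys"
)

function Test-CertPrivateKey {
    param([string]$StorePath, [string]$Thumbprint)

    $cert = Get-ChildItem -Path $StorePath |
        Where-Object { $_.Thumbprint -eq $Thumbprint } | Select-Object -First 1
    $r = [ordered]@{ Store = $StorePath; Found = [bool]$cert; HasPrivateKey = $false
                     KeyOpens = $false; KeyFile = $null; Acl = $null; Error = $null }
    if ($cert -and $cert.HasPrivateKey) {
        $r.HasPrivateKey = $true
        try {
            # Opening the key throws if this account has no read access to the key file.
            $key = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
            if ($key) {
                $r.KeyOpens = $true
                if ($key -is [System.Security.Cryptography.RSACng]) { $name = $key.Key.UniqueName }
                else { $name = $key.CspKeyContainerInfo.UniqueKeyContainerName }
                $file = Get-ChildItem -Path $keyDirs -Recurse -Filter $name -ErrorAction SilentlyContinue |
                    Select-Object -First 1
                if ($file) {
                    $r.KeyFile = $file.FullName
                    $r.Acl = (Get-Acl $file.FullName).Access |
                        ForEach-Object { "$($_.IdentityReference): $($_.FileSystemRights)" }
                }
            }
        } catch { $r.Error = $_.Exception.Message }
    }
    [pscustomobject]$r
}

# The two stores named in the reply: current user (client) and local machine (server).
'Cert:\CurrentUser\My', 'Cert:\LocalMachine\My' |
    ForEach-Object { Test-CertPrivateKey -StorePath $_ -Thumbprint $Thumbprint } | Format-List
```

A result with `HasPrivateKey` true but `KeyOpens` false and an access error points to key-file permissions rather than a missing certificate.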
    
