Re: WSE405: A satisfactory subset of policy assertions that could be enforced for the outgoing message could not be found.

From: Dilip Krishnan (dkrishnan_at_NOSPAM.geniant.com)
Date: 12/20/04


Date: Mon, 20 Dec 2004 15:09:14 -0800

Hello SQLAgentman,
     Could be one of 2 reasons. The error is coming from the response policy
(enforcement error). Either the policy could not be enforced because it couldn't
find the username token (the client didn't send one!), or, most likely the case,
the key identifier doesn't match the certificate.
<wssp:Integrity ....
...
  <wssp:Claims>
    <!--By specifying the SubjectName claim, the policy system can look for a
    certificate with this subject name in the certificate store indicated in
    the application's configuration, such as LocalMachine or CurrentUser. The
    WSE X.509 Certificate Tool is useful for finding the correct values for
    this field.-->
    <wssp:SubjectName MatchType="wssp:Exact">C=US,.....</wssp:SubjectName>
    <wssp:X509Extension OID="2.5.29.14" MatchType="wssp:Exact">Check this!!</wssp:X509Extension>
  </wssp:Claims>
..

Open up the X.509 certificate tool and copy the key identifier value from
the cert (in localcomputer). That should solve the problem.
HTH
Regards,
Dilip Krishnan
MCAD, MCSD.net
dkrishnan at geniant dot com
http://www.geniant.com

> First: Thank you.
>
> Here is my policyCache.config on the client side: Then the Server
> Side, please see below.
> I am using Win XP with SP2, running both the client and the server on
> Localhost
> I had no idea that I have to add the token to both the client and the
> server side to the cache!!?? I have hardcoded the username and
> password but no luck.
> I ran the sample HOL and it works just fine.
> <?xml version="1.0" encoding="utf-8"?>
> <policyDocument xmlns="http://schemas.microsoft.com/wse/2003/06/Policy">
>   <mappings xmlns:wse="http://schemas.microsoft.com/wse/2003/06/Policy">
>     <!--The following policy describes the policy requirements for all
>     services who do not have a mapping in this file.-->
>     <defaultEndpoint>
>       <defaultOperation>
>         <request policy="#Sign-Username-Encrypt-X.509" />
>         <response policy="#Sign-X.509-Encrypt-Username" />
>         <fault policy="" />
>       </defaultOperation>
>     </defaultEndpoint>
>   </mappings>
>   <policies
>     xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>     xmlns:wsp="http://schemas.xmlsoap.org/ws/2002/12/policy"
>     xmlns:wssp="http://schemas.xmlsoap.org/ws/2002/12/secext"
>     xmlns:wse="http://schemas.microsoft.com/wse/2003/06/Policy"
>     xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
>     xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/03/addressing">
>     <wsp:Policy wsu:Id="Sign-Username-Encrypt-X.509">
>       <!--MessagePredicate is used to require headers. This assertion
>       should be used along with the Integrity assertion when the presence of
>       the signed element is required. NOTE: this assertion does not do
>       anything for enforcement (send-side) policy.-->
>       <wsp:MessagePredicate wsp:Usage="wsp:Required"
>         Dialect="http://schemas.xmlsoap.org/2002/12/wsse#part">wsp:Body() wsp:Header(wsa:To) wsp:Header(wsa:Action) wsp:Header(wsa:MessageID) wse:Timestamp()</wsp:MessagePredicate>
>       <!--The Integrity assertion is used to ensure that the message is
>       signed with Username. Many Web services will also use the token for
>       authorization, such as by using the <wse:Role> claim or specific
>       Username claims.-->
>       <wssp:Integrity wsp:Usage="wsp:Required">
>         <wssp:TokenInfo>
>           <!--The SecurityToken element within the TokenInfo element
>           describes which token type must be used for Signing.-->
>           <wssp:SecurityToken>
>             <wssp:TokenType>http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk</wssp:TokenType>
>             <wssp:Claims>
>               <wse:Parent>
>                 <wssp:SecurityToken>
>                   <wssp:TokenType>http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#UsernameToken</wssp:TokenType>
>                 </wssp:SecurityToken>
>               </wse:Parent>
>             </wssp:Claims>
>           </wssp:SecurityToken>
>         </wssp:TokenInfo>
>         <wssp:MessageParts
>           Dialect="http://schemas.xmlsoap.org/2002/12/wsse#part">wsp:Body() wsp:Header(wsa:Action) wsp:Header(wsa:FaultTo) wsp:Header(wsa:From) wsp:Header(wsa:MessageID) wsp:Header(wsa:RelatesTo) wsp:Header(wsa:ReplyTo) wsp:Header(wsa:To) wse:Timestamp()</wssp:MessageParts>
>       </wssp:Integrity>
>       <!--The Confidentiality assertion is used to ensure that the SOAP
>       Body is encrypted.-->
>       <wssp:Confidentiality wsp:Usage="wsp:Required">
>         <wssp:KeyInfo>
>           <!--The SecurityToken element within the KeyInfo element
>           describes which token type must be used for Encryption.-->
>           <wssp:SecurityToken>
>             <wssp:TokenType>http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3</wssp:TokenType>
>             <wssp:TokenIssuer>CN=Root Agency</wssp:TokenIssuer>
>             <wssp:Claims>
>               <!--By specifying the SubjectName claim, the policy system can
>               look for a certificate with this subject name in the
>               certificate store indicated in the application's configuration,
>               such as LocalMachine or CurrentUser. The WSE X.509 Certificate
>               Tool is useful for finding the correct values for this field.-->
>               <wssp:SubjectName MatchType="wssp:Exact">CN=WSE2QuickStartServer</wssp:SubjectName>
>               <wssp:X509Extension OID="2.5.29.14" MatchType="wssp:Exact">bBwPfItvKp3b6TNDq+14qs58VJQ=</wssp:X509Extension>
>             </wssp:Claims>
>           </wssp:SecurityToken>
>         </wssp:KeyInfo>
>         <wssp:MessageParts
>           Dialect="http://schemas.xmlsoap.org/2002/12/wsse#part">wsp:Body()</wssp:MessageParts>
>       </wssp:Confidentiality>
>     </wsp:Policy>
>     <wsp:Policy wsu:Id="Sign-X.509-Encrypt-Username">
>       <!--MessagePredicate is used to require headers. This assertion
>       should be used along with the Integrity assertion when the presence of
>       the signed element is required. NOTE: this assertion does not do
>       anything for enforcement (send-side) policy.-->
>       <wsp:MessagePredicate wsp:Usage="wsp:Required"
>         Dialect="http://schemas.xmlsoap.org/2002/12/wsse#part">wsp:Body() wsp:Header(wsa:To) wsp:Header(wsa:Action) wsp:Header(wsa:MessageID) wse:Timestamp()</wsp:MessagePredicate>
>       <!--The Integrity assertion is used to ensure that the message is
>       signed with X.509. Many Web services will also use the token for
>       authorization, such as by using the <wse:Role> claim or specific X.509
>       claims.-->
>       <wssp:Integrity wsp:Usage="wsp:Required">
>         <wssp:TokenInfo>
>           <!--The SecurityToken element within the TokenInfo element
>           describes which token type must be used for Signing.-->
>           <wssp:SecurityToken>
>             <wssp:TokenType>http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3</wssp:TokenType>
>             <wssp:TokenIssuer>CN=Root Agency</wssp:TokenIssuer>
>             <wssp:Claims>
>               <!--By specifying the SubjectName claim, the policy system can
>               look for a certificate with this subject name in the
>               certificate store indicated in the application's configuration,
>               such as LocalMachine or CurrentUser. The WSE X.509 Certificate
>               Tool is useful for finding the correct values for this field.-->
>               <wssp:SubjectName MatchType="wssp:Exact">CN=WSE2QuickStartServer</wssp:SubjectName>
>               <wssp:X509Extension OID="2.5.29.14" MatchType="wssp:Exact">bBwPfItvKp3b6TNDq+14qs58VJQ=</wssp:X509Extension>
>             </wssp:Claims>
>           </wssp:SecurityToken>
>         </wssp:TokenInfo>
>         <wssp:MessageParts
>           Dialect="http://schemas.xmlsoap.org/2002/12/wsse#part">wsp:Body() wsp:Header(wsa:Action) wsp:Header(wsa:FaultTo) wsp:Header(wsa:From) wsp:Header(wsa:MessageID) wsp:Header(wsa:RelatesTo) wsp:Header(wsa:ReplyTo) wsp:Header(wsa:To) wse:Timestamp()</wssp:MessageParts>
>       </wssp:Integrity>
>       <!--The Confidentiality assertion is used to ensure that the SOAP
>       Body is encrypted.-->
>       <wssp:Confidentiality wsp:Usage="wsp:Required">
>         <wssp:KeyInfo>
>           <!--The SecurityToken element within the KeyInfo element
>           describes which token type must be used for Encryption.-->
>           <wssp:SecurityToken>
>             <wssp:TokenType>http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk</wssp:TokenType>
>             <wssp:Claims>
>               <wse:Parent>
>                 <wssp:SecurityToken>
>                   <wssp:TokenType>http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#UsernameToken</wssp:TokenType>
>                 </wssp:SecurityToken>
>               </wse:Parent>
>             </wssp:Claims>
>           </wssp:SecurityToken>
>         </wssp:KeyInfo>
>         <wssp:MessageParts
>           Dialect="http://schemas.xmlsoap.org/2002/12/wsse#part">wsp:Body()</wssp:MessageParts>
>       </wssp:Confidentiality>
>     </wsp:Policy>
>   </policies>
> </policyDocument>
>
> -----------------------------------Server Side policyCache.config--------------
> <?xml version="1.0" encoding="utf-8"?>
> <policyDocument xmlns="http://schemas.microsoft.com/wse/2003/06/Policy">
>   <mappings xmlns:wse="http://schemas.microsoft.com/wse/2003/06/Policy">
>     <!--The following policy describes the policy requirements for the
>     service: http://localhost/MyWebServices/MySecurity.asmx .-->
>     <endpoint uri="http://localhost/MyWebServices/MySecurity.asmx">
>       <defaultOperation>
>         <request policy="#Sign-Username-Encrypt-X.509" />
>         <response policy="#Sign-X.509-Encrypt-Username" />
>         <fault policy="" />
>       </defaultOperation>
>     </endpoint>
>     <endpoint uri="http://localhost/MyWebServices/MyWSXYZ.asmx">
>       <defaultOperation>
>         <request policy="#Sign-Username-Encrypt-X.509-1" />
>         <response policy="#Sign-X.509-Encrypt-Username-1" />
>         <fault policy="" />
>       </defaultOperation>
>     </endpoint>
>   </mappings>
>   <policies
>     xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>     xmlns:wsp="http://schemas.xmlsoap.org/ws/2002/12/policy"
>     xmlns:wssp="http://schemas.xmlsoap.org/ws/2002/12/secext"
>     xmlns:wse="http://schemas.microsoft.com/wse/2003/06/Policy"
>     xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
>     xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/03/addressing">
>     <wsp:Policy wsu:Id="Sign-Username-Encrypt-X.509">
>       <!--MessagePredicate is used to require headers. This assertion
>       should be used along with the Integrity assertion when the presence of
>       the signed element is required. NOTE: this assertion does not do
>       anything for enforcement (send-side) policy.-->
>       <wsp:MessagePredicate wsp:Usage="wsp:Required"
>         Dialect="http://schemas.xmlsoap.org/2002/12/wsse#part">wsp:Body() wsp:Header(wsa:To) wsp:Header(wsa:Action) wsp:Header(wsa:MessageID) wse:Timestamp()</wsp:MessagePredicate>
>       <!--The Integrity assertion is used to ensure that the message is
>       signed with Username. Many Web services will also use the token for
>       authorization, such as by using the <wse:Role> claim or specific
>       Username claims.-->
>       <wssp:Integrity wsp:Usage="wsp:Required">
>         <wssp:TokenInfo>
>           <!--The SecurityToken element within the TokenInfo element
>           describes which token type must be used for Signing.-->
>           <wssp:SecurityToken>
>             <wssp:TokenType>http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk</wssp:TokenType>
>             <wssp:Claims>
>               <wse:Parent>
>                 <wssp:SecurityToken wse:IdentityToken="true">
>                   <wssp:TokenType>http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#UsernameToken</wssp:TokenType>
>                   <wssp:Claims>
>                     <!--By specifying the Role, the policy system can verify
>                     that the token contains a specific role, such as "Admin".
>                     Roles can be groups a user is a member of, or they can be
>                     customized for each token.-->
>                     <wse:Role value="CONTRACT6\User" />
>                   </wssp:Claims>
>                 </wssp:SecurityToken>
>               </wse:Parent>
>             </wssp:Claims>
>           </wssp:SecurityToken>
>         </wssp:TokenInfo>
>         <wssp:MessageParts
>           Dialect="http://schemas.xmlsoap.org/2002/12/wsse#part">wsp:Body() wsp:Header(wsa:Action) wsp:Header(wsa:FaultTo) wsp:Header(wsa:From) wsp:Header(wsa:MessageID) wsp:Header(wsa:RelatesTo) wsp:Header(wsa:ReplyTo) wsp:Header(wsa:To) wse:Timestamp()</wssp:MessageParts>
>       </wssp:Integrity>
>       <!--The Confidentiality assertion is used to ensure that the SOAP
>       Body is encrypted.-->
>       <wssp:Confidentiality wsp:Usage="wsp:Required">
>         <wssp:KeyInfo>
>           <!--The SecurityToken element within the KeyInfo element
>           describes which token type must be used for Encryption.-->
>           <wssp:SecurityToken>
>             <wssp:TokenType>http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3</wssp:TokenType>
>             <wssp:TokenIssuer>CN=Root Agency</wssp:TokenIssuer>
>             <wssp:Claims>
>               <!--By specifying the SubjectName claim, the policy system can
>               look for a certificate with this subject name in the
>               certificate store indicated in the application's configuration,
>               such as LocalMachine or CurrentUser. The WSE X.509 Certificate
>               Tool is useful for finding the correct values for this field.-->
>               <wssp:SubjectName MatchType="wssp:Exact">CN=WSE2QuickStartServer</wssp:SubjectName>
>               <wssp:X509Extension OID="2.5.29.14" MatchType="wssp:Exact">bBwPfItvKp3b6TNDq+14qs58VJQ=</wssp:X509Extension>
>             </wssp:Claims>
>           </wssp:SecurityToken>
>         </wssp:KeyInfo>
>         <wssp:MessageParts
>           Dialect="http://schemas.xmlsoap.org/2002/12/wsse#part">wsp:Body()</wssp:MessageParts>
>       </wssp:Confidentiality>
>     </wsp:Policy>
>     <wsp:Policy wsu:Id="Sign-X.509-Encrypt-Username">
>       <!--MessagePredicate is used to require headers. This assertion
>       should be used along with the Integrity assertion when the presence of
>       the signed element is required. NOTE: this assertion does not do
>       anything for enforcement (send-side) policy.-->
>       <wsp:MessagePredicate wsp:Usage="wsp:Required"
>         Dialect="http://schemas.xmlsoap.org/2002/12/wsse#part">wsp:Body() wsp:Header(wsa:To) wsp:Header(wsa:Action) wsp:Header(wsa:MessageID) wse:Timestamp()</wsp:MessagePredicate>
>       <!--The Integrity assertion is used to ensure that the message is
>       signed with X.509. Many Web services will also use the token for
>       authorization, such as by using the <wse:Role> claim or specific X.509
>       claims.-->
>       <wssp:Integrity wsp:Usage="wsp:Required">
>         <wssp:TokenInfo>
>           <!--The SecurityToken element within the TokenInfo element
>           describes which token type must be used for Signing.-->
>           <wssp:SecurityToken>
>             <wssp:TokenType>http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3</wssp:TokenType>
>             <wssp:TokenIssuer>CN=Root Agency</wssp:TokenIssuer>
>             <wssp:Claims>
>               <!--By specifying the SubjectName claim, the policy system can
>               look for a certificate with this subject name in the
>               certificate store indicated in the application's configuration,
>               such as LocalMachine or CurrentUser. The WSE X.509 Certificate
>               Tool is useful for finding the correct values for this field.-->
>               <wssp:SubjectName MatchType="wssp:Exact">CN=WSE2QuickStartServer</wssp:SubjectName>
>               <wssp:X509Extension OID="2.5.29.14" MatchType="wssp:Exact">bBwPfItvKp3b6TNDq+14qs58VJQ=</wssp:X509Extension>
>             </wssp:Claims>
>           </wssp:SecurityToken>
>         </wssp:TokenInfo>
>         <wssp:MessageParts
>           Dialect="http://schemas.xmlsoap.org/2002/12/wsse#part">wsp:Body() wsp:Header(wsa:Action) wsp:Header(wsa:FaultTo) wsp:Header(wsa:From) wsp:Header(wsa:MessageID) wsp:Header(wsa:RelatesTo) wsp:Header(wsa:ReplyTo) wsp:Header(wsa:To) wse:Timestamp()</wssp:MessageParts>
>       </wssp:Integrity>
>       <!--The Confidentiality assertion is used to ensure that the SOAP
>       Body is encrypted.-->
>       <wssp:Confidentiality wsp:Usage="wsp:Required">
>         <wssp:KeyInfo>
>           <!--The SecurityToken element within the KeyInfo element
>           describes which token type must be used for Encryption.-->
>           <wssp:SecurityToken>
>             <wssp:TokenType>http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk</wssp:TokenType>
>             <wssp:Claims>
>               <wse:Parent>
>                 <wssp:SecurityToken wse:IdentityToken="true">
>                   <wssp:TokenType>http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#UsernameToken</wssp:TokenType>
>                 </wssp:SecurityToken>
>               </wse:Parent>
>             </wssp:Claims>
>           </wssp:SecurityToken>
>         </wssp:KeyInfo>
>         <wssp:MessageParts
>           Dialect="http://schemas.xmlsoap.org/2002/12/wsse#part">wsp:Body()</wssp:MessageParts>
>       </wssp:Confidentiality>
>     </wsp:Policy>
>     <wsp:Policy wsu:Id="Sign-Username-Encrypt-X.509-1">
>       <!--MessagePredicate is used to require headers. This assertion
>       should be used along with the Integrity assertion when the presence of
>       the signed element is required. NOTE: this assertion does not do
>       anything for enforcement (send-side) policy.-->
>       <wsp:MessagePredicate wsp:Usage="wsp:Required"
>         Dialect="http://schemas.xmlsoap.org/2002/12/wsse#part">wsp:Body() wsp:Header(wsa:To) wsp:Header(wsa:Action) wsp:Header(wsa:MessageID) wse:Timestamp()</wsp:MessagePredicate>
>       <!--The Integrity assertion is used to ensure that the message is
>       signed with Username. Many Web services will also use the token for
>       authorization, such as by using the <wse:Role> claim or specific
>       Username claims.-->
>       <wssp:Integrity wsp:Usage="wsp:Required">
>         <wssp:TokenInfo>
>           <!--The SecurityToken element within the TokenInfo element
>           describes which token type must be used for Signing.-->
>           <wssp:SecurityToken>
>             <wssp:TokenType>http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk</wssp:TokenType>
>             <wssp:Claims>
>               <wse:Parent>
>                 <wssp:SecurityToken wse:IdentityToken="true">
>                   <wssp:TokenType>http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#UsernameToken</wssp:TokenType>
>                   <wssp:Claims>
>                     <!--By specifying the Role, the policy system can verify
>                     that the token contains a specific role, such as "Admin".
>                     Roles can be groups a user is a member of, or they can be
>                     customized for each token.-->
>                     <wse:Role value="CONTRACT6\User" />
>                   </wssp:Claims>
>                 </wssp:SecurityToken>
>               </wse:Parent>
>             </wssp:Claims>
>           </wssp:SecurityToken>
>         </wssp:TokenInfo>
>         <wssp:MessageParts
>           Dialect="http://schemas.xmlsoap.org/2002/12/wsse#part">wsp:Body() wsp:Header(wsa:Action) wsp:Header(wsa:FaultTo) wsp:Header(wsa:From) wsp:Header(wsa:MessageID) wsp:Header(wsa:RelatesTo) wsp:Header(wsa:ReplyTo) wsp:Header(wsa:To) wse:Timestamp()</wssp:MessageParts>
>       </wssp:Integrity>
>       <!--The Confidentiality assertion is used to ensure that the SOAP
>       Body is encrypted.-->
>       <wssp:Confidentiality wsp:Usage="wsp:Required">
>         <wssp:KeyInfo>
>           <!--The SecurityToken element within the KeyInfo element
>           describes which token type must be used for Encryption.-->
>           <wssp:SecurityToken>
>             <wssp:TokenType>http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3</wssp:TokenType>
>             <wssp:TokenIssuer>CN=Root Agency</wssp:TokenIssuer>
>             <wssp:Claims>
>               <!--By specifying the SubjectName claim, the policy system can
>               look for a certificate with this subject name in the
>               certificate store indicated in the application's configuration,
>               such as LocalMachine or CurrentUser. The WSE X.509 Certificate
>               Tool is useful for finding the correct values for this field.-->
>               <wssp:SubjectName MatchType="wssp:Exact">CN=WSE2QuickStartServer</wssp:SubjectName>
>               <wssp:X509Extension OID="2.5.29.14" MatchType="wssp:Exact">bBwPfItvKp3b6TNDq+14qs58VJQ=</wssp:X509Extension>
>             </wssp:Claims>
>           </wssp:SecurityToken>
>         </wssp:KeyInfo>
>         <wssp:MessageParts
>           Dialect="http://schemas.xmlsoap.org/2002/12/wsse#part">wsp:Body()</wssp:MessageParts>
>       </wssp:Confidentiality>
>     </wsp:Policy>
>     <wsp:Policy wsu:Id="Sign-X.509-Encrypt-Username-1">
>       <!--MessagePredicate is used to require headers. This assertion
>       should be used along with the Integrity assertion when the presence of
>       the signed element is required. NOTE: this assertion does not do
>       anything for enforcement (send-side) policy.-->
>       <wsp:MessagePredicate wsp:Usage="wsp:Required"
>         Dialect="http://schemas.xmlsoap.org/2002/12/wsse#part">wsp:Body() wsp:Header(wsa:To) wsp:Header(wsa:Action) wsp:Header(wsa:MessageID) wse:Timestamp()</wsp:MessagePredicate>
>       <!--The Integrity assertion is used to ensure that the message is
>       signed with X.509. Many Web services will also use the token for
>       authorization, such as by using the <wse:Role> claim or specific X.509
>       claims.-->
>       <wssp:Integrity wsp:Usage="wsp:Required">
>         <wssp:TokenInfo>
>           <!--The SecurityToken element within the TokenInfo element
>           describes which token type must be used for Signing.-->
>           <wssp:SecurityToken>
>             <wssp:TokenType>http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3</wssp:TokenType>
>             <wssp:TokenIssuer>CN=Root Agency</wssp:TokenIssuer>
>             <wssp:Claims>
>               <!--By specifying the SubjectName claim, the policy system can
>               look for a certificate with this subject name in the
>               certificate store indicated in the application's configuration,
>               such as LocalMachine or CurrentUser. The WSE X.509 Certificate
>               Tool is useful for finding the correct values for this field.-->
>               <wssp:SubjectName MatchType="wssp:Exact">CN=WSE2QuickStartServer</wssp:SubjectName>
>               <wssp:X509Extension OID="2.5.29.14" MatchType="wssp:Exact">bBwPfItvKp3b6TNDq+14qs58VJQ=</wssp:X509Extension>
>             </wssp:Claims>
>           </wssp:SecurityToken>
>         </wssp:TokenInfo>
>         <wssp:MessageParts
>           Dialect="http://schemas.xmlsoap.org/2002/12/wsse#part">wsp:Body() wsp:Header(wsa:Action) wsp:Header(wsa:FaultTo) wsp:Header(wsa:From) wsp:Header(wsa:MessageID) wsp:Header(wsa:RelatesTo) wsp:Header(wsa:ReplyTo) wsp:Header(wsa:To) wse:Timestamp()</wssp:MessageParts>
>       </wssp:Integrity>
>       <!--The Confidentiality assertion is used to ensure that the SOAP
>       Body is encrypted.-->
>       <wssp:Confidentiality wsp:Usage="wsp:Required">
>         <wssp:KeyInfo>
>           <!--The SecurityToken element within the KeyInfo element
>           describes which token type must be used for Encryption.-->
>           <wssp:SecurityToken>
>             <wssp:TokenType>http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk</wssp:TokenType>
>             <wssp:Claims>
>               <wse:Parent>
>                 <wssp:SecurityToken wse:IdentityToken="true">
>                   <wssp:TokenType>http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#UsernameToken</wssp:TokenType>
>                 </wssp:SecurityToken>
>               </wse:Parent>
>             </wssp:Claims>
>           </wssp:SecurityToken>
>         </wssp:KeyInfo>
>         <wssp:MessageParts
>           Dialect="http://schemas.xmlsoap.org/2002/12/wsse#part">wsp:Body()</wssp:MessageParts>
>       </wssp:Confidentiality>
>     </wsp:Policy>
>   </policies>
> </policyDocument>
>
> Dilip Krishnan wrote:
>
>> Hello SQLAgentman,
>> Could you post the policy xml fragment. My guess is that on the server
>> side you have a policy to sign/encrypt using username token. If you do you
>> would need to add the username token to the policy enforcement cache, in
>> the global.asax ApplicationStart event handler, similar to what you did on
>> the client side, ... Quote
>> "
>>>>> Dim oToken As New Microsoft.Web.Services2.Security.Tokens.UsernameToken(txtUserName.Text, txtPassword.Text, PasswordOption.SendPlainText)
>>>>> PolicyEnforcementSecurityTokenCache.GlobalCache.Clear()
>>>>> PolicyEnforcementSecurityTokenCache.GlobalCache.Add(oToken)
>>>>> I have No idea what to do next.
>> "
>>
>> except add a config based/ hardcoded username and password for the username
>> token.
>>
>> HTH
>> Regards,
>> Dilip Krishnan
>> MCAD, MCSD.net
>> dkrishnan at geniant dot com
>> http://www.geniant.com
>>> Sami,
>>>
>>> I attempted to use the trace, but I am not getting anything.
>>> You are right, this is a web application. How do I deal with
>>> permissions
>>> ( no trace files found anywhere, so they are not created at all ???)
>>> Dilip,
>>> I double checked that my endpoint matches exactly, including the case
>>> Thank you all for any help, I am still having the same problem.
>>>
>>> Sql
>>>
>>> Dilip Krishnan wrote:
>>>
>>>> Hello SQLAgentman,
>>>> Check if the endpoint you're trying to hit matches the one in policy,
>>>> even the case!
>>>>
>>>> HTH
>>>> Regards,
>>>> Dilip Krishnan
>>>> MCAD, MCSD.net
>>>> dkrishnan at geniant dot com
>>>> http://www.geniant.com
>>>>> Hello,
>>>>>
>>>>> I am trying to implement a Security Between my Web Site and my Web
>>>>> Service using WSE2.0 using Policy.
>>>>>
>>>>> I Followed the example in HOL-WSE02 and It works great.
>>>>>
>>>>> Now when I try to use the same exact Procedure/steps on my own web -
>>>>> webservice I keep on getting the following error.
>>>>>
>>>>> WSE405: A satisfactory subset of policy assertions that could be
>>>>> enforced for the outgoing message could not be found.
>>>>>
>>>>> I looked on Google etc.. and I can not find any thing that can help
>>>>> The only thing I found is to make sure I have the following on the
>>>>> client side, and I do.
>>>>> Dim oToken As New Microsoft.Web.Services2.Security.Tokens.UsernameToken(txtUserName.Text, txtPassword.Text, PasswordOption.SendPlainText)
>>>>> PolicyEnforcementSecurityTokenCache.GlobalCache.Clear()
>>>>> PolicyEnforcementSecurityTokenCache.GlobalCache.Add(oToken)
>>>>> I have No idea what to do next.
>>>>> Can anyone please help
>>>>> Thank you,
>>>>> Sql
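
The three checks suggested in this thread (endpoint URI case, policy references, key identifier against the certificate) can be run offline against a policyCache.config. The following is an added example, not part of the original posts and not WSE code; the function names and the cut-down SAMPLE document are constructed for illustration, and `cert_key_id_b64` is assumed to be the Base64 key identifier copied from the WSE X.509 Certificate Tool.

```python
import base64
import binascii
import xml.etree.ElementTree as ET

NS = {"p": "http://schemas.microsoft.com/wse/2003/06/Policy",
      "wsp": "http://schemas.xmlsoap.org/ws/2002/12/policy",
      "wssp": "http://schemas.xmlsoap.org/ws/2002/12/secext"}
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"

# Constructed sample, cut down from the server-side policyCache.config above.
# The response mapping and the second key identifier are deliberately wrong.
SAMPLE = f"""<policyDocument xmlns="{NS['p']}">
 <mappings>
  <endpoint uri="http://localhost/MyWebServices/MySecurity.asmx">
   <defaultOperation>
    <request policy="#Sign-Username-Encrypt-X.509" />
    <response policy="#Sign-X.509-Encrypt-Username-1" />
    <fault policy="" />
   </defaultOperation>
  </endpoint>
 </mappings>
 <policies xmlns:wsu="{WSU}" xmlns:wsp="{NS['wsp']}" xmlns:wssp="{NS['wssp']}">
  <wsp:Policy wsu:Id="Sign-Username-Encrypt-X.509">
   <wssp:Confidentiality><wssp:KeyInfo><wssp:SecurityToken><wssp:Claims>
    <wssp:SubjectName MatchType="wssp:Exact">CN=WSE2QuickStartServer</wssp:SubjectName>
    <wssp:X509Extension OID="2.5.29.14"
      MatchType="wssp:Exact">bBwPfItvKp3b6TNDq+14qs58VJQ=</wssp:X509Extension>
   </wssp:Claims></wssp:SecurityToken></wssp:KeyInfo></wssp:Confidentiality>
  </wsp:Policy>
  <wsp:Policy wsu:Id="Sign-X.509-Encrypt-Username">
   <wssp:Integrity><wssp:TokenInfo><wssp:SecurityToken><wssp:Claims>
    <wssp:SubjectName MatchType="wssp:Exact">CN=WSE2QuickStartServer</wssp:SubjectName>
    <wssp:X509Extension OID="2.5.29.14" MatchType="wssp:Exact">Check this!!</wssp:X509Extension>
   </wssp:Claims></wssp:SecurityToken></wssp:TokenInfo></wssp:Integrity>
  </wsp:Policy>
 </policies>
</policyDocument>"""

def unresolved_mappings(policy_xml):
    """Mappings whose policy="#id" has no matching <wsp:Policy wsu:Id="id">."""
    root = ET.fromstring(policy_xml)
    ids = {p.get(f"{{{WSU}}}Id") for p in root.iterfind(".//wsp:Policy", NS)}
    missing = []
    for ep in root.iterfind("p:mappings/*", NS):
        for msg in ep.iterfind("p:defaultOperation/*", NS):
            ref = msg.get("policy", "")  # an empty reference means "no policy"
            if ref and ref.lstrip("#") not in ids:
                missing.append((ep.get("uri", "default"), msg.tag.split("}")[1], ref))
    return missing

def endpoint_match(policy_xml, url):
    """'exact', 'case differs' or 'none' for the URL the client actually calls."""
    root = ET.fromstring(policy_xml)
    uris = [e.get("uri", "") for e in root.iterfind("p:mappings/p:endpoint", NS)]
    if url in uris:
        return "exact"
    return "case differs" if url.lower() in [u.lower() for u in uris] else "none"

def key_identifier_report(policy_xml, cert_key_id_b64):
    """Compare every OID 2.5.29.14 claim with the certificate's key identifier."""
    want = base64.b64decode(cert_key_id_b64, validate=True)
    report = []
    for policy in ET.fromstring(policy_xml).iterfind(".//wsp:Policy", NS):
        for ext in policy.iterfind(".//wssp:X509Extension[@OID='2.5.29.14']", NS):
            try:  # tolerate line-wrapped values by dropping whitespace first
                have = base64.b64decode("".join((ext.text or "").split()), validate=True)
                status = "match" if have == want else "MISMATCH"
            except binascii.Error:
                status = "not base64"
            report.append((policy.get(f"{{{WSU}}}Id"), status))
    return report

if __name__ == "__main__":
    print(unresolved_mappings(SAMPLE))
    print(endpoint_match(SAMPLE, "http://localhost/mywebservices/mysecurity.asmx"))
    print(key_identifier_report(SAMPLE, "bBwPfItvKp3b6TNDq+14qs58VJQ="))
```

Run it against both the client and the server policyCache.config; a policy that reports anything other than "match" for the certificate in use is the one to correct.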


