Re: WSE405: A satisfactory subset of policy assertions that could be enforced for the outgoing message could not be found.


From: SQLAgentman (sql_agentman_at_hotmail.com)
Date: 12/21/04


Date: 21 Dec 2004 13:31:06 -0800

Hi Sami,

You are right, I am using Policy.
I am using the <x509 ... /> tag in the config file.

"From Client Config - Web Site "
<microsoft.web.services2>
  <security>
    <x509 storeLocation="CurrentUser" allowTestRoot="true" />
  </security>
  <diagnostics>
    <policyTrace enabled="true" input="ReceivePolicy.webinfo"
                 output="SendPolicy.webinfo" />
  </diagnostics>
  <policy>
    <cache name="policyCache.config" />
  </policy>
  <tokenIssuer>
    <autoIssueSecurityContextToken enabled="true" />
  </tokenIssuer>
</microsoft.web.services2>

Please correct me if I am wrong.
I used the WseCertificate2.exe tool to give ASPNET (the ASP.NET
Machine account) Read & Execute and Read access.

I am running XP; is this the right account?

Is there anything I am missing here?

Still the same WSE509 error.
How did you know that the problem is with the X.509 and not the
UsernameToken itself?

I create the UsernameToken in my client (a very simple Hello World
web service and website consumer):

Imports Microsoft.Web.Services2.Security.Tokens

' Username token the Integrity assertion signs with; password sent in clear text
Dim oToken As New UsernameToken("mike", "TechEd2004", PasswordOption.SendPlainText)
' Drop any previously cached token, then hand this one to policy enforcement
PolicyEnforcementSecurityTokenCache.GlobalCache.Clear()
PolicyEnforcementSecurityTokenCache.GlobalCache.Add(oToken)

Thank you for your time

Sql
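The replies quoted below keep returning to one check: whether the certificate that the Confidentiality assertion names by SubjectName and by key identifier (the X509Extension with OID 2.5.29.14) can actually be found in the store the running account sees, with a matching key identifier and a reachable private key. The following is an added diagnostic for exactly that check; it is not code from this thread or from WSE. It is written in VB.NET like the snippet above, against the .NET 2.0+ X509Store API rather than the WSE 2.0 X509CertificateStore class (an assumption), uses the subject name and base64 key identifier from the policy file quoted in the thread, and assumes the certificate lives in the personal ("My") store of the location named by <x509 storeLocation="...">.

```vb
' Added diagnostic example; not code from this thread or from WSE itself.
' Assumes the .NET 2.0+ X509Store API (WSE 2.0 on .NET 1.1 shipped its own
' X509CertificateStore class instead) and that the certificate sits in the
' personal ("My") store of the location named by <x509 storeLocation="...">.
Imports System
Imports System.Security.Cryptography
Imports System.Security.Cryptography.X509Certificates

Module PolicyCertCheck

    ' Values taken from the policy file quoted in the thread; substitute your own.
    Private Const SubjectName As String = "CN=WSE2QuickStartServer"
    Private Const PolicySki As String = "bBwPfItvKp3b6TNDq+14qs58VJQ="  ' <wssp:X509Extension OID="2.5.29.14">

    ' Same lookup the SubjectName claim with MatchType="wssp:Exact" performs:
    ' exact match on the subject distinguished name in one store location.
    Public Function FindBySubject(ByVal location As StoreLocation, ByVal subject As String) As X509Certificate2Collection
        Dim store As New X509Store(StoreName.My, location)
        store.Open(OpenFlags.ReadOnly Or OpenFlags.OpenExistingOnly)
        Try
            Return store.Certificates.Find(X509FindType.FindBySubjectDistinguishedName, subject, False)
        Finally
            store.Close()
        End Try
    End Function

    ' The policy file carries the Subject Key Identifier as base64 of the raw
    ' bytes; .NET exposes it as a hex string, so convert before comparing.
    Public Function SkiAsBase64(ByVal cert As X509Certificate2) As String
        Dim ext As X509Extension = cert.Extensions("2.5.29.14")
        If ext Is Nothing Then Return Nothing
        Dim skiExt As X509SubjectKeyIdentifierExtension = TryCast(ext, X509SubjectKeyIdentifierExtension)
        If skiExt Is Nothing Then skiExt = New X509SubjectKeyIdentifierExtension(ext, False)
        Dim hex As String = skiExt.SubjectKeyIdentifier
        Dim raw(hex.Length \ 2 - 1) As Byte
        For i As Integer = 0 To raw.Length - 1
            raw(i) = Convert.ToByte(hex.Substring(i * 2, 2), 16)
        Next
        Return Convert.ToBase64String(raw)
    End Function

    ' Whether the account running this code can open the private key. The side
    ' that decrypts needs it; a CryptographicException here means the key
    ' container ACL does not include that account (the thread grants ASPNET Read).
    Public Function PrivateKeyReadable(ByVal cert As X509Certificate2) As Boolean
        If Not cert.HasPrivateKey Then Return False
        Try
            Return cert.PrivateKey IsNot Nothing
        Catch ex As CryptographicException
            Return False
        End Try
    End Function

    Sub Main()
        ' Check both locations: a web app running as ASPNET sees ASPNET's own
        ' CurrentUser store, not the developer's, so the same config can work
        ' from a console and fail under IIS.
        For Each location As StoreLocation In New StoreLocation() {StoreLocation.CurrentUser, StoreLocation.LocalMachine}
            Dim found As X509Certificate2Collection = FindBySubject(location, SubjectName)
            Console.WriteLine("{0}\My: {1} certificate(s) with subject {2}", location, found.Count, SubjectName)
            For Each cert As X509Certificate2 In found
                Dim ski As String = SkiAsBase64(cert)
                Console.WriteLine("  SKI in cert   : {0}", ski)
                Console.WriteLine("  SKI in policy : {0} ({1})", PolicySki, IIf(ski = PolicySki, "match", "MISMATCH"))
                Console.WriteLine("  private key   : {0}", IIf(PrivateKeyReadable(cert), "readable", "not readable by this account"))
            Next
        Next
    End Sub

End Module
```

Run it under the same identity as the web application (for example from a page or a scheduled task running as ASPNET) rather than from the developer's desktop session; a certificate that is visible and readable for the developer but absent or key-locked for the service account produces exactly the "Could not find a security token" annotations seen in the trace below.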

Sami Vaaraniemi wrote:
> "Sami Vaaraniemi" <samivanospam@pleasejippii.fi> wrote in message
> news:ubqa5o55EHA.1408@TK2MSFTNGP10.phx.gbl...
> > Looking at the trace it seems to me that the confidentiality (i.e.,
> > encryption) assertion fails because it cannot find the X.509 token. Are
> > you adding the server certificate to the Context.Security.Tokens container
> > before sending the message?
> >
>
> Correction - since you're using a policy based approach you are probably
> adding the certificate using a config file, right (with the <x509 ...> tag)?
> If so, then make sure that the server certificate is there and that the
> account under which the web app is running has the permissions to retrieve
> the certificate.
>
> Regards,
> Sami
>
> >
> > "SQLAgentman" <sql_agentman@hotmail.com> wrote in message
> > news:1103650645.850814.30180@c13g2000cwb.googlegroups.com...
> >> Dilip,
> >>
> >> After allowing the "everyone" group to write I got some trace info.
> >> (I don't understand what it means; did it not like the token???)
> >> SendPolicy.webinfo contains:
> >>
> >> ************************************
> >> <log xmlns:wsp="http://schemas.xmlsoap.org/ws/2002/12/policy"
> >>      xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
> >>      xmlns:wssp="http://schemas.xmlsoap.org/ws/2002/12/secext"
> >>      xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> >>      xmlns:wse="http://schemas.microsoft.com/wse/2003/06/Policy"
> >>      xmlns:wset="http://schemas.microsoft.com/wse/2003/09/PolicyTrace">
> >>   <wset:message action="http://localhost/ServerTest01/Service1/HelloWorld"
> >>                 messageId="uuid:ef7f03cf-3ee6-49bf-9ba3-d85e643b652c"
> >>                 appDomain="/LM/W3SVC/1/Root/ClientTest01-13-127481523577281354"
> >>                 time="2004-12-21T09:26:04.8845228-08:00">
> >>     <wset:compile qname="wsp:Policy" wsu:Id="#Sign-Username-Encrypt-X.509-1"
> >>                   usage="Required" canEnforce="false">
> >>       <wset:compile qname="wsp:MessagePredicate" usage="Required" canEnforce="true" />
> >>       <wset:compile qname="wssp:Integrity" usage="Required" canEnforce="true">
> >>         <wset:annotation>Looking for a satisfactory token in the current message's token collection...</wset:annotation>
> >>         <wset:annotation>Looking for a satisfactory token in policy enforcement token cache...</wset:annotation>
> >>         <wset:annotation>DerivedKeyTokenAssertion will never be satisfied with existing tokens during compilation or enforcement. Not satisfied with this token: Id=SecurityToken-8f7cbff6-286e-41a2-98d4-ec075cf5c96d, Type=UsernameToken</wset:annotation>
> >>         <wset:annotation>ISecurityTokenManager.PermitsPolicyEnforcementTokenCaching is set to false in the token manager registered for this token type. We will assume this assertion is enforceable. Failures will be revealed during enforcement.</wset:annotation>
> >>       </wset:compile>
> >>       <wset:compile qname="wssp:Confidentiality" usage="Required" canEnforce="false">
> >>         <wset:annotation>ISecurityTokenManager.PermitsPolicyEnforcementTokenCaching is set to true in the token manager registered for this token type. A token will be loaded from the token manager and cached for subsequent message enforcement.</wset:annotation>
> >>         <wset:annotation>Invoking ISecurityTokenManager.LoadTokenFromSecurityTokenAssertion from the token manager registered for this token type.</wset:annotation>
> >>         <wset:annotation>Could not find a security token.</wset:annotation>
> >>         <wset:annotation>Looking for a satisfactory token in the current message's token collection...</wset:annotation>
> >>         <wset:annotation>Looking for a satisfactory token in policy enforcement token cache...</wset:annotation>
> >>         <wset:annotation>ISecurityTokenManager.PermitsPolicyEnforcementTokenCaching is set to true in the token manager registered for this token type. Attempting to use the previously cached token...</wset:annotation>
> >>         <wset:annotation>Invoking ISecurityTokenManager.LoadTokenFromSecurityTokenAssertion from the token manager registered for this token type.</wset:annotation>
> >>         <wset:annotation>Could not find a security token.</wset:annotation>
> >>       </wset:compile>
> >>     </wset:compile>
> >>   </wset:message>
> >> </log>
> >> ****************************************
> >>
> >> Thank you for your help..
> >>
> >> Sql
> >>
> >> SQLAgentman wrote:
> >>> Dilip,
> >>>
> >>> For some reason the diagnostics trace is not creating the files,
> >>> so it is not working for me. Maybe this is the main problem.
> >>> What can I do to get some diagnostics?
> >>> I made sure that ASPNET can read and write.
> >>> Is there any other trick that you know?
> >>>
> >>> Sql
> >>>
> >>> Dilip Krishnan wrote:
> >>> > Hello SQLAgentman,
> >>> > Also try the diagnostics option for tracing the request and the
> >>> > policy.
> >>> >
> >>> > HTH
> >>> > Regards,
> >>> > Dilip Krishnan
> >>> > MCAD, MCSD.net
> >>> > dkrishnan at geniant dot com
> >>> > http://www.geniant.com
> >>> >
> >>> > > Dilip,
> >>> > >
> >>> > > 1. Subject Name is the same, verified.
> >>> > > 2. Yes: allowTestRoot="true" storeLocation="LocalMachine"
> >>> > >    allowRevocationUrlRetrieval="false"
> >>> > >    although I used the Wizard and it did not add the last one.
> >>> > >    I added everything manually also.
> >>> > > 3. Yes, ASPNET has permissions to see the Certificate.
> >>> > > Still it does not work. Still getting the WSE405 error.
> >>> > >
> >>> > > I wonder if I can send you, or anyone, the test projects that I
> >>> > > have; they are very very small to be tested on another machine. I am
> >>> > > going insane.
> >>> > >
> >>> > > Thank you for trying so hard, I really appreciate it.
> >>> > > I recreated the test projects from scratch before;
> >>> > > I might do it again and see.
> >>> > > I checked on both sides, the client side (Web) and the server side
> >>> > > (Web Service).
> >>> > >
> >>> > > Thanks for all your help
> >>> > >
> >>> > > Sql
> >>> > >
> >>> > > Dilip Krishnan wrote:
> >>> > >
> >>> > >> Hello Dilip,
> >>> > >> Am out of ideas :) just a couple more things you could try
> >>> > >> 1. Check if the subject name is the same
> >>> > >> 2. Check in the web.config what your certificate store is
> >>> > >>    <x509 allowTestRoot="true" storeLocation="LocalMachine" allowRevocationUrlRetrieval="false" />
> >>> > >>    Check if it is in the same location as you expect.
> >>> > >> 3. Check if ASPNET user has permissions to read and see the
> >>> > >>    certificate
> >>> > >> HTH
> >>> > >> Regards,
> >>> > >> Dilip Krishnan
> >>> > >> MCAD, MCSD.net
> >>> > >> dkrishnan at geniant dot com
> >>> > >> http://www.geniant.com
> >>> > >>> Hello SQLAgentman,
> >>> > >>> Could be one of 2 reasons. The error is coming from the response
> >>> > >>> policy (enforcement error). Either the policy could not be enforced
> >>> > >>> because it couldn't find the username token (the client didn't send
> >>> > >>> one!) or, most likely the case, the key identifier doesn't match
> >>> > >>> with the certificate.
> >>> > >>> <wssp:Integrity ....
> >>> > >>>   ....
> >>> > >>>   <wssp:Claims>
> >>> > >>>     <!--By specifying the SubjectName claim, the policy system
> >>> > >>>     can look for a certificate with this subject name in the
> >>> > >>>     certificate store indicated in the application's configuration,
> >>> > >>>     such as LocalMachine or CurrentUser.
> >>> > >>>     The WSE X.509 Certificate Tool is useful for finding the correct
> >>> > >>>     values for this field.-->
> >>> > >>>     <wssp:SubjectName MatchType="wssp:Exact">C=US,.....</wssp:SubjectName>
> >>> > >>>     <wssp:X509Extension OID="2.5.29.14" MatchType="wssp:Exact">Check this!!</wssp:X509Extension>
> >>> > >>>   </wssp:Claims>
> >>> > >>> ...
> >>> > >>> Open up the X.509 certificate tool and copy the key identifier
> >>> > >>> value from the cert (in LocalComputer). That should solve the
> >>> > >>> problem.
> >>> > >>> HTH
> >>> > >>> Regards,
> >>> > >>> Dilip Krishnan
> >>> > >>> MCAD, MCSD.net
> >>> > >>> dkrishnan at geniant dot com
> >>> > >>> http://www.geniant.com
> >>> > >>>> First: Thank you.
> >>> > >>>>
> >>> > >>>> Here is my policyCache.config on the client side; then the server
> >>> > >>>> side, please see below.
> >>> > >>>> I am using Win XP with SP2, running both the client and the server
> >>> > >>>> on localhost.
> >>> > >>>> I had no idea that I have to add the token to both the client and
> >>> > >>>> the server side to the cache!!??. I have hardcoded the username and
> >>> > >>>> password but no luck.
> >>> > >>>> I ran the sample HOL and it works just fine.
> >>> > >>>> <?xml version="1.0" encoding="utf-8"?>
> >>> > >>>> <policyDocument xmlns="http://schemas.microsoft.com/wse/2003/06/Policy">
> >>> > >>>>   <mappings xmlns:wse="http://schemas.microsoft.com/wse/2003/06/Policy">
> >>> > >>>>     <!--The following policy describes the policy requirements for all
> >>> > >>>>     services who do not have a mapping in this file.-->
> >>> > >>>>     <defaultEndpoint>
> >>> > >>>>       <defaultOperation>
> >>> > >>>>         <request policy="#Sign-Username-Encrypt-X.509" />
> >>> > >>>>         <response policy="#Sign-X.509-Encrypt-Username" />
> >>> > >>>>         <fault policy="" />
> >>> > >>>>       </defaultOperation>
> >>> > >>>>     </defaultEndpoint>
> >>> > >>>>   </mappings>
> >>> > >>>>   <policies xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> >>> > >>>>             xmlns:wsp="http://schemas.xmlsoap.org/ws/2002/12/policy"
> >>> > >>>>             xmlns:wssp="http://schemas.xmlsoap.org/ws/2002/12/secext"
> >>> > >>>>             xmlns:wse="http://schemas.microsoft.com/wse/2003/06/Policy"
> >>> > >>>>             xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
> >>> > >>>>             xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/03/addressing">
> >>> > >>>>     <wsp:Policy wsu:Id="Sign-Username-Encrypt-X.509">
> >>> > >>>>       <!--MessagePredicate is used to require headers. This assertion
> >>> > >>>>       should be used along with the Integrity assertion when the presence
> >>> > >>>>       of the signed element is required. NOTE: this assertion does not do
> >>> > >>>>       anything for enforcement (send-side) policy.-->
> >>> > >>>>       <wsp:MessagePredicate wsp:Usage="wsp:Required"
> >>> > >>>>           Dialect="http://schemas.xmlsoap.org/2002/12/wsse#part">wsp:Body()
> >>> > >>>>           wsp:Header(wsa:To) wsp:Header(wsa:Action) wsp:Header(wsa:MessageID)
> >>> > >>>>           wse:Timestamp()</wsp:MessagePredicate>
> >>> > >>>>       <!--The Integrity assertion is used to ensure that the message is
> >>> > >>>>       signed with Username. Many Web services will also use the token for
> >>> > >>>>       authorization, such as by using the <wse:Role> claim or specific
> >>> > >>>>       Username claims.-->
> >>> > >>>>       <wssp:Integrity wsp:Usage="wsp:Required">
> >>> > >>>>         <wssp:TokenInfo>
> >>> > >>>>           <!--The SecurityToken element within the TokenInfo element
> >>> > >>>>           describes which token type must be used for Signing.-->
> >>> > >>>>           <wssp:SecurityToken>
> >>> > >>>>             <wssp:TokenType>http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk</wssp:TokenType>
> >>> > >>>>             <wssp:Claims>
> >>> > >>>>               <wse:Parent>
> >>> > >>>>                 <wssp:SecurityToken>
> >>> > >>>>                   <wssp:TokenType>http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#UsernameToken</wssp:TokenType>
> >>> > >>>>                 </wssp:SecurityToken>
> >>> > >>>>               </wse:Parent>
> >>> > >>>>             </wssp:Claims>
> >>> > >>>>           </wssp:SecurityToken>
> >>> > >>>>         </wssp:TokenInfo>
> >>> > >>>>         <wssp:MessageParts
> >>> > >>>>             Dialect="http://schemas.xmlsoap.org/2002/12/wsse#part">wsp:Body()
> >>> > >>>>             wsp:Header(wsa:Action) wsp:Header(wsa:FaultTo) wsp:Header(wsa:From)
> >>> > >>>>             wsp:Header(wsa:MessageID) wsp:Header(wsa:RelatesTo)
> >>> > >>>>             wsp:Header(wsa:ReplyTo) wsp:Header(wsa:To)
> >>> > >>>>             wse:Timestamp()</wssp:MessageParts>
> >>> > >>>>       </wssp:Integrity>
> >>> > >>>>       <!--The Confidentiality assertion is used to ensure that the SOAP
> >>> > >>>>       Body is encrypted.-->
> >>> > >>>>       <wssp:Confidentiality wsp:Usage="wsp:Required">
> >>> > >>>>         <wssp:KeyInfo>
> >>> > >>>>           <!--The SecurityToken element within the KeyInfo element
> >>> > >>>>           describes which token type must be used for Encryption.-->
> >>> > >>>>           <wssp:SecurityToken>
> >>> > >>>>             <wssp:TokenType>http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3</wssp:TokenType>
> >>> > >>>>             <wssp:TokenIssuer>CN=Root Agency</wssp:TokenIssuer>
> >>> > >>>>             <wssp:Claims>
> >>> > >>>>               <!--By specifying the SubjectName claim, the policy
> >>> > >>>>               system can look for a certificate with this subject name in the
> >>> > >>>>               certificate store indicated in the application's configuration, such as
> >>> > >>>>               LocalMachine or CurrentUser. The WSE X.509 Certificate Tool is useful
> >>> > >>>>               for finding the correct values for this field.-->
> >>> > >>>>               <wssp:SubjectName MatchType="wssp:Exact">CN=WSE2QuickStartServer</wssp:SubjectName>
> >>> > >>>>               <wssp:X509Extension OID="2.5.29.14" MatchType="wssp:Exact">bBwPfItvKp3b6TNDq+14qs58VJQ=</wssp:X509Extension>
> >>> > >>>>             </wssp:Claims>
> >>> > >>>>           </wssp:SecurityToken>
> >>> > >>>>         </wssp:KeyInfo>
> >>> > >>>>         <wssp:MessageParts Dialect="http://schemas.xmlsoap.org/2002/12/wsse#part">wsp:Body()</wssp:MessageParts>
> >>> > >>>>       </wssp:Confidentiality>
> >>> > >>>>     </wsp:Policy>
> >>> > >>>>     <wsp:Policy wsu:Id="Sign-X.509-Encrypt-Username">
> >>> > >>>>       <!--MessagePredicate is used to require headers. This assertion
> >>> > >>>>       should be used along with the Integrity assertion when the presence
> >>> > >>>>       of the signed element is required. NOTE: this assertion does not do
> >>> > >>>>       anything for enforcement (send-side) policy.-->
> >>> > >>>>       <wsp:MessagePredicate wsp:Usage="wsp:Required"
> >>> > >>>>           Dialect="http://schemas.xmlsoap.org/2002/12/wsse#part">wsp:Body()
> >>> > >>>>           wsp:Header(wsa:To) wsp:Header(wsa:Action) wsp:Header(wsa:MessageID)
> >>> > >>>>           wse:Timestamp()</wsp:MessagePredicate>
> >>> > >>>>       <!--The Integrity assertion is used to ensure that the message is
> >>> > >>>>       signed with X.509. Many Web services will also use the token for
> >>> > >>>>       authorization, such as by using the <wse:Role> claim or specific X.509
> >>> > >>>>       claims.-->
> >>> > >>>>       <wssp:Integrity wsp:Usage="wsp:Required">
> >>> > >>>>         <wssp:TokenInfo>
> >>> > >>>>           <!--The SecurityToken element within the TokenInfo element
> >>> > >>>>           describes which token type must be used for Signing.-->
> >>> > >>>>           <wssp:SecurityToken>
> >>> > >>>>             <wssp:TokenType>http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3</wssp:TokenType>
> >>> > >>>>             <wssp:TokenIssuer>CN=Root Agency</wssp:TokenIssuer>
> >>> > >>>>             <wssp:Claims>
> >>> > >>>>               <!--By specifying the SubjectName claim, the policy
> >>> > >>>>               system can look for a certificate with this subject name in the
> >>> > >>>>               certificate store indicated in the application's configuration, such as
> >>> > >>>>               LocalMachine or CurrentUser. The WSE X.509 Certificate Tool is useful
> >>> > >>>>               for finding the correct values for this field.-->
> >>> > >>>>               <wssp:SubjectName MatchType="wssp:Exact">CN=WSE2QuickStartServer</wssp:SubjectName>
> >>> > >>>>               <wssp:X509Extension OID="2.5.29.14" MatchType="wssp:Exact">bBwPfItvKp3b6TNDq+14qs58VJQ=</wssp:X509Extension>
> >>> > >>>>             </wssp:Claims>
> >>> > >>>>           </wssp:SecurityToken>
> >>> > >>>>         </wssp:TokenInfo>
> >>> > >>>>         <wssp:MessageParts
> >>> > >>>>             Dialect="http://schemas.xmlsoap.org/2002/12/wsse#part">wsp:Body()
> >>> > >>>>             wsp:Header(wsa:Action) wsp:Header(wsa:FaultTo) wsp:Header(wsa:From)
> >>> > >>>>             wsp:Header(wsa:MessageID) wsp:Header(wsa:RelatesTo)
> >>> > >>>>             wsp:Header(wsa:ReplyTo) wsp:Header(wsa:To)
> >>> > >>>>             wse:Timestamp()</wssp:MessageParts>
> >>> > >>>>       </wssp:Integrity>
> >>> > >>>>       <!--The Confidentiality assertion is used to ensure that the SOAP
> >>> > >>>>       Body is encrypted.-->
> >>> > >>>>       <wssp:Confidentiality wsp:Usage="wsp:Required">
> >>> > >>>>         <wssp:KeyInfo>
> >>> > >>>>           <!--The SecurityToken element within the KeyInfo element
> >>> > >>>>           describes which token type must be used for Encryption.-->
> >>> > >>>>           <wssp:SecurityToken>
> >>> > >>>>             <wssp:TokenType>http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk</wssp:TokenType>
> >>> > >>>>             <wssp:Claims>
> >>> > >>>>               <wse:Parent>
> >>> > >>>>                 <wssp:SecurityToken>
> >>> > >>>>                   <wssp:TokenType>http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#UsernameToken</wssp:TokenType>
> >>> > >>>>                 </wssp:SecurityToken>
> >>> > >>>>               </wse:Parent>
> >>> > >>>>             </wssp:Claims>
> >>> > >>>>           </wssp:SecurityToken>
> >>> > >>>>         </wssp:KeyInfo>
> >>> > >>>>         <wssp:MessageParts Dialect="http://schemas.xmlsoap.org/2002/12/wsse#part">wsp:Body()</wssp:MessageParts>
> >>> > >>>>       </wssp:Confidentiality>
> >>> > >>>>     </wsp:Policy>
> >>> > >>>>   </policies>
> >>> > >>>> </policyDocument>
> >>> > >>>>
> >>> > >>>> -----------------------------------Server Side policyCache.config--------------
> >>> > >>>> <?xml version="1.0" encoding="utf-8"?>
> >>> > >>>> <policyDocument xmlns="http://schemas.microsoft.com/wse/2003/06/Policy">
> >>> > >>>>   <mappings xmlns:wse="http://schemas.microsoft.com/wse/2003/06/Policy">
> >>> > >>>>     <!--The following policy describes the policy requirements for the
> >>> > >>>>     service: http://localhost/MyWebServices/MySecurity.asmx .-->
> >>> > >>>>     <endpoint uri="http://localhost/MyWebServices/MySecurity.asmx">
> >>> > >>>>       <defaultOperation>
> >>> > >>>>         <request policy="#Sign-Username-Encrypt-X.509" />
> >>> > >>>>         <response policy="#Sign-X.509-Encrypt-Username" />
> >>> > >>>>         <fault policy="" />
> >>> > >>>>       </defaultOperation>
> >>> > >>>>     </endpoint>
> >>> > >>>>     <endpoint uri="http://localhost/MyWebServices/MyWSXYZ.asmx">
> >>> > >>>>       <defaultOperation>
> >>> > >>>>         <request policy="#Sign-Username-Encrypt-X.509-1" />
> >>> > >>>>         <response policy="#Sign-X.509-Encrypt-Username-1" />
> >>> > >>>>         <fault policy="" />
> >>> > >>>>       </defaultOperation>
> >>> > >>>>     </endpoint>
> >>> > >>>>   </mappings>
> >>> > >>>>   <policies xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> >>> > >>>>             xmlns:wsp="http://schemas.xmlsoap.org/ws/2002/12/policy"
> >>> > >>>>             xmlns:wssp="http://schemas.xmlsoap.org/ws/2002/12/secext"
> >>> > >>>>             xmlns:wse="http://schemas.microsoft.com/wse/2003/06/Policy"
> >>> > >>>>             xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
> >>> > >>>>             xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/03/addressing">
> >>> > >>>>     <wsp:Policy wsu:Id="Sign-Username-Encrypt-X.509">
> >>> > >>>>       <!--MessagePredicate is used to require headers. This assertion
> >>> > >>>>       should be used along with the Integrity assertion when the presence
> >>> > >>>>       of the signed element is required. NOTE: this assertion does not do
> >>> > >>>>       anything for enforcement (send-side) policy.-->
> >>> > >>>>       <wsp:MessagePredicate wsp:Usage="wsp:Required"
> >>> > >>>>           Dialect="http://schemas.xmlsoap.org/2002/12/wsse#part">wsp:Body()
> >>> > >>>>           wsp:Header(wsa:To) wsp:Header(wsa:Action) wsp:Header(wsa:MessageID)
> >>> > >>>>           wse:Timestamp()</wsp:MessagePredicate>
> >>> > >>>>       <!--The Integrity assertion is used to ensure that the message is
> >>> > >>>>       signed with Username. Many Web services will also use the token for
> >>> > >>>>       authorization, such as by using the <wse:Role> claim or specific
> >>> > >>>>       Username claims.-->
> >>> > >>>>       <wssp:Integrity wsp:Usage="wsp:Required">
> >>> > >>>>         <wssp:TokenInfo>
> >>> > >>>>           <!--The SecurityToken element within the TokenInfo element
> >>> > >>>>           describes which token type must be used for Signing.-->
> >>> > >>>>           <wssp:SecurityToken>
> >>> > >>>>             <wssp:TokenType>http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk</wssp:TokenType>
> >>> > >>>>             <wssp:Claims>
> >>> > >>>>               <wse:Parent>
> >>> > >>>>                 <wssp:SecurityToken wse:IdentityToken="true">
> >>> > >>>>                   <wssp:TokenType>http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#UsernameToken</wssp:TokenType>
> >>> > >>>>                   <wssp:Claims>
> >>> > >>>>                     <!--By specifying the Role, the policy system can
> >>> > >>>>                     verify that the token contains a specific role, such as "Admin". Roles
> >>> > >>>>                     can be groups a user is a member of, or they can be customized for each
> >>> > >>>>                     token.-->
> >>> > >>>>                     <wse:Role value="CONTRACT6\User" />
> >>> > >>>>                   </wssp:Claims>
> >>> > >>>>                 </wssp:SecurityToken>
> >>> > >>>>               </wse:Parent>
> >>> > >>>>             </wssp:Claims>
> >>> > >>>>           </wssp:SecurityToken>
> >>> > >>>>         </wssp:TokenInfo>
> >>> > >>>>         <wssp:MessageParts
> >>> > >>>>             Dialect="http://schemas.xmlsoap.org/2002/12/wsse#part">wsp:Body()
> >>> > >>>>             wsp:Header(wsa:Action) wsp:Header(wsa:FaultTo) wsp:Header(wsa:From)
> >>> > >>>>             wsp:Header(wsa:MessageID) wsp:Header(wsa:RelatesTo)
> >>> > >>>>             wsp:Header(wsa:ReplyTo) wsp:Header(wsa:To)
> >>> > >>>>             wse:Timestamp()</wssp:MessageParts>
> >>> > >>>>       </wssp:Integrity>
> >>> > >>>>       <!--The Confidentiality assertion is used to ensure that the SOAP
> >>> > >>>>       Body is encrypted.-->
> >>> > >>>>       <wssp:Confidentiality wsp:Usage="wsp:Required">
> >>> > >>>>         <wssp:KeyInfo>
> >>> > >>>>           <!--The SecurityToken element within the KeyInfo element
> >>> > >>>>           describes which token type must be used for Encryption.-->
> >>> > >>>>           <wssp:SecurityToken>
> >>> > >>>>             <wssp:TokenType>http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3</wssp:TokenType>
> >>> > >>>>             <wssp:TokenIssuer>CN=Root Agency</wssp:TokenIssuer>
> >>> > >>>>             <wssp:Claims>
> >>> > >>>>               <!--By specifying the SubjectName claim, the policy
> >>> > >>>>               system can look for a certificate with this subject name in the
> >>> > >>>>               certificate store indicated in the application's configuration, such as
> >>> > >>>>               LocalMachine or CurrentUser. The WSE X.509 Certificate Tool is useful
> >>> > >>>>               for finding the correct values for this field.-->
> >>> > >>>>               <wssp:SubjectName MatchType="wssp:Exact">CN=WSE2QuickStartServer</wssp:SubjectName>
> >>> > >>>>               <wssp:X509Extension OID="2.5.29.14" MatchType="wssp:Exact">bBwPfItvKp3b6TNDq+14qs58VJQ=</wssp:X509Extension>
> >>> > >>>>             </wssp:Claims>
> >>> > >>>>           </wssp:SecurityToken>
> >>> > >>>>         </wssp:KeyInfo>
> >>> > >>>>         <wssp:MessageParts Dialect="http://schemas.xmlsoap.org/2002/12/wsse#part">wsp:Body()</wssp:MessageParts>
> >>> > >>>>       </wssp:Confidentiality>
> >>> > >>>>     </wsp:Policy>
> >>> > >>>>     <wsp:Policy wsu:Id="Sign-X.509-Encrypt-Username">
> >>> > >>>>       <!--MessagePredicate is used to require headers. This assertion
> >>> > >>>>       should be used along with the Integrity assertion when the presence
> >>> > >>>>       of the signed element is required. NOTE: this assertion does not do
> >>> > >>>>       anything for enforcement (send-side) policy.-->
> >>> > >>>>       <wsp:MessagePredicate wsp:Usage="wsp:Required"
> >>> > >>>>           Dialect="http://schemas.xmlsoap.org/2002/12/wsse#part">wsp:Body()
> >>> > >>>>           wsp:Header(wsa:To) wsp:Header(wsa:Action) wsp:Header(wsa:MessageID)
> >>> > >>>>           wse:Timestamp()</wsp:MessagePredicate>
> >>> > >>>>       <!--The Integrity assertion is used to ensure that the message is
> >>> > >>>>       signed with X.509. Many Web services will also use the token for
> >>> > >>>>       authorization, such as by using the <wse:Role> claim or specific X.509
> >>> > >>>>       claims.-->
> >>> > >>>>       <wssp:Integrity wsp:Usage="wsp:Required">
> >>> > >>>>         <wssp:TokenInfo>
> >>> > >>>>           <!--The SecurityToken element within the TokenInfo element
> >>> > >>>>           describes which token type must be used for Signing.-->
> >>> > >>>>           <wssp:SecurityToken>
> >>> > >>>>             <wssp:TokenType>http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3</wssp:TokenType>
> >>> > >>>>             <wssp:TokenIssuer>CN=Root Agency</wssp:TokenIssuer>
> >>> > >>>>             <wssp:Claims>
> >>> > >>>>               <!--By specifying the SubjectName claim, the policy
> >>> > >>>>               system can look for a certificate with this subject name in the
> >>> > >>>>               certificate store indicated in the application's configuration, such as
> >>> > >>>>               LocalMachine or CurrentUser. The WSE X.509 Certificate Tool is useful
> >>> > >>>>               for finding the correct values for this field.-->
> >>> > >>>>               <wssp:SubjectName MatchType="wssp:Exact">CN=WSE2QuickStartServer</wssp:SubjectName>
> >>> > >>>>               <wssp:X509Extension OID="2.5.29.14" MatchType="wssp:Exact">bBwPfItvKp3b6TNDq+14qs58VJQ=</wssp:X509Extension>
> >>> > >>>>             </wssp:Claims>
> >>> > >>>>           </wssp:SecurityToken>
> >>> > >>>>         </wssp:TokenInfo>
> >>> > >>>>         <wssp:MessageParts
> >>> > >>>>             Dialect="http://schemas.xmlsoap.org/2002/12/wsse#part">wsp:Body()
> >>> > >>>>             wsp:Header(wsa:Action) wsp:Header(wsa:FaultTo) wsp:Header(wsa:From)
> >>> > >>>>             wsp:Header(wsa:MessageID) wsp:Header(wsa:RelatesTo)
> >>> > >>>>             wsp:Header(wsa:ReplyTo) wsp:Header(wsa:To)
> >>> > >>>>             wse:Timestamp()</wssp:MessageParts>
> >>> > >>>>       </wssp:Integrity>
> >>> > >>>>       <!--The Confidentiality assertion is used to ensure that the SOAP
> >>> > >>>>       Body is encrypted.-->
> >>> > >>>>       <wssp:Confidentiality wsp:Usage="wsp:Required">
> >>> > >>>>         <wssp:KeyInfo>
> >>> > >>>>           <!--The SecurityToken element within the KeyInfo element
> >>> > >>>>           describes which token type must be used for Encryption.-->
> >>> > >>>>           <wssp:SecurityToken>
> >>> > >>>>             <wssp:TokenType>http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk</wssp:TokenType>
> >>> > >>>>             <wssp:Claims>
> >>> > >>>>               <wse:Parent>
> >>> > >>>>                 <wssp:SecurityToken wse:IdentityToken="true">
> >>> > >>>>                   <wssp:TokenType>http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#UsernameToken</wssp:TokenType>
> >>> > >>>>                 </wssp:SecurityToken>
> >>> > >>>>               </wse:Parent>
> >>> > >>>>             </wssp:Claims>
> >>> > >>>>           </wssp:SecurityToken>
> >>> > >>>>         </wssp:KeyInfo>
> >>> > >>>>         <wssp:MessageParts Dialect="http://schemas.xmlsoap.org/2002/12/wsse#part">wsp:Body()</wssp:MessageParts>
> >>> > >>>>       </wssp:Confidentiality>
> >>> > >>>>     </wsp:Policy>
> >>> > >>>>     <wsp:Policy wsu:Id="Sign-Username-Encrypt-X.509-1">
> >>> > >>>>       <!--MessagePredicate is used to require headers. This assertion
> >>> > >>>>       should be used along with the Integrity assertion when the presence
> >>> > >>>>       of the signed element is required. NOTE: this assertion does not do
> >>> > >>>>       anything for enforcement (send-side) policy.-->
> >>> > >>>>       <wsp:MessagePredicate wsp:Usage="wsp:Required"
> >>> > >>>>           Dialect="http://schemas.xmlsoap.org/2002/12/wsse#part">wsp:Body()
> >>> > >>>>           wsp:Header(wsa:To) wsp:Header(wsa:Action) wsp:Header(wsa:MessageID)
> >>> > >>>>           wse:Timestamp()</wsp:MessagePredicate>
> >>> > >>>>       <!--The Integrity assertion is used to ensure that the message is
> >>> > >>>>       signed with Username. Many Web services will also use the token for
> >>> > >>>>       authorization, such as by using the <wse:Role> claim or specific
> >>> > >>>>       Username claims.-->
> >>> > >>>>       <wssp:Integrity wsp:Usage="wsp:Required">
> >>> > >>>>         <wssp:TokenInfo>
> >>> > >>>>           <!--The SecurityToken element within the TokenInfo element
> >>> > >>>>           describes which token type must be used for Signing.-->
> >>> > >>>>           <wssp:SecurityToken>
> >>> > >>>>             <wssp:TokenType>http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk</
> >>> > >>>> wssp:TokenType>
> >>> > >>>> <wssp:Claims>
> >>> > >>>> <wse:Parent>
> >>> > >>>> <wssp:SecurityToken wse:IdentityToken="true">
> >>> > >
> >>>
<wssp:TokenType>http://docs.oasis-open.org/wss/2004/01/oasis-200401-w
> >>> > >
> >>> > >>>> s
s-username-token-profile-1.0#UsernameToken</wssp:TokenType>
> >>> > >>>> <wssp:Claims>
> >>> > >>>>
> >>> > >>>> <!--By specifying the Role, the policy system can
> >>> > >>>>
> >>> > >>>> verify that the token contains a specific role, such as
> >> "Admin".
> >>> > >>>> Roles
> >>> > >>>>
> >>> > >>>> can be groups a user is a member of, or they can be
customized
> >>> for
> >>> > >>>> each
> >>> > >>>>
> >>> > >>>> token.-->
> >>> > >>>>
> >>> > >>>> <wse:Role value="CONTRACT6\User" />
> >>> > >>>>
> >>> > >>>> </wssp:Claims>
> >>> > >>>>
> >>> > >>>> </wssp:SecurityToken>
> >>> > >>>>
> >>> > >>>> </wse:Parent>
> >>> > >>>>
> >>> > >>>> </wssp:Claims>
> >>> > >>>>
> >>> > >>>> </wssp:SecurityToken>
> >>> > >>>>
> >>> > >>>> </wssp:TokenInfo>
> >>> > >>>>
> >>> > >>>> <wssp:MessageParts
> >>> > >>>>
> >>> > >>>>
> >>> Dialect="http://schemas.xmlsoap.org/2002/12/wsse#part">wsp:Body()
> >>> > >>>>
> >>> > >>>> wsp:Header(wsa:Action) wsp:Header(wsa:FaultTo)
> >>> > >>>>
> >>> > > wsp:Header(wsa:From)
> >>> > >
> >>> > >>>> wsp:Header(wsa:MessageID) wsp:Header(wsa:RelatesTo)
> >>> > >>>>
> >>> > >>>> wsp:Header(wsa:ReplyTo) wsp:Header(wsa:To)
> >>> > >>>>
> >>> > >>>> wse:Timestamp()</wssp:MessageParts>
> >>> > >>>>
> >>> > >>>> </wssp:Integrity>
> >>> > >>>>
> >>> > >>>> <!--The Confidentiality assertion is used to ensure that
the
> >>> SOAP
> >>> > >>>>
> >>> > >>>> Body is encrypted.-->
> >>> > >>>>
> >>> > >>>> <wssp:Confidentiality wsp:Usage="wsp:Required">
> >>> > >>>>
> >>> > >>>> <wssp:KeyInfo>
> >>> > >>>>
> >>> > >>>> <!--The SecurityToken element within the KeyInfo element
> >>> > >>>>
> >>> > >>>> describes which token type must be used for Encryption.-->
> >>> > >>>>
> >>> > >>>> <wssp:SecurityToken>
> >>> > >>>>
> >>> > >
> >>>
<wssp:TokenType>http://docs.oasis-open.org/wss/2004/01/oasis-200401-w
> >>> > >
> >>> > >>>> s s-x509-token-profile-1.0#X509v3</wssp:TokenType>
> >>> > >>>>
> >>> > >>>> <wssp:TokenIssuer>CN=Root Agency</wssp:TokenIssuer>
> >>> > >>>>
> >>> > >>>> <wssp:Claims>
> >>> > >>>>
> >>> > >>>> <!--By specifying the SubjectName claim, the policy
> >>> > >>>>
> >>> > >>>> system can look for a certificate with this subject name
in
> >> the
> >>> > >>>>
> >>> > >>>> certificate store indicated in the application's
> >> configuration,
> >>> > >>>>
> >>> > > such
> >>> > >
> >>> > >>>> as
> >>> > >>>>
> >>> > >>>> LocalMachine or CurrentUser. The WSE X.509 Certificate
Tool is
> >>> > >>>>
> >>> > > useful
> >>> > >
> >>> > >>>> for finding the correct values for this field.-->
> >>> > >>>>
> >>> > >>>> <wssp:SubjectName
> >>> > >>>>
> >>> > >>>>
> >>> MatchType="wssp:Exact">CN=WSE2QuickStartServer</wssp:SubjectName>
> >>> > >>>>
> >>> > >>>> <wssp:X509Extension OID="2.5.29.14"
> >>> > >>>>
> >>> > >
> >>>
MatchType="wssp:Exact">bBwPfItvKp3b6TNDq+14qs58VJQ=</wssp:X509Extensi
> >>> > >
> >>> > >>>> o n>
> >>> > >>>>
> >>> > >>>> </wssp:Claims>
> >>> > >>>>
> >>> > >>>> </wssp:SecurityToken>
> >>> > >>>>
> >>> > >>>> </wssp:KeyInfo>
> >>> > >>>>
> >>> > >>>> <wssp:MessageParts
> >>> > >>>>
> >>> > >
> >>>
Dialect="http://schemas.xmlsoap.org/2002/12/wsse#part">wsp:Body()</ws
> >>> > >
> >>> > >>>> s p:MessageParts>
> >>> > >>>>
> >>> > >>>> </wssp:Confidentiality>
> >>> > >>>>
> >>> > >>>> </wsp:Policy>
> >>> > >>>>
> >>> > >>>> <wsp:Policy wsu:Id="Sign-X.509-Encrypt-Username-1">
> >>> > >>>>
> >>> > >>>> <!--MessagePredicate is used to require headers. This
> >> assertion
> >>> > >>>>
> >>> > >>>> should be used along with the Integrity assertion when the
> >>> > >>>>
> >>> > > presence
> >>> > >
> >>> > >>>> of
> >>> > >>>>
> >>> > >>>> the signed element is required. NOTE: this assertion does
not
> >> do
> >>> > >>>>
> >>> > >>>> anything for enforcement (send-side) policy.-->
> >>> > >>>>
> >>> > >>>> <wsp:MessagePredicate wsp:Usage="wsp:Required"
> >>> > >>>>
> >>> > >>>>
> >>> Dialect="http://schemas.xmlsoap.org/2002/12/wsse#part">wsp:Body()
> >>> > >>>>
> >>> > >>>> wsp:Header(wsa:To) wsp:Header(wsa:Action)
> >>> > >>>>
> >>> > > wsp:Header(wsa:MessageID)
> >>> > >
> >>> > >>>> wse:Timestamp()</wsp:MessagePredicate>
> >>> > >>>>
> >>> > >>>> <!--The Integrity assertion is used to ensure that the
message
> >>> is
> >>> > >>>>
> >>> > >>>> signed with X.509. Many Web services will also use the
token
> >> for
> >>> > >>>>
> >>> > >>>> authorization, such as by using the <wse:Role> claim or
> >> specific
> >>> > >>>> X.509
> >>> > >>>>
> >>> > >>>> claims.-->
> >>> > >>>>
> >>> > >>>> <wssp:Integrity wsp:Usage="wsp:Required">
> >>> > >>>>
> >>> > >>>> <wssp:TokenInfo>
> >>> > >>>>
> >>> > >>>> <!--The SecurityToken element within the TokenInfo element
> >>> > >>>>
> >>> > >>>> describes which token type must be used for Signing.-->
> >>> > >>>>
> >>> > >>>> <wssp:SecurityToken>
> >>> > >>>>
> >>> > >
> >>>
<wssp:TokenType>http://docs.oasis-open.org/wss/2004/01/oasis-200401-w
> >>> > >
> >>> > >>>> s s-x509-token-profile-1.0#X509v3</wssp:TokenType>
> >>> > >>>>
> >>> > >>>> <wssp:TokenIssuer>CN=Root Agency</wssp:TokenIssuer>
> >>> > >>>>
> >>> > >>>> <wssp:Claims>
> >>> > >>>>
> >>> > >>>> <!--By specifying the SubjectName claim, the policy
> >>> > >>>>
> >>> > >>>> system can look for a certificate with this subject name
in
> >> the
> >>> > >>>>
> >>> > >>>> certificate store indicated in the application's
> >> configuration,
> >>> > >>>>
> >>> > > such
> >>> > >
> >>> > >>>> as
> >>> > >>>>
> >>> > >>>> LocalMachine or CurrentUser. The WSE X.509 Certificate
Tool is
> >>> > >>>>
> >>> > > useful
> >>> > >
> >>> > >>>> for finding the correct values for this field.-->
> >>> > >>>>
> >>> > >>>> <wssp:SubjectName
> >>> > >>>>
> >>> > >>>>
> >>> MatchType="wssp:Exact">CN=WSE2QuickStartServer</wssp:SubjectName>
> >>> > >>>>
> >>> > >>>> <wssp:X509Extension OID="2.5.29.14"
> >>> > >>>>
> >>> > >
> >>>
MatchType="wssp:Exact">bBwPfItvKp3b6TNDq+14qs58VJQ=</wssp:X509Extensi
> >>> > >
> >>> > >>>> o n>
> >>> > >>>>
> >>> > >>>> </wssp:Claims>
> >>> > >>>>
> >>> > >>>> </wssp:SecurityToken>
> >>> > >>>>
> >>> > >>>> </wssp:TokenInfo>
> >>> > >>>>
> >>> > >>>> <wssp:MessageParts
> >>> > >>>>
> >>> > >>>>
> >>> Dialect="http://schemas.xmlsoap.org/2002/12/wsse#part">wsp:Body()
> >>> > >>>>
> >>> > >>>> wsp:Header(wsa:Action) wsp:Header(wsa:FaultTo)
> >>> > >>>>
> >>> > > wsp:Header(wsa:From)
> >>> > >
> >>> > >>>> wsp:Header(wsa:MessageID) wsp:Header(wsa:RelatesTo)
> >>> > >>>>
> >>> > >>>> wsp:Header(wsa:ReplyTo) wsp:Header(wsa:To)
> >>> > >>>>
> >>> > >>>> wse:Timestamp()</wssp:MessageParts>
> >>> > >>>>
> >>> > >>>> </wssp:Integrity>
> >>> > >>>>
> >>> > >>>> <!--The Confidentiality assertion is used to ensure that
the
> >>> SOAP
> >>> > >>>>
> >>> > >>>> Body is encrypted.-->
> >>> > >>>>
> >>> > >>>> <wssp:Confidentiality wsp:Usage="wsp:Required">
> >>> > >>>>
> >>> > >>>> <wssp:KeyInfo>
> >>> > >>>>
> >>> > >>>> <!--The SecurityToken element within the KeyInfo element
> >>> > >>>>
> >>> > >>>> describes which token type must be used for Encryption.-->
> >>> > >>>>
> >>> > >>>> <wssp:SecurityToken>
> >>> > >>>>
> >>> > >
> >>>
<wssp:TokenType>http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk<
> >>> > >
> >>> > >>>> /
> >>> > >>>> wssp:TokenType>
> >>> > >>>> <wssp:Claims>
> >>> > >>>> <wse:Parent>
> >>> > >>>> <wssp:SecurityToken wse:IdentityToken="true">
> >>> > >
> >>>
<wssp:TokenType>http://docs.oasis-open.org/wss/2004/01/oasis-200401-w
> >>> > >
> >>> > >>>> s
s-username-token-profile-1.0#UsernameToken</wssp:TokenType>
> >>> > >>>> </wssp:SecurityToken>
> >>> > >>>>
> >>> > >>>> </wse:Parent>
> >>> > >>>>
> >>> > >>>> </wssp:Claims>
> >>> > >>>>
> >>> > >>>> </wssp:SecurityToken>
> >>> > >>>>
> >>> > >>>> </wssp:KeyInfo>
> >>> > >>>>
> >>> > >>>> <wssp:MessageParts
> >>> > >>>>
> >>> > >
> >>>
Dialect="http://schemas.xmlsoap.org/2002/12/wsse#part">wsp:Body()</ws
> >>> > >
> >>> > >>>> s p:MessageParts>
> >>> > >>>>
> >>> > >>>> </wssp:Confidentiality>
> >>> > >>>>
> >>> > >>>> </wsp:Policy>
> >>> > >>>>
> >>> > >>>> </policies>
> >>> > >>>>
> >>> > >>>> </policyDocument>
> >>> > >>>>
> >>> > >>>> Dilip Krishnan wrote:
> >>> > >>>>
> >>> > >>>>> Hello SQLAgentman,
> >>> > >>>>> Could you post the policy xml fragment. My guess is that on the server
> >>> > >>>>> side you have a policy to sign/encrypt using username token. If you do
> >>> > >>>>> you would need to add the username token to the policy enforcement
> >>> > >>>>> cache, in the global.asax ApplicationStart event handler, similar to
> >>> > >>>>> what you did on the client side, ... Quote
> >>> > >>>>> "
> >>> > >>>>>>>> Dim oToken As New
> >>> > >>>>>>>> Microsoft.Web.Services2.Security.Tokens.UsernameToken(txtUserName.Text,
> >>> > >>>>>>>> txtPassword.Text, PasswordOption.SendPlainText)
> >>> > >>>>>>>> PolicyEnforcementSecurityTokenCache.GlobalCache.Clear()
> >>> > >>>>>>>> PolicyEnforcementSecurityTokenCache.GlobalCache.Add(oToken)
> >>> > >>>>>>>> I have No idea what to do next.
> >>> > >>>>> "
> >>> > >>>>>
> >>> > >>>>> except add a config based/ hardcoded username and password for the
> >>> > >>>>> username token.
> >>> > >>>>>
> >>> > >>>>> HTH
> >>> > >>>>> Regards,
> >>> > >>>>> Dilip Krishnan
> >>> > >>>>> MCAD, MCSD.net
> >>> > >>>>> dkrishnan at geniant dot com
> >>> > >>>>> http://www.geniant.com
> >>> > >>>>>> Sami,
> >>> > >>>>>>
> >>> > >>>>>> I attempted to use the trace, but I am not getting anything.
> >>> > >>>>>> You are right, this is a web application. How do I deal with
> >>> > >>>>>> permissions ( no trace files found anywhere, so they are not created
> >>> > >>>>>> at all ???)
> >>> > >>>>>>
> >>> > >>>>>> Dilip,
> >>> > >>>>>> I double checked that my endpoint matches exactly, including the case
> >>> > >>>>>>
> >>> > >>>>>> Thank you all for any help, I am still having the same problem.
> >>> > >>>>>>
> >>> > >>>>>> Sql
> >>> > >>>>>>
> >>> > >>>>>> Dilip Krishnan wrote:
> >>> > >>>>>>
> >>> > >>>>>>> Hello SQLAgentman,
> >>> > >>>>>>> Check if the endpoint you're trying to hit matches the one in
> >>> > >>>>>>> policy, even the case!
> >>> > >>>>>>>
> >>> > >>>>>>> HTH
> >>> > >>>>>>> Regards,
> >>> > >>>>>>> Dilip Krishnan
> >>> > >>>>>>> MCAD, MCSD.net
> >>> > >>>>>>> dkrishnan at geniant dot com
> >>> > >>>>>>> http://www.geniant.com
> >>> > >>>>>>>> Hello,
> >>> > >>>>>>>>
> >>> > >>>>>>>> I am trying to implement security between my Web Site and my Web
> >>> > >>>>>>>> Service using WSE2.0 using Policy.
> >>> > >>>>>>>>
> >>> > >>>>>>>> I followed the example in HOL-WSE02 and it works great.
> >>> > >>>>>>>>
> >>> > >>>>>>>> Now when I try to use the same exact Procedure/steps on my own
> >>> > >>>>>>>> web - webservice I keep on getting the following error.
> >>> > >>>>>>>>
> >>> > >>>>>>>> WSE405: A satisfactory subset of policy assertions that could be
> >>> > >>>>>>>> enforced for the outgoing message could not be found.
> >>> > >>>>>>>>
> >>> > >>>>>>>> I looked on Google etc.. and I can not find anything that can help.
> >>> > >>>>>>>> The only thing I found is to make sure I have the following on the
> >>> > >>>>>>>> client side, and I do.
> >>> > >>>>>>>> Dim oToken As New
> >>> > >>>>>>>> Microsoft.Web.Services2.Security.Tokens.UsernameToken(txtUserName.Text,
> >>> > >>>>>>>> txtPassword.Text, PasswordOption.SendPlainText)
> >>> > >>>>>>>> PolicyEnforcementSecurityTokenCache.GlobalCache.Clear()
> >>> > >>>>>>>> PolicyEnforcementSecurityTokenCache.GlobalCache.Add(oToken)
> >>> > >>>>>>>> I have No idea what to do next.
> >>> > >>>>>>>> Can anyone please help
> >>> > >>>>>>>> Thank you,
> >>> > >>>>>>>> Sql
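
As an added example (not code from the thread, and not WSE's own enforcement logic), the Python below walks a policyCache.config like the one quoted above, lists per policy which identity token each Integrity and Confidentiality assertion needs on the send side, and then reports the assertions a client cannot satisfy, which is the condition WSE405 describes: an X.509 claim with no matching certificate in the configured store, or a UsernameToken that was never placed in the enforcement cache. The namespace URIs in the constructed sample are assumed because the quoted fragment omits its declarations; the parser matches on local names only, and the check is a simplified model of WSE's policy selection.

```python
import xml.etree.ElementTree as ET

# Namespace URIs are assumed (the quoted fragment omits its declarations); the parser matches local names only.
NS = ('xmlns:wsp="http://schemas.xmlsoap.org/ws/2002/12/policy" xmlns:wssp="http://schemas.xmlsoap.org/ws/2002/12/secext" '
      'xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" '
      'xmlns:wse="http://schemas.microsoft.com/wse/2003/06/Policy"')
X509 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
USERNAME = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#UsernameToken"
DERIVED = "http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk"
# Constructed sample: the thread's Sign-X.509-Encrypt-Username-1 policy, trimmed to its token claims.
SAMPLE = f"""<policyDocument><policies {NS}><wsp:Policy wsu:Id="Sign-X.509-Encrypt-Username-1">
 <wssp:Integrity wsp:Usage="wsp:Required"><wssp:TokenInfo><wssp:SecurityToken>
  <wssp:TokenType>{X509}</wssp:TokenType><wssp:TokenIssuer>CN=Root Agency</wssp:TokenIssuer>
  <wssp:Claims><wssp:SubjectName MatchType="wssp:Exact">CN=WSE2QuickStartServer</wssp:SubjectName>
   <wssp:X509Extension OID="2.5.29.14" MatchType="wssp:Exact">bBwPfItvKp3b6TNDq+14qs58VJQ=</wssp:X509Extension>
  </wssp:Claims></wssp:SecurityToken></wssp:TokenInfo></wssp:Integrity>
 <wssp:Confidentiality wsp:Usage="wsp:Required"><wssp:KeyInfo><wssp:SecurityToken>
  <wssp:TokenType>{DERIVED}</wssp:TokenType><wssp:Claims><wse:Parent><wssp:SecurityToken wse:IdentityToken="true">
   <wssp:TokenType>{USERNAME}</wssp:TokenType></wssp:SecurityToken></wse:Parent></wssp:Claims>
  </wssp:SecurityToken></wssp:KeyInfo></wssp:Confidentiality>
</wsp:Policy></policies></policyDocument>"""

def _local(tag): return tag.rsplit("}", 1)[-1]
def _child(elem, name): return next((c for c in elem if _local(c.tag) == name), None)

def describe_token(tok):
    """Identity token the sender must hold; a derived-key token (sc/dk) is satisfied by its wse:Parent."""
    ttype = _child(tok, "TokenType").text.strip()
    claims = _child(tok, "Claims")
    if ttype == DERIVED:
        return dict(describe_token(_child(_child(claims, "Parent"), "SecurityToken")), derived=True)
    info = {"type": ttype.rsplit("#", 1)[-1], "derived": False}
    for c in (claims if claims is not None else []):
        if _local(c.tag) == "SubjectName":
            info["subject"] = c.text.strip()
        elif _local(c.tag) == "X509Extension" and c.get("OID") == "2.5.29.14":
            info["ski"] = c.text.strip()  # base64 Subject Key Identifier the certificate must carry
    return info

def required_tokens(policy_xml):
    """Map each wsp:Policy Id to the (assertion, token) pairs the sender must satisfy."""
    out = {}
    for pol in (e for e in ET.fromstring(policy_xml).iter() if _local(e.tag) == "Policy"):
        pid = next(v for k, v in pol.attrib.items() if _local(k) == "Id")
        # TokenInfo (Integrity) and KeyInfo (Confidentiality) both wrap the outer SecurityToken directly
        out[pid] = [(_local(a.tag), describe_token(next(e for e in a.iter() if _local(e.tag) == "SecurityToken")))
                    for a in pol if _local(a.tag) in ("Integrity", "Confidentiality")]
    return out

def unsatisfied(reqs, store_skis, username_cached):
    """Assertions the sender cannot enforce, which is what WSE405 reports."""
    def missing(tok):  # no cert with the claimed SKI in the store, or no UsernameToken in the enforcement cache
        return (tok["type"] == "X509v3" and tok.get("ski") not in store_skis) or (tok["type"] == "UsernameToken" and not username_cached)
    return [f"{name}: cannot supply {tok['type']} token" for name, tok in reqs if missing(tok)]
```

Running `unsatisfied(required_tokens(SAMPLE)["Sign-X.509-Encrypt-Username-1"], store_skis, username_cached)` with the SKIs of the certificates actually present in the configured store tells you which assertion is the one WSE405 is tripping over.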