RE: Authorization issues with WSE 3.0 running on IIS 5.0



The certificate is stored in your user profile, while the client application
runs on IIS 5.1 under the aspnet account, so the application is trying to
find the certificate in the "Current User / Personal" store, where Current
User = aspnet (or whichever technical account you configured for running
ASP.NET).
Change the policy to look in the "Local Computer / Personal" store for the
certificate.

"jackm" wrote:

> I have a big problem with running an ASP.NET client with WSE 3.0 directly
> on IIS. Every client application I create works fine if I run it under
> ASP.NET Development Server (it probably runs everything as admin) but
> as soon as I change this project to run under IIS I get the
> following exception:
>
> WSE2013: X509TokenProvider is unable to provide an X.509 token. There
> are no certificates in the certificate store that match the find value
> of 'CN=WSE2QuickStartServer'.
>
> at
> Microsoft.Web.Services3.Design.X509TokenProvider.CreateToken(StoreLocation
> location, StoreName storeName, String findValue, X509FindType findType)
> at Microsoft.Web.Services3.Design.X509TokenProvider.GetToken()
> at
> Microsoft.Web.Services3.Design.MutualCertificate11Assertion.ClientOutputFilter..ctor(MutualCertificate11Assertion
> assertion)
> at
> Microsoft.Web.Services3.Design.MutualCertificate11Assertion.CreateClientOutputFilter(FilterCreationContext
> context)
> at
> Microsoft.Web.Services3.Design.Policy.CreateClientPipeline(PipelineCreationContext
> context)
> at
> Microsoft.Web.Services3.WebServicesClientProtocol.SetPolicy(Policy
> policy)
> at
> Microsoft.Web.Services3.WebServicesClientProtocol.SetPolicy(String
> policyName)
> at _Default.Button1_Click(Object sender, EventArgs e) in
> S:\Security\WSEbasic\WSEbasic15\WebSite15\Default.aspx.vb:line 10
>
> With the WSE X.509 Certificate Tool I added the ASPNET user to my certificate
> (I use the WSE2QuickStartClient test certificate) under the "Current User /
> Personal" and "Local Computer / Personal" stores. My Web Service
> works fine in IIS and with those credentials, but only if I run some
> client outside IIS. As soon as I change the working client to use real
> Microsoft IIS 5.0 it all fails.
> My client code activation for this policy is:
> Dim proxy As New localhost.ServiceWse
> proxy.SetPolicy("ClientCertPolicy")
> TextBox1.Text = proxy.HelloWorld
>
> I get an exception on SetPolicy.
> My policy file looks like this:
>
> <policies xmlns="http://schemas.microsoft.com/wse/2005/06/policy">
> <extensions>
> <extension name="mutualCertificate11Security"
> type="Microsoft.Web.Services3.Design.MutualCertificate11Assertion,
> Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral,
> PublicKeyToken=31bf3856ad364e35" />
> <extension name="x509"
> type="Microsoft.Web.Services3.Design.X509TokenProvider,
> Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral,
> PublicKeyToken=31bf3856ad364e35" />
> <extension name="requireActionHeader"
> type="Microsoft.Web.Services3.Design.RequireActionHeaderAssertion,
> Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral,
> PublicKeyToken=31bf3856ad364e35" />
> </extensions>
> <policy name="ClientCertPolicy">
> <mutualCertificate11Security establishSecurityContext="false"
> renewExpiredSecurityContext="true" requireSignatureConfirmation="true"
> messageProtectionOrder="SignBeforeEncrypt" requireDerivedKeys="true"
> ttlInSeconds="300">
> <clientToken>
> <x509 storeLocation="CurrentUser" storeName="My"
> findValue="CN=WSE2QuickStartClient"
> findType="FindBySubjectDistinguishedName" />
> </clientToken>
> <serviceToken>
> <x509 storeLocation="CurrentUser" storeName="AddressBook"
> findValue="CN=WSE2QuickStartServer"
> findType="FindBySubjectDistinguishedName" />
> </serviceToken>
> <protection>
> <request signatureOptions="IncludeAddressing, IncludeTimestamp,
> IncludeSoapBody" encryptBody="true" />
> <response signatureOptions="IncludeAddressing,
> IncludeTimestamp, IncludeSoapBody" encryptBody="true" />
> <fault signatureOptions="IncludeAddressing, IncludeTimestamp,
> IncludeSoapBody" encryptBody="false" />
> </protection>
> </mutualCertificate11Security>
> <requireActionHeader />
> </policy>
> </policies>
>
>
> I have tried to run and build this on other computers, with the same bad
> results. To me it looks like IIS has some security issues with WSE.
> Could anybody give me a hint on where to look?
>
> Jack
>
>
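A way to confirm the store mismatch described in the reply, as an added example that is not part of the original thread: a VB.NET helper that reports which Windows identity the code runs as and whether each certificate from the quoted policy is visible in the CurrentUser and LocalMachine stores. The module name `CertStoreProbe` and the functions `Probe` and `ProbePolicyTokens` are hypothetical; the subject names and store names are the ones in the quoted policy file. Call it from the page code while the site runs under IIS so that it reports the worker account's view rather than your own.

```vbnet
Imports System
Imports System.Security.Cryptography
Imports System.Security.Cryptography.X509Certificates
Imports System.Security.Principal
Imports System.Text

' Added diagnostic example (hypothetical helper, not WSE or thread code).
Public Module CertStoreProbe

    ' Looks for subjectDn in the given store under both store locations and
    ' returns a text report for the identity that executes this code.
    Public Function Probe(ByVal name As StoreName, ByVal subjectDn As String) As String
        Dim report As New StringBuilder()
        report.AppendLine("Running as: " & WindowsIdentity.GetCurrent().Name)

        Dim locations() As StoreLocation = {StoreLocation.CurrentUser, StoreLocation.LocalMachine}
        For Each location As StoreLocation In locations
            Dim store As New X509Store(name, location)
            Try
                ' OpenExistingOnly: fail instead of silently creating an empty store.
                store.Open(OpenFlags.ReadOnly Or OpenFlags.OpenExistingOnly)
                ' validOnly:=False so an untrusted test certificate is still listed.
                Dim found As X509Certificate2Collection = _
                    store.Certificates.Find(X509FindType.FindBySubjectDistinguishedName, subjectDn, False)
                report.AppendLine(String.Format("{0}/{1}: {2} match(es) for {3}", _
                                                location, name, found.Count, subjectDn))
                For Each cert As X509Certificate2 In found
                    ' HasPrivateKey reports whether a private key is associated with the certificate.
                    report.AppendLine(String.Format("  thumbprint={0} hasPrivateKey={1}", _
                                                    cert.Thumbprint, cert.HasPrivateKey))
                Next
            Catch ex As CryptographicException
                report.AppendLine(String.Format("{0}/{1}: cannot open store ({2})", _
                                                location, name, ex.Message))
            Finally
                store.Close()
            End Try
        Next
        Return report.ToString()
    End Function

    ' Checks the two tokens named in the quoted ClientCertPolicy:
    ' storeName="My" is StoreName.My, storeName="AddressBook" is StoreName.AddressBook.
    Public Function ProbePolicyTokens() As String
        Return Probe(StoreName.My, "CN=WSE2QuickStartClient") & _
               Probe(StoreName.AddressBook, "CN=WSE2QuickStartServer")
    End Function
End Module
```

A store location that reports 0 matches under the IIS account is one the policy's `storeLocation` attribute should not point at for that token.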