Re: WSE2005: Protection requirements in MutualCertificate11Asserti



Hi Pablo,

Again, I appreciate your help. Following are the trace files:

InputTrace.webinfo
<?xml version="1.0" encoding="utf-8"?>
<log>
<inputMessage utc="7/11/2006 2:44:52 PM">
<processingStep description="Unprocessed message">
<soap:Envelope
xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/03/addressing"
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Header>

<wsa:Action>http://schemas.xmlsoap.org/ws/2004/03/addressing/fault</wsa:Action>

<wsa:MessageID>uuid:2772387a-eecc-4ed7-bffe-c582fc8299fe</wsa:MessageID>

<wsa:RelatesTo>uuid:d53e4ab6-386d-426d-96d6-1774a4c739f6</wsa:RelatesTo>

<wsa:To>http://schemas.xmlsoap.org/ws/2004/03/addressing/role/anonymous</wsa:To>
<wsse:Security>
<wsu:Timestamp
wsu:Id="Timestamp-6d2b27e9-fb3c-45a8-b169-fe1c529792a9">
<wsu:Created>2006-07-11T14:46:28Z</wsu:Created>
<wsu:Expires>2006-07-11T14:51:28Z</wsu:Expires>
</wsu:Timestamp>
</wsse:Security>
</soap:Header>
<soap:Body>
<soap:Fault>
<faultcode>soap:Server</faultcode>
<faultstring>Server unavailable, please try later</faultstring>

<faultactor>http://ausicwfsit01.us.dell.com/mss/webservices/ApplicationMessagingWS.asmx</faultactor>
</soap:Fault>
</soap:Body>
</soap:Envelope>
</processingStep>
<processingStep description="Entering SOAP filter
Microsoft.Web.Services3.Design.MutualCertificate11Assertion+ClientInputFilter" />
<processingStep
processor="Microsoft.Web.Services3.Design.MutualCertificate11Assertion+ClientInputFilter"
description="Protection requirements not satisfied: signature confirmation is
not present or not protected properly" />
<processingStep description="Exception thrown: WSE2005: Protection
requirements in MutualCertificate11Assertion are not satisfied."> at
Microsoft.Web.Services3.Design.MutualCertificate11Assertion.ClientInputFilter.ValidateMessageSecurity(SoapEnvelope
envelope, Security security, MessageProtectionRequirements response)
at
Microsoft.Web.Services3.Security.SecureConversationClientReceiveSecurityFilter.ValidateMessageSecurity(SoapEnvelope envelope, Security security)
at
Microsoft.Web.Services3.Security.ReceiveSecurityFilter.ProcessMessage(SoapEnvelope envelope)
at Microsoft.Web.Services3.Pipeline.ProcessInputMessage(SoapEnvelope
envelope)</processingStep>
</inputMessage>
</log>

OutputTrace.webinfo
<?xml version="1.0" encoding="utf-8"?>
<log>
<outputMessage utc="7/11/2006 2:44:51 PM"
messageId="urn:uuid:6e4a5893-db1a-47ef-aad2-1b2bae431280">
<processingStep description="Unprocessed message">
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<soap:Body>
<Dispatch xmlns="http://mss.dell.com/webservices/">
<messageType>test</messageType>
<correlationId>test</correlationId>
<messageBody>test</messageBody>
<userName>test</userName>
<applicationName>test</applicationName>
<instance>test</instance>
<postBackUrl>test</postBackUrl>
</Dispatch>
</soap:Body>
</soap:Envelope>
</processingStep>
<processingStep description="Entering SOAP filter
Microsoft.Web.Services3.Design.MutualCertificate11Assertion+ClientOutputFilter" />
<processingStep description="Exited SOAP filter
Microsoft.Web.Services3.Design.MutualCertificate11Assertion+ClientOutputFilter" />
<processingStep description="Processed message">
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing"
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<soap:Header>
<wsa:Action
wsu:Id="Id-71145cba-ca5d-4781-be18-accf02bfc47e">http://mss.dell.com/webservices/Dispatch</wsa:Action>
<wsa:MessageID
wsu:Id="Id-f02a6698-e9ff-49da-bc70-c2268e051d70">urn:uuid:6e4a5893-db1a-47ef-aad2-1b2bae431280</wsa:MessageID>
<wsa:ReplyTo wsu:Id="Id-c7982cf4-5295-4808-948b-6677f5a147b2">

<wsa:Address>http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</wsa:Address>
</wsa:ReplyTo>
<wsa:To
wsu:Id="Id-2a54d179-0597-4ec2-90ba-d96d07963d78">http://ausicwfsit01.us.dell.com/mss/webservices/ApplicationMessagingWS.asmx</wsa:To>
<wsse:Security soap:mustUnderstand="1">
<wsu:Timestamp
wsu:Id="Timestamp-b81bea48-77ff-4bcd-b3ba-0a2514952b9c">
<wsu:Created>2006-07-11T14:44:51Z</wsu:Created>
<wsu:Expires>2006-07-11T14:49:51Z</wsu:Expires>
</wsu:Timestamp>
<wsse:BinarySecurityToken
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
wsu:Id="SecurityToken-b9447a41-eee1-4c8a-adc4-2db925fc6ed2">MIIBcTCCAR+gAwIBAgIQkTbqUU/PS5pI2eMxsHhYwzAJBgUrDgMCHQUAMBYxFDASBgNVBAMTC1Jvb3QgQWdlbmN5MB4XDTA2MDYyMjEzNTM1M1oXDTM5MTIzMTIzNTk1OVowGDEWMBQGA1UEAxMNRGVsbEhCVENsaWVudDBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQDbonpefL2fVkE+v/EApT+ZnpqD4iINrQNBkuQPr92nzy8X7wyaWb3elOj3jITQwK5Ponfg9v7asM0XmCF5NM6LAgMBAAGjSzBJMEcGA1UdAQRAMD6AEBLkCS0GHR1PAI1hIdwWZGOhGDAWMRQwEgYDVQQDEwtSb290IEFnZW5jeYIQBjdsAKoAZIoRz7jUqlw19DAJBgUrDgMCHQUAA0EAbrpSbv5fD/nuxJbODAkiQhjGZ8RCVs9isZaqHOPQTz4YfGiisjPsCj+bhB0ueBzoTrTU9xYN6i2QE2w4c6jTCA==</wsse:BinarySecurityToken>
<xenc:EncryptedKey
Id="SecurityToken-bd835689-3bda-498b-a2c8-5dfaefd7dc64"
xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
<xenc:EncryptionMethod
Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<wsse:SecurityTokenReference>
<wsse:KeyIdentifier
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifier"
EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">rrRD87efOO5bpHFLxT+psuYqMKM=</wsse:KeyIdentifier>
</wsse:SecurityTokenReference>
</KeyInfo>
<xenc:CipherData>

<xenc:CipherValue>XveObAcsbfyGCoOQ+fdy5+V11IX5uh36PcRCLLuf6UPAUr/HS6BjPSvADdhxZebJa65IetRS1tzIwhwgNgARzXQjjtZ+m88tn0uvZ3uL7RstebM5Tvz90ia/OdM0jFroP6orlciFvg0nMvzstOIQ3qBtuXL42kn0NuMnUxjEEPA=</xenc:CipherValue>
</xenc:CipherData>
</xenc:EncryptedKey>
<wssc:DerivedKeyToken
wsu:Id="SecurityToken-345a1a06-25a3-474b-a69e-6e6158aef775"
Algorithm="http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1"
xmlns:wssc="http://schemas.xmlsoap.org/ws/2005/02/sc">
<wsse:SecurityTokenReference>
<wsse:Reference
URI="#SecurityToken-bd835689-3bda-498b-a2c8-5dfaefd7dc64"
ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey" />
</wsse:SecurityTokenReference>
<wssc:Generation>0</wssc:Generation>
<wssc:Length>24</wssc:Length>

<wssc:Label>WS-SecureConversationWS-SecureConversation</wssc:Label>
<wssc:Nonce>UZB2rDnLoiJHTy8y6/C5QA==</wssc:Nonce>
</wssc:DerivedKeyToken>
<wssc:DerivedKeyToken
wsu:Id="SecurityToken-469ec85f-05da-49ac-9f4b-ffdf3bde8f00"
Algorithm="http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1"
xmlns:wssc="http://schemas.xmlsoap.org/ws/2005/02/sc">
<wsse:SecurityTokenReference>
<wsse:Reference
URI="#SecurityToken-bd835689-3bda-498b-a2c8-5dfaefd7dc64"
ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey" />
</wsse:SecurityTokenReference>
<wssc:Generation>0</wssc:Generation>
<wssc:Length>32</wssc:Length>

<wssc:Label>WS-SecureConversationWS-SecureConversation</wssc:Label>
<wssc:Nonce>mLDzDYkY7DgsKJNjyIafsQ==</wssc:Nonce>
</wssc:DerivedKeyToken>
<xenc:ReferenceList
xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
<xenc:DataReference
URI="#Enc-c53ebbda-615c-4c94-ba6e-70470c6718af" />
</xenc:ReferenceList>
<Signature Id="Sig-42aab336-0bff-470c-9421-48d97f32ed1f"
xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<ds:CanonicalizationMethod
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"
xmlns:ds="http://www.w3.org/2000/09/xmldsig#" />
<SignatureMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1" />
<Reference URI="#Id-71145cba-ca5d-4781-be18-accf02bfc47e">
<Transforms>
<Transform
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transforms>
<DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<DigestValue>CMACidCbuDhXbKxPespy7IwJ/OA=</DigestValue>
</Reference>
<Reference URI="#Id-f02a6698-e9ff-49da-bc70-c2268e051d70">
<Transforms>
<Transform
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transforms>
<DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<DigestValue>D9bieAXbf7yri4iy1i4KlU6166Q=</DigestValue>
</Reference>
<Reference URI="#Id-c7982cf4-5295-4808-948b-6677f5a147b2">
<Transforms>
<Transform
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transforms>
<DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<DigestValue>Wtp12fAEHe6TaFxkBHGyi0WDEkQ=</DigestValue>
</Reference>
<Reference URI="#Id-2a54d179-0597-4ec2-90ba-d96d07963d78">
<Transforms>
<Transform
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transforms>
<DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<DigestValue>ifOo3lXVHmTSpP5djThfgMw6siY=</DigestValue>
</Reference>
<Reference
URI="#Timestamp-b81bea48-77ff-4bcd-b3ba-0a2514952b9c">
<Transforms>
<Transform
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transforms>
<DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<DigestValue>4N4T/mhUUkGAZ5NI/iGspPge7Tk=</DigestValue>
</Reference>
<Reference URI="#Id-29e03f8b-3fcc-47e5-a21d-11aae50bc8c4">
<Transforms>
<Transform
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transforms>
<DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<DigestValue>kott46ElepLGkJfH6Leqq/3qJr8=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>djvZxPCSYd+nZ1tA8Px1pbqzy1o=</SignatureValue>
<KeyInfo>
<wsse:SecurityTokenReference>
<wsse:Reference
URI="#SecurityToken-345a1a06-25a3-474b-a69e-6e6158aef775"
ValueType="http://schemas.xmlsoap.org/ws/2005/02/sc/dk" />
</wsse:SecurityTokenReference>
</KeyInfo>
</Signature>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<ds:CanonicalizationMethod
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"
xmlns:ds="http://www.w3.org/2000/09/xmldsig#" />
<SignatureMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<Reference URI="#Sig-42aab336-0bff-470c-9421-48d97f32ed1f">
<Transforms>
<Transform
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transforms>
<DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<DigestValue>IQCG01euo0CfByAlaht5T65l+DI=</DigestValue>
</Reference>
</SignedInfo>

<SignatureValue>GqGMTF26KYlVs2czlaR5CGHXjqjwUg+bpkhr+U/8UqK6yRKXGQ4BLC+YToSbvtQtXC46CMqDPVXeJX8H/Qalqw==</SignatureValue>
<KeyInfo>
<wsse:SecurityTokenReference>
<wsse:Reference
URI="#SecurityToken-b9447a41-eee1-4c8a-adc4-2db925fc6ed2"
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" />
</wsse:SecurityTokenReference>
</KeyInfo>
</Signature>
</wsse:Security>
</soap:Header>
<soap:Body wsu:Id="Id-29e03f8b-3fcc-47e5-a21d-11aae50bc8c4">
<xenc:EncryptedData Id="Enc-c53ebbda-615c-4c94-ba6e-70470c6718af"
Type="http://www.w3.org/2001/04/xmlenc#Content"
xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
<xenc:EncryptionMethod
Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc" />
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<wsse:SecurityTokenReference>
<wsse:Reference
URI="#SecurityToken-469ec85f-05da-49ac-9f4b-ffdf3bde8f00"
ValueType="http://schemas.xmlsoap.org/ws/2005/02/sc/dk" />
</wsse:SecurityTokenReference>
</KeyInfo>
<xenc:CipherData>

<xenc:CipherValue>9r8dsgr8AmUEUwBZJGBNHgk+kc3kzc5g2v8P/mKJn4YaW+QfVgRwAxv4AmONZ9k1Mmjc4ko5nVhxh0bDq44eDimkQwK4ke9z34qLPYTpZDUzCuL9zYoszIEyDlJcAKTGMTbVB8Su/tVw/wUe+scU0zhkzKD8pJkcFEIgb3rjeuvKpH0QmukOvS0V+uhY65rXJTzjgQ/GjWKXCce+Fsl/uMDIsD5cC+1EP16tf91LSd4RakuF+X70iMx4SUXSqk2pA1CP3EOSnozP+PkYNzA/yKWyLHB5LYRlILvEwKTopiCgo0Weq1c0V9UMdkNzeXLSihbnMe2v1jxiM2ewDxiVFi80uVLUpsvIq/t9Zd0QAen//qcjZBgXriSp/mLWE1We5GfVHloT+iqs6kcgDma6Qg==</xenc:CipherValue>
</xenc:CipherData>
</xenc:EncryptedData>
</soap:Body>
</soap:Envelope>
</processingStep>
</outputMessage>
</log>

Policy File
<policies xmlns="http://schemas.microsoft.com/wse/2005/06/policy">
<extensions>
<extension name="mutualCertificate11Security"
type="Microsoft.Web.Services3.Design.MutualCertificate11Assertion,
Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral,
PublicKeyToken=31bf3856ad364e35" />
<extension name="x509"
type="Microsoft.Web.Services3.Design.X509TokenProvider,
Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral,
PublicKeyToken=31bf3856ad364e35" />
<extension name="requireActionHeader"
type="Microsoft.Web.Services3.Design.RequireActionHeaderAssertion,
Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral,
PublicKeyToken=31bf3856ad364e35" />
</extensions>
<policy name="DellPolicy">
<mutualCertificate11Security establishSecurityContext="false"
renewExpiredSecurityContext="true" requireSignatureConfirmation="true"
messageProtectionOrder="SignBeforeEncrypt" requireDerivedKeys="true"
ttlInSeconds="300">
<clientToken>
<x509 storeLocation="LocalMachine" storeName="My"
findValue="CN=DellHBTClient" findType="FindBySubjectDistinguishedName" />
</clientToken>
<serviceToken>
<x509 storeLocation="LocalMachine" storeName="AddressBook"
findValue="E=webfarm@xxxxxxxx, CN=MSS Spore, OU=Information Technology,
O=Dell Inc., L=Austin, S=TX, C=US" findType="FindBySubjectDistinguishedName"
/>
</serviceToken>
<protection>
<request signatureOptions="IncludeAddressing, IncludeTimestamp,
IncludeSoapBody" encryptBody="true" />
<response signatureOptions="IncludeAddressing, IncludeTimestamp,
IncludeSoapBody" encryptBody="true" />
<fault signatureOptions="IncludeAddressing, IncludeTimestamp,
IncludeSoapBody" encryptBody="false" />
</protection>
</mutualCertificate11Security>
<requireActionHeader />
</policy>
</policies>

Web.config
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<configSections>
<section name="microsoft.web.services3"
type="Microsoft.Web.Services3.Configuration.WebServicesConfiguration,
Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral,
PublicKeyToken=31bf3856ad364e35" />
</configSections>
<system.web>
<webServices>
<soapExtensionImporterTypes>
<add type="Microsoft.Web.Services3.Description.WseExtensionImporter,
Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral,
PublicKeyToken=31bf3856ad364e35" />
</soapExtensionImporterTypes>
</webServices>
<compilation debug="true">
<assemblies>
<add assembly="Microsoft.Web.Services3, Version=3.0.0.0,
Culture=neutral, PublicKeyToken=31BF3856AD364E35" />
</assemblies>
</compilation>
</system.web>
<microsoft.web.services3>
<security>
<x509 allowTestRoot="true" />
<binarySecurityTokenManager>
<add
valueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3">
<keyAlgorithm name="RSA15" />
</add>
</binarySecurityTokenManager>
</security>
<diagnostics>
<trace enabled="true" input="InputTrace.webinfo"
output="OutputTrace.webinfo" />
</diagnostics>
<policy fileName="wse3policyCache.config" />
</microsoft.web.services3>
</configuration>

The event viewer logs are empty.

Thanks again

"Pablo Cibraro" wrote:

Hi Chris,

The algorithm can be a problem, but I am not sure about that. If the
service is using WSE 3.0, it is probably using RSA-OAEP because that is the
default algorithm.
Did you take a look at the event log or the trace files? You will find more
information about the error there.
I will be able to help you more if you give me the error description that you
find in those sources.

Regards,
Pablo Cibraro
http://weblogs.asp.net/cibrax
[MVP - Connected Systems Developer]

"Chris Fink" <ChrisFink@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:ED825FA5-59BA-4D02-B18E-F3861F2998A1@xxxxxxxxxxxxxxxx
I am receiving the following error when trying to consume a secure WSE
webservice using client certificates:

WSE2005: Protection requirements in MutualCertificate11Assertion are not
satisfied.

The client is using Windows Server 2003.
I've placed my client cert (w/ public + private key) in the Local Machine
Personal store and granted Everyone FULL access to it using the certificates
tools.
I've placed the customer's cert (w/ public key only) in the Local Machine -
Other People store.
I've added the following to my client's web.config, as per the following
recommendation:
http://www.thedatafarm.com/blog/PermaLink,guid,0d461526-d79d-49ce-8c8e-30dbb4646b50.aspx


<security>
<x509 allowTestRoot="true" />
<binarySecurityTokenManager>
<add
valueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3">
<keyAlgorithm name="RSA15" />
</add>
</binarySecurityTokenManager>
</security>

Obviously, I have no control over the web service that I am calling. Is it
possible that the problem is that the service is set up using a different
algorithm? Is this something I need to address on the service or client
side?

Thanks for your help!
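Added example, not from this thread and not WSE code: a Python check that applies the policy's fault protection settings (requireSignatureConfirmation="true", signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody") to the fault captured in InputTrace.webinfo and lists each unmet requirement, which is what the ClientInputFilter decides before raising WSE2005. The wsse11 namespace for SignatureConfirmation is taken from the WS-Security 1.1 specification rather than from the thread; the sample envelope is the posted fault re-typed with faultcode and faultactor omitted.

```python
import xml.etree.ElementTree as ET
# Namespace URIs as they appear in the posted traces; wsse11 is the WS-Security 1.1
# namespace that defines SignatureConfirmation (taken from the OASIS spec, not the thread).
NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsse11": "http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
WSU_ID = "{%s}Id" % NS["wsu"]
ALL_OPTIONS = ("IncludeAddressing", "IncludeTimestamp", "IncludeSoapBody")

def check_protection(envelope_xml, require_signature_confirmation=True, signature_options=ALL_OPTIONS):
    """Return the protection requirements a received message fails (mirrors the client input filter)."""
    root = ET.fromstring(envelope_xml)
    sec = root.find("soap:Header/wsse:Security", NS)
    if sec is None:
        return ["no wsse:Security header"]
    # A wsu:Id counts as protected when a ds:Reference of some ds:Signature covers it.
    signed = {r.get("URI", "").lstrip("#")
              for r in sec.iterfind("ds:Signature/ds:SignedInfo/ds:Reference", NS)}
    problems = []
    def require_signed(elem, what):
        if elem is None:
            problems.append(what + " is missing")
        elif elem.get(WSU_ID) not in signed:
            problems.append(what + " is not signed")

    if require_signature_confirmation:
        require_signed(sec.find("wsse11:SignatureConfirmation", NS), "SignatureConfirmation")
    if "IncludeTimestamp" in signature_options:
        require_signed(sec.find("wsu:Timestamp", NS), "Timestamp")
    if "IncludeSoapBody" in signature_options:
        require_signed(root.find("soap:Body", NS), "soap:Body")
    if "IncludeAddressing" in signature_options:
        # The fault uses WS-Addressing 2004/03 while the request used 2004/08: match either.
        for h in root.find("soap:Header", NS):
            if h.tag.startswith("{http://schemas.xmlsoap.org/ws/") and "/addressing}" in h.tag:
                require_signed(h, h.tag.split("}")[1] + " header")
    return problems

# The fault from InputTrace.webinfo, re-typed as sample input (faultcode/faultactor omitted).
FAULT = """<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
 xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/03/addressing"
 xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
 xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<soap:Header><wsa:Action>http://schemas.xmlsoap.org/ws/2004/03/addressing/fault</wsa:Action>
<wsa:MessageID>uuid:2772387a-eecc-4ed7-bffe-c582fc8299fe</wsa:MessageID><wsa:RelatesTo>uuid:d53e4ab6-386d-426d-96d6-1774a4c739f6</wsa:RelatesTo>
<wsa:To>http://schemas.xmlsoap.org/ws/2004/03/addressing/role/anonymous</wsa:To>
<wsse:Security><wsu:Timestamp wsu:Id="Timestamp-6d2b27e9-fb3c-45a8-b169-fe1c529792a9"><wsu:Created>2006-07-11T14:46:28Z</wsu:Created>
<wsu:Expires>2006-07-11T14:51:28Z</wsu:Expires></wsu:Timestamp></wsse:Security></soap:Header>
<soap:Body><soap:Fault><faultstring>Server unavailable, please try later</faultstring></soap:Fault></soap:Body>
</soap:Envelope>"""
```

Run against the captured fault, it reports SignatureConfirmation missing and every signed-part requirement unmet, which is the condition the trace records as "signature confirmation is not present or not protected properly"; a fault carrying a Signature over those parts plus a signed SignatureConfirmation returns an empty list.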
