Re: WSE2005: Protection requirements in MutualCertificate11Asserti

I guess this means that the service is not using the same algorithm as my
client? Could it also be that they are using WSE2 (they told me WSE3, but
you never know).

Where are the settings located that determine the service's security
requirements? The solution will be to make my client match the service since
I know the customer will not adjust.

Thanks again

"Pablo Cibraro" wrote:

Yes, but you have to restart the application because WSE keeps the policy in
a cache.

Now, you are having another problem.

Exception thrown: WSE2005: Protection
requirements in MutualCertificate11Assertion are not satisfied.">

The Web service is using different security requeriments. (It is not signing
or encrypting some header).

Regards,
Pablo Cibraro.

"Chris Fink" <ChrisFink@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:1BEBC7E1-FD10-46B0-B32C-7BE644C639CA@xxxxxxxxxxxxxxxx
I can change the wse3policyCache.config directly without recompiling the
app,
right?


"Chris Fink" wrote:

Pablo,

I made the change to the policy file as noted, did an IISRESET for kicks,
and reran my client - still the same error (attached below). The odd
thing
is notice this faultstring in the trace file:
<faultstring>Server unavailable, please try later</faultstring>. When I
run
my client (which is a webservice), the response page is a browser page
with
the following text, no reference to any kind
of HTTP status code.... Your solution makes perfect sense, I am not sure
why it is not working for me? Is it a possible firewall problem?

=====WEB PAGE RESPONSE ======
Microsoft.Web.Services3.ResponseProcessingException: WSE910: An error
happened during the processing of a response message, and you can find
the
error in the inner exception. You can also find the response message in
the
Response property. ---> Microsoft.Web.Services3.Security.SecurityFault:
WSE2005: Protection requirements in MutualCertificate11Assertion are not
satisfied.
at
Microsoft.Web.Services3.Design.MutualCertificate11Assertion.ClientInputFilter.ValidateMessageSecurity(SoapEnvelope
envelope, Security security, MessageProtectionRequirements response)
at
Microsoft.Web.Services3.Security.SecureConversationClientReceiveSecurityFilter.ValidateMessageSecurity(SoapEnvelope
envelope, Security security)
at
Microsoft.Web.Services3.Security.ReceiveSecurityFilter.ProcessMessage(SoapEnvelope
envelope)
at Microsoft.Web.Services3.Pipeline.ProcessInputMessage(SoapEnvelope
envelope)
at
Microsoft.Web.Services3.Xml.SoapEnvelopeReaderWrapper..ctor(SoapClientMessage
message, String messageContentType)
--- End of inner exception stack trace ---
at
Microsoft.Web.Services3.Xml.SoapEnvelopeReaderWrapper..ctor(SoapClientMessage
message, String messageContentType)
at
Microsoft.Web.Services3.WebServicesClientProtocol.GetReaderForMessage(SoapClientMessage
message, Int32 bufferSize)
at
System.Web.Services.Protocols.SoapHttpClientProtocol.ReadResponse(SoapClientMessage
message, WebResponse response, Stream responseStream, Boolean asyncCall)
at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String
methodName, Object[] parameters)
at ApplicationMessagingWS.Dispatch(String messageType, String
correlationId, String messageBody, String userName, String
applicationName,
String instance, String postBackUrl)
at ConsumeDellMSS.Dispatch(String messageType, String correlationId,
String messageBody, String userName, String applicationName, String
instance,
String postBackUrl)


======POLICY FILE==============
<policies xmlns="http://schemas.microsoft.com/wse/2005/06/policy";>
<extensions>
<extension name="mutualCertificate11Security"
type="Microsoft.Web.Services3.Design.MutualCertificate11Assertion,
Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral,
PublicKeyToken=31bf3856ad364e35" />
<extension name="x509"
type="Microsoft.Web.Services3.Design.X509TokenProvider,
Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral,
PublicKeyToken=31bf3856ad364e35" />
<extension name="requireActionHeader"
type="Microsoft.Web.Services3.Design.RequireActionHeaderAssertion,
Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral,
PublicKeyToken=31bf3856ad364e35" />
</extensions>
<policy name="DellPolicy">
<mutualCertificate11Security establishSecurityContext="false"
renewExpiredSecurityContext="true" requireSignatureConfirmation="false"
messageProtectionOrder="SignBeforeEncrypt" requireDerivedKeys="true"
ttlInSeconds="300">
<clientToken>
<x509 storeLocation="LocalMachine" storeName="My"
findValue="CN=DellHBTClient" findType="FindBySubjectDistinguishedName" />
</clientToken>
<serviceToken>
<x509 storeLocation="LocalMachine" storeName="AddressBook"
findValue="E=webfarm@xxxxxxxx, CN=MSS Spore, OU=Information Technology,
O=Dell Inc., L=Austin, S=TX, C=US"
findType="FindBySubjectDistinguishedName"
/>
</serviceToken>
<protection>
<request signatureOptions="IncludeAddressing, IncludeTimestamp,
IncludeSoapBody" encryptBody="true" />
<response signatureOptions="IncludeAddressing, IncludeTimestamp,
IncludeSoapBody" encryptBody="true" />
<fault signatureOptions="IncludeAddressing, IncludeTimestamp,
IncludeSoapBody" encryptBody="false" />
</protection>
</mutualCertificate11Security>
<requireActionHeader />
</policy>
</policies>

=======Trace================
<?xml version="1.0" encoding="utf-8"?>
<log>
<inputMessage utc="7/11/2006 7:59:07 PM">
<processingStep description="Unprocessed message">
<soap:Envelope
xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/03/addressing";
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/";>
<soap:Header>

<wsa:Action>http://schemas.xmlsoap.org/ws/2004/03/addressing/fault</wsa:Action>

<wsa:MessageID>uuid:e66736ab-9f7c-4922-8a5d-b35370631a16</wsa:MessageID>

<wsa:RelatesTo>uuid:ead7386e-e527-4185-9c06-725b9798b576</wsa:RelatesTo>

<wsa:To>http://schemas.xmlsoap.org/ws/2004/03/addressing/role/anonymous</wsa:To>
<wsse:Security>
<wsu:Timestamp
wsu:Id="Timestamp-e076efbe-3a08-41f2-9852-5ee6644fd9d8">
<wsu:Created>2006-07-11T20:00:45Z</wsu:Created>
<wsu:Expires>2006-07-11T20:05:45Z</wsu:Expires>
</wsu:Timestamp>
</wsse:Security>
</soap:Header>
<soap:Body>
<soap:Fault>
<faultcode>soap:Server</faultcode>
<faultstring>Server unavailable, please try
later</faultstring>

<faultactor>http://ausicwfsit01.us.dell.com/mss/webservices/ApplicationMessagingWS.asmx</faultactor>
</soap:Fault>
</soap:Body>
</soap:Envelope>
</processingStep>
<processingStep description="Entering SOAP filter
Microsoft.Web.Services3.Design.MutualCertificate11Assertion+ClientInputFilter"
/>
<processingStep description="Exception thrown: WSE2005: Protection
requirements in MutualCertificate11Assertion are not satisfied."> at
Microsoft.Web.Services3.Design.MutualCertificate11Assertion.ClientInputFilter.ValidateMessageSecurity(SoapEnvelope
envelope, Security security, MessageProtectionRequirements response)
at
Microsoft.Web.Services3.Security.SecureConversationClientReceiveSecurityFilter.ValidateMessageSecurity(SoapEnvelope
envelope, Security security)
at
Microsoft.Web.Services3.Security.ReceiveSecurityFilter.ProcessMessage(SoapEnvelope
envelope)
at Microsoft.Web.Services3.Pipeline.ProcessInputMessage(SoapEnvelope
envelope)</processingStep>
</inputMessage>
</log>


"Pablo Cibraro" wrote:

Hi Chris,

I found the problem, it is related to the signature confirmation
feature.
Below is the error message,

processor="Microsoft.Web.Services3.Design.MutualCertificate11Assertion+ClientInputFilter"
description="Protection requirements not satisfied: signature
confirmation
is
not present or not protected properly" />

Your client application is expecting a signature confirmation but the
service is not sending it. You have to modify your client policy file
to
turn off the signature confirmation. (It must be
requireSignatureConfirmation="false")

Let me know if that helps

Regards,
Pablo Cibraro.




"Chris Fink" <ChrisFink@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:1205D5C6-032C-4F07-94D6-C74894E33923@xxxxxxxxxxxxxxxx
Hi Pablo,

Again, I appreciate your help. Following are the trace files:

InputTrace.webinfo
<?xml version="1.0" encoding="utf-8"?>
<log>
<inputMessage utc="7/11/2006 2:44:52 PM">
<processingStep description="Unprocessed message">
<soap:Envelope
xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/03/addressing";
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/";>
<soap:Header>

<wsa:Action>http://schemas.xmlsoap.org/ws/2004/03/addressing/fault</wsa:Action>

<wsa:MessageID>uuid:2772387a-eecc-4ed7-bffe-c582fc8299fe</wsa:MessageID>

<wsa:RelatesTo>uuid:d53e4ab6-386d-426d-96d6-1774a4c739f6</wsa:RelatesTo>

<wsa:To>http://schemas.xmlsoap.org/ws/2004/03/addressing/role/anonymous</wsa:To>
<wsse:Security>
<wsu:Timestamp
wsu:Id="Timestamp-6d2b27e9-fb3c-45a8-b169-fe1c529792a9">
<wsu:Created>2006-07-11T14:46:28Z</wsu:Created>
<wsu:Expires>2006-07-11T14:51:28Z</wsu:Expires>
</wsu:Timestamp>
</wsse:Security>
</soap:Header>
<soap:Body>
<soap:Fault>
<faultcode>soap:Server</faultcode>
<faultstring>Server unavailable, please try
later</faultstring>

<faultactor>http://ausicwfsit01.us.dell.com/mss/webservices/ApplicationMessagingWS.asmx</faultactor>
</soap:Fault>
</soap:Body>
</soap:Envelope>
</processingStep>
<processingStep description="Entering SOAP filter
Microsoft.Web.Services3.Design.MutualCertificate11Assertion+ClientInputFilter"
/>
<processingStep
processor="Microsoft.Web.Services3.Design.MutualCertificate11Assertion+ClientInputFilter"
description="Protection requirements not satisfied: signature
confirmation
is
not present or not protected properly" />
<processingStep description="Exception thrown: WSE2005: Protection
requirements in MutualCertificate11Assertion are not satisfied.">
at
Microsoft.Web.Services3.Design.MutualCertificate11Assertion.ClientInputFilter.ValidateMessageSecurity(SoapEnvelope
envelope, Security security, MessageProtectionRequirements response)
at
Microsoft.Web.Services3.Security.SecureConversationClientReceiveSecurityFilter.ValidateMessageSecurity(SoapEnvelope
envelope, Security security)
at
Microsoft.Web.Services3.Security.ReceiveSecurityFilter.ProcessMessage(SoapEnvelope
envelope)
at
Microsoft.Web.Services3.Pipeline.ProcessInputMessage(SoapEnvelope
envelope)</processingStep>
</inputMessage>
</log>

OutputTrace.webinfo
<?xml version="1.0" encoding="utf-8"?>
<log>
<outputMessage utc="7/11/2006 2:44:51 PM"
messageId="urn:uuid:6e4a5893-db1a-47ef-aad2-1b2bae431280">
<processingStep description="Unprocessed message">
<soap:Envelope
xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/";
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance";
xmlns:xsd="http://www.w3.org/2001/XMLSchema";>
<soap:Body>
<Dispatch xmlns="http://mss.dell.com/webservices/";>
<messageType>test</messageType>
<correlationId>test</correlationId>
<messageBody>test</messageBody>
<userName>test</userName>
<applicationName>test</applicationName>
<instance>test</instance>
.

Relevant Pages

  • Re: WSE2005: Protection requirements in MutualCertificate11Asserti
    ... error when there is a algorithm mismatch between the client and the ... The Web service is using different security requeriments. ... my client, the response page is a browser page ... message, String messageContentType) ...
    (microsoft.public.dotnet.framework.webservices.enhancements)
  • Re: WSE2005: Protection requirements in MutualCertificate11Asserti
    ... Exception thrown: WSE2005: Protection ... The Web service is using different security requeriments. ... my client, the response page is a browser page ... message, String messageContentType) ...
    (microsoft.public.dotnet.framework.webservices.enhancements)
  • Re: Modify exchange security descriptor
    ... You could use the security module in the SDK. ... > HttpWebRequest request = WebRequest.Create; ... > HttpWebResponse response = request.GetResponse; ... > string strStatus = response.StatusCode.ToString; ...
    (microsoft.public.exchange2000.development)
  • Re: WSE2005: Protection requirements in MutualCertificate11Asserti
    ... error when there is a algorithm mismatch between the client and the ... The Web service is using different security requeriments. ... my client, the response page is a browser page ... message, String messageContentType) ...
    (microsoft.public.dotnet.framework.webservices.enhancements)
  • RE: Dropping carriage return characters from web service
    ... string data in soap response message. ... the SoapHttpClientProtocol(base class of client proxy)'s code, ... Microsoft MSDN Online Support Lead ...
    (microsoft.public.dotnet.framework.aspnet.webservices)