Re: Cannot use usernameForCertificateSecurity with IIS application pool custom account



Hi Martin,

It seems to be a bug or problem in one of the CryptoAPI functions (.NET
uses those functions to manage X509 certificates).
If you search Google for that problem, you will find many entries with
similar descriptions.

In IIS 5.0/6.0, to process the PFX file I use the CryptoAPI function
PFXImportCertStore, but RevertToSelf must be called prior to calling
PFXImportCertStore, and the virtual directory's Application Protection
option must be set to Low. Otherwise I receive the error "The system cannot
find the file specified".

However, I am not sure if this problem also applies for WSE.

Regards,
Pablo Cibraro.
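
The sequence described in the reply above (RevertToSelf, then PFXImportCertStore), written out as an added C# example; this is not code from the reply, from WSE or from Microsoft. It assumes .NET Framework on Windows, a CAPI key store, and a hypothetical PFX path and password passed in by the caller. The import is done with the machine key set, so the key does not depend on a user profile that a service account may not have loaded, and without CRYPT_EXPORTABLE, so code in the worker process cannot later pull the key back out.

```csharp
// Added example, not from the original post: import a PFX from an IIS worker
// thread that may be impersonating the request's caller. RevertToSelf runs
// first so PFXImportCertStore executes as the process (application pool)
// identity; the caller's impersonation is restored afterwards.
using System;
using System.ComponentModel;
using System.IO;
using System.Runtime.InteropServices;
using System.Security.Cryptography.X509Certificates;
using System.Security.Principal;

public static class PfxImporter
{
    // Flag values from wincrypt.h.
    const uint CRYPT_MACHINE_KEYSET = 0x00000020;

    [StructLayout(LayoutKind.Sequential)]
    struct CRYPT_DATA_BLOB
    {
        public uint cbData;
        public IntPtr pbData;
    }

    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool RevertToSelf();

    [DllImport("crypt32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern IntPtr PFXImportCertStore(ref CRYPT_DATA_BLOB pPFX, string szPassword, uint dwFlags);

    [DllImport("crypt32.dll", SetLastError = true)]
    static extern IntPtr CertEnumCertificatesInStore(IntPtr hCertStore, IntPtr pPrevCertContext);

    [DllImport("crypt32.dll", SetLastError = true)]
    static extern bool CertFreeCertificateContext(IntPtr pCertContext);

    [DllImport("crypt32.dll", SetLastError = true)]
    static extern bool CertCloseStore(IntPtr hCertStore, uint dwFlags);

    // Imports the PFX as the process identity and returns its first certificate.
    // pfxPath and password are hypothetical inputs supplied by the caller.
    public static X509Certificate2 Import(string pfxPath, string password)
    {
        // Non-null only while this thread is impersonating a caller.
        WindowsIdentity impersonated = WindowsIdentity.GetCurrent(true);
        if (impersonated != null && !RevertToSelf())
            throw new Win32Exception(Marshal.GetLastWin32Error(), "RevertToSelf failed");
        try
        {
            return ImportAsSelf(File.ReadAllBytes(pfxPath), password);
        }
        finally
        {
            // Put the caller's token back so the rest of the request runs as before.
            if (impersonated != null) impersonated.Impersonate();
        }
    }

    static X509Certificate2 ImportAsSelf(byte[] pfx, string password)
    {
        GCHandle pin = GCHandle.Alloc(pfx, GCHandleType.Pinned);
        IntPtr store = IntPtr.Zero;
        IntPtr ctx = IntPtr.Zero;
        try
        {
            CRYPT_DATA_BLOB blob;
            blob.cbData = (uint)pfx.Length;
            blob.pbData = pin.AddrOfPinnedObject();

            // CRYPT_MACHINE_KEYSET puts the private key in the machine key set;
            // CRYPT_EXPORTABLE is deliberately not set.
            store = PFXImportCertStore(ref blob, password, CRYPT_MACHINE_KEYSET);
            if (store == IntPtr.Zero)
                throw new Win32Exception(Marshal.GetLastWin32Error(), "PFXImportCertStore failed");

            ctx = CertEnumCertificatesInStore(store, IntPtr.Zero);
            if (ctx == IntPtr.Zero)
                throw new InvalidOperationException("PFX contains no certificate");

            // The X509Certificate2 constructor duplicates the context, so both
            // the enumerated context and the store can be released below.
            return new X509Certificate2(ctx);
        }
        finally
        {
            if (ctx != IntPtr.Zero) CertFreeCertificateContext(ctx);
            if (store != IntPtr.Zero) CertCloseStore(store, 0);
            pin.Free();
        }
    }
}
```

Call `PfxImporter.Import(@"C:\keys\service.pfx", password)` from the request path; if PFXImportCertStore still fails after the revert, the Win32 error code in the exception tells you whether it is a file-access problem (the pool account cannot read the PFX or the MachineKeys directory) rather than an impersonation one.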

"Martin Pes" <mpes@xxxxxxxxxxxxxxxx> wrote in message
news:OPRQV%23FFHHA.3932@xxxxxxxxxxxxxxxxxxxxxxx
Hi,

I am using a web service secured by the WSE 3.0
usernameForCertificateSecurity policy. The service is running on Windows
2003, IIS 6.0. Everything works fine if the IIS application pool uses the
default NETWORK_SERVICE identity. If I change the identity to a custom
account I get the following error in the server WSE 3.0 output trace:

<?xml version="1.0" encoding="utf-8"?>
<log>
  <outputMessage utc="30/11/2006 08:43:18"
      messageId="urn:uuid:993091ef-b795-4fc2-8707-03076e9107c4">
    <processingStep description="Unprocessed message">
      <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xmlns:xsd="http://www.w3.org/2001/XMLSchema">
        <soap:Body>
          <soap:Fault>
            <faultcode>soap:Server</faultcode>
            <faultstring>Server was unable to process request. ---&gt; The system cannot find the file specified.</faultstring>
            <detail />
          </soap:Fault>
        </soap:Body>
      </soap:Envelope>
    </processingStep>
    <processingStep description="Entering SOAP filter Microsoft.Web.Services3.Design.UsernameForCertificateAssertion+ServiceOutputFilter" />
    <processingStep description="Exception thrown: Cannot secure outgoing message from the service. The security context token cannot be retrieved from the session state.">
   at Microsoft.Web.Services3.Security.SecureConversationServiceSendSecurityFilter.SecureSecurityConversationMessage(SoapEnvelope envelope, Security security, MessageProtectionRequirements response)
   at Microsoft.Web.Services3.Security.SecureConversationServiceSendSecurityFilter.SecureMessage(SoapEnvelope envelope, Security security)
   at Microsoft.Web.Services3.Security.SendSecurityFilter.ProcessMessage(SoapEnvelope envelope)
   at Microsoft.Web.Services3.Pipeline.ProcessOutputMessage(SoapEnvelope envelope)</processingStep>
  </outputMessage>
</log>


Some extra information:
* If I change the usernameForCertificateSecurity policy to
usernameOverTransportSecurity it works. That suggests that the error has
something to do with the certificate.
* I have set access to the certificate private key for the custom service
account (if I do not do that the error looks different anyway).
* The IIS application pool custom service account identity was created
using the instructions in
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpag2/html/PAGHT000009.asp
* It does not matter if the service account is local or domain. I am
getting the same error.
* The exact policy specification is below:

<policy name="OperatorClientPolicy">
  <usernameForCertificateSecurity establishSecurityContext="true"
      renewExpiredSecurityContext="true" requireSignatureConfirmation="false"
      messageProtectionOrder="SignBeforeEncryptAndEncryptSignature"
      requireDerivedKeys="true" ttlInSeconds="300">
    <serviceToken>
      <x509 storeLocation="LocalMachine" storeName="My"
          findValue="CN=EMSAppSever, CN=PES.CNCZ.CZ, CN=PES, O=CN Resources International (CZ) a.s., C=Czech Republic"
          findType="FindBySubjectDistinguishedName" />
    </serviceToken>
    <protection>
      <request signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true" />
      <response signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true" />
      <fault signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="false" />
    </protection>
  </usernameForCertificateSecurity>
  <requireActionHeader />
</policy>

Any help would be greatly appreciated.

Regards,

Martin
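
The check a practitioner would run against the setup described in the question above: look the service certificate up exactly as the policy does (LocalMachine\My, by subject distinguished name), open its private key, locate the key container file, and grant the pool account read access to it. This is an added C# example, not code from the post, from WSE or from the MSDN article linked above. It assumes .NET Framework on Windows with a CAPI (CSP) RSA key in the machine key set; the subject DN is the one from the policy, and the account name is a hypothetical placeholder.

```csharp
// Added example, not from the original post: reproduce the private-key access
// that usernameForCertificateSecurity needs, outside WSE, and fix the key
// container ACL for the application pool account.
using System;
using System.IO;
using System.Security.AccessControl;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

public static class ServiceCertCheck
{
    // Subject DN copied from the policy in the question.
    public const string SubjectDn =
        "CN=EMSAppSever, CN=PES.CNCZ.CZ, CN=PES, O=CN Resources International (CZ) a.s., C=Czech Republic";

    // Same lookup the policy performs: LocalMachine\My, FindBySubjectDistinguishedName.
    public static X509Certificate2 FindServiceCertificate(string subjectDn)
    {
        X509Store store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
        try
        {
            X509Certificate2Collection found = store.Certificates.Find(
                X509FindType.FindBySubjectDistinguishedName, subjectDn, false);
            if (found.Count == 0)
                throw new InvalidOperationException("No certificate with that subject in LocalMachine\\My");
            return found[0];
        }
        finally
        {
            store.Close();
        }
    }

    // Full path of the CAPI key container file under the machine key set.
    public static string MachineKeyFile(X509Certificate2 cert)
    {
        if (!cert.HasPrivateKey)
            throw new InvalidOperationException("Certificate has no private key in this store");

        // The PrivateKey getter throws CryptographicException when the current
        // account cannot open the key container. Running this as the pool
        // account (e.g. via runas) shows what the service would see.
        RSACryptoServiceProvider rsa = cert.PrivateKey as RSACryptoServiceProvider;
        if (rsa == null)
            throw new InvalidOperationException("Private key is not a CSP RSA key");

        CspKeyContainerInfo info = rsa.CspKeyContainerInfo;
        if (!info.MachineKeyStore)
            throw new InvalidOperationException(
                "Key lives in a user key set; a service account without a loaded profile cannot open it");

        string machineKeys = Path.Combine(
            Environment.GetFolderPath(Environment.SpecialFolder.CommonApplicationData),
            @"Microsoft\Crypto\RSA\MachineKeys");
        return Path.Combine(machineKeys, info.UniqueKeyContainerName);
    }

    // Grant the application pool account Read on the key container file.
    // Read is enough to use the key; do not grant Full Control.
    public static void GrantReadOnPrivateKey(X509Certificate2 cert, string account)
    {
        string keyFile = MachineKeyFile(cert);
        FileSecurity acl = File.GetAccessControl(keyFile);
        acl.AddAccessRule(new FileSystemAccessRule(account, FileSystemRights.Read, AccessControlType.Allow));
        File.SetAccessControl(keyFile, acl);
    }

    public static void Main(string[] args)
    {
        // Hypothetical pool account name; pass the real one on the command line.
        string poolAccount = args.Length > 0 ? args[0] : @"DOMAIN\WseServiceAccount";
        X509Certificate2 cert = FindServiceCertificate(SubjectDn);
        Console.WriteLine("Thumbprint: " + cert.Thumbprint);
        Console.WriteLine("Key file:   " + MachineKeyFile(cert));
        GrantReadOnPrivateKey(cert, poolAccount);
        Console.WriteLine("Granted Read on the key container to " + poolAccount);
    }
}
```

Run it once as an administrator to grant the ACL, then again under the pool account (without the grant step) to confirm `MachineKeyFile` no longer throws; if the pool account still cannot open the key, the problem is in the key store rather than in the policy.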
