Re: Cannot use usernameForCertificateSecurity with IIS application pool custom account



Hi Pablo,

Thanks a lot for the hints. Unfortunately, if it is a case of a CryptoAPI bug I
cannot use your workaround - I do not call these functions; I believe WSE
3.0 does it. I also run IIS in 6.0 mode (using an application pool), so I cannot
set the Application Protection to 'Low' (which I believe is only possible
in IIS 5.0 isolation mode).

It still bugs me that the default NETWORK_SERVICE account runs fine and
another account does not.

Martin


"Pablo Cibraro [MVP]" <pcibraro@xxxxxxxxxxx> wrote in message
news:er4HhEJFHHA.1784@xxxxxxxxxxxxxxxxxxxxxxx
Hi Martin,

It seems to be a bug or problem in one of the CryptoAPI functions. (.NET
uses those functions to manage the X509 certificates.)
If you search for that problem on Google, you will find many entries with
similar descriptions.

In IIS 5.0/6.0 to process the PFX file I use the CryptoAPI function
PFXImportCertStore, but RevertToSelf must be called prior to calling
PFXImportCertStore, and the virtual directory's Application Protection
option must be set to Low. Otherwise I receive the error "The system
cannot find the file specified".

However, I am not sure if this problem also applies to WSE.

Regards,
Pablo Cibraro.

"Martin Pes" <mpes@xxxxxxxxxxxxxxxx> wrote in message
news:OPRQV%23FFHHA.3932@xxxxxxxxxxxxxxxxxxxxxxx
Hi,

I am using a web service secured by the WSE 3.0
usernameForCertificateSecurity policy. The service is running on Windows
2003, IIS 6.0. Everything works fine if the IIS application pool uses the
default NETWORK_SERVICE identity. If I change the identity to a custom
account I get the following error in the server WSE 3.0 output trace:

<?xml version="1.0" encoding="utf-8"?>
<log>
  <outputMessage utc="30/11/2006 08:43:18"
    messageId="urn:uuid:993091ef-b795-4fc2-8707-03076e9107c4">
    <processingStep description="Unprocessed message">
      <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xmlns:xsd="http://www.w3.org/2001/XMLSchema">
        <soap:Body>
          <soap:Fault>
            <faultcode>soap:Server</faultcode>
            <faultstring>Server was unable to process request. ---&gt; The system cannot find the file specified.
            </faultstring>
            <detail />
          </soap:Fault>
        </soap:Body>
      </soap:Envelope>
    </processingStep>
    <processingStep description="Entering SOAP filter Microsoft.Web.Services3.Design.UsernameForCertificateAssertion+ServiceOutputFilter" />
    <processingStep description="Exception thrown: Cannot secure outgoing message from the service. The security context token cannot be retrieved from the session state."> at Microsoft.Web.Services3.Security.SecureConversationServiceSendSecurityFilter.SecureSecurityConversationMessage(SoapEnvelope envelope, Security security, MessageProtectionRequirements response)
       at Microsoft.Web.Services3.Security.SecureConversationServiceSendSecurityFilter.SecureMessage(SoapEnvelope envelope, Security security)
       at Microsoft.Web.Services3.Security.SendSecurityFilter.ProcessMessage(SoapEnvelope envelope)
       at Microsoft.Web.Services3.Pipeline.ProcessOutputMessage(SoapEnvelope envelope)</processingStep>
  </outputMessage>
</log>


Some extra information:
* If I change the usernameForCertificateSecurity policy to
usernameOverTransportSecurity, it works. That suggests the error has
something to do with the certificate.
* I have set access to the certificate private key for the custom service
account (if I do not do that, the error looks different anyway).
* The IIS application pool custom service account identity was created
using the instructions in
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpag2/html/PAGHT000009.asp
* It does not matter if the service account is local or domain; I am
getting the same error.
* The exact policy specification is below:

<policy name="OperatorClientPolicy">
  <usernameForCertificateSecurity establishSecurityContext="true"
    renewExpiredSecurityContext="true" requireSignatureConfirmation="false"
    messageProtectionOrder="SignBeforeEncryptAndEncryptSignature"
    requireDerivedKeys="true" ttlInSeconds="300">
    <serviceToken>
      <x509 storeLocation="LocalMachine" storeName="My"
        findValue="CN=EMSAppSever, CN=PES.CNCZ.CZ, CN=PES, O=CN Resources International (CZ) a.s., C=Czech Republic"
        findType="FindBySubjectDistinguishedName" />
    </serviceToken>
    <protection>
      <request signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true" />
      <response signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true" />
      <fault signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="false" />
    </protection>
  </usernameForCertificateSecurity>
  <requireActionHeader />
</policy>

Any help would be greatly appreciated.

Regards,

Martin
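The check that separates the two failure modes Martin's list points at (no certificate matching the policy's subject DN in LocalMachine\My, versus a certificate that is found but whose private key file the pool identity cannot open) is shown below. This is an added example, not code from the thread or from WSE; it uses a placeholder subject DN and assumes it is run under the application pool account (for example from a test page in the same application).

```csharp
// Added diagnostic: run under the IIS application pool identity (e.g. from a
// test .aspx page in the same application). Same store/find settings as the policy.
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
static class ServiceCertCheck
{
    // Placeholder subject DN; replace with the policy's findValue.
    const string SubjectDn = "CN=ServiceCert, O=Example Org";
    static void Main()
    {
        X509Store store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
        try
        {
            X509Certificate2Collection found = store.Certificates.Find(
                X509FindType.FindBySubjectDistinguishedName, SubjectDn, false);
            if (found.Count == 0)
            {
                Console.WriteLine("No certificate with subject '{0}' in LocalMachine\\My.", SubjectDn);
                return;
            }
            foreach (X509Certificate2 cert in found)
            {
                Console.WriteLine("Found {0} as {1}", cert.Thumbprint, Environment.UserName);
                if (!cert.HasPrivateKey)
                {
                    Console.WriteLine("  Store entry has no private key (was the .cer imported instead of the PFX?).");
                    continue;
                }
                try
                {
                    // Touching PrivateKey makes CryptoAPI open the key container file;
                    // an identity without read access on that file fails here.
                    RSACryptoServiceProvider rsa = (RSACryptoServiceProvider)cert.PrivateKey;
                    CspKeyContainerInfo info = rsa.CspKeyContainerInfo;
                    Console.WriteLine("  Private key OK; machine key set = {0}; container = {1}",
                        info.MachineKeyStore, info.UniqueKeyContainerName);
                }
                catch (CryptographicException ex)
                {
                    Console.WriteLine("  Private key not usable by this identity: {0}", ex.Message);
                }
            }
        }
        finally { store.Close(); }
    }
}
```

When the machine key set is reported as true, UniqueKeyContainerName is the file under %ALLUSERSPROFILE%\Application Data\Microsoft\Crypto\RSA\MachineKeys whose ACL must grant the service account Read; a key that was imported into a user key set instead lives in the importing user's profile and is not visible to any other account.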