Cannot use usernameForCertificateSecurity with IIS application pool custom account



Hi,

I am using web service secured by the WSE 3.0 usernameForCertificateSecurity
policy. The service is running on Windows 2003, IIS 6.0. Everything works
fine if the IIS application pool uses default NETWORK_SERVICE identity. If I
change the identity to the custom account I am getting the following error
in server WSE 3.0 output trace:

<?xml version="1.0" encoding="utf-8"?>

<log>

<outputMessage utc="30/11/2006 08:43:18"
messageId="urn:uuid:993091ef-b795-4fc2-8707-03076e9107c4">

<processingStep description="Unprocessed message">

<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema">

<soap:Body>

<soap:Fault>

<faultcode>soap:Server</faultcode>

<faultstring>Server was unable to process request. ---&gt; The system cannot
find the file specified.

</faultstring>

<detail />

</soap:Fault>

</soap:Body>

</soap:Envelope>

</processingStep>

<processingStep description="Entering SOAP filter
Microsoft.Web.Services3.Design.UsernameForCertificateAssertion+ServiceOutputFilter"
/>

<processingStep description="Exception thrown: Cannot secure outgoing
message from the service. The security context token cannot be retrieved
from the session state."> at
Microsoft.Web.Services3.Security.SecureConversationServiceSendSecurityFilter.SecureSecurityConversationMessage(SoapEnvelope
envelope, Security security, MessageProtectionRequirements response)

at
Microsoft.Web.Services3.Security.SecureConversationServiceSendSecurityFilter.SecureMessage(SoapEnvelope
envelope, Security security)

at
Microsoft.Web.Services3.Security.SendSecurityFilter.ProcessMessage(SoapEnvelope
envelope)

at Microsoft.Web.Services3.Pipeline.ProcessOutputMessage(SoapEnvelope
envelope)</processingStep>

</outputMessage>

</log>


Some extra information:
* If I change the usernameForCertificateSecurity policy to
usernameOverTransportSecurity it works. That suggests that the error has
something to do with the certificate.
* I have set access to the certificate private key for the custom service
account (if I do not do that the error looks different anyway)
* The IIS application pool custom service account identity was created using
the instruction in
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpag2/html/PAGHT000009.asp
* It does not matter if the service account is local or domain. I am getting
the same error.
* The exact policy specification is below:

<policy name="OperatorClientPolicy">
<usernameForCertificateSecurity establishSecurityContext="true"
renewExpiredSecurityContext="true" requireSignatureConfirmation="false"
messageProtectionOrder="SignBeforeEncryptAndEncryptSignature"
requireDerivedKeys="true" ttlInSeconds="300">

<serviceToken>

<x509 storeLocation="LocalMachine" storeName="My" findValue="CN=EMSAppSever,
CN=PES.CNCZ.CZ, CN=PES, O=CN Resources International (CZ) a.s., C=Czech
Republic" findType="FindBySubjectDistinguishedName" />

</serviceToken>

<protection>

<request signatureOptions="IncludeAddressing, IncludeTimestamp,
IncludeSoapBody" encryptBody="true" />

<response signatureOptions="IncludeAddressing, IncludeTimestamp,
IncludeSoapBody" encryptBody="true" />

<fault signatureOptions="IncludeAddressing, IncludeTimestamp,
IncludeSoapBody" encryptBody="false" />

</protection>

</usernameForCertificateSecurity>

<requireActionHeader />

</policy>

Any help would be greatly appreciated.

Regards,

Martin
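An added check, not part of Martin's post or of WSE 3.0: the bullets above say the custom account was granted access to the certificate's private key, and the policy's <serviceToken> selects that certificate from LocalMachine\My by subject DN. The PowerShell below locates the certificate the same way (by its leading CN, since Windows may render the DN in reverse RDN order), resolves the CAPI key container file under the machine key directory, and prints its ACL so the grant for the application pool identity can be verified from the server rather than assumed. It assumes a CAPI (RSACryptoServiceProvider) key; the account name `DOMAIN\WseServiceAcct` is a placeholder.

```powershell
# Added example (not from the original post): find the WSE service certificate in
# LocalMachine\My and show which accounts can read its CAPI private key file.
# Assumptions: the key was created by a CAPI provider (RSACryptoServiceProvider),
# so it lives under the machine key directory; the account name is hypothetical.
param(
    [string]$SubjectCN = "CN=EMSAppSever",        # leading RDN of the DN in the policy
    [string]$Account   = "DOMAIN\WseServiceAcct"  # hypothetical app pool identity
)

# Match on the leading CN: the store may render the subject in a different RDN order
# than the findValue string in the policy.
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq $SubjectCN -or $_.Subject -like "$SubjectCN,*" } |
        Select-Object -First 1
if (-not $cert)               { throw "No certificate with subject starting '$SubjectCN' in LocalMachine\My" }
if (-not $cert.HasPrivateKey) { throw "Certificate $($cert.Thumbprint) has no private key in this store" }

# For CAPI keys PrivateKey is an RSACryptoServiceProvider; reading it fails if the
# current user has no access, and CNG keys return null here.
try   { $rsa = $cert.PrivateKey }
catch { throw "Cannot open private key as current user: $($_.Exception.Message)" }
if (-not $rsa) { throw "Private key not exposed through CAPI (CNG key?)" }

$container = $rsa.CspKeyContainerInfo.UniqueKeyContainerName
# CommonApplicationData resolves correctly on both Windows 2003 and later versions.
$keyDir    = Join-Path ([Environment]::GetFolderPath('CommonApplicationData')) 'Microsoft\Crypto\RSA\MachineKeys'
$keyFile   = Join-Path $keyDir $container
if (-not (Test-Path $keyFile)) { throw "Key container file not found: $keyFile" }

"Certificate : $($cert.Subject)"
"Thumbprint  : $($cert.Thumbprint)"
"Key file    : $keyFile"

$acl = Get-Acl $keyFile
$acl.Access | Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize

# Read access to the container file is what the service identity needs to sign and decrypt.
$readRights = [System.Security.AccessControl.FileSystemRights]::Read
$granted = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.IdentityReference.Value -eq $Account -and
    (($_.FileSystemRights -band $readRights) -eq $readRights)
}
if ($granted) { "OK: $Account has an explicit read ACE on the private key file" }
else          { "MISSING: no explicit read ACE for $Account (group membership is not evaluated here)" }
```

Run it in an elevated prompt on the web server; if the ACE is present and the fault persists, the private key grant can be ruled out and attention moved to the other differences between NETWORK_SERVICE and the custom account.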
