Re: Cannot use usernameForCertificateSecurity with IIS application pool custom account



I have finally sorted this out.

The trick is that when you create a new Windows account for the new IIS
application pool you have to log in to this account interactively first
(e.g. using Remote Desktop).

My theory is (and I was inspired by another slightly unrelated posting) that
WSE uses a user-scope data area (some directory in C:\Documents and
Settings\<user>\....). I guess if you create a new Windows login this
user-scope data area is not created until you actually log in to this account
in a normal interactive user session. And if the area does not exist, WSE
fails with the error "The system cannot find the file specified."

I don't know if this theory is right but it works.


"Martin Pes" <mpes@xxxxxxxxxxxxxxxx> wrote in message
news:OPRQV%23FFHHA.3932@xxxxxxxxxxxxxxxxxxxxxxx
Hi,

I am using a web service secured by the WSE 3.0
usernameForCertificateSecurity policy. The service is running on Windows
2003, IIS 6.0. Everything works fine if the IIS application pool uses the
default NETWORK_SERVICE identity. If I change the identity to a custom
account I get the following error in the server WSE 3.0 output trace:

<?xml version="1.0" encoding="utf-8"?>
<log>
  <outputMessage utc="30/11/2006 08:43:18"
      messageId="urn:uuid:993091ef-b795-4fc2-8707-03076e9107c4">
    <processingStep description="Unprocessed message">
      <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xmlns:xsd="http://www.w3.org/2001/XMLSchema">
        <soap:Body>
          <soap:Fault>
            <faultcode>soap:Server</faultcode>
            <faultstring>Server was unable to process request. ---&gt; The system cannot find the file specified.
            </faultstring>
            <detail />
          </soap:Fault>
        </soap:Body>
      </soap:Envelope>
    </processingStep>
    <processingStep description="Entering SOAP filter Microsoft.Web.Services3.Design.UsernameForCertificateAssertion+ServiceOutputFilter" />
    <processingStep description="Exception thrown: Cannot secure outgoing message from the service. The security context token cannot be retrieved from the session state.">
      at Microsoft.Web.Services3.Security.SecureConversationServiceSendSecurityFilter.SecureSecurityConversationMessage(SoapEnvelope envelope, Security security, MessageProtectionRequirements response)
      at Microsoft.Web.Services3.Security.SecureConversationServiceSendSecurityFilter.SecureMessage(SoapEnvelope envelope, Security security)
      at Microsoft.Web.Services3.Security.SendSecurityFilter.ProcessMessage(SoapEnvelope envelope)
      at Microsoft.Web.Services3.Pipeline.ProcessOutputMessage(SoapEnvelope envelope)
    </processingStep>
  </outputMessage>
</log>


Some extra information:
* If I change the usernameForCertificateSecurity policy to
usernameOverTransportSecurity it works. That suggests that the error has
something to do with the certificate.
* I have set access to the certificate private key for the custom service
account (if I do not do that the error looks different anyway).
* The IIS application pool custom service account identity was created
using the instructions in
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpag2/html/PAGHT000009.asp
* It does not matter whether the service account is local or domain. I am
getting the same error.
* The exact policy specification is below:

<policy name="OperatorClientPolicy">
  <usernameForCertificateSecurity establishSecurityContext="true"
      renewExpiredSecurityContext="true" requireSignatureConfirmation="false"
      messageProtectionOrder="SignBeforeEncryptAndEncryptSignature"
      requireDerivedKeys="true" ttlInSeconds="300">
    <serviceToken>
      <x509 storeLocation="LocalMachine" storeName="My"
          findValue="CN=EMSAppSever, CN=PES.CNCZ.CZ, CN=PES, O=CN Resources International (CZ) a.s., C=Czech Republic"
          findType="FindBySubjectDistinguishedName" />
    </serviceToken>
    <protection>
      <request signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true" />
      <response signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true" />
      <fault signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="false" />
    </protection>
  </usernameForCertificateSecurity>
  <requireActionHeader />
</policy>

Any help would be greatly appreciated.

Regards,

Martin
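The two conditions this thread turns on, a user profile for the pool identity and that identity's access to the service certificate's private key, can be checked before the pool is switched over. The following PowerShell script is an added example written for this page; it is not code from either poster. The account name and certificate subject filter are placeholders, and it assumes Windows PowerShell 5.1 on the web server with a CAPI (RSA CSP) key, which is how the certificate store and key container file are exposed to the script. On IIS 7 and later the profile condition can also be met with the application pool's processModel loadUserProfile setting instead of an interactive logon.

```powershell
<#
  Added example (not from either poster in this thread).
  Pre-flight checks for an IIS application pool identity that will run a
  WSE usernameForCertificateSecurity service:
    1. the account resolves to a SID,
    2. a local user profile exists for it (the thread's "log in once" fix),
    3. the service certificate is in LocalMachine\My with a private key,
    4. the key container file grants the account Read.
  $Account and $SubjectLike are placeholders (assumptions); substitute your own.
  Run in an elevated Windows PowerShell 5.1 session on the web server.
#>
param(
    [string]$Account     = 'DOMAIN\SvcAccount',       # placeholder pool identity
    [string]$SubjectLike = 'CN=ExampleServiceCert*'   # placeholder subject filter
)

$ErrorActionPreference = 'Stop'

# 1. Resolve the account name to a SID; a mistyped identity fails here first.
$nt  = New-Object System.Security.Principal.NTAccount($Account)
$sid = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
Write-Output "Account $Account resolves to $sid"

# 2. Profile check. Without a profile there is no per-user data area for
#    components that keep state under the user's profile directory.
$userProfile = Get-CimInstance Win32_UserProfile | Where-Object { $_.SID -eq $sid }
if ($userProfile) {
    Write-Output "User profile present: $($userProfile.LocalPath)"
} else {
    Write-Warning ("No user profile for $Account on this host. Log on once " +
                   "interactively, or on IIS 7+ set processModel.loadUserProfile=true " +
                   "on the application pool, then retest.")
}

# 3. Find the service certificate by subject in the machine store.
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like $SubjectLike } |
        Select-Object -First 1
if (-not $cert)               { throw "No certificate matching '$SubjectLike' in LocalMachine\My" }
if (-not $cert.HasPrivateKey) { throw "Certificate $($cert.Thumbprint) has no private key on this host" }
Write-Output "Certificate $($cert.Thumbprint) found, expires $($cert.NotAfter)"

# 4. Key container ACL. This covers CAPI (RSA CSP) keys, which are files under
#    MachineKeys; CNG keys are stored elsewhere and are not checked here.
$csp = $cert.PrivateKey.CspKeyContainerInfo
if (-not $csp.MachineKeyStore) {
    throw "Private key is in a user key store, not the machine store; the pool identity cannot reach it"
}
$keyPath = Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$($csp.UniqueKeyContainerName)"
$acl = Get-Acl -Path $keyPath

# Compare ACEs by SID so that unresolved (orphaned) identities are matched correctly.
$readAce = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq $sid -and
    (($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::Read) -ne 0)
}
if ($readAce) {
    Write-Output "Key container $keyPath grants $Account read access"
} else {
    Write-Warning ("No direct Allow/Read ACE for $Account on $keyPath. Grant it " +
                   "(e.g. via the certificate MMC 'Manage Private Keys'); access inherited " +
                   "through group membership is not detected by this check.")
}
```

The ACL check is deliberately narrow: it only reports a direct Allow entry for the account's SID, so a key made readable through a group such as IIS_WPG will show as a warning and needs to be confirmed by hand. Keeping the grant direct and limited to Read matches least privilege for a service identity that only needs to decrypt and sign with the key.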
