X.509 Unwrap Woes

Joel C. - 26 Feb 2006 05:08 GMT
I have created certificates with the following commands:

makecert -cy authority -r -n "CN=Foo.CA" -sr localmachine -ss "Trust"
makecert -cy end -n "CN=Foo.Server.1" -sky exchange -sk "Foo.Server.1 SK" -ss "My" -sr localmachine -in "Foo.CA" -ir localmachine -is "Trust"
makecert -cy end -n "CN=Foo.Client.1" -sky exchange -sk "Foo.Client.1 SK" -ss "My" -sr localmachine -in "Foo.CA" -ir localmachine -is "Trust"

I use the WSE3.0 wizards to enable the features on both the client and the
server.  At first I got trust errors, but in the interest of just seeing
things work, I unchecked "verify trust". Having gotten past that, now no
matter what I seem to try, I always get the following error:

System.ApplicationException: WSE841: An error occured processing an outgoing
fault response.
---> System.Web.Services.Protocols.SoapException:
System.Web.Services.Protocols.SoapException: Server was unable to process
request.
---> System.Security.Cryptography.CryptographicException: WSE600: Unable to
unwrap a symmetric key using the private key of an X.509 certificate. Please
check if the account '[machinename]\ASPNET' has permissions to read the
private key of certificate with subject name 'CN=Foo.Server.1' and thumbprint
'B4DF9BA97312A30FC113F802F9BD684901C1645D'.  
---> System.Security.Cryptography.CryptographicException: WSE593: Unable to
decrypt the key.  Please check if the process has the right permission to
access the private key.  
---> System.Security.Cryptography.CryptographicException: Error occurred
while decoding OAEP padding.
  at System.Security.Cryptography.Utils._DecryptPKWin2KEnh(SafeKeyHandle
hPubKey, Byte[] key, Boolean fOAEP, Int32& hr)
  at System.Security.Cryptography.RSACryptoServiceProvider.Decrypt(Byte[]
rgb, Boolean fOAEP)
  at
Microsoft.Web.Services3.Security.Cryptography.RSAOAEPKeyExchangeFormatter.DecryptKey(Byte[] cipherKey)
  --- End of inner exception stack trace ---
  at
Microsoft.Web.Services3.Security.Cryptography.RSAOAEPKeyExchangeFormatter.DecryptKey(Byte[] cipherKey)
  at Microsoft.Web.Services3.Security.EncryptedKey.Decrypt()
  --- End of inner exception stack trace ---
  at Microsoft.Web.Services3.Security.EncryptedKey.Decrypt()
  at Microsoft.Web.Services3.Security.Security.LoadXml(XmlElement element)
  at Microsoft.Web.Services3.Security.Security.CreateFrom(SoapEnvelope
envelope, String localActor, String serviceActor)
  at
Microsoft.Web.Services3.Security.ReceiveSecurityFilter.ProcessMessage(SoapEnvelope envelope)
  at Microsoft.Web.Services3.Pipeline.ProcessInputMessage(SoapEnvelope
envelope)
  at Microsoft.Web.Services3.WseProtocol.FilterRequest(SoapEnvelope
requestEnvelope)
  at Microsoft.Web.Services3.WseProtocol.RouteRequest(SoapServerMessage
message)
  at System.Web.Services.Protocols.SoapServerProtocol.Initialize()
  at System.Web.Services.Protocols.ServerProtocolFactory.Create(Type type,
HttpContext context, HttpRequest request, HttpResponse response, Boolean&
abortProcessing)
  --- End of inner exception stack trace ---
  --- End of inner exception stack trace ---

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

Am I creating the certs incorrectly?  Is there something I need to do to
open up permissions for ASPNET for something it doesn't have already?  Any
help would be greatly appreciated!

Regards,
Joel
Pablo Cibraro - 27 Feb 2006 14:15 GMT
Hi Joel,

You need to give read permissions over the private keys to ASP.NET.
You can give those permissions using the Certificate tool provided by WSE or
using the tool "winhttpcertcfg.exe".

Regards,
Pablo Cibraro
http://weblogs.asp.net/cibrax

Joel C. - 28 Feb 2006 03:41 GMT
That fixed the problem, but only after killing the aspnet_wp.exe process,
which is odd.  Of course, I completely butchered the permissions on that
entire directory structure trying things so now I should probably
reinstall...  doh!!

Thanks for the help, Pablo.

jc

rkersten@gmail.com - 06 Mar 2006 12:23 GMT
Hi Pablo,

I have the same problem as Joel C., only even after giving the required
permissions to ASP.Net it still doesn't work.
I even gave ASP.Net administrator rights to see whether it would do the
trick.

After each adjustment in rights I restarted IIS. I even restarted the
entire server, just to be sure there wasn't anything being cached.

Here:
http://www.webserviceshelp.org/wsh/Discussions/WSE/postings/WSE600+Unable+to+unwrap+a+symmetric+key+using+the+private+key+of+5191B425B71B4208B004EC34E8CE3634mic.htm

are some people who have the same problem, but unfortunately no
solution.

I hope you or someone else can help me.

Kind regards,
Ronald
Mamont - 04 Apr 2006 08:47 GMT
Hi all,

I had the same problem, but I fixed it!

The problem is using a CA certificate.
If you use "Test Root" you must make certificates without signing.

For a production system you must disable "Test Root" and set up a CA service.
roger_27 - 14 Oct 2006 00:10 GMT
I HAVE DISCOVERED THE SOLUTION!!!

ms-help://MS.WSE30.1033/WSE3.0/html/b5a8bce9-31a2-444c-a762-86f5bf2abd96.htm

This was the correct URL; follow step #2 exactly.

Once you try running it again it should work. It doesn't work, you say?

Right-click your solution and pick "Rebuild Solution", then run it.

The problem is that Microsoft's tutorial doesn't mention you need to
REBUILD the solution after you have given ASPNET rights, not just build.  I'm
not 100% sure of the reason, but I think it has to do with the changes done in
the <process model> node in the machine.config file.  These changes are not
reflected until you rebuild the solution. This worked for me, and I tested it
on the machine next to me, then I tested it again on the machine next to me.
This has fixed the problem all 3 times. I am about 90% sure this will solve
the problem for you.

Also, if ASPNET is not found in the list of accounts (in the certificate
tool, after you have selected to view private key file properties, and then
clicked the "security" tab, then clicked "add"), you need to click
"Locations", highlight your computer (which is usually the topmost node),
then click "OK", then type "ASPNET" in the "Enter object names" box and click
OK. ASPNET should be added now. All you need to assign it is read/read &
execute rights.

Hope this helps. I am the champion!
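
The permission check discussed in this thread can also be scripted. The following is an added example, not code from any poster or from WSE: it locates the private key file behind the certificate named in the WSE600 error and shows (or, with -Grant, adds) a Read entry for the ASPNET account. It assumes a CSP-backed key in LocalMachine\My (as makecert -sk creates), an elevated Windows PowerShell session, and the thumbprint from the error text above; the parameter names are illustrative.

```powershell
# Added example: inspect and optionally grant Read on a certificate's private key file.
# Assumptions: CSP key in LocalMachine\My, elevated Windows PowerShell session.
param(
    [string]$Thumbprint = 'B4DF9BA97312A30FC113F802F9BD684901C1645D',  # from the WSE600 message
    [string]$Account    = "$env:COMPUTERNAME\ASPNET",
    [switch]$Grant
)

$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) { throw "No certificate with thumbprint $Thumbprint in LocalMachine\My" }
if (-not $cert.HasPrivateKey) { throw "Certificate has no associated private key" }

# Map the certificate to its key container file under MachineKeys.
$container = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
$keyDir    = Join-Path ([Environment]::GetFolderPath('CommonApplicationData')) `
                       'Microsoft\Crypto\RSA\MachineKeys'
$keyFile   = Join-Path $keyDir $container
if (-not (Test-Path -LiteralPath $keyFile)) { throw "Key file not found: $keyFile" }

# Show who can currently touch the key file.
$acl = Get-Acl -LiteralPath $keyFile
$acl.Access | Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize

# Look for a direct Allow entry that includes Read (group membership is not resolved here).
$read    = [System.Security.AccessControl.FileSystemRights]::Read
$hasRead = $acl.Access | Where-Object {
    $_.IdentityReference.Value -ieq $Account -and
    $_.AccessControlType -eq 'Allow' -and
    ($_.FileSystemRights -band $read) -eq $read
}

if ($hasRead) {
    "$Account already has Read on $keyFile"
} elseif ($Grant) {
    # Read is the only right added; nothing broader is needed for the unwrap operation.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Account, $read, 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $keyFile -AclObject $acl
    "Granted Read to $Account on $keyFile"
} else {
    "$Account has no Read entry on $keyFile; re-run with -Grant to add one"
}
```

As reported earlier in the thread, the change may only take effect once the aspnet_wp.exe worker process has been restarted.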
