.NET Forum / ASP.NET / Web Services / April 2006
Why am I getting WSE2008: KerberosToken is expected but not present in the security header of the incoming message.
Howard Hoffman - 17 Apr 2006 15:16 GMT
I'm working with a WSE3 client and WSE3 server. I'm getting the above error when my client tries to call a Web Service method on the server.
Debugging the problem, I tried using the QuickStart WSSecurityKerberos Policy sample. When I use the QuickStart sample everything works just fine (both client and server applications are running on the same Windows 2003 R2 Server machine -- a 64-bit machine w/ 4 Intel Xeon 2.8GHz processors, w/ 4GB of RAM).
However, when I take the identical wse3policy.config settings from client and server (each) and put them into a 2nd application on that same machine (also with client app and server app running on same box), the output processing of the client includes Wse2PipelinePolicy+LegacyFilterWrapper.
I'm thinking that this is the crux of the problem, but I do not know how to fix it.
When I turn detailed tracing on and look at the client-side OutputTrace.webinfo in my application, indeed I do *not* see any Kerberos info. Here is a partial paste of that trace:

<outputMessage utc="4/17/2006 1:24:46 PM" messageId="urn:uuid:3daeb0fb-49f3-4c17-bb87-4bfca210c00b">
  <processingStep description="Unprocessed message">
    <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
      <soap:Body>
        <ImagingFolioStore xmlns="urn:digimarc.com:ImageServer:WebServices">
          <folio xmlns="urn:digimarc.com:imaging"> ... </folio>
        </ImagingFolioStore>
      </soap:Body>
    </soap:Envelope>
  </processingStep>
  <processingStep description="Entering SOAP filter Microsoft.Web.Services3.Security.Wse2PipelinePolicy+LegacyFilterWrapper" />
  <processingStep description="Exited SOAP filter Microsoft.Web.Services3.Security.Wse2PipelinePolicy+LegacyFilterWrapper" />
  <processingStep description="Entering SOAP filter Microsoft.Web.Services3.Security.Wse2PipelinePolicy+LegacyFilterWrapper" />
  <processingStep description="Exited SOAP filter Microsoft.Web.Services3.Security.Wse2PipelinePolicy+LegacyFilterWrapper" />
  <processingStep description="Processed message">
On the other hand, here is the OutputTrace.webinfo from the WSSecurityKerberos Policy sample. Note that it contains Kerberos processing:
<outputMessage utc="4/14/2006 9:10:54 PM" messageId="urn:uuid:e3e4d2ca-e4fe-4362-87a5-11d5898886c6">
  <processingStep description="Unprocessed message">
    <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
      <soap:Body>
        <StockQuoteRequest xmlns="http://stockservice.contoso.com/wse/samples/2005/10">
          <symbols>
            <Symbol>FABRIKAM</Symbol>
            <Symbol>CONTOSO</Symbol>
          </symbols>
        </StockQuoteRequest>
      </soap:Body>
    </soap:Envelope>
  </processingStep>
  <processingStep description="Entering SOAP filter Microsoft.Web.Services3.Design.KerberosAssertion+ClientOutputFilter" />
  <processingStep description="Exited SOAP filter Microsoft.Web.Services3.Design.KerberosAssertion+ClientOutputFilter" />
  <processingStep description="Processed message">
Why the differences? How do I fix?
Howard Hoffman
Pablo Cibraro - 17 Apr 2006 19:41 GMT
Hi Howard,
Did you configure the Web service and the proxy to use the WSE policy (Kerberos)? (Calling the method SetPolicy or using the attribute "Policy".)
Regards, Pablo Cibraro http://weblogs.asp.net/cibrax
> I'm working with a WSE3 client and WSE3 server. I'm getting the above
> error when my client tries to call a Web Service method on the server.
[quoted text clipped - 77 lines]
>
> Howard Hoffman

Howard Hoffman - 17 Apr 2006 23:49 GMT
Pablo --
I'm using the Policy attribute on both Client and Server.
Here's my client code:
[Microsoft.Web.Services3.Policy("AuthorizationPolicy")]
partial class ImageServiceWse : Microsoft.Web.Services3.WebServicesClientProtocol
{
}
and policy config:
<policies xmlns="http://schemas.microsoft.com/wse/2005/06/policy">
  <extensions>
    <extension name="kerberosSecurity" type="Microsoft.Web.Services3.Design.KerberosAssertion, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
    <extension name="kerberos" type="Microsoft.Web.Services3.Design.KerberosTokenProvider, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
    <extension name="requireActionHeader" type="Microsoft.Web.Services3.Design.RequireActionHeaderAssertion, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
  </extensions>
  <policy name="AuthorizationPolicy">
    <kerberosSecurity establishSecurityContext="false" requireSignatureConfirmation="false" messageProtectionOrder="SignBeforeEncrypt" requireDerivedKeys="false" ttlInSeconds="300">
      <token>
        <!-- By default this sample does not work until you have changed the TargetMachineName value -->
        <!-- Change the TargetMachineName value to the machine name with the Web Service e.g. targetPrincipal="host/server1" -->
        <kerberos targetPrincipal="host/PAISDEV2" impersonationLevel="Identification" />
      </token>
      <protection>
        <request signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true" />
        <response signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true" />
        <fault signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="false" />
      </protection>
    </kerberosSecurity>
    <requireActionHeader />
  </policy>
</policies>
Here's my server policy config:
<policies xmlns="http://schemas.microsoft.com/wse/2005/06/policy">
  <extensions>
    <extension name="kerberosSecurity" type="Microsoft.Web.Services3.Design.KerberosAssertion, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
    <extension name="requireActionHeader" type="Microsoft.Web.Services3.Design.RequireActionHeaderAssertion, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
  </extensions>
  <policy name="AuthorizationPolicy">
    <kerberosSecurity establishSecurityContext="false" requireSignatureConfirmation="false" messageProtectionOrder="SignBeforeEncrypt" requireDerivedKeys="false" ttlInSeconds="300">
      <protection>
        <request signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true" />
        <response signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true" />
        <fault signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="false" />
      </protection>
    </kerberosSecurity>
    <requireActionHeader />
  </policy>
</policies>
Thanks in advance,
Howard
> Hi Howard,
>
[quoted text clipped - 90 lines]
>>
>> Howard Hoffman

Steven Cheng[MSFT] - 18 Apr 2006 03:24 GMT
Hi Howard,
From the trace log from the client side, it seems the Kerberos policy assertion is not applied on the application. Though you've used the PolicyAttribute in the client-side proxy's partial class file to apply the PolicyAssertion, I would still suggest you try using code to apply the Policy on the WSE client proxy class (using the SetPolicy method instead of the attribute) to see whether it helps. I remember that the WSE Kerberos example's client proxy always uses code to programmatically apply the policy assertion.
Regards,
Steven Cheng Microsoft Online Community Support
==================================================
When responding to posts, please "Reply to Group" via your newsreader so that others may learn and benefit from your issue.
==================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
Howard Hoffman - 18 Apr 2006 13:07 GMT
I was skeptical that your suggestion could be the answer ... but it works!
I changed my WSE client to not extend the generated partial class with the Policy[] attribute, and instead to call the SetPolicy() method on the generated proxy.
I'm much happier now!
Just for completeness, I'm wondering if I've hit a WSE3 defect -- not being able to use a Policy attribute on an extension to the generated proxy?
Thank you very much,
Howard Hoffman
> Hi Howard,
>
[quoted text clipped - 23 lines]
> This posting is provided "AS IS" with no warranties, and confers no
> rights.

Steven Cheng[MSFT] - 18 Apr 2006 14:17 GMT
Thank you for the response Howard,
I'm also happy that you got it working, at least through the programmatic approach.
Actually, this suggestion was just used to make sure there is nothing else incorrect and only the policy configuration issue. And based on my test, we can certainly use the "PolicyAttribute" for the client proxy class as long as we make sure that our partial class's full name (namespace + class name) is identical to the designer-generated class, e.g.:
======== designer generated one =========
namespace WSE3Client.WSE3Service {
    ........................
    public partial class ServiceWse : Microsoft.Web.Services3.WebServicesClientProtocol {
    ..............
=============================

======= my custom partial class file ========
namespace WSE3Client.WSE3Service
{
    [Microsoft.Web.Services3.Policy("ClientPolicy")]
    public partial class ServiceWse
    {
    }
}
======================
This did work. So I think you can have a further check on this class's name and namespace; also, make sure your partial class's accessor is "public" so as to make it also identical to the designer-generated one.
Hope this helps.
Regards,
Steven Cheng Microsoft Online Community Support
Steven Cheng[MSFT] - 20 Apr 2006 15:37 GMT
Hi Howard,
Have you tried the further things in my last reply, or have you finally got the declarative approach to work? If there is still anything else we can help with, please feel free to post here.
Regards,
Steven Cheng Microsoft Online Community Support
Howard Hoffman - 20 Apr 2006 22:25 GMT
Steve -
Changing to the imperative approach worked! I apologize for not replying sooner. After that worked, I re-examined my declarative code and found that my partial class was in the wrong namespace. A C# goof on my part. I fixed up the namespace issue, and now the declarative approach works as well.
Thank you for helping me find my problem.
Howard Hoffman
> Hi Howard,
>
[quoted text clipped - 19 lines]
> (This posting is provided "AS IS", with no warranties, and confers no
> rights
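The root cause reported at the end of the thread, shown as an added example that is not part of any poster's message: a partial class declared in a different namespace is a separate type, so the policy attribute never reaches the generated proxy, and a reflection check makes that visible. The namespace and class names are constructed, and the stand-in attribute and base class only mimic the shape of the WSE 3.0 types so the file compiles without WSE installed.

```csharp
using System;

// Stand-ins (assumption): same shape as Microsoft.Web.Services3.PolicyAttribute
// and WebServicesClientProtocol, but not the WSE 3.0 types themselves.
namespace Wse3StandIn
{
    [AttributeUsage(AttributeTargets.Class)]
    public sealed class PolicyAttribute : Attribute
    {
        public string Name { get; }
        public PolicyAttribute(string name) { Name = name; }
    }
    public class WebServicesClientProtocol { }
}

// What the proxy generator emits (constructed namespace and class name).
namespace ImagingClient.ImageService
{
    public partial class ImageServiceWse : Wse3StandIn.WebServicesClientProtocol { }
}

// The mistake: same class name, different namespace. This compiles cleanly,
// but it declares a second, unrelated type, and the attribute lands on it.
namespace ImagingClient
{
    [Wse3StandIn.Policy("AuthorizationPolicy")]
    partial class ImageServiceWse : Wse3StandIn.WebServicesClientProtocol { }
}

public static class PolicyCheck
{
    // Returns the policy name bound to a proxy type, or null if none is bound.
    public static string BoundPolicy(Type proxyType)
    {
        var attr = (Wse3StandIn.PolicyAttribute)Attribute.GetCustomAttribute(
            proxyType, typeof(Wse3StandIn.PolicyAttribute));
        return attr?.Name;
    }

    public static void Main()
    {
        // The generated proxy reports no policy; only the stray type has one.
        foreach (var t in new[] { typeof(ImagingClient.ImageService.ImageServiceWse),
                                  typeof(ImagingClient.ImageServiceWse) })
            Console.WriteLine($"{t.FullName}: policy = {BoundPolicy(t) ?? "(none)"}");
    }
}
```

A check like `BoundPolicy` run against the proxy type at client startup catches an unbound security policy before the first request is sent, rather than through a WSE2008 fault from the server.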