 |
 | Home | Contact Us | FAQ | Search & Site Map | Link to Us |
 | Sign In | Join | Other 45 Sites in Network |
.NET Forum / ASP.NET / Web Services / October 2006Unable to unwrap a symmetric key using the private key of an X.509
I have walked through all of the WSE 3 Hands on Labs and got everything working fine. When I create my own certificate and install it in the stores, my client application that is consuming my WSE enabled webservice receives the following error (noted at the very bottom of this post). My objective here is to create and secure a service application (webservice) using an x509 test cert that requests a client certificate; and to create a test client to consume this service. Following the makecert command that I used: makecert -pe -n "CN=DecisionOne Corporation" -ss root -sr localmachine DecisionOneEBSServices.cer I installed this cert along with the embedded private key to the following stores: Current User - personal, trusted root, and other people stores Local Computer - personal, trusted root, and other people stores Using the WSE 3.0 certificates tool, I gave FULL access to Everyone and the ASPNET user for all the 6 stores. I enabled allow test roots in my WSE 3.0 settings>security for BOTH the client and the webservice. Following is the policy file for my client: <policies xmlns="http://schemas.microsoft.com/wse/2005/06/policy"> <extensions> <extension name="usernameForCertificateSecurity" type="Microsoft.Web.Services3.Design.UsernameForCertificateAssertion, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" /> <extension name="mutualCertificate11Security" type="Microsoft.Web.Services3.Design.MutualCertificate11Assertion, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" /> <extension name="x509" type="Microsoft.Web.Services3.Design.X509TokenProvider, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" /> <extension name="requireActionHeader" type="Microsoft.Web.Services3.Design.RequireActionHeaderAssertion, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" /> </extensions> <policy name="DellCertPolicy"> <mutualCertificate11Security establishSecurityContext="false" renewExpiredSecurityContext="true" requireSignatureConfirmation="true" messageProtectionOrder="SignBeforeEncrypt" requireDerivedKeys="true" ttlInSeconds="300"> <clientToken> <x509 storeLocation="CurrentUser" storeName="My" findValue="CN=DecisionOne Corporation" findType="FindBySubjectDistinguishedName" /> </clientToken> <serviceToken> <x509 storeLocation="LocalMachine" storeName="AddressBook" findValue="CN=DecisionOne Corporation" findType="FindBySubjectDistinguishedName" /> </serviceToken> <protection> <request signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true" /> <response signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true" /> <fault signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="false" /> </protection> </mutualCertificate11Security> <requireActionHeader /> </policy> </policies> Following is the policy file for my webservice: <policies xmlns="http://schemas.microsoft.com/wse/2005/06/policy"> <extensions> <extension name="usernameForCertificateSecurity" type="Microsoft.Web.Services3.Design.UsernameForCertificateAssertion, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" /> <extension name="mutualCertificate11Security" type="Microsoft.Web.Services3.Design.MutualCertificate11Assertion, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" /> <extension name="x509" type="Microsoft.Web.Services3.Design.X509TokenProvider, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" /> <extension name="requireActionHeader" type="Microsoft.Web.Services3.Design.RequireActionHeaderAssertion, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" /> </extensions> <policy name="DellCertPolicy"> <mutualCertificate11Security establishSecurityContext="false" renewExpiredSecurityContext="true" requireSignatureConfirmation="true" messageProtectionOrder="SignBeforeEncrypt" requireDerivedKeys="true" ttlInSeconds="300"> <serviceToken> <x509 storeLocation="LocalMachine" storeName="My" findValue="CN=DecisionOne Corporation" findType="FindBySubjectDistinguishedName" /> </serviceToken> <protection> <request signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true" /> <response signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true" /> <fault signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="false" /> </protection> </mutualCertificate11Security> <requireActionHeader /> </policy> </policies> And finally, the ERROR from the event viewer. Event Type: Error Event Source: Microsoft WSE 3.0 Event Category: None Event ID: 0 Date: 6/12/2006 Time: 2:27:58 PM User: N/A Computer: WMDVFRA002 Description: System.ApplicationException: WSE841: An error occured processing an outgoing fault response. ---> System.Web.Services.Protocols.SoapException: System.Web.Services.Protocols.SoapException: Server was unable to process request. ---> System.Security.Cryptography.CryptographicException: WSE600: Unable to unwrap a symmetric key using the private key of an X.509 certificate. Please check if the account 'WMDVFRA002\ASPNET' has permissions to read the private key of certificate with subject name 'CN=DecisionOne Corporation' and thumbprint '32213F525B6DD6A8FDCA2D1E0876B873F44C759B'. ---> System.Security.Cryptography.CryptographicException: WSE593: Unable to decrypt the key. Please check if the process has the right permission to access the private key. ---> System.Security.Cryptography.CryptographicException: Bad Key. at System.Security.Cryptography.CryptographicException.ThrowCryptogaphicException(Int32 hr) at System.Security.Cryptography.Utils._DecryptKey(SafeKeyHandle hPubKey, Byte[] key, Int32 dwFlags) at System.Security.Cryptography.RSACryptoServiceProvider.Decrypt(Byte[] rgb, Boolean fOAEP) at Microsoft.Web.Services3.Security.Cryptography.RSA15KeyExchangeFormatter.DecryptKey(Byte[] cipherKey) --- End of inner exception stack trace --- at Microsoft.Web.Services3.Security.Cryptography.RSA15KeyExchangeFormatter.DecryptKey(Byte[] cipherKey) at Microsoft.Web.Services3.Security.EncryptedKey.Decrypt() --- End of inner exception stack trace --- at Microsoft.Web.Services3.Security.EncryptedKey.Decrypt() at Microsoft.Web.Services3.Security.Security.LoadXml(XmlElement element) at Microsoft.Web.Services3.Security.Security.CreateFrom(SoapEnvelope envelope, String localActor, String serviceActor) at Microsoft.Web.Services3.Security.ReceiveSecurityFilter.ProcessMessage(SoapEnvelope envelope) at Microsoft.Web.Services3.Pipeline.ProcessInputMessage(SoapEnvelope envelope) at Microsoft.Web.Services3.WseProtocol.FilterRequest(SoapEnvelope requestEnvelope) at Microsoft.Web.Services3.WseProtocol.RouteRequest(SoapServerMessage message) at System.Web.Services.Protocols.SoapServerProtocol.Initialize() at System.Web.Services.Protocols.ServerProtocolFactory.Create(Type type, HttpContext context, HttpRequest request, HttpResponse response, Boolean& abortProcessing) --- End of inner exception stack trace --- --- End of inner exception stack trace --- Any help is appreciated, I am out of options. My thoughts are that I created the certificate or installed it incorrectly. Thanks very much! Hi, The problem is related to the certificate store on the web service side. You installed the certificate in "OtherPeople" store but the policy points to the store "My", which is the personal store.. 1. You should change the policy to use "AddressBook" or 2. You should install the certificate in the "Personal" store. Regards, Pablo Cibraro http://weblogs.asp.net/cibrax >I have walked through all of the WSE 3 Hands on Labs and got everything > working fine. When I create my own certificate and install it in the [quoted text clipped - 181 lines] > created the certificate or installed it incorrectly. > Thanks very much! Pablo, I appreciate your assistance, but your recommendation did not solve my problem; I am still receiving the same error. I modified my webservice's policy to point to AddressBook store instead of My, as follows: <!--<x509 storeLocation="LocalMachine" storeName="My" findValue="CN=DecisionOne Corporation" findType="FindBySubjectDistinguishedName" />--> <x509 storeLocation="LocalMachine" storeName="AddressBook" findValue="CN=DecisionOne Corporation" findType="FindBySubjectDistinguishedName" /> I recompiled the webservice and then updated the webreference from the client and the client still gets the same error. Unchanged from my previous post, the certificate (public and private key) is installed in the personal store of both local computer and current user and I have given proper permissions to everyone for all of the certs in all stores. Is it possible that my cert was not created properly with makecert? I can't seem to figure out why I was able to get the lab sample working, but not my own. Any help is appreciated! > Hi, > [quoted text clipped - 194 lines] > > created the certificate or installed it incorrectly. > > Thanks very much! I am having the same problem while using Hands on Lab doc. Plus the Hands on Doc seems to be poorly written since it is skipping few important steps. Does any one know of a reworked Hands on lab doc. > I have walked through all of the WSE 3 Hands on Labs and got everything > working fine. When I create my own certificate and install it in the stores, [quoted text clipped - 170 lines] > created the certificate or installed it incorrectly. > Thanks very much! > I have walked through all of the WSE 3 Hands on Labs and got everything > working fine. When I create my own certificate and install it in the stores, [quoted text clipped - 170 lines] > created the certificate or installed it incorrectly. > Thanks very much! hi did ur problem got solved?? im having the same issue. helpppppppppppppppppppp Posted from http://www.topxml.com/renntp using reNNTP: the website based NNTP reader. I HAVE DISCOVERED THE SOLUTION!!! ms-help://MS.WSE30.1033/WSE3.0/html/b5a8bce9-31a2-444c-a762-86f5bf2abd96.htm this was the correct URL, follow step #2 exactly. once you try running it again it should work. it doesnt work you say ? right click your solution and pick "Rebuild Solution" then run it. the problem is that in microsofts tutorial it doesn't mention you need to REBUILD the solution after you have given ASPNET right, not just build. I'm not 100% sure the reason, but I think it has to do with the changes done in the <process model> node in the machine.config file. these changes do not reflect untill you rebuild the solution. this worked for me, and I tested it on the machine next to me, then I tested it again on the machine next to me. this has fixed the problem all 3 times. I am about 90% sure this will solve the problem for you. also, if ASPNET is not found in the list of accounts, (in the certificate tool, after you have selected to view private key file properties, and then clicked the "security" tab, then clicked "add"), you need to click "Locations", highlight your computer (which is usually the top most node) then click "OK" then type "ASPNET" in the "Enter object names" box and click OK. ASPNET should be added now. all you need to assign it is read/read & execute rights. hope this helps. I am the champion! Free MagazinesGet these publications absolutely FREE for up to 12 months. There are no hidden fees and no obligation. Simply choose a title, complete the application form and submit it. Read more ...
|
Reply to this Message
|
 Sign In
 Join
 My Latest Posts My Monitored Threads My Blog My Photo Gallery My Profile My Homepage Start New Thread Enable EMail Alerts Rate this Thread
|
©2008 Advenet LLC Privacy Policy - Terms of Use
This website includes both content owned or controlled by Advenet as well as content owned or controlled by third parties.