.NET Forum / ASP.NET / Web Services / September 2006

WSE 3.0 CertSrv Request

Techno_Dex - 31 Aug 2006 19:57 GMT
I am having a problem creating the appropriate Certificates for mutual X509
security using our in-house Cert Authority with the CertSrv wizard.  I have
not found any good documentation on what type of certificates need to be
created and which parameters need to be set in the CertSrv.  I took a look
at Pablo's blog
http://weblogs.asp.net/cibrax/archive/2006/08/08/Creating-X509-Certificates-for-WSE-or-WCF.aspx

but all that does is obscure the CertSrv Template that is used to create the
desired Certificates instead of explaining which options need to be set.

So far I am using the Advanced request option in the CertSrv and using the
CA form option to populate the cert details.  I'm assuming that the Intended
Purpose is "Server Authentication Certificate" for the WS side and "Client
Authentication Certificate" for the Client side.  From Pablo's blog it
appears I need to set the CSP to "Microsoft Enhanced Cryptographic Provider
1.0".  I marked the Key Usage as Both (Exchange and Signature), set the Key
Size to 1024, checked Create new key set, Mark Keys as exportable.  I set
the Hash algorithm to SHA-1....  Can someone shed some light on what I'm
missing?
Pablo Cibraro [MVP] - 06 Sep 2006 15:11 GMT
Hi,

> I need to set the CSP to "Microsoft Enhanced Cryptographic Provider 1.0".
> I marked the Key Usage as Both (Exchange and Signature), set the Key Size
> to 1024, checked Create new key set, Mark Keys as exportable.  I set the
> Hash algorithm to SHA-1

All those settings are correct, so what error are you receiving from WSE
when you try to use those certificates?

Regards,
Pablo Cibraro
http://weblogs.asp.net/cibrax

Techno_Dex - 06 Sep 2006 20:50 GMT
I'm mainly looking for information on what settings to use when requesting
Certificates to use with WSE 3.0 down the road for users and services.  From
what I can tell, it appears there are issues like setting up and configuring
Certificate Templates for "Client Authentication", "Service Authentication" and
"Code Signing" that all need to be configured in the Certificate Authority
before a certificate is ever requested.  Nowhere in the documentation that
I have seen does it discuss what the certificate requirements are (granted
the how is not necessarily WSE's problem), the Encryption Provider to use,
the Key formats that should be generated and exported, etc.  I guess I was
mainly looking for some guidance into what types of certs to generate and
how.  I keep seeing "export the *.pfx certificate", but when certs are
generated, there is no option of using a *.pfx, only a *.cer.  So far I
have hobbled my way through what I think is correct but was looking for some
confirmation.

Currently I have both a Client Authentication and Service Authentication
certificate installed on my test machine.  I exported the Service's Public
Key and imported that into the Certificates snap-in also.  I have hit
various exceptions but not sure what is helping and what is hurting when I
make changes.  Currently I'm getting the exception "Security requirements
are not satisfied because the security header is not present in the incoming
message."

Techno_Dex - 06 Sep 2006 22:12 GMT
The InputTrace from the Client has the following error message.  The
Client OutputTrace looks clean.  I am unable to get the Service to spit out
any logging info when using a VS ASP.NET Development Server.

- <soap:Fault>
 <faultcode>soap:MustUnderstand</faultcode>
 <faultstring>System.Web.Services.Protocols.SoapHeaderException: SOAP
header Security was not understood. at
System.Web.Services.Protocols.SoapHeaderHandling.SetHeaderMembers(SoapHeaderCollection
headers, Object target, SoapHeaderMapping[] mappings, SoapHeaderDirection
direction, Boolean client) at
System.Web.Services.Protocols.SoapServerProtocol.CreateServerInstance() at
System.Web.Services.Protocols.WebServiceHandler.Invoke() at
System.Web.Services.Protocols.WebServiceHandler.CoreProcessRequest()</faultstring>
 </soap:Fault>

Pablo Cibraro [MVP] - 07 Sep 2006 18:33 GMT
mmm, it seems that something is badly configured on the server side. Take a
look at the server trace to see if you can find any error there.

Regards,
pablo.

Techno_Dex - 07 Sep 2006 19:35 GMT
I finally stumbled across the Service log files (was looking too deep in the
directory structure).  The only thing I have in that log file is an error
from yesterday before I started changing params trying to find a resolution
to the problem.  That appeared to be an authentication issue, but I don't
have anything since then, so I'm pretty sure the Client proxy call isn't
getting to the Service at all.  Could it have something to do with the
ASP.NET Development Server caching info like IIS would if it were running
under IIS?  My understanding is that the ASP.NET Development Server runs
under the current user's credentials so it should have access to the Cert
Store.  I'm still stuck.  I've looked over the WSE Labs for Mutual11Security
and everything appears to be configured the same (except for the Virtual
Directories in IIS) from what I can tell.  Any other thoughts??

Techno_Dex - 07 Sep 2006 19:42 GMT
What would cause the security header not to be present in the message being
sent from the client???? My InputLog from the client contains
"Security requirements are not satisfied because the security header is not
present in the incoming message."

Techno_Dex - 07 Sep 2006 19:58 GMT
The output trace has the following....
   <processingStep description="Entering SOAP filter
Microsoft.Web.Services3.Design.MutualCertificate11Assertion+ClientOutputFilter"
/>
   <processingStep description="Exception thrown: WSE910: An error happened
during the processing of a response message, and you can find the error in
the inner exception.  You can also find the response message in the Response
property.">   at
Microsoft.Web.Services3.Messaging.SoapClient.SendRequestResponse(String
methodname, SoapEnvelope envelope)
  at
Microsoft.Web.Services3.Security.SecurityTokenServiceClient.RequestSecurityToken(SecurityTokenMessage
request, String methodName)
  at
Microsoft.Web.Services3.Security.SecurityContextTokenServiceClient.RequestSecurityContextToken(AppliesTo
appliesTo)
  at
Microsoft.Web.Services3.Security.SecurityContextTokenServiceClient.IssueSecurityContextToken(AppliesTo
appliesTo)
  at
Microsoft.Web.Services3.Security.Tokens.SecurityContextTokenManager.RequestTokenFromIssuer(EndpointReference
tokenIssuer, String tokenType, AppliesTo appliesTo, Policy policy,
SoapProtocolVersion soapVersion, StateManager messageState, StateManager
operationState, StateManager sessionState)
  at
Microsoft.Web.Services3.Security.SecureConversationClientSendSecurityFilter.EstablishSecureConversation(SoapEnvelope
envelope)
  at
Microsoft.Web.Services3.Security.SecureConversationClientSendSecurityFilter.SecureMessage(SoapEnvelope
envelope, Security security)
  at
Microsoft.Web.Services3.Security.SendSecurityFilter.ProcessMessage(SoapEnvelope
envelope)
  at Microsoft.Web.Services3.Pipeline.ProcessOutputMessage(SoapEnvelope
envelope)</processingStep>

Techno_Dex - 07 Sep 2006 21:54 GMT
After looking closer at the Exception Stack Trace I went back and added in
an extra line to the web.config file that I found a reference to at
http://objectsharp.com/blogs/bruce/archive/2005/11/21/3617.aspx
Apparently the RTM of WSE 3.0 (which I'm pretty sure I am using) doesn't add
the following line to the config file.
<soapServerProtocolFactory type="Microsoft.Web.Services3.WseProtocolFactory,
Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral,
PublicKeyToken=31bf3856ad364e35" />
This was preventing me from communicating with the WebService.  Once I was
able to get through to the WS, I ran into some certificate problems which I
have temporarily resolved by adding the Client's Public Key Cert into the
Trusted People section of the Local Machine Store.  I believe the
Authentication of the Certificate could not be verified through the Trust,
which is odd since I have the Root CA's Public Key Cert installed in the
Trusted Root Certification Authorities of the Local Machine Store.  It looks
like I still have a little ways to go but getting closer.  If you have any
input about the Cert let me know; in the meantime it looks like I need to
download the newer version of WSE 3.0.

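The thread turns on two questions that the posts never answer in a checkable way: whether the certificates issued by the in-house CA actually carry the Client/Server Authentication purpose, key usage, key size and private key that the first post asked about, and why chain validation against a root that is present in Trusted Root Certification Authorities still failed until the client certificate was dropped into Trusted People. The following diagnostic is an added example written for this page; it is not code from the thread, from Pablo's blog, or from WSE. It takes a .cer or .pfx path and a required purpose on the command line (these arguments, the class name `CertDiagnostics` and the `Report` method are assumptions of this example), prints the certificate's attributes, and then builds the chain the way a relying party does, reporting each `X509ChainStatus` so that an `UntrustedRoot` or `PartialChain` is visible rather than guessed at. The two EKU OIDs are the standard values for Client Authentication and Server Authentication.

```csharp
// Added diagnostic for this thread; not code from WSE or the original posts.
// Assumes: args[0] is a .cer (public key only) or .pfx path, args[1] is
// "client" or "server", args[2] is an optional .pfx password.
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

public static class CertDiagnostics
{
    // Standard EKU OIDs for the two purposes discussed in the thread.
    const string ClientAuthOid = "1.3.6.1.5.5.7.3.2";
    const string ServerAuthOid = "1.3.6.1.5.5.7.3.1";

    public static void Main(string[] args)
    {
        if (args.Length < 2)
        {
            Console.WriteLine("usage: CertDiagnostics <cert.cer|cert.pfx> client|server [pfx-password]");
            return;
        }
        string password = args.Length > 2 ? args[2] : null;
        var cert = new X509Certificate2(args[0], password, X509KeyStorageFlags.DefaultKeySet);
        Report(cert, args[1] == "client" ? ClientAuthOid : ServerAuthOid);
    }

    public static void Report(X509Certificate2 cert, string requiredEkuOid)
    {
        Console.WriteLine("Subject:        " + cert.Subject);
        Console.WriteLine("Issuer:         " + cert.Issuer);
        Console.WriteLine("Signature alg:  " + cert.SignatureAlgorithm.FriendlyName);
        Console.WriteLine("Key size:       " + cert.PublicKey.Key.KeySize);
        // A .cer exported as "public key only" never carries the private key;
        // only a .pfx export (which requires "Mark keys as exportable") does.
        Console.WriteLine("Private key:    " + (cert.HasPrivateKey ? "present" : "absent (.cer export?)"));

        foreach (X509Extension ext in cert.Extensions)
        {
            var ku = ext as X509KeyUsageExtension;
            if (ku != null)
                Console.WriteLine("Key usage:      " + ku.KeyUsages);   // expect DigitalSignature | KeyEncipherment for "Both"
            var eku = ext as X509EnhancedKeyUsageExtension;
            if (eku != null)
                foreach (Oid oid in eku.EnhancedKeyUsages)
                    Console.WriteLine("EKU:            " + oid.FriendlyName + " (" + oid.Value + ")");
        }

        // Build the chain as a relying party would: the issuing root must be in
        // Trusted Root Certification Authorities of the store the process sees,
        // and the chain must be valid for the required purpose. ChainStatus
        // states exactly why a build failed instead of leaving it to guesswork.
        var chain = new X509Chain();
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck; // a lab CA may publish no CRL
        chain.ChainPolicy.ApplicationPolicy.Add(new Oid(requiredEkuOid));
        bool valid = chain.Build(cert);
        Console.WriteLine("Chain valid:    " + valid);
        foreach (X509ChainStatus status in chain.ChainStatus)
            Console.WriteLine("  " + status.Status + ": " + status.StatusInformation.Trim());
        foreach (X509ChainElement element in chain.ChainElements)
            Console.WriteLine("  -> " + element.Certificate.Subject);
    }
}
```

Run it under the same account the service process uses, because the Current User and Local Machine stores differ per account; a root that is trusted for the developer's interactive session is not necessarily trusted for the account hosting the web service, and that is the first thing to rule out before placing end-entity certificates in Trusted People, which bypasses chain validation for that one certificate rather than fixing the trust path. If `ApplicationPolicy` is the only failure reported, the CA template issued the certificate without the expected authentication purpose, which is the template configuration question raised in the second post.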

©2008 Advenet LLC   Privacy Policy - Terms of Use