I am in the middle of migrating my test environment to a more realistic
scenario, but am having some issues that I'm not sure how to resolve (it
doesn't help that our IT is migrating our domain at the same time).
Basically I'm using mutualSecurity11. I published the WebService to an IIS
6.0 (Win2K3) box. I installed the Service's Public/Private Key into the
Current User\My (as I can't install it into the Local Machine\My for some
reason) CertStore and used the winhttpcertcfg to grant the "NETWORK SERVICE"
account access to the Service Cert. I redirected my Client app to point to
the new URI of the webservice and can pull up the WSDL page just fine.
First problem is
InnerException Error: The remote server returned an error: (401) Unauthorized.
Server stack trace:
   at System.Net.HttpWebRequest.GetResponse()
   at Microsoft.Web.Services3.Messaging.SoapHttpTransport.Send(SoapEnvelope message, EndpointReference destination, SoapHttpChannelOptions options)
   at Microsoft.Web.Services3.Messaging.SoapHttpOutputChannel.Send(SoapEnvelope message)
   at System.Runtime.Remoting.Messaging.StackBuilderSink._PrivateProcessMessage(IntPtr md, Object[] args, Object server, Int32 methodPtr, Boolean fExecuteInContext, Object[]& outArgs)
   at System.Runtime.Remoting.Messaging.StackBuilderSink.PrivateProcessMessage(RuntimeMethodHandle md, Object[] args, Object server, Int32 methodPtr, Boolean fExecuteInContext, Object[]& outArgs)
   at System.Runtime.Remoting.Messaging.StackBuilderSink.AsyncProcessMessage(IMessage msg, IMessageSink replySink)
From there I went to check the Trace Log files, but they could not be found
on the Server. I figured this was a Write Access issue with the NETWORK
SERVICE account, so I opened up the folder of the Virtual Directory in
Explorer and granted the NETWORK SERVICE account Full Access, but still no
log files after I reran. The Client Trace Output contains
<processingStep description="Entering SOAP filter Microsoft.Web.Services3.Design.MutualCertificate11Assertion+ClientOutputFilter" />
<processingStep description="Exception thrown: WSE101: An asynchronous operation raised an exception.">
   at Microsoft.Web.Services3.AsyncResult.End(IAsyncResult result)
   at Microsoft.Web.Services3.Messaging.SoapClient.SendRequestResponse(String methodname, SoapEnvelope envelope)
   at Microsoft.Web.Services3.Security.SecurityTokenServiceClient.RequestSecurityToken(SecurityTokenMessage request, String methodName)
   at Microsoft.Web.Services3.Security.SecurityContextTokenServiceClient.RequestSecurityContextToken(AppliesTo appliesTo)
   at Microsoft.Web.Services3.Security.SecurityContextTokenServiceClient.IssueSecurityContextToken(AppliesTo appliesTo)
   at Microsoft.Web.Services3.Security.Tokens.SecurityContextTokenManager.RequestTokenFromIssuer(EndpointReference tokenIssuer, String tokenType, AppliesTo appliesTo, Policy policy, SoapProtocolVersion soapVersion, StateManager messageState, StateManager operationState, StateManager sessionState)
   at Microsoft.Web.Services3.Security.SecureConversationClientSendSecurityFilter.EstablishSecureConversation(SoapEnvelope envelope)
   at Microsoft.Web.Services3.Security.SecureConversationClientSendSecurityFilter.SecureMessage(SoapEnvelope envelope, Security security)
   at Microsoft.Web.Services3.Security.SendSecurityFilter.ProcessMessage(SoapEnvelope envelope)
   at Microsoft.Web.Services3.Pipeline.ProcessOutputMessage(SoapEnvelope envelope)
</processingStep>
I don't have any Authentication Set up with the web.config and the Virtual
Directory is set to use Anonymous Access. Any ideas?
Techno_Dex - 12 Sep 2006 21:11 GMT
Well at this point, I have republished my WebService to IIS6, removed the
Server Cert and reinstalled it, set perms on the Cert for the NETWORK
SERVICE account and also gave it access to read/write/modify the IIS
directory in order to write the log files. Magically the log files are now
being populated. The error I am getting at this point is:
<processingStep description="Entering SOAP filter Microsoft.Web.Services3.Design.RequireSoapHeaderAssertion+RequireSoapHeaderFilter" />
<processingStep description="Exited SOAP filter Microsoft.Web.Services3.Design.RequireSoapHeaderAssertion+RequireSoapHeaderFilter" />
<processingStep description="Entering SOAP filter Microsoft.Web.Services3.Design.MutualCertificate11Assertion+ServiceInputFilter" />
******> <processingStep description="Exception thrown: The security token could not be authenticated or authorized">
   at Microsoft.Web.Services3.Security.Tokens.SecurityTokenManager.LoadBinarySecurityToken(XmlElement element)
   at Microsoft.Web.Services3.Security.Tokens.SecurityTokenManager.GetTokenFromXml(XmlElement element)
   at Microsoft.Web.Services3.Security.Security.LoadToken(XmlElement element, SecurityConfiguration configuration, Int32& tokenCount)
   at Microsoft.Web.Services3.Security.Security.LoadXml(XmlElement element)
   at Microsoft.Web.Services3.Security.Security.CreateFrom(SoapEnvelope envelope, String localActor, String serviceActor)
   at Microsoft.Web.Services3.Security.ReceiveSecurityFilter.ProcessMessage(SoapEnvelope envelope)
   at Microsoft.Web.Services3.Pipeline.ProcessInputMessage(SoapEnvelope envelope)
</processingStep>
</inputMessage>
This surprises me, as I'm not using a Security Token that I know of. I just
have mutualCertificate11Security configured with Certs to lock down the
communication between the client and WS. Am I missing something here? Does
mutualCertificate11Security require that I use an X509 SecurityToken above
and beyond the Client and Service Tokens I already have configured in the
policy file? I've based my code off of the
WSSecurityCertificatePolicyService example posted by P&P. I've even
commented out my manual code and reverted back to the simplistic example
using the Policy in config files like they have.
TIA
Techno_Dex - 12 Sep 2006 21:41 GMT
Could this authentication / authorization issue in any way be related to the
accessibility of the Certificate Authority which issued the Certs? I don't
think this is the problem as it worked fine on my machine when both client
and service were together. This issue has only surfaced once I moved the WS
to a server. Both Certificates were issued by the same Cert Authority and
the root cert's public key is installed on both machines.
Techno_Dex - 12 Sep 2006 22:23 GMT
Ok, so the Input log file has the following error which gives more detail,
but I'm not sure what the cause is. I have my Service Cert installed in the
Local_Machine\My store. It can resolve its Cert Chain as there is no error
triangle on the chain when the cert is opened up. I even installed the CA's
public cert into the Local_Machine\Trusted Root Certification Authorities,
which didn't work, so I removed it and tried installing it into the
Local_Machine\Trusted People store, which didn't resolve the issue either.
Any ideas on which cert (Client or Service) the error is referring to? Any
ideas what would cause the problem?
<soap:Fault>
  <faultcode xmlns:q0="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">q0:FailedAuthentication</faultcode>
  <faultstring>The security token could not be authenticated or authorized ---> WSE3003: The certificate's trust chain could not be verified. Please check if the certificate has been properly installed in the Trusted People Certificate store. Or you might want to set allowTestRoot configuration section to true if this is a test certificate.</faultstring>
  <faultactor>http://acme/DataBroker/DataBroker.asmx</faultactor>
</soap:Fault>
Techno_Dex - 12 Sep 2006 23:01 GMT
Ok, now I'm really miffed. I took the Client's public key cert and exported
it to a file then imported it on the Server in the
LocalMachine\TrustedPeople store and all is good. I thought that I read in
the documentation that the Server hosting the WS didn't need the public key
of the Client as it would be sent in the Message Request to the WS? Is this
incorrect?
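The WSE3003 fault in this thread names two things the service checks about the client's certificate: whether its chain builds to a trusted root on the server, and whether the certificate itself sits in LocalMachine\TrustedPeople. The following is an added diagnostic, not code from the thread or from WSE 3.0, that runs those two checks against an exported .cer file on the server; the default file name "client.cer" is a placeholder.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;

// Added diagnostic for the WSE3003 "trust chain could not be verified" fault.
// Run it on the server hosting the web service, against the client's exported
// public certificate (.cer). The store names match those used in the thread.
class CertTrustCheck
{
    // WSE 3.0 accepts a peer certificate that is present in TrustedPeople even
    // when chain trust alone does not resolve; this reports whether it is there.
    public static bool IsInTrustedPeople(X509Certificate2 cert)
    {
        X509Store store = new X509Store(StoreName.TrustedPeople, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            return store.Certificates.Find(
                X509FindType.FindByThumbprint, cert.Thumbprint, false).Count > 0;
        }
        finally { store.Close(); }
    }

    // Builds the chain as the machine sees it and prints every status the OS
    // reports (for example UntrustedRoot or PartialChain). Revocation checking
    // is disabled so the result reflects trust, not CRL reachability.
    public static bool ChainVerifies(X509Certificate2 cert)
    {
        X509Chain chain = new X509Chain();
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
        bool ok = chain.Build(cert);
        foreach (X509ChainStatus s in chain.ChainStatus)
            Console.WriteLine("chain status: {0} ({1})", s.Status, s.StatusInformation.Trim());
        return ok;
    }

    static void Main(string[] args)
    {
        // Placeholder path; pass the real exported client cert as the first argument.
        string path = args.Length > 0 ? args[0] : "client.cer";
        X509Certificate2 cert = new X509Certificate2(path);
        Console.WriteLine("Subject:          {0}", cert.Subject);
        Console.WriteLine("Issuer:           {0}", cert.Issuer);
        Console.WriteLine("Chain verifies:   {0}", ChainVerifies(cert));
        Console.WriteLine("In TrustedPeople: {0}", IsInTrustedPeople(cert));
    }
}
```

Both results are machine-wide (LocalMachine stores), so they reflect what the NETWORK SERVICE worker process sees, unlike a CurrentUser store viewed from an interactive logon.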