.NET Forum / ASP.NET / Web Services / May 2005

Referenced security token could not be retrieved

John Jenkins - 22 Apr 2005 22:07 GMT
Hi,
   I am in the process of trying to implement a simple x509 certificate
policy example. My policy file looks like below, this is on the server. I am
running client and server on the same machine for testing. I have installed
the private key Client Private.pfx and Server Public.cer on my
Certificates - Current User -> Personal -> Certificates and Public.cer in my
Certificates - Local Computer -> Personal -> Certificates. My understanding
was that this was the requirement to get certificates to work on a single
machine. I get the error when I execute my code:

"Referenced security token could not be retrieved".

Am I missing something simple??

Thanks in advance.

<?xml version="1.0" encoding="utf-8"?>
<policyDocument xmlns="http://schemas.microsoft.com/wse/2003/06/Policy">
  <mappings xmlns:wse="http://schemas.microsoft.com/wse/2003/06/Policy">
    <endpoint uri="http://localhost/StockTraderSecurePolicy/StockTrader.asmx">
      <defaultOperation>
        <request policy="#Encrypt-X.509" />
        <response policy="" />
        <fault policy="" />
      </defaultOperation>
    </endpoint>
  </mappings>
  <policies
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    xmlns:wsp="http://schemas.xmlsoap.org/ws/2002/12/policy"
    xmlns:wssp="http://schemas.xmlsoap.org/ws/2002/12/secext"
    xmlns:wse="http://schemas.microsoft.com/wse/2003/06/Policy"
    xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
    xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/03/addressing">
    <!-- This policy ensures that the message is encrypted with an x.509 Certificate -->
    <wsp:Policy wsu:Id="Encrypt-X.509">
      <!-- The MessagePredicate indicates where to apply the policy -->
      <wsp:MessagePredicate wsp:Usage="wsp:Required"
        Dialect="http://schemas.xmlsoap.org/2002/12/wsse#part">
        wsp:Body()
      </wsp:MessagePredicate>
      <!-- The Confidentiality assertion is used to ensure that the SOAP Body is encrypted. -->
      <wssp:Confidentiality wsp:Usage="wsp:Required">
        <wssp:KeyInfo>
          <!-- The SecurityToken element within the KeyInfo element describes which
               token type must be used for Encryption. -->
          <wssp:SecurityToken>
            <wssp:TokenType>http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3</wssp:TokenType>
            <wssp:TokenIssuer>CN=Root Agency</wssp:TokenIssuer>
            <wssp:Claims>
              <!-- By specifying the SubjectName claim, the policy system can look for a
                   certificate with this subject name in the certificate store indicated in the
                   application's configuration, such as LocalMachine or CurrentUser. The WSE
                   X.509 Certificate Tool is useful for finding the correct values for this
                   field. -->
              <wssp:SubjectName MatchType="wssp:Exact">CN=WSE2QuickStartServer</wssp:SubjectName>
              <wssp:X509Extension OID="2.5.29.14" MatchType="wssp:Exact">bBwPfItvKp3b6TNDq+14qs58VJQ=</wssp:X509Extension>
            </wssp:Claims>
          </wssp:SecurityToken>
        </wssp:KeyInfo>
        <wssp:MessageParts Dialect="http://schemas.xmlsoap.org/2002/12/wsse#part">wsp:Body()</wssp:MessageParts>
      </wssp:Confidentiality>
    </wsp:Policy>
  </policies>
</policyDocument>
alex bean - 22 Apr 2005 22:34 GMT
John,
It looks like you are trying to have the client sign and encrypt a message
and the service validate and decrypt it if I understand you correctly.  If
this is the case you need to put the Server Private.pfx in Certificates ->
Local Computer -> Personal -> Certificates.

Also, make sure that the account the web server is running under (usually
ASPNET) has full access to the folder the certs are in.
John Jenkins - 24 Apr 2005 22:45 GMT
Thanks Alex,
           I tried this and get the same result. Your assumption is right.
I want to sign and encrypt the message on the client and validate and decrypt
on the server. Currently I have

Client:
Client Private.pfx
Server Public.cer

Server:
Server Private.pfx

I now get: "The message does not conform to the policy it was mapped to."

Again any help appreciated.

> John,
> It looks like you are trying to have the client sign and encrypt a message
[quoted text clipped - 4 lines]
> Also, make sure that the account the web server is running under (usually
> ASPNET) has full access to the folder the certs are in.
John Jenkins - 25 Apr 2005 20:26 GMT
Sorry, I actually get the same error.

> Thanks Alex,
>             I tried this and get the same result. Your assumption is right.
[quoted text clipped - 20 lines]
> > Also, make sure that the account the web server is running under (usually
> > ASPNET) has full access to the folder the certs are in.
alex bean - 26 Apr 2005 03:46 GMT
> Sorry, I actually get the same error.

You mean the error from the first post? ( "Referenced security token could
not be retrieved". )

I ran into that problem when I first started.  Basically I deleted all the
certs/samples, reinstalled WSE and followed the instructions at this link:
http://pluralsight.com/blogs/aaron/archive/2004/07/13/1623.aspx

Also, you need to make sure that the permissions are set to the ASPNET user
on the folder containing the certs.  

One more thing, try to get some of the code samples working first, that will
tell you if the certs are set up correctly.

Good luck
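The two failure modes discussed in this thread (the policy's certificate claims not resolving to a certificate in the store the application is configured to use, and the web server's account being unable to open the private key's container) can be checked directly from the store rather than by re-running the service. The following console program is an added diagnostic, not code from the thread, from WSE or from Microsoft. It assumes the SubjectName and SubjectKeyIdentifier values copied from the policy in the first post (change them to match your own file), that the application's configuration points WSE at the Personal store of either LocalMachine or CurrentUser, and that it is run under the same account as the web server (ASPNET in this thread) so that the private-key access it reports is what the service would see. It needs .NET 2.0 or later for X509Certificate2.

```csharp
// Added diagnostic (not from the thread or from WSE): finds the certificate that a
// WSE 2.0 policy's <wssp:Claims> points at and reports whether its private key can be
// opened by the account running this program. Requires .NET 2.0 or later.
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

class WsePolicyTokenCheck
{
    // Values taken from the policy in the first post; replace with the
    // <wssp:SubjectName> and <wssp:X509Extension OID="2.5.29.14"> from your own policy.
    const string SubjectName = "CN=WSE2QuickStartServer";
    const string ExpectedSkiBase64 = "bBwPfItvKp3b6TNDq+14qs58VJQ=";

    static void Main()
    {
        // WSE searches one store location chosen in the application's configuration;
        // check both so a certificate installed under the wrong one is reported, not missed.
        StoreLocation[] locations = new StoreLocation[] { StoreLocation.LocalMachine, StoreLocation.CurrentUser };
        foreach (StoreLocation location in locations)
        {
            Console.WriteLine("== {0}\\Personal ==", location);
            X509Store store = new X509Store(StoreName.My, location);
            store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
            try
            {
                // Exact distinguished-name match, as MatchType="wssp:Exact" requires.
                X509Certificate2Collection hits = store.Certificates.Find(
                    X509FindType.FindBySubjectDistinguishedName, SubjectName, false);
                if (hits.Count == 0)
                {
                    Console.WriteLine("  no certificate with subject '{0}'", SubjectName);
                    continue;
                }
                foreach (X509Certificate2 cert in hits)
                    Report(cert);
            }
            finally
            {
                store.Close();
            }
        }
    }

    static void Report(X509Certificate2 cert)
    {
        Console.WriteLine("  thumbprint {0}, valid {1:d} to {2:d}", cert.Thumbprint, cert.NotBefore, cert.NotAfter);

        // The policy's X509Extension claim is the base64 encoding of the SubjectKeyIdentifier bytes,
        // so a certificate with the right subject but a different key still fails the claim.
        string ski = SubjectKeyIdentifierBase64(cert);
        Console.WriteLine("  SubjectKeyIdentifier: {0} ({1})", ski == null ? "absent" : ski,
            ski == ExpectedSkiBase64 ? "matches policy" : "DOES NOT match policy");

        // Decrypting on the server and signing on the client both need the private key;
        // a .cer import gives only the public half.
        if (!cert.HasPrivateKey)
        {
            Console.WriteLine("  no private key (was a .cer installed where a .pfx is needed?)");
            return;
        }
        try
        {
            // Touching the key opens its container; this is the step that fails when the
            // account lacks access to the key container on disk.
            AsymmetricAlgorithm key = cert.PrivateKey;
            Console.WriteLine("  private key usable by this account ({0} bits)", key.KeySize);
        }
        catch (CryptographicException ex)
        {
            Console.WriteLine("  private key present but not accessible: {0}", ex.Message);
        }
    }

    // Returns the SubjectKeyIdentifier (OID 2.5.29.14) as base64, or null if the extension is absent.
    static string SubjectKeyIdentifierBase64(X509Certificate2 cert)
    {
        X509SubjectKeyIdentifierExtension ext =
            cert.Extensions["2.5.29.14"] as X509SubjectKeyIdentifierExtension;
        if (ext == null) return null;
        // ext.SubjectKeyIdentifier is a hex string; convert it to raw bytes before base64 encoding.
        string hex = ext.SubjectKeyIdentifier;
        byte[] raw = new byte[hex.Length / 2];
        for (int i = 0; i < raw.Length; i++)
            raw[i] = Convert.ToByte(hex.Substring(2 * i, 2), 16);
        return Convert.ToBase64String(raw);
    }
}
```

Run it twice: once as yourself to confirm the certificates are where you think they are, and once as the web server's account. A certificate that is found with a matching SubjectKeyIdentifier but whose private key is reported as "not accessible" points at the permission problem Alex describes rather than at the policy file; a subject that is found only under CurrentUser while the application is configured for LocalMachine (or the reverse) points at the store placement problem.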
John Jenkins - 27 Apr 2005 18:20 GMT
Thanks to all. I will have a go and let you know.

> Sorry, I actually get the same error.
>
[quoted text clipped - 29 lines]
> (usually
> > > ASPNET) has full access to the folder the certs are in.
John Jenkins - 01 May 2005 19:40 GMT
Guys,
       I did as instructed and it worked.
Many thanks for the help.

> Thanks to all. I will have a go and let you know.
>
[quoted text clipped - 31 lines]
> > (usually
> > > > ASPNET) has full access to the folder the certs are in.
Dilip Krishnan - 26 Apr 2005 18:52 GMT
You'd also need the Client Public.cer to be installed in the server.
That should solve your problem

> Thanks Alex,
>             I tried this and get the same result. Your assumption is right.
[quoted text clipped - 20 lines]
>>Also, make sure that the account the web server is running under (usually
>>ASPNET) has full access to the folder the certs are in.

HTH
Regards,
Dilip Krishnan
MCAD, MCSD.net
dilip.krishnan AT apdiya DOT com


©2008 Advenet LLC