---
Sorry for the cross-post in ...aspnet.webservices, but just found this
group and it seems more appropriate
---
Hi all,
I'm trying to get the hang of WSE2, and am running into a problem. I
wrote a simple web service, and a simple client that calls that web
service. If I do not have a policy in effect for the web service,
everything works fine. When I turn the policy on, I get:
Microsoft.Web.Services2.Policy.PolicyVerificationException: WSE402:
The message does not conform to the policy it was mapped to
Now, I *thought* I was setting the policy right on the web service side
and adding the security credential correctly on the client side, but I
guess not. I'm using the sample client and server certificates that
come with WSE2, and have "allow test roots" selected for the web
service.
My client code is (abbreviated):
// Namespaces assumed for the WSE 2.0 types used below.
using System;
using Microsoft.Web.Services2.Security;
using Microsoft.Web.Services2.Security.Tokens;
using Microsoft.Web.Services2.Security.X509;

private X509SecurityToken GetSecurityToken()
{
    X509SecurityToken token = null;
    // Look in the current user's personal ("My") certificate store.
    X509CertificateStore store = X509CertificateStore.CurrentUserStore(X509CertificateStore.MyStore);
    // Base64 key identifier of the WSE2QuickStartClient sample certificate.
    string clientBase64KeyId = "gBfo0147lM6cKnTbbMSuMVvmFY4=";
    store.Open();
    X509CertificateCollection certs = store.FindCertificateByKeyIdentifier(Convert.FromBase64String(clientBase64KeyId));
    store.Close();
    store.Dispose();
    if (certs.Count > 0)
    {
        token = new X509SecurityToken((X509Certificate)certs[0]);
    }
    return token;
}

public override void CreditAccount(...)
{
    WebService.BillingWse webService = new WebService.BillingWse();
    X509SecurityToken token = GetSecurityToken();
    if (token != null)
    {
        // Attach the client token and sign the request with it.
        webService.RequestSoapContext.Security.Tokens.Add(token);
        webService.RequestSoapContext.Security.Elements.Add(new MessageSignature(token));
    }
    webService.CreditAccount(...);
}
I think the client's certificate is entered correctly in the
policyCache.config file (created using the WSE2 Properties wizard):
<wsp:Policy wsu:Id="Sign-X.509">
  <!--MessagePredicate is used to require headers. This assertion
  should be used along with the Integrity assertion when the presence of
  the signed element is required. NOTE: this assertion does not do
  anything for enforcement (send-side) policy.-->
  <wsp:MessagePredicate wsp:Usage="wsp:Required"
    Dialect="http://schemas.xmlsoap.org/2002/12/wsse#part">wsp:Body()
    wsp:Header(wsa:To) wsp:Header(wsa:Action) wsp:Header(wsa:MessageID)
    wse:Timestamp()</wsp:MessagePredicate>
  <!--The Integrity assertion is used to ensure that the message is
  signed with X.509. Many Web services will also use the token for
  authorization, such as by using the <wse:Role> claim or specific X.509
  claims.-->
  <wssp:Integrity wsp:Usage="wsp:Required">
    <wssp:TokenInfo>
      <!--The SecurityToken element within the TokenInfo element
      describes which token type must be used for Signing.-->
      <wssp:SecurityToken>
        <wssp:TokenType>http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-pr...</wssp:TokenType>
        <wssp:TokenIssuer>CN=Root Agency</wssp:TokenIssuer>
        <wssp:Claims>
          <!--By specifying the SubjectName claim, the policy
          system can look for a certificate with this subject name in the
          certificate store indicated in the application's configuration, such as
          LocalMachine or CurrentUser. The WSE X.509 Certificate Tool is useful
          for finding the correct values for this field.-->
          <wssp:SubjectName MatchType="wssp:Exact">CN=WSE2QuickStartClient</wssp:SubjectName>
          <wssp:X509Extension OID="2.5.29.14" MatchType="wssp:Exact">gBfo0147lM6cKnTbbMSuMVvmFY4=</wssp:X509Extension>
        </wssp:Claims>
      </wssp:SecurityToken>
    </wssp:TokenInfo>
    <wssp:MessageParts
      Dialect="http://schemas.xmlsoap.org/2002/12/wsse#part">wsp:Body()
      wsp:Header(wsa:Action) wsp:Header(wsa:FaultTo) wsp:Header(wsa:From)
      wsp:Header(wsa:MessageID) wsp:Header(wsa:RelatesTo)
      wsp:Header(wsa:ReplyTo) wsp:Header(wsa:To)
      wse:Timestamp()</wssp:MessageParts>
  </wssp:Integrity>
</wsp:Policy>
Anyone have any insight?
Thanks,
Eric
Eric - 23 Jun 2005 19:06 GMT
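As an added consistency check (not code from the post or from WSE): a small Python script that parses a <wsp:Policy> like the one above and reports any part that MessagePredicate requires but the Integrity assertion's MessageParts does not sign, plus malformed #part tokens such as a header reference missing its parenthesis. The namespace URIs are assumed, and the sample policy is constructed: it keeps the post's malformed MessageID token and deliberately drops wsa:To from the signed parts so both checks fire.

```python
import re
import xml.etree.ElementTree as ET

# Namespace URIs assumed here for the WSE 2.0 policy vocabulary.
NS = {"wsp": "http://schemas.xmlsoap.org/ws/2002/12/policy",
      "wssp": "http://schemas.xmlsoap.org/ws/2002/12/secext"}

# One #part-dialect token: prefix:Name() or wsp:Header(prefix:Name).
PART_RE = re.compile(r"^(\w+:\w+)\((\w+:\w+)?\)$")


def parse_parts(text):
    """Split a MessagePredicate/MessageParts string into (parts, malformed)."""
    parts, malformed = set(), []
    for tok in text.split():
        if PART_RE.match(tok):
            parts.add(tok)
        else:
            malformed.append(tok)  # e.g. a token missing its "("
    return parts, malformed


def check_policy(xml_text):
    """Report required parts the Integrity assertion leaves unsigned."""
    root = ET.fromstring(xml_text)
    required, bad_req = parse_parts(root.findtext("wsp:MessagePredicate", "", NS))
    signed, bad_sig = parse_parts(
        root.findtext("wssp:Integrity/wssp:MessageParts", "", NS))
    return {"required_not_signed": sorted(required - signed),
            "malformed": bad_req + bad_sig}


# Constructed sample modelled on the post's policy: prefixes declared, the
# MessageID token keeps the post's missing "(", and Integrity omits wsa:To.
SAMPLE_POLICY = """<wsp:Policy wsu:Id="Sign-X.509"
    xmlns:wsp="http://schemas.xmlsoap.org/ws/2002/12/policy"
    xmlns:wssp="http://schemas.xmlsoap.org/ws/2002/12/secext"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
  <wsp:MessagePredicate wsp:Usage="wsp:Required">wsp:Body() wsp:Header(wsa:To)
    wsp:Header(wsa:Action) wsp:Header wsa:MessageID) wse:Timestamp()</wsp:MessagePredicate>
  <wssp:Integrity wsp:Usage="wsp:Required">
    <wssp:MessageParts>wsp:Body() wsp:Header(wsa:Action) wsp:Header(wsa:MessageID)
      wse:Timestamp()</wssp:MessageParts>
  </wssp:Integrity>
</wsp:Policy>"""

if __name__ == "__main__":
    print(check_policy(SAMPLE_POLICY))
```

Run against a real policyCache.config, an empty result for both keys means the required and signed part lists agree; anything else points at the assertion to fix before looking elsewhere for the WSE402.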
I solved this issue by following the steps at:
http://support.microsoft.com/default.aspx?scid=kb;en-us;901183