Solved

Problem with X509 certificate - WSE 2.0

Posted on 2006-11-15
2
718 Views
Last Modified: 2013-11-30
I’m trying to secure the message level communications of my system using WSE 2.0, signing with X.509 certificates.

We have a web server (WEB) hosting a web app and another server (WS) hosting a web service. Both machines have acquired a certificate from the domain controller. Each of these certificates has been exported to the other machine, without a private key. All of the certs are in the local machine store.

I’ve configure WSE to use a policy file at each end. The problem I’m having is with the sending of the original web service request – it isn’t getting any further yet. The tracing on the web server is telling me that it cannot find a security token to sign the message with.

I’ve tried the following:
* Checked and double checked the token issuer, subject name and X509Extension (OID) keys in the policyCache file (I’ve also commented out the extension key to simplify the check)
* Double checked the URL of the endpoint (I’m using the default operation element)
* Used the X509Cert tool to check permissions on the private key of the certificate
* Used winhttpcertcfg.exe to grant access to the certificate to ASPNET and IUSR accounts (this only worked for the cert with a private key)
* Tried altering the policy to specify either of the two available certs.

The only trace message I’m getting is “could not find a security token”. I’m aware that the ASPNET process doesn’t by default look in the localmachine store but I’ve been through the workaround / fix for this (see below) and now I’m a bit stuck. It seems to me that the APSNET (or IUSR) cannot see the certificates, but I’ve no idea why. I’ve had all of this working on my dev machine (with a windows app and with a web app), but only on the one machine and only with test certs, so my local setup doesn’t really compare with our test env.

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/secnetht13.asp

Any ideas much appreciated..!!!

Thanks
Alec
0
Comment
Question by:alecpotts
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 
LVL 3

Author Comment

by:alecpotts
ID: 17964967
Cracked it.

The problem was mainly that the <tokenIssuer> key within the policy doesn't seem to work. No matter what I put in there - with spaces, without spaces, with commas, backwards (as specified by Microsoft).....everything I tried to make it match up to the Issued By field of the certificate....no joy. As soon as I removed the key completely....everything works fine.

The other thing was that you need to use the WseCertificate2.exe tool to set the access permission on the private key of each client cert - on Server 2000 you need to grant access to ASPNET, but on Server 2003 it's NETWORK SERVICE that needs access...

I've asked for a refund/PAQ....

ALec
0
 

Accepted Solution

by:
CetusMOD earned 0 total points
ID: 17969420
Closed, 500 points refunded.
CetusMOD
Community Support Moderator
0

Featured Post

The Ultimate Checklist to Optimize Your Website

Websites are getting bigger and complicated by the day. Video, images, custom fonts are all great for showcasing your product/service. But the price to pay in terms of reduced page load times and ultimately, decreased sales, can lead to some difficult decisions about what to cut.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Does your audience prefer people in photos or no people? How can you best highlight what you’re selling? What are your competitors doing, and what can you do that is different and unique from them?  Continue reading to learn how to make your images …
Although a lot of people devote their energy toward marketing for specific industries, there are some basic principles that can be applied to any sector imaginable. We’ll look at four steps to take and examine how those steps were put into action fo…
If you're a developer or IT admin, you’re probably tasked with managing multiple websites, servers, applications, and levels of security on a daily basis. While this can be extremely time consuming, it can also be frustrating when systems aren't wor…
Michael from AdRem Software explains how to view the most utilized and worst performing nodes in your network, by accessing the Top Charts view in NetCrunch network monitor (https://www.adremsoft.com/). Top Charts is a view in which you can set seve…

696 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question