I’m trying to secure the message level communications of my system using WSE 2.0, signing with X.509 certificates.
We have a web server (WEB) hosting a web app and another server (WS) hosting a web service. Both machines have acquired a certificate from the domain controller. Each of these certificates has been exported to the other machine, without a private key. All of the certs are in the local machine store.
I’ve configure WSE to use a policy file at each end. The problem I’m having is with the sending of the original web service request – it isn’t getting any further yet. The tracing on the web server is telling me that it cannot find a security token to sign the message with.
I’ve tried the following:
* Checked and double checked the token issuer, subject name and X509Extension (OID) keys in the policyCache file (I’ve also commented out the extension key to simplify the check)
* Double checked the URL of the endpoint (I’m using the default operation element)
* Used the X509Cert tool to check permissions on the private key of the certificate
* Used winhttpcertcfg.exe to grant access to the certificate to ASPNET and IUSR accounts (this only worked for the cert with a private key)
* Tried altering the policy to specify either of the two available certs.
The only trace message I’m getting is “could not find a security token”. I’m aware that the ASPNET process doesn’t by default look in the localmachine store but I’ve been through the workaround / fix for this (see below) and now I’m a bit stuck. It seems to me that the APSNET (or IUSR) cannot see the certificates, but I’ve no idea why. I’ve had all of this working on my dev machine (with a windows app and with a web app), but only on the one machine and only with test certs, so my local setup doesn’t really compare with our test env.
Any ideas much appreciated..!!!