CustomXmlSecurityToken > For WS-Trust Sampling

Softwaremaker
Jun 15, 2004, 8:45:55 PM

Hiya Fellows,

I am looking at CustomXmlSecurityToken code samples that came with WSE2RTM.
All worked fine. I noticed that the RST is NOT sent with an Entropy element
by default.

Then I replaced the Client X509Cert with a UsernameToken as the Base token
in the RST and I made all the necessary configuration changes such as the
UsernameTokenManager change and the *config file changes. This FAILED
miserably as the Server responds with a SoapFault with a "Server NOT
Available" exception ???. I changed it back to Client's X509 Cert and
everything worked well again !

I debugged and made sure that all the UsernameToken configs are correct. I even
sent in an incorrect Password in the UsernameToken and the Token Issuer
responded with an all-too-familiar "The Security Token could not be
authenticated" message.

Then I traced my own UsernameToken example and found that there is NO
Entropy element in the RST as well. I did a comparison of the SOAP Traces
with the examples of WS-SecureConversation that came with WSE2RTM and found
that there is an Entropy element in the RST of the WS-SecureConversation
example.

Is that the reason why UsernameToken tokens cannot be used as the base token
in the CustomXmlSecurityToken sample ? It needs an Entropy element in the
RST because it cannot do asymmetric encryption unlike X509s ? If that is so,
why does the default CustomXmlSecurityToken sample that signs the RST with
X509 as the base Token NOT contain an Entropy element as well ?

If the above is the case, how do I set up the Entropy Element in the above
sample in both UsernameToken and X509 Tokens ?

I think some form of realism has to be injected into these samples. I read
on some site (Gartner, I think) that no matter what, UsernameTokens are
still gonna be the main form of authentication tokens. This should be no
surprise as it's impractical to expect all clients to have their own X509
Certificates.

So it will really help a lot if some of these samples come with more
UsernameToken samples, esp with WS-Trust, as this is a wonderful spec that
will drive adoption.

I need some help on this and appreciate any advice I get.

Thanks.

--
Thank you very much

Warmest Regards,
Softwaremaker
Architect | Evangelist | Consultant

+++++++++++++++++++++++++++++++++


Jag
Jun 16, 2004, 7:25:26 PM

Hi Softwaremaker,

I am trying to get the CustomXmlSecurityToken sample to work. I keep
getting the exception "Server unavailable, please try later." when
sending the security RequestSecurityToken message. What am I missing?
Any help will be appreciated.

Regards
Jag


"Softwaremaker" <ms...@removethis.softwaremaker.net> wrote in message news:<evZenuzU...@tk2msftngp13.phx.gbl>...

Softwaremaker
Jun 16, 2004, 7:46:06 PM

Are you using the sample right out of the box? If you are, it should work
OK.

The only thing I can think of is whether your addressing points are correct. You may
be sending to a wrong URI for token issuing or to the Web Service.

There is a TokenIssuing Element in the *.config file. You may want to check
that out to make sure you are sending to the right address.

hth

--
Thank you very much

Warmest Regards,
Softwaremaker
Architect | Evangelist | Consultant

+++++++++++++++++++++++++++++++++

"Jag" <jagdeep...@hotmail.com> wrote in message news:cff00821.04061...@posting.google.com...

Hervey Wilson [MSFT]
Jun 18, 2004, 12:46:03 AM

>
> Then I replaced the Client X509Cert with a UsernameToken as the Base token
> in the RST and I made all the necessary configuration changes such as the
> UsernameTokenManager change and the *config file changes. This FAILED
> miserably as the Server responds with a SoapFault with a "Server NOT
> Available" exception ???. I changed it back to Client's X509 Cert and
> everything worked well again !
>

Try enabling ASP.NET customErrors and WSE's enableDetailedErrors in your web
config to get a full error message back from the server. See the wse.config
example file in the product installation directory for full documentation of
all the WSE config settings.

--
This posting is provided "AS IS" with no warranties, and confers no rights.


Jag
Jun 20, 2004, 8:39:42 PM

Hi Hervey,

Thanks for the suggestion. It seems that it is a CryptographicException -
no private key found. The certificate that the sample is using is
WSE2QuickStartClient, and this certificate has a private key.
The detailed error is as follows:

{"System.Web.Services.Protocols.SoapHeaderException: Server
unavailable, please try later --->
System.Security.Cryptography.CryptographicException:
Cryptography_CSP_NoPrivateKey\r\n at
Microsoft.Web.Services2.Security.Cryptography.RSACryptoServiceProvider.SignHash(Byte[]
rgbHash, String oidHash)\r\n at
Microsoft.Web.Services2.Security.Cryptography.RSASHA1SignatureFormatter.SignHash(Byte[]
rgbHash)\r\n at Microsoft.Web.Services2.Security.Cryptography.RSASHA1SignatureFormatter.Sign(Stream
data)\r\n at Microsoft.Web.Services2.Security.MessageSignature.ComputeAsymmetricSignature(AsymmetricKeyAlgorithm
key)\r\n at Microsoft.Web.Services2.Security.MessageSignature.ComputeSignature()\r\n
at Microsoft.Web.Services2.Security.Tokens.SecurityToken.GetSignedTokenXml(SecurityToken
signingToken)\r\n at
Microsoft.Web.Services2.Security.RequestedSecurityToken.GetXml(XmlDocument
document)\r\n at Microsoft.Web.Services2.Security.RequestSecurityTokenResponse.GetXml(XmlDocument
document)\r\n at Microsoft.Web.Services2.SoapEnvelope.SetBodyObject(Object
bodyObject, String defaultNamespace)\r\n at
Microsoft.Web.Services2.Messaging.SoapService.Receive(SoapEnvelope
request)\r\n at Microsoft.Web.Services2.Messaging.SoapReceiver.ProcessMessage(SoapEnvelope
message)\r\n --- End of inner exception stack trace ---" }


Regards
Jagdeep

"Hervey Wilson [MSFT]" <herveyw...@online.microsoft.com> wrote in message news:<OCBMN8OV...@tk2msftngp13.phx.gbl>...

Jag
Jun 20, 2004, 9:57:27 PM

Hi Hervey,

What I have discovered is the fact that I do not have an "Other People" folder
under the Certificates - Current User folder. I am running XP Professional on
my laptop. How do I enable an "Other People" folder under the Certificates - Current
User folder?

Regards
Jagdeep


"Jag" <jagdeep...@hotmail.com> wrote in message news:cff00821.04062...@posting.google.com...

Dave Bettin
Jun 21, 2004, 8:47:27 AM
to microsoft.public.dotnet.framework.webservices.enhancements

Jag,

Open Internet Explorer and navigate to Tools -> Internet Options -> Content. Press the certificates button. You will see an "Other People" tab. You can import the certificate here and then you can refresh your certificates listing in MMC and should see the "Other People" listed.

Dave Bettin

Blog: http://www.davebettin.com/me/


Jag
Jun 23, 2004, 8:51:58 PM

Hi Hervey,

The problem that I was having with the sample was:

The Virtual directory for the web service was executing under the ASPNET
User account, and this account did not have permission to read the
"{drive}:\Documents and Settings\All Users\Application
Data\Microsoft\Crypto\RSA\MachineKeys" folder. Now the sample works.
This will be an issue to remember during deployment.

What I have been pondering over is what happens if one is using a Kerberos token
or username token with Windows authentication and the policy on the account
has "password expired". WSE 2.0 throws up an exception "authentication
failed". Unless one has security auditing set up, is there a way to pass the
correct account policy details?

Regards

Jagdeep

"Jag" <jagdeep...@hotmail.com> wrote in message news:cff00821.04062...@posting.google.com...
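An added check for the deployment issue Jagdeep describes above (my own example, not code from the thread or from the WSE samples): it reports whether a given account holds an Allow ACE with read rights on the MachineKeys folder that RSACryptoServiceProvider loads key containers from. The function name is mine; the default path is the Vista-and-later ProgramData location, so on XP pass the "Documents and Settings" path quoted in the post.

```powershell
# Added example, not from the thread or the WSE samples.
# Reports whether an account has an Allow ACE with read rights on the CAPI
# machine key store that RSACryptoServiceProvider reads private keys from.
function Test-MachineKeysReadAccess {
    param(
        # Account the web app runs as, e.g. 'ASPNET' (IIS 5 / XP) or
        # 'NT AUTHORITY\NETWORK SERVICE' (IIS 6). A bare name also matches 'HOST\name'.
        [Parameter(Mandatory = $true)]
        [string] $Identity,

        # Default is the Vista+ location; on XP (as in the thread) pass
        # "C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys"
        [string] $Path = (Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys')
    )

    if (-not (Test-Path -LiteralPath $Path)) {
        throw "MachineKeys folder not found: $Path"
    }

    # ReadData + ReadAttributes is the minimum needed to open a key container file;
    # Read and FullControl contain these bits, so -band catches those grants too.
    $needed = [System.Security.AccessControl.FileSystemRights]::ReadData -bor
              [System.Security.AccessControl.FileSystemRights]::ReadAttributes

    $acl  = Get-Acl -LiteralPath $Path          # .Access includes inherited ACEs
    $aces = @($acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -like "*$Identity" -and
        (($_.FileSystemRights -band $needed) -eq $needed)
    })

    [pscustomobject]@{
        Path         = $Path
        Identity     = $Identity
        HasReadAce   = ($aces.Count -gt 0)
        MatchingAces = @($aces | ForEach-Object { "$($_.IdentityReference): $($_.FileSystemRights)" })
        Owner        = $acl.Owner
    }
}

# Usage: the account the virtual directory runs under, as in Jagdeep's case.
Test-MachineKeysReadAccess -Identity 'ASPNET' | Format-List
```

The check only matches ACEs naming the account directly, so grants that arrive through group membership or generic rights (shown as large numbers) come back as HasReadAce = False and need a second look with icacls. When fixing this for a deployment, grant read on the single key container file holding the service certificate's private key rather than on the whole MachineKeys folder.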

jake...@gmail.com
Jul 13, 2014, 11:52:59 AM

Just trying to find a recent thread. I don't know a lot about x509. Without going into too many details, I have a few simple questions.

How can I trust the network? If I have PKCS#10 installed, is this enough proof that the network is being run by someone with some sort of authority?

Basically I just want to know how to tell between someone that should have control and whether any bad networks out there exist. Or at least some way to prove I'm not in some criminal network. It appears I don't have control over my certificates and I don't question why at this point.

Thanks