I am encrypting the message using the server's public key that I have
imported into "Current User\Personal\Certificates". The trace file also
shows that the message is indeed encrypted. I presume that the problem
occurs when the SOAP message gets to the server, and SoapInputFilter
automatically attempts to decrypt the message using the private key in
the local machine's key store that is related to the x509 tag in the
configuration file on the receiving end.
<security>
  <x509 storeLocation="LocalMachine" allowTestRoot="true"
        allowRevocationUrlRetrieval="false" verifyTrust="false" />
</security>
I have the above web.config entry for the x509 certificate. My certificate
with its associated private key is in
"LocalComputer\Personal\Certificates". I have created the certificates
using "makecert.exe" from the Platform SDK v1.1 with the following arguments:
makecert -ss My -sr LocalMachine -sk Signature -n "CN=chaudhry"
makecert -ss My -sr CurrentUser -sk Signature -n "CN=maac"
I have copied the complete error log and trace file below; please give
any suggestions to fix this problem.
ERROR LOG:
*** Exception Raised ***
SOAP-Fault code: http://schemas.xmlsoap.org/ws/2002/12/secext:SecurityTokenUnavailable
System.Web.Services.Protocols.SoapHeaderException: Microsoft.Web.Services.Security.SecurityFault: Referenced security token could not be retrieved
   at Microsoft.Web.Services.Security.EncryptedKey.ResolveDecryptionKey(String algorithmUri, KeyInfo keyInfo)
   at Microsoft.Web.Services.Security.EncryptedKey.Decrypt()
   at Microsoft.Web.Services.Security.Security.LoadXml(XmlElement element)
   at Microsoft.Web.Services.Security.SecurityInputFilter.ProcessMessage(SoapEnvelope envelope)
   at Microsoft.Web.Services.Pipeline.ProcessInputMessage(SoapEnvelope envelope)
   at Microsoft.Web.Services.WebServicesExtension.BeforeDeserializeServer(SoapServerMessage message)
   at System.Web.Services.Protocols.SoapHttpClientProtocol.ReadResponse(SoapClientMessage message, WebResponse response, Stream responseStream, Boolean asyncCall)
   at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters)
   at AsymEncryptClient.StockServiceWse.StockQuoteRequest(String[] symbols) in C:\Program Files\Microsoft WSE\v2.0\Samples\CS\QuickStart\AsymmetricEncryption\Code\AsymEncryptCodeClient\AsymEncryptProxy.cs:line 47
   at AsymEncryptClient.AsymEncryptClient.Run() in c:\program files\microsoft wse\v2.0\samples\cs\quickstart\asymmetricencryption\code\asymencryptcodeclient\asymencryptclient.cs:line 82
   at AsymEncryptClient.AsymEncryptClient.Main(String[] args) in c:\program files\microsoft wse\v2.0\samples\cs\quickstart\asymmetricencryption\code\asymencryptcodeclient\asymencryptclient.cs:line 45
INPUT TRACE:
<?xml version="1.0" encoding="utf-8" ?>
<log>
  <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xmlns:xsd="http://www.w3.org/2001/XMLSchema"
      xmlns:wsa="http://schemas.xmlsoap.org/ws/2003/03/addressing"
      xmlns:wsu="http://schemas.xmlsoap.org/ws/2002/07/utility"
      xmlns:wsse="http://schemas.xmlsoap.org/ws/2002/12/secext">
    <soap:Header>
      <wsa:Action>http://stockservice.contoso.com/wse/samples/2003/06/StockQuoteRequest</wsa:Action>
      <wsa:From>
        <wsa:Address>http://schemas.xmlsoap.org/ws/2003/03/addressing/role/anonymous</wsa:Address>
      </wsa:From>
      <wsa:MessageID>uuid:9fcddb8c-be67-4586-b7cc-aad8e3af00b2</wsa:MessageID>
      <wsa:To>http://localhost/AsymEncryptCodeService/AsymEncryptService.asmx</wsa:To>
      <wsu:Timestamp>
        <wsu:Created>2003-07-22T18:04:46Z</wsu:Created>
        <wsu:Expires>2003-07-22T18:09:46Z</wsu:Expires>
      </wsu:Timestamp>
      <wsse:Security soap:mustUnderstand="1">
        <xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
          <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
          <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
            <wsse:SecurityTokenReference>
              <wsse:KeyIdentifier ValueType="wsse:X509v3">XpHXa4rrGybarvgTs75Iqw2x5vE=</wsse:KeyIdentifier>
            </wsse:SecurityTokenReference>
          </KeyInfo>
          <xenc:CipherData>
            <xenc:CipherValue>YQ/W9ttyVLpOrNSP6WnK6B5/NRZbApW0JjGbg2mXoz57chtfc0VsyO0EQMT0vUGY8wX6MYf89F8T0IZMbS8KoENWU043pOwVHi7VoXswQ/IC4p1ZjoOrBuVSGJwdPJ+eL28plQRAiNJfoDWs0zrhTGBVF+6bGX/YUSzwrTd7K8U=</xenc:CipherValue>
          </xenc:CipherData>
          <xenc:ReferenceList>
            <xenc:DataReference URI="#EncryptedContent-5fb409e3-47a9-4890-9441-5cc825ca1379" />
          </xenc:ReferenceList>
        </xenc:EncryptedKey>
      </wsse:Security>
    </soap:Header>
    <soap:Body>
      <xenc:EncryptedData Id="EncryptedContent-5fb409e3-47a9-4890-9441-5cc825ca1379"
          Type="http://www.w3.org/2001/04/xmlenc#Content"
          xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
        <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc" />
        <xenc:CipherData>
          <xenc:CipherValue>XkKzWhQV62OxDKKqp5GKiVXRWo5kOKxyjCiCHAiO3bMVF46ZNEV6vWuxlJ/IGOyFn2XEIWd960md0B93OF3khrJLdOg7zslX3eiAzPL27w93nlmgeejQchWxuUu3Pt+SBhu+NMfq9F2UPnxKDQwspMaCGpLEmbdb24uHGD/EljQ3jITzzBtSKzxQu+glY9YbFqc1Q+rlyV7T5EbL23jiUtmmmK2lldsgVd5DM7rnyTw=</xenc:CipherValue>
        </xenc:CipherData>
      </xenc:EncryptedData>
    </soap:Body>
  </soap:Envelope>
Have you tried giving the process identity (ASPNET or Network Service in
Win2k3 by default) permission to read the private key file?
Here are the steps I followed for giving the process identity permission to
the private key...
1. Open the X509 Certificate Tool that is included with the WSE 2.0 TP.
2. Choose Certificate Location "Local Computer" and Store Name "Personal".
3. Click "Select Certificate from Store" and choose the appropriate
certificate
4. Click "Open Private Key File Properties"
5. Select the Security tab and add the appropriate account (ASPNET or Network
Service). The documentation says to give the account Full Control, but I've
found that Read permission is all that is needed.
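The same grant done from the command line instead of the WSE X509 Certificate Tool, as an added example that is not part of this thread and not WSE's own tooling. It assumes Windows PowerShell (the .NET Framework flavour, 5.1 or earlier), a certificate in the Local Computer Personal store whose private key sits in a CryptoAPI (CSP) container, as makecert creates, and it runs from an elevated prompt; the subject name is the one from the makecert line above, while the account name is a placeholder for whatever identity the worker process actually runs as. It also reports the key's KeyNumber, because a CryptoAPI Signature key pair can only sign: unwrapping the rsa-1_5 EncryptedKey needs an Exchange key pair, which makecert produces with -sky exchange.

```powershell
# Added example (not from the thread or from WSE): give the ASP.NET process
# identity Read access to the private key file behind a LocalMachine\My
# certificate, and report whether the key is a Signature or Exchange key.
# Assumes Windows PowerShell (.NET Framework) and a CSP-based machine key.
# $Account is a placeholder; use "$env:COMPUTERNAME\ASPNET" for the ASPNET
# account on IIS 5 / Windows XP, "NT AUTHORITY\NETWORK SERVICE" on IIS 6.
param(
    [string]$Subject = 'CN=chaudhry',
    [string]$Account = 'NT AUTHORITY\NETWORK SERVICE'
)

# 1. Locate the certificate in the Local Computer "Personal" store.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq $Subject } |
    Select-Object -First 1
if (-not $cert) { throw "No certificate with subject '$Subject' in LocalMachine\My" }
if (-not $cert.HasPrivateKey) { throw "Certificate '$Subject' has no associated private key" }

# 2. Map the certificate to its CryptoAPI key container. For a CSP key the
#    PrivateKey property is an RSACryptoServiceProvider whose container info
#    carries the key spec: KeyNumber 'Signature' (AT_SIGNATURE) cannot do RSA
#    decryption, so WSE cannot unwrap the EncryptedKey with it; 'Exchange'
#    (AT_KEYEXCHANGE, makecert -sky exchange) is required.
$rsa = $cert.PrivateKey -as [System.Security.Cryptography.RSACryptoServiceProvider]
if (-not $rsa) { throw "Private key is not a CryptoAPI (CSP) key; this script only handles CSP containers" }
$info = $rsa.CspKeyContainerInfo
if (-not $info.MachineKeyStore) { throw "Key lives in a user profile, not the machine key store; recreate it with makecert -sr LocalMachine" }
Write-Host "Container : $($info.KeyContainerName)"
Write-Host "KeyNumber : $($info.KeyNumber)  (Exchange is required for decryption)"

# Machine key files live under the common application-data folder on every
# Windows version (C:\ProgramData on Vista and later, "Documents and
# Settings\All Users\Application Data" on Windows 2003 / XP).
$keyDir  = Join-Path ([Environment]::GetFolderPath('CommonApplicationData')) 'Microsoft\Crypto\RSA\MachineKeys'
$keyFile = Join-Path $keyDir $info.UniqueKeyContainerName
if (-not (Test-Path $keyFile)) { throw "Key file not found: $keyFile" }

# 3. Add a Read ACE for the process identity. Read is sufficient for the
#    worker process to load the key and decrypt; Full Control is not needed.
$acl  = Get-Acl $keyFile
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Account, 'Read', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $keyFile -AclObject $acl

# 4. Print the resulting ACL entry so the grant can be verified.
(Get-Acl $keyFile).Access |
    Where-Object { $_.IdentityReference -eq $Account } |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
```

Save it as grant-key-read.ps1 and run it elevated, e.g. `.\grant-key-read.ps1 -Subject 'CN=chaudhry' -Account 'NT AUTHORITY\NETWORK SERVICE'`. If the KeyNumber line prints Signature, fixing the ACL will not be enough on its own; the certificate has to be regenerated with an Exchange key before WSE can decrypt with it.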
Now using extended options of makecert.exe, I have been able to generate
certificates that work well for both digital signatures and encryption.
Thanks
Aadil
"Drew Robbins" <drewr at indepth-tech dot com> wrote in message
news:%23pYZeFT...@TK2MSFTNGP12.phx.gbl...
Use a real certificate generated from a certificate service and you will
have no such problem.
--
This posting is provided "AS IS" with no warranties, and confers no rights
"Aadil Abbas" <ma...@cornell.edu> wrote in message
news:uXzVGeUV...@TK2MSFTNGP11.phx.gbl...