WSE 3.0 CertSrv Request

Post by Techno_De » Sat, 02 Sep 2006 03:57:33


I am having a problem creating the appropriate certificates for mutual X509
security using our in-house Cert Authority with the CertSrv wizard. I have
not found any good documentation on what type of certificates need to be
created and which parameters need to be set in CertSrv. I took a look
at Pablo's blog
http://www.yqcomputer.com/
but all that does is obscure the CertSrv template that is used to create the
desired certificates instead of explaining which options need to be set.

So far I am using the Advanced request option in CertSrv and using the
CA form option to populate the cert details. I'm assuming that the Intended
Purpose is "Server Authentication Certificate" for the WS side and "Client
Authentication Certificate" for the client side. From Pablo's blog it
appears I need to set the CSP to "Microsoft Enhanced Cryptographic Provider
1.0". I marked the Key Usage as Both (Exchange and Signature), set the Key
Size to 1024, checked Create new key set and Mark keys as exportable. I set
the Hash algorithm to SHA-1. Can someone shed some light on what I'm
missing?

Post by Pablo Cibraro » Thu, 07 Sep 2006 23:11:56

Hi,


All those settings are correct, so what error are you receiving from WSE
when you try to use those certificates?

Regards,
Pablo Cibraro
http://www.yqcomputer.com/

Post by Techno_De » Fri, 08 Sep 2006 04:50:16

I'm mainly looking for information on what settings to use when requesting
certificates to use with WSE 3.0 down the road for users and services. From
what I can tell, it appears there are issues like setting up and configuring
Certificate Templates for "Client Authentication", "Service Authentication"
and "Code Signing" that all need to be configured in the Certificate Authority
before a certificate is ever requested. Nowhere in the documentation that
I have seen does it discuss what the certificate requirements are (granted,
the how is not necessarily WSE's problem), the encryption provider to use,
the key formats that should be generated and exported, etc. I guess I was
mainly looking for some guidance on what types of certs to generate and
how. I keep seeing "export the *.pfx certificate", but when certs are
generated there is no option of using a *.pfx, only a *.cer. So far I
have hobbled my way through what I think is correct but was looking for some
confirmation.

Currently I have both a Client Authentication and Service Authentication
certificate installed on my test machine. I exported the Service's public
key and imported that into the Certificates snap-in also. I have hit
various exceptions but am not sure what is helping and what is hurting when I
make changes. Currently I'm getting the exception "Security requirements
are not satisfied because the security header is not present in the incoming
message."
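What the first and third posts are asking for, worked through with OpenSSL instead of CertSrv. This is an added example and not code from the thread: it stands up a throwaway in-house root CA, issues one certificate with the "Server Authentication" purpose for the service and one with "Client Authentication" for the client, each with key usage Both (digitalSignature + keyEncipherment), and then shows the distinction the poster is tripping over: a .cer is the public certificate only and is what you hand to the other side, while a .pfx (PKCS#12) carries the private key and is what you import on the machine that must sign and decrypt. It also runs the chain-and-purpose check a relying party performs, which is the check to reproduce when a certificate that should chain to an installed root is rejected. All names, subjects, paths and the PFX password are invented; it assumes openssl 1.1.1 or later on PATH. It uses 2048-bit RSA and SHA-256 rather than the 1024-bit/SHA-1 settings mentioned in the first post, since those are below current minimums.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce with OpenSSL the certificate
# profile discussed above and show what ends up in a .cer versus a .pfx.
# Assumptions: openssl 1.1.1+ on PATH; names, subjects and the PFX password
# are invented for this example.
set -eu

PFX_PASS=changeit   # example password only; the Windows import wizard prompts for it

# Extension profile for a leaf certificate. $1 = serverAuth|clientAuth, $2 = out file.
# keyUsage is the CertSrv "Both (Exchange and Signature)" setting; extendedKeyUsage
# is the "Intended Purpose" the first post asks about.
write_ext() {
  cat > "$2" <<EOF
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = $1
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer
EOF
}

# Self-signed root CA in directory $1. root.key stays private; root.cer is the
# public certificate that goes into "Trusted Root Certification Authorities".
make_ca() {
  mkdir -p "$1"
  cat > "$1/ca.ext" <<EOF
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Example In-House Root CA" \
    -keyout "$1/root.key" -out "$1/root.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 3650 -in "$1/root.csr" -signkey "$1/root.key" \
    -extfile "$1/ca.ext" -out "$1/root.cer" 2>/dev/null
}

# Issue a leaf: $1 = CA dir, $2 = file stem, $3 = CN, $4 = serverAuth|clientAuth.
# Writes $2.key, $2.csr, $2.cer (certificate only) and $2.pfx (key + cert + chain).
issue_cert() {
  d=$1; n=$2; cn=$3; eku=$4
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$cn" \
    -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null
  write_ext "$eku" "$d/$n.ext"
  openssl x509 -req -sha256 -days 365 -in "$d/$n.csr" \
    -CA "$d/root.cer" -CAkey "$d/root.key" -CAcreateserial \
    -extfile "$d/$n.ext" -out "$d/$n.cer" 2>/dev/null
  # The .pfx is the PKCS#12 bundle imported where the private key must live
  # (client store for the client cert, service store for the service cert).
  # The .cer alone is what the *other* party gets.
  openssl pkcs12 -export -inkey "$d/$n.key" -in "$d/$n.cer" \
    -certfile "$d/root.cer" -name "$cn" -passout "pass:$PFX_PASS" \
    -out "$d/$n.pfx" 2>/dev/null
}

# Print the Extended Key Usage text of a certificate,
# e.g. "TLS Web Client Authentication".
cert_eku() {
  openssl x509 -in "$1" -noout -ext extendedKeyUsage \
    | awk 'NR==2 {sub(/^[ \t]+/, ""); print}'
}

# Exit 0 if the file carries a private key (.pfx should, .cer must not).
has_private_key() {
  case $1 in
    *.pfx) openssl pkcs12 -in "$1" -passin "pass:$PFX_PASS" -nocerts -nodes 2>/dev/null \
             | grep -q 'PRIVATE KEY' ;;
    *)     grep -q 'PRIVATE KEY' "$1" ;;
  esac
}

# Exit 0 if leaf $2 chains to root $1 and is acceptable for purpose $3
# (sslclient|sslserver). The purpose check enforces EKU and key usage, so a
# service certificate offered in the client-authentication role fails here.
verify_for() {
  openssl verify -CAfile "$1" -purpose "$3" "$2" >/dev/null 2>&1
}

demo() {
  dir=$(mktemp -d)
  make_ca "$dir"
  issue_cert "$dir" service "wsservice.corp.example" serverAuth
  issue_cert "$dir" client  "alice@corp.example"    clientAuth
  for f in service client; do
    printf '%s.cer EKU: %s; %s.pfx has private key: %s\n' "$f" "$(cert_eku "$dir/$f.cer")" \
      "$f" "$(has_private_key "$dir/$f.pfx" && echo yes || echo no)"
  done
  verify_for "$dir/root.cer" "$dir/client.cer" sslclient && echo "client.cer: chain and purpose OK"
  verify_for "$dir/root.cer" "$dir/service.cer" sslclient || echo "service.cer: refused as a client cert (EKU)"
  rm -rf "$dir"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run it as `sh certs.sh demo`. The Windows equivalents: "Mark keys as exportable" on the CertSrv request is what later lets you export the store entry together with its private key as a .pfx from the Certificates snap-in (the plain export is the .cer, certificate only), and `openssl verify` here plays the part of CryptoAPI chain building against the Trusted Root store.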

Post by Techno_De » Fri, 08 Sep 2006 06:12:22


The InputTrace from the Client has the following error message. The
Client OutputTrace looks clean. I am unable to get the Service to spit out
any logging info when using a VS ASP.NET Development Server.

<soap:Fault>
<faultcode>soap:MustUnderstand</faultcode>
<faultstring>System.Web.Services.Protocols.SoapHeaderException: SOAP header Security was not understood.
   at System.Web.Services.Protocols.SoapHeaderHandling.SetHeaderMembers(SoapHeaderCollection headers, Object target, SoapHeaderMapping[] mappings, SoapHeaderDirection direction, Boolean client)
   at System.Web.Services.Protocols.SoapServerProtocol.CreateServerInstance()
   at System.Web.Services.Protocols.WebServiceHandler.Invoke()
   at System.Web.Services.Protocols.WebServiceHandler.CoreProcessRequest()</faultstring>
</soap:Fault>

Post by Pablo Cibraro » Sat, 09 Sep 2006 02:33:27

Mmm, it seems that something is misconfigured on the server side. Take a
look at the server trace to see if you can find any error there.

Regards,
pablo.

Post by Techno_De » Sat, 09 Sep 2006 03:35:30

I finally stumbled across the Service log files (I was looking too deep in the
directory structure). The only thing I have in that log file is an error
from yesterday, before I started changing params trying to find a resolution
to the problem. That appeared to be an authentication issue, but I don't
have anything since then, so I'm pretty sure the client proxy call isn't
getting to the service at all. Could it have something to do with the
ASP.NET Development Server caching info like IIS would if it were running
under IIS? My understanding is that the ASP.NET Development Server runs
under the current user's credentials, so it should have access to the cert
store. I'm still stuck. I've looked over the WSE labs for Mutual11Security
and everything appears to be configured the same (except for the virtual
directories in IIS) from what I can tell. Any other thoughts?

Post by Techno_De » Sat, 09 Sep 2006 03:42:02

What would cause the security header not to be present in the message being
sent from the client? My InputLog from the client contains
"Security requirements are not satisfied because the security header is not
present in the incoming message."

Post by Techno_De » Sat, 09 Sep 2006 03:58:55

The output trace has the following:
<processingStep description="Entering SOAP filter Microsoft.Web.Services3.Design.MutualCertificate11Assertion+ClientOutputFilter" />
<processingStep description="Exception thrown: WSE910: An error happened during the processing of a response message, and you can find the error in the inner exception. You can also find the response message in the Response property.">
   at Microsoft.Web.Services3.Messaging.SoapClient.SendRequestResponse(String methodname, SoapEnvelope envelope)
   at Microsoft.Web.Services3.Security.SecurityTokenServiceClient.RequestSecurityToken(SecurityTokenMessage request, String methodName)
   at Microsoft.Web.Services3.Security.SecurityContextTokenServiceClient.RequestSecurityContextToken(AppliesTo appliesTo)
   at Microsoft.Web.Services3.Security.SecurityContextTokenServiceClient.IssueSecurityContextToken(AppliesTo appliesTo)
   at Microsoft.Web.Services3.Security.Tokens.SecurityContextTokenManager.RequestTokenFromIssuer(EndpointReference tokenIssuer, String tokenType, AppliesTo appliesTo, Policy policy, SoapProtocolVersion soapVersion, StateManager messageState, StateManager operationState, StateManager sessionState)
   at Microsoft.Web.Services3.Security.SecureConversationClientSendSecurityFilter.EstablishSecureConversation(SoapEnvelope envelope)
   at Microsoft.Web.Services3.Security.SecureConversationClientSendSecurityFilter.SecureMessage(SoapEnvelope envelope, Security security)
   at Microsoft.Web.Services3.Security.SendSecurityFilter.ProcessMessage(SoapEnvelope envelope)
   at Microsoft.Web.Services3.Pipeline.ProcessOutputMessage(SoapEnvelope envelope)</processingStep>

Post by Techno_De » Sat, 09 Sep 2006 05:54:02

After looking closer at the exception stack trace I went back and added
an extra line to the web.config file that I found a reference to at
http://objectsharp.com/blogs/bruce/archive/2005/11/21/3617.aspx
Apparently the RTM of WSE 3.0 (which I'm pretty sure I am using) doesn't add
the following line to the config file:
<soapServerProtocolFactory type="Microsoft.Web.Services3.WseProtocolFactory,
Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral,
PublicKeyToken=31bf3856ad364e35" />
That was preventing me from communicating with the web service. Once I was
able to get through to the WS, I ran into some certificate problems which I
have temporarily resolved by adding the client's public key cert into the
Trusted People section of the Local Machine store. I believe the
authentication of the certificate could not be verified through the trust,
which is odd since I have the Root CA's public key cert installed in the
Trusted Root Certification Authorities of the Local Machine store. It looks
like I still have a little ways to go but am getting closer. If you have any
input about the cert let me know; in the meantime it looks like I need to
download the newer version of WSE 3.0
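The element from the post above, shown in the context of a minimal service-side web.config. This is an added example, not configuration taken from the thread or quoted from Microsoft's documentation: the `soapServerProtocolFactory` line is the one posted; the `configSections`, `soapExtensionImporterTypes`, `microsoft.web.services3`, `policy` and `x509` elements are written from memory of the WSE 3.0 configuration schema and should be checked against the WSE 3.0 documentation, and the policy file name is invented. Without the protocol factory the request is handled by the plain ASMX pipeline, which has no extension that consumes the `wsse:Security` header the client marks mustUnderstand, so it answers with exactly the `soap:MustUnderstand` fault shown earlier in the thread.

```xml
<?xml version="1.0"?>
<configuration>
  <configSections>
    <section name="microsoft.web.services3"
             type="Microsoft.Web.Services3.Configuration.WebServicesConfiguration, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
  </configSections>

  <system.web>
    <webServices>
      <!-- Added by the WSE 3.0 Settings tool; used when proxies are generated. -->
      <soapExtensionImporterTypes>
        <add type="Microsoft.Web.Services3.Description.WseExtensionImporter, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
      </soapExtensionImporterTypes>
      <!-- The line the thread found missing: routes incoming SOAP through the
           WSE pipeline so the mustUnderstand wsse:Security header is processed
           instead of being rejected by the plain ASMX handler. -->
      <soapServerProtocolFactory type="Microsoft.Web.Services3.WseProtocolFactory, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
    </webServices>
  </system.web>

  <microsoft.web.services3>
    <!-- File name is an assumption for this example. -->
    <policy fileName="wse3policyCache.config" />
    <security>
      <!-- Keep chain validation on. verifyTrust="false" or allowTestRoot="true"
           would make the Trusted People workaround unnecessary only by turning
           the check off. Attribute names as recalled from the WSE 3.0 schema. -->
      <x509 storeLocation="LocalMachine" verifyTrust="true" allowTestRoot="false" />
    </security>
  </microsoft.web.services3>
</configuration>
```

On the trust problem in the post above: placing the client's leaf certificate in Trusted People marks it as an explicitly trusted peer and sidesteps chain building altogether, which is why it "works" even though the chain check was failing. Before shipping that, find out why the chain does not build against the installed root: the two usual causes are the issuing CA certificate missing from the store that the service account actually reads (LocalMachine, not the developer's CurrentUser store) and a CRL distribution point on the certificate that the service cannot reach, which makes revocation checking fail. Both can be reproduced with `certutil -verify -urlfetch <cert.cer>` on the service host, and the fix belongs in the store or the CA's CRL publishing, not in `verifyTrust`.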

