# Tuesday, June 28, 2005

I want to put this out here for anyone else who might run into this problem playing with the Quickstart samples for Microsoft's recently-released WSE 3.0.   To get the WSSecurityUsernamePolicyService sample solution (from the hands-on lab) going, you need to run the CreateSampleVdir.vbs in the solution directory.  Then you'll need to follow the instructions in the "Detailed Instructions," which is linked obscurely towards the end of the certificate setup section.  It links to \Program Files\Microsoft WSE\v3.0\Samples\Sample Test Certificates\readme.htm on my installation. 

When installing the server certificate, be sure to change the file-type drop-down in the certificate importer to pick the WSE2QuickStartServer.pfx file. The importer defaults to *.cer, and it will happily import just the .cer file, which carries only the public certificate and not the private key the server needs.  Put the .pfx in the Local Computer - Personal store.  You will also need to import the WSE2QuickStartServer.cer (that's right, the .cer) file into the Current User 'Other People' store.  To do this, I had to open IE and go to Tools - Internet Options - Content - Certificates - Other People tab because the store wasn't showing up in the MMC snap-in.  I later found that it showed up after I added it via IE.

Now, according to the docs, that's all you need to do, but there is one more step; otherwise, you will likely get a cryptographic exception saying "bad key," which is so far off the mark as to be funny (if you don't have to waste hours tracking down the real problem).  The real problem is that your ASP.NET process identity doesn't have permission to read the server's private key file by default.

To fix this, you can either go find the key file in Explorer (on my machine, it is in \Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys) and grant the Users group Read on that directory, which is probably the best approach if you're dealing with potentially multiple certificates.  Or you can use the WSE X.509 Certificate Tool, which ships with the WSE SDK, to find the cert and then click the View Private Key File Properties... button to bring up the permissions on that specific cert's key file and grant Users the Read right.  Note this applies on XP and 2000; on 2003, you'll want to grant the IIS_WPG group these perms instead.

After doing this, I was able to finally run the username with server certificate sample.  It seems almost sad that so much trouble is involved in running a simple sample, but my experience has been that whenever you involve X.509 certificates, the trouble and complications go through the roof.  Microsoft REALLY NEEDS TO WORK ON USABILITY with X.509 certs, especially now that they're becoming the almost de facto approach for securing Web services.  Nearly every time I've dealt with them has been problematic, and one time I actually had to resort to calling PSS, which is unusual for me.  Maybe this is because I'm not an X.509 expert, but then again, most of us aren't...

Updated: If you go through the Hands-on Lab, you'll note they cover the issues above.  This lab would be a good place to start; unfortunately, I didn't start there. :)  But I'd still suggest granting the groups (Users on XP/2000, IIS_WPG on 2003) access to this directory rather than individual user accounts; this way if you change your service's process identity, you won't have to re-grant permissions for it to see those certs.  And I'd still think that granting these groups Read on the directory would be best, so they can see any other such certs you might install.
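The per-file variant of the permission fix described above and restated in the update, as an added PowerShell example that is not from the original post or the WSE SDK: it locates the private key file for one certificate in the Local Computer - Personal store and grants a group Read on it, which is what the WSE X.509 Certificate Tool's View Private Key File Properties... button lets you do by hand. It assumes the cert was imported from the .pfx (so it has a CSP-style RSA key under MachineKeys) and that the thumbprint and group name you pass in are yours.

```powershell
# Added example, not part of the original post. Grants $Principal Read on the
# MachineKeys file backing one certificate's private key.
# Assumptions: cert lives in Cert:\LocalMachine\My, key is a CSP (RSA) key,
# $Principal is a local group (Users on XP/2000, IIS_WPG on Server 2003).
function Grant-PrivateKeyRead {
    param(
        [Parameter(Mandatory)] [string] $Thumbprint,
        [string] $Principal = 'IIS_WPG'
    )
    $cert = Get-Item "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop

    # The "imported the .cer instead of the .pfx" failure mode: no key to grant.
    if (-not $cert.HasPrivateKey) {
        throw "Certificate $Thumbprint has no private key; import the .pfx, not the .cer."
    }

    # PrivateKey is $null for CNG keys; those are not stored under RSA\MachineKeys.
    $key = $cert.PrivateKey
    if ($null -eq $key) {
        throw "Private key is not a CSP (RSA) key; this script only handles MachineKeys files."
    }

    # UniqueKeyContainerName is the on-disk file name of the key container.
    $fileName = $key.CspKeyContainerInfo.UniqueKeyContainerName
    $keyDir   = Join-Path ([Environment]::GetFolderPath('CommonApplicationData')) `
                          'Microsoft\Crypto\RSA\MachineKeys'
    $keyFile  = Join-Path $keyDir $fileName
    if (-not (Test-Path $keyFile)) { throw "Key file $keyFile not found." }

    # Add a Read allow ACE for the group and write the ACL back.
    $acl  = Get-Acl $keyFile
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Principal, 'Read', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $keyFile -AclObject $acl

    # Return the resulting entries for the group so the caller can confirm the grant.
    (Get-Acl $keyFile).Access |
        Where-Object { $_.IdentityReference -like "*$Principal" } |
        Select-Object IdentityReference, FileSystemRights, AccessControlType
}

# Example call (thumbprint is a placeholder; substitute the sample server cert's):
# Grant-PrivateKeyRead -Thumbprint 'THUMBPRINT_OF_WSE2QuickStartServer' -Principal 'IIS_WPG'
```

Granting Read on the whole MachineKeys directory instead, as the post describes, gives that group read access to every machine-level private key on the box, so the per-file grant is the narrower choice when only one service cert is involved.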

Tuesday, June 28, 2005 10:49:35 AM (Eastern Daylight Time, UTC-04:00)

Copyright © 2019 J. Ambrose Little