I’m doing a web application that utilizes an external web service. This external web service requires me to sign each of my requests. So I’m using WebServicesClientProtocol class and .NET 2.0 by first consuming the external web service and then manually edit the Reference.cs file and change the extended class from System.Web.Services.Protocols.SoapHttpClientProtocol to Microsoft.Web.Services2.WebServicesClientProtocol. Then in the Page_Load method I have the following code:
try { // Create the ws endpoint var uriServiceAddress = new Uri('urn:something-wse:something_NNNN'); var uribuilderViaRouter = new UriBuilder('http://xx.xxx.xx/SrvXXX_NNNN/Test.asmx'); var endpointReference = new EndpointReference(uriServiceAddress, uribuilderViaRouter.Uri); // Create the ws client var client = (WebServicesClientProtocol) new Test.Something(); client.Destination = endpointReference; // Read the certificate from MyStore on LocalMachine X509CertificateStore localStore = X509CertificateStore.LocalMachineStore(X509CertificateStore.MyStore); X509SecurityToken securityToken = null; if (!localStore.OpenRead()) throw new Exception('Unable to open localstore for read'); X509CertificateCollection certificateCollection = localStore.FindCertificateBySubjectString('email@subject.test'); if (certificateCollection.Count == 0) throw new Exception('Unable to obtain security token.'); securityToken = new X509SecurityToken(certificateCollection[0]); localStore.Close(); // Attach the security toekn to the client request client.RequestSoapContext.Security.Tokens.Add(securityToken); client.RequestSoapContext.Security.Elements.Add(new MessageSignature(securityToken)); // Set the timeouts client.RequestSoapContext.Security.Timestamp.TtlInSeconds = 2 * 60; client.Timeout = 60 * 10 * 1000; // 10 mínútur ættu að duga í flest. // Call the test function DataSet set = ((Test.Something)client).searchMethod('Parameter 1', 'Parameter 2'); Label1.Text = User.Identity.Name+ ' worked! ' + set.Tables.Count + ' tables!'; } catch (Exception exc) { Label1.Text = User.Identity.Name + ' exception: ' + exc.ToString(); } This works fine when I run this using the Visual Studio Development Server but when I change to IIS it stops working and I get the ugly Cryptography_CSP_NoPrivateKey exception.
1) I have already read the Certificate properly into LocalMachine/MyStore using MMC and then I change the private key permissions using WSE 2.0 SP3 so that Everyone has full access to it. You can see this from here:
alt text http://www1.ruedenet.is/files/CertError1.png
2) I also set the property so that the Visual Studio Development Server is used when I debug the application:
alt text http://www1.ruedenet.is/files/CertError2.png
3) Then I run it and get a nice result:
alt text http://www1.ruedenet.is/files/CertError3.png
4) However, when I change the property to use IIS (and have VS create the Virtual Directory) like this:
alt text http://www1.ruedenet.is/files/CertError4.png
5) I also change the authentication method in IIS so that I get logged on (no reason for this really):
alt text http://www1.ruedenet.is/files/CertError5.png
6) So I get asked for a windows logon:
alt text http://www1.ruedenet.is/files/CertError6.png
7) And then my page runs and produces the error:
alt text http://www1.ruedenet.is/files/CertError7.png
If you could help me with this I would surely appreciate it. I have already spent hours on it and I don’t want to spend more time if I’m making a fundamental error that you guys can see. BTW: I’m developing using Visual Studio 2008 on Windows Server 2008 with UAC turned off 🙂
Really looking forward to hearing from you guys. Thanks.
🙂
I have solved this issue in a couple of steps:
1) I changed the user of the
Default Application Poolto my username …alt text http://www1.ruedenet.is/files/ErrorFix1.png
… and that worked. I changed the user of the application pool back to
NETWORK SERVICEand it didn’t work again. This told me that the problem had something to do with theNETWORK SERVICEuser. So I went back to looking for what could be the problem with the permissions of this user.2) When browsing and reading the web I found Tim Jacobs’ blogpost App-V 4.5 Certificate Galore at http://timjacobs.blogspot.com/2008/11/app-v-45-certificate-galore.html. Well, there wasn’t anything new in it until at the end where he talks about the storage location of the private key on the disk. So I ran the FindPrivateKey.exe tool, …
… which tells me that the location of the private key is in the
C:\Users\alfred\...directory and theNETWORK SERVICEuser probably doesn’t have access in to this directory!!!3) I therefore followed Tim’s suggestion to use MMC to export the certificate & private key from the
Local Computer/Personal/Certificatesand then import it intoLocal Computer/Trusted Root Certificate Authorities/Certificates. After having exported, FindPrivateKey.exe reported, …… which tells me the export worked. After importing and copy pasting it back to
Local Computer/Personal/CertificatesI get……and now the private key is in a public place, the
C:\ProgramData\...directory. I then changed the private key permissions of theNETWORK SERVICEuser to Full Access using the X509 Certificate Tool as I had done before.And now it works!!!
I just can’t thank you enough for your blogpost Tim. Thank you.