Home/ Questions/Q 7175559
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-28T16:19:24+00:00

I’m trying to create web service with message security. Here is a config: <system.serviceModel>

  • 0

I’m trying to create web service with message security.

Here is a config:

  <system.serviceModel>
    <services>
      <service name="WCFMessage.Service1" behaviorConfiguration="behaviour1">
        <endpoint address="" contract="WCFMessage.IService1" binding="wsHttpBinding" bindingConfiguration="binding1" />
        <endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange"/>
      </service>
    </services>
    <behaviors>
      <serviceBehaviors>
        <behavior name="behaviour1">
          <serviceDebug includeExceptionDetailInFaults="false" />
          <serviceMetadata  httpGetEnabled="true"/>
          <serviceCredentials>
            <serviceCertificate findValue="MyCert"
                                x509FindType="FindBySubjectName"
                                storeLocation="LocalMachine"
                                storeName="My"/>
          </serviceCredentials>
        </behavior>
      </serviceBehaviors>

    </behaviors>
    <bindings>
      <wsHttpBinding>
        <binding name="binding1">
          <security mode="Message">
            <message  clientCredentialType="None" negotiateServiceCredential="false"/>
          </security>
        </binding>
      </wsHttpBinding>
    </bindings>
  </system.serviceModel>

it works well, on localhost, but on IIS, it gives me an error:

The system cannot find the file
specified.

Stack Trace:

It is likely that certificate
‘CN=MyCert’ may not have a private key
that is capable of key exchange or the
process may not have access rights for
the private key.

I’ve tried this method, but error still occurs.

Any help is appreciated.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    I have been having a similar situation in the last few days. I found a workaround which was acceptable for me, so I will share it with you. The problem is in IIS Application Pool user account not having access to the service certificate private key file – or not having the private key in the location where it expects it to be at all!

    Note: I am going to assume you have your own Certification Authority running.

    To work around this issue, follow these steps:

    1. Create a new user account which you are going to use for IIS application pool.
    2. You can create a new app pool to use with this user identity, or assign this new user identity to DefaultAppPool or whichever application pool is used by your service (do this in IIS manager).
    3. Then open IE, navigate to http://yourserver/certsrv to request a new server authentication certificate. Use the same CN (“MyCert”) in your request.
    4. Open Certification Authority to issue the requested certificate.
    5. Go to http://yourserver/certsrv again, click “View the status of a pending certificate request”, then install the certificate.

    6. Now you need to make a change to your “serviceCertificate” web.config section, in a way that it looks like this:

        <serviceCredentials>   
    <serviceCertificate findValue="MyCert"   
                        x509FindType="FindBySubjectName"   
                        storeLocation="CurrentUser"   
                        storeName="My"/>   
  </serviceCredentials>

    7. Save, rebuild the service and test it, it should work fine.

    (it would be easier if this could be achieved using MMC export/import certificate function, but for some reason its behavior is not as we would expect it to be)

    • 0