Hosting WCF Service in IIS ( X509 Keyset does not exist)

Hi,

I host my service in IIS (machine running XP) and try it:

http://localhost/RentSoftware/Rentsoftware.svc

I receive this error:

CryptographicException: Keyset does not exist
System.Security.Cryptography.Utils.CreateProvHandle(CspParameters parameters, Boolean randomKeyContainer) +1460764
System.Security.Cryptography.Utils.GetKeyPairHelper(CspAlgorithmType keyType, CspParameters parameters, Boolean randomKeyContainer, Int32 dwKeySize, SafeProvHandle& safeProvHandle, SafeKeyHandle& safeKeyHandle) +55
System.Security.Cryptography.RSACryptoServiceProvider.GetKeyPair() +79
System.Security.Cryptography.RSACryptoServiceProvider..ctor(Int32 dwKeySize, CspParameters parameters, Boolean useDefaultKeySize) +291
System.Security.Cryptography.X509Certificates.X509Certificate2.get_PrivateKey() +183
System.ServiceModel.Security.SecurityUtils.EnsureCertificateCanDoKeyExchange(X509Certificate2 certificate) +63

[ArgumentException: Please ensure that the certificate 'CN=Rentsoftware' has a private key that is capable of key exchange and that the process has access rights for the private key.]
System.ServiceModel.Security.SecurityUtils.EnsureCertificateCanDoKeyExchange(X509Certificate2 certificate) +2261452

To generate the certificate I did:

makecert.exe -sr LocalMachine -ss MY -a sha1 -n CN=Rentsoftware -sky exchange -pe Rentsoftware.cer


certmgr.exe -add -r LocalMachine -s My -c -n Rentsoftware -r LocalMachine -s TrustedPeople

My web.config:

<system.serviceModel>
  <serviceHostingEnvironment aspNetCompatibilityEnabled="true" />
  <services>
    <service behaviorConfiguration="BehaviorWS" name="Rentsoftware.WCF.RentsoftwareServices">
      <endpoint binding="wsHttpBinding" bindingConfiguration="TransactionalWS"
                contract="Rentsoftware.WCF.Contracts.IBancoService" />
    </service>
  </services>
  <bindings>
    <wsHttpBinding>
      <binding name="TransactionalWS" transactionFlow="true">
        <reliableSession enabled="True"/>
        <security mode="Message" >
          <message clientCredentialType="UserName"/>
        </security>
      </binding>
    </wsHttpBinding>
  </bindings>
  <!-- For debugging purposes set the returnUnknownExceptionsAsFaults attribute to true -->
  <behaviors>
    <behavior name="BehaviorWS" returnUnknownExceptionsAsFaults="true" >
      <serviceCredentials>
        <serviceCertificate findValue="Rentsoftware" x509FindType="FindBySubjectName" />
      </serviceCredentials>
    </behavior>
  </behaviors>
</system.serviceModel>

What's wrong?

Thanks,
Alexnaldo Santos




  • Allen Clark MSFT

    I think what you are asking for is a tool that will run on Windows Server that does not require any additional software to "run", am I right? Probably one that supports command line, silent config as well.

    Perhaps you can elaborate briefly on the issues you had with running the SDK tool on your servers?



  • Hostwap

    Check the documentation for the InfoCard sample in the SDK (under binding\WS). That sample includes scripts for authorizing access to your certificate by the appropriate accounts. I believe that the part of the error message that refers to "access rights" is the part that is putting its finger on the problem.

  • sergey.chub

    I agree with Craig. Make sure the IIS Worker Process account has access rights to the key (ASPNET on IIS 5.1, LOCAL SERVICE on IIS 6 and 7).

    Of course, if you've changed the process identity through Application Pool configuration you'll need to make sure that identity can access the certificate.

    HTH
    -steve


  • panosRS

    The account used by IIS for the anonymous case is a normal user account like any other. Granting this account rights to access certain parts of this machine is a normal part of provisioning an IIS server in a production environment.

    The WinFX SDK isn't required to grant access rights to the IIS anonymous account.



  • lae_1980

    As far as I could find, granting access rights to a certificate could only be accomplished with the CertKeyFileTool.exe that comes with the WinFX SDK. I've been able to copy this tool over to the production environment and use it there (although doing this I've discovered other issues that are probably best discussed as the subject of another post), but I don't know how to accomplish the granting of access rights to a certificate without this tool.

  • Nqkoi

    You need the tool just to find out where the certs are stored. If you know where certs are stored on the production machine you can also grant access directly through the file explorer after navigating to the directory.

  • fender46

    "Also, make sure that the anonymous user account (as specified in that dialog) has access to the certificate and any other necessary resources."

    How do you make sure that the user account has access to the certificate (on a production machine that does not have the WinFX SDK installed on it, only the runtime components)?

    Greg



  • coder99

    I tried the example from :

    ..\TechnologySamples\Basic\Binding\WS\MessageSecurity\Username\CS

    Run :

    setup.bat

    Now, I run the example and receive this error :

    The HTTP request is unauthorized with client authentication scheme 'Anonymous'. The authentication header received from the server was 'Negotiate,NTLM

    What's wrong if I am using the MS example without any changes?

    I will try Infocard sample too.

    Thanks,
    Alexnaldo Santos


  • GPAustralia

    Oh, I figured out the issue that I was alluding to as well. The administrator group (and my user account) didn't have access to the keyset file, so I first had to take ownership of the keyset file. That then enabled me to access the keyset using the CertKeyFileTool.

  • cyberkid1043

    NOTE: certkeyfiletool.exe has been superseded with findprivatekey.exe

  • xfiles

    Thanks Michele,

    For me it was in:

    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys

    Then the other trick thing was to figure out which keyset was for the cert that NetworkService needed access to. This is a pretty cryptic activity. I think that CertKeyFileTool needs to be build in to Windows Server.

    Greg


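The steps the thread describes by hand (find which file under MachineKeys belongs to the service certificate, then grant the worker-process account read access to it) as an added PowerShell example; this is not code from the thread or from any SDK tool. It assumes a CSP key as produced by the question's makecert command, the subject CN=Rentsoftware from the question, and NETWORK SERVICE as the worker identity (change $Account to the ASPNET account or a custom app-pool identity as needed). Run it from an elevated prompt: reading the key container yourself requires access to it, as the post above about taking ownership notes.

```powershell
# Added example: locate the CSP key container file behind a LocalMachine
# certificate and grant the IIS worker identity read access to it.
param(
    [string]$SubjectName = 'CN=Rentsoftware',             # from the question's makecert -n
    [string]$Account     = 'NT AUTHORITY\NETWORK SERVICE'  # assumed worker identity
)

# Pick the certificate the serviceCredentials element points at; it must carry a private key.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq $SubjectName -and $_.HasPrivateKey } |
    Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key found for $SubjectName" }

# For CSP keys (RSACryptoServiceProvider) the unique container name is also the
# file name of the key blob under the machine-wide MachineKeys folder.
$csp = $cert.PrivateKey -as [System.Security.Cryptography.RSACryptoServiceProvider]
if (-not $csp) { throw 'Not a CSP key (CNG keys are stored under Crypto\Keys instead)' }
$container = $csp.CspKeyContainerInfo.UniqueKeyContainerName

# CommonApplicationData resolves to "...\All Users\Application Data" on XP/2003
# and to C:\ProgramData on later Windows, so the path below works on both.
$keyFile = Join-Path ([Environment]::GetFolderPath('CommonApplicationData')) `
    "Microsoft\Crypto\RSA\MachineKeys\$container"
if (-not (Test-Path $keyFile)) { throw "Key file not found: $keyFile" }

# Read is all WCF needs to use the private key; avoid granting Full Control.
$acl  = Get-Acl -Path $keyFile
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Account, 'Read', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $keyFile -AclObject $acl

# Show the resulting ACE so the grant can be verified at a glance.
Write-Host "Granted Read on $keyFile to $Account"
(Get-Acl -Path $keyFile).Access |
    Where-Object { $_.IdentityReference -eq $Account } |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
```

If the service runs under a custom application pool identity, pass that account instead; the grant on the key file is what the "access rights for the private key" part of the error refers to.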

  • CinfulGentleman

    Looks like you need to enable Anonymous authentication in IIS for the virtual directory that hosts your samples.

    Open up the IIS Manager MMC snap-in, navigate to the "ServiceModelSamples" virtual directory and open up its properties window. Click on the "Directory Security" and click the "Edit" button. Make sure the "enable Anonymous Access" box is checked.

    Also, make sure that the anonymous user account (as specified in that dialog) has access to the certificate and any other necessary resources.

