stackoom
  简体   繁体   中英

Problem in Hosting WCF Service using wsHttpBinding in IIS

 原文  2010-07-27 19:11:22       wcf/ wcf-binding/ wcf-security

Question

I am trying to host my service using following configuration. 

<system.serviceModel>
    <services>
        <service name="Test.MyService" behaviorConfiguration="MyServiceBehavior">
            <!--         Service Endpoints -->
            <endpoint address="MyTestService" binding="wsHttpBinding" bindingConfiguration="WebserviceHttpBinding" contract="Test.IMyService"/>
            <endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange"/>
        </service>
    </services>
    <bindings>
        <wsHttpBinding>
            <binding name="WebserviceHttpBinding">
                <security mode="Message">
                    <message clientCredentialType="UserName" negotiateServiceCredential="false"/>
                </security>
            </binding>
        </wsHttpBinding>
    </bindings>
    <behaviors>
        <serviceBehaviors>
            <behavior name="MyServiceBehavior">
                <serviceCredentials>
                    <userNameAuthentication userNamePasswordValidationMode="Custom" customUserNamePasswordValidatorType="Test.CredentialValidator, Test"/>
                    <serviceCertificate findValue="RPKey" x509FindType="FindBySubjectName" storeLocation="LocalMachine" storeName="My"/>
                </serviceCredentials>
                <!--           To avoid disclosing metadata information, set the value below to false and remove the metadata endpoint above before deployment -->
                <serviceMetadata httpGetEnabled="true"/>
                <!--           To receive exception details in faults for debugging purposes, set the value below to true.  Set to false before deployment to avoid disclosing exception information -->
                <serviceDebug includeExceptionDetailInFaults="true"/>
            </behavior>
        </serviceBehaviors>
    </behaviors>
</system.serviceModel>

When I debug this service, I am having no problem. I hosted this service in IIS using Website. When I browse this service from IIS I am getting following exception.

Server Error in '/MyTestService' Application.

Keyset does not exist

Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

Exception Details: System.Security.Cryptography.CryptographicException: Keyset does not exist

Source Error:

An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.

Stack Trace:

[CryptographicException: Keyset does not exist ] System.Security.Cryptography.Utils.CreateProvHandle(CspParameters parameters, Boolean randomKeyContainer) +369 System.Security.Cryptography.Utils.GetKeyPairHelper(CspAlgorithmType keyType, CspParameters parameters, Boolean randomKeyContainer, Int32 dwKeySize, SafeProvHandle& safeProvHandle, SafeKeyHandle& safeKeyHandle) +151 System.Security.Cryptography.RSACryptoServiceProvider.GetKeyPair() +85 System.Security.Cryptography.RSACryptoServiceProvider..ctor(Int32 dwKeySize, CspParameters parameters, Boolean useDefaultKeySize) +280 System.Security.Cryptography.X509Certificates.X509Certificate2.get_PrivateKey() +468 System.ServiceModel.Security.SecurityUtils.EnsureCertificateCanDoKeyExchange(X509Certificate2 certificate) +85

[ArgumentException: The certificate 'CN=RPKey' must have a private key that is capable of key exchange. The process must have access rights for the private key.] System.ServiceModel.Security.SecurityUtils.EnsureCertificateCanDoKeyExchange(X509Certificate2 certificate) +15832031 System.ServiceModel.Security.ServiceCredentialsSecurityTokenManager.CreateServerX509TokenProvider() +45 System.ServiceModel.Security.ServiceCredentialsSecurityTokenManager.CreateLocalSecurityTokenProvider(RecipientServiceModelSecurityTokenRequirement recipientRequirement) +73 System.ServiceModel.Security.ServiceCredentialsSecurityTokenManager.CreateSecurityTokenProvider(SecurityTokenRequirement requirement) +65 System.ServiceModel.Security.SessionRenewSecurityTokenManager.CreateSecurityTokenProvider(SecurityTokenRequirement requirement) +14 System.ServiceModel.Security.SymmetricSecurityProtocolFactory.OnOpen(TimeSpan timeout) +15334232 System.ServiceModel.Security.WrapperSecurityCommunicationObject.OnOpen(TimeSpan timeout) +23 System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout) +563 System.Serv iceModel.Security.SecurityListenerSettingsLifetimeManager.Open(TimeSpan timeout) +101 System.ServiceModel.Channels.SecurityChannelListener 1.OnOpen(TimeSpan timeout) +203 System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout) +563 System.ServiceModel.Dispatcher.ChannelDispatcher.OnOpen(TimeSpan timeout) +87 System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout) +563 System.ServiceModel.ServiceHostBase.OnOpen(TimeSpan timeout) +110 System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout) +563 System.ServiceModel.Security.SecuritySessionSecurityTokenAuthenticator.OnOpen(TimeSpan timeout) +149 System.ServiceModel.Security.WrapperSecurityCommunicationObject.OnOpen(TimeSpan timeout) +23 System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout) +563 System.ServiceModel.Security.SecurityUtils.OpenCommunicationObject(ICommunicationObject obj, TimeSpan timeout) +24 System.ServiceModel.Security.SecuritySessionServerSettings.OnOpen(TimeSpan timeout) +878 System.ServiceModel.Security.WrapperSecurityCommunicationObject.OnOpen(TimeSpan timeout) +23 System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout) +563 System.ServiceModel.Security.SecurityListenerSettingsLifetimeManager.Open(TimeSpan timeout) +153 System.ServiceModel.Channels.SecurityChannelListener 1.OnOpen(TimeSpan timeout) +203 System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout) +563 System.ServiceModel.Dispatcher.ChannelDispatcher.OnOpen(TimeSpan timeout) +87 System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout) +563 System.ServiceModel.ServiceHostBase.OnOpen(TimeSpan timeout) +110 System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout) +563 System.ServiceModel.Security.SecuritySessionSecurityTokenAuthenticator.OnOpen(TimeSpan timeout) +149 System.ServiceModel.Security.WrapperSecurityCommunicationObject.OnOpen(TimeSpan timeout) +23 System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout) +563 System.ServiceModel.Security.SecurityUtils.OpenCommunicationObject(ICommunicationObject obj, TimeSpan timeout) +24 System.ServiceModel.Security.SecuritySessionServerSettings.OnOpen(TimeSpan timeout) +878 System.ServiceModel.Security.WrapperSecurityCommunicationObject.OnOpen(TimeSpan timeout) +23 System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout) +563 System.ServiceModel.Security.SecurityListenerSettingsLifetimeManager.Open(TimeSpan timeout) +153 System.ServiceModel.Channels.SecurityChannelListener 1.OnOpen(TimeSpan timeout) +203 System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout) +563 System.ServiceModel.Dispatcher.ChannelDispatcher.OnOpen(TimeSpan timeout) +87 System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout) +563 System.ServiceModel.ServiceHostBase.OnOpen(TimeSpan timeout) +110 System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout) +563 System.ServiceModel.HostingManager.ActivateService(String normalizedVirtualPath) +135 System.ServiceModel.HostingManager.EnsureServiceAvailable(String normalizedVirtualPath) +654

[ServiceActivationException: The service '/AtlasServices/Service.svc' cannot be activated due to an exception during compilation. The exception message is: The certificate 'CN=RPKey' must have a private key that is capable of key exchange. The process must have access rights for the private key..] System.ServiceModel.AsyncResult.End(IAsyncResult result) +15700960 System.ServiceModel.Activation.HostedHttpRequestAsyncResult.End(IAsyncResult result) +15623609 System.ServiceModel.Activation.HostedHttpRequestAsyncResult.ExecuteSynchronous(HttpApplication context, Boolean flowContext) +265 System.ServiceModel.Activation.HttpModule.ProcessRequest(Object sender, EventArgs e) +227 System.Web.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +80 System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +171

4 answers

solution1
 4 ACCPTED  2010-07-27 19:22:15

This is propabely because on the IIS the account settings are different from the account that you are using to run a local server.

are you working with an X.509 certificate? If so, are you sure you gave read acces privileges to the account that is running the process (that is running IIS) for the file containing the private key?

So if IIS is running under the account Saghar, does Saghar have read privilesges for the key file ?

@update

ArgumentException: The certificate 'CN=RPKey' must have a private key that is capable of key exchange. The process must have access rights for the private key.

this tells me that your IIS account doesn't have permissions to your private key

solution2
 1  2010-07-27 20:44:58

Based on the exception report, it sounds like one of two things may be happening. The certificate you are referencing was either installed into the keystore with only the public key, or the installed certificate is restricted and the account your application pool is running under does not have permission to access the key.

The former case is very easy to run into if the x.509 certificate was not exported as a .pfx, but instead as a .cer. To exchange certificates that contain a private key, the .cer format is insufficient, as it can only contain a DER encoded x.509 public key certificate. You must export your certificate from a certificate server (or from a store that has both keys) as a .pfx file, and make sure you include the private key.

If it is the latter case, then you need to make sure the account of the application pool your service is running under in IIS has permission to access the certificate store the keys are contained within. This article may be helpful: Make X.509 Certificates Accessible to WCF

solution3
 1  2010-11-02 16:40:41

IIS application pool identity does not have access to certificate

  1. Set application pool identity to NETWORK SERVICE
  2. install rktools
  3. run "c:\\Program Files (x86)\\Windows Resource Kits\\Tools\\winhttpcertcfg.exe" -g -c LOCAL_MACHINE\\My -s WSE2QuickStartServer -a "NETWORK SERVICE"

solution4
 0  2010-07-27 19:27:12

If you do not require wshttpbinding, just try changing to basichttpbinding and your issue will probably go away.

We had trouble with this in the past when the client was connecting from a site outside our network. Since the connection was over vpn we had the option of abandoning security for the binding.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Problem hosting WCF service in IIS Express I Cannot deploy my WCF service on IIS using WSHttpBinding wsHttpBinding to WCF Service hosted in IIS throughput issue Configuration of WCF Service using wsHttpBinding Hosting WCF service in IIS WCF service hosting on IIS 6 Hosting WCF service on IIS Hosting WCF Service on IIS WCF wsHttpBinding with IIS WCF REST - problem in hosting on IIS 6
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM