
WSE600: Unable to unwrap a symmetric key using the private key of

Can someone help with the following problem? I am sending an encrypted SOAP
message to a .NET 2.0 + WSE 3.0 web service. When .NET attempts to decrypt
the message it cannot read the private key of the X509 token it requires (or
so it says). I have followed the instructions in the error message and given
the userid full access to the certificate. I have also tried running .NET
under my administrator's userid, which was used to create the self-signed
certificate using makecert, and it still says it can't access it.

So, my belief is that the error message is misleading. I've googled it
and tried every suggestion I can see. I've re-installed .NET and WSE 3 on
another machine and still get the same problem. I've rebuilt the apps, given
access to all directories above the private key, tried several different
combinations of makecert options and still can't crack it.

I need to understand what I can do to debug the error. Is there an internal
trace I can switch on?

Here is the stack trace I get back in my requesting application

System.Web.Services.Protocols.SoapException: Server was unable to process request. ---> System.Security.Cryptography.CryptographicException: WSE600: Unable to unwrap a symmetric key using the private key of an X.509 certificate. Please check if the account 'TEST\admin' has permissions to read the private key of certificate with subject name 'CN=MSFT9' and thumbprint 'BAF779D423F509BC5CD55E9AF0475AC8468521C9'. ---> System.Security.Cryptography.CryptographicException: WSE593: Unable to decrypt the key. Please check if the process has the right permission to access the private key. ---> System.Security.Cryptography.CryptographicException: Bad Key.
   at System.Security.Cryptography.CryptographicException.ThrowCryptogaphicException(Int32 hr)
   at System.Security.Cryptography.Utils._DecryptKey(SafeKeyHandle hPubKey, Byte[] key, Int32 dwFlags)
   at System.Security.Cryptography.RSACryptoServiceProvider.Decrypt(Byte[] rgb, Boolean fOAEP)
   at Microsoft.Web.Services3.Security.Cryptography.RSA15KeyExchangeFormatter.DecryptKey(Byte[] cipherKey)
   --- End of inner exception stack trace ---
   at Microsoft.Web.Services3.Security.Cryptography.RSA15KeyExchangeFormatter.DecryptKey(Byte[] cipherKey)
   at Microsoft.Web.Services3.Security.EncryptedKey.Decrypt()
   --- End of inner exception stack trace ---
   at Microsoft.Web.Services3.Security.EncryptedKey.Decrypt()
   at Microsoft.Web.Services3.Security.Security.LoadXml(XmlElement element)
   at Microsoft.Web.Services3.Security.SecurityInputFilter.ProcessMessage(SoapEnvelope envelope)
   at Microsoft.Web.Services3.Security.Wse2PipelinePolicy.LegacyFilterWrapper.ProcessMessage(SoapEnvelope envelope)
   at Microsoft.Web.Services3.Pipeline.ProcessInputMessage(SoapEnvelope envelope)
   at Microsoft.Web.Services3.WseProtocol.FilterRequest(SoapEnvelope requestEnvelope)
   at Microsoft.Web.Services3.WseProtocol.RouteRequest(SoapServerMessage message)
   at System.Web.Services.Protocols.SoapServerProtocol.Initialize()
   at System.Web.Services.Protocols.ServerProtocolFactory.Create(Type type, HttpContext context, HttpRequest request, HttpResponse response, Boolean& abortProcessing)
   --- End of inner exception stack trace ---

I am using Windows XP with IIS 5.1, .NET 2 and WSE 3.0

Thanks, Dan
May 17 '07 #1
8 Replies


Hi Dan,

As for the WSE private key accessing issue, based on the error message, it
does seem likely that the user account doesn't have sufficient permission to
access the private key.

For the WSE 3.0 service application (client and server), are you using the
Visual Studio 2005 add-in wizard to create the security policy (sign and
encrypt the SOAP messages)?

Also, for modifying the certificate private key permission, are you using
the wsecertificate3.exe utility? For testing, you can manually use some
.NET code to load the certificate and try viewing the certificate private key
info to see whether it reports an error. e.g.

=======================
using System;
using System.Security.Cryptography.X509Certificates;

// Open the machine-wide Personal store read-only and look the certificate up by subject name.
X509Store store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
store.Open(OpenFlags.ReadOnly);

X509Certificate2Collection certs =
    store.Certificates.Find(X509FindType.FindBySubjectName,
    "WSE2QuickStartServer", false);

// Reading PrivateKey throws a CryptographicException if this account cannot open the key.
if (certs.Count > 0)
{
    Console.WriteLine(certs[0].PrivateKey.ToXmlString(true));
}
store.Close();
======================

If the above code can correctly access the private key info, we may have to
look for something else within the service or host environment.

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead

==================================================

Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/subscripti...ult.aspx#notifications.

Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at
http://msdn.microsoft.com/subscripti...t/default.aspx.

==================================================

This posting is provided "AS IS" with no warranties, and confers no rights.

May 18 '07 #2
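As an added diagnostic (my own code, not Steven's, Dan's or WSE's), the program below goes one step further than the snippet above: it opens the certificate from the LocalMachine\TrustedPeople store used in Dan's policy, prints the CSP key container details (including whether the key is an Exchange or Signature key, which is what makecert -sky exchange controls), and repeats the RSA PKCS#1 v1.5 unwrap that WSE's RSA15 key exchange formatter performs. The store name and the default thumbprint (the CN=MSFTC certificate from later in this thread) are assumptions to adjust for another certificate.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
// Added diagnostic, not code from the thread: open the service certificate as the WSE policy
// does (LocalMachine\TrustedPeople) and repeat the failing step from the stack trace, a
// PKCS#1 v1.5 RSA unwrap (RSACryptoServiceProvider.Decrypt with fOAEP = false, as in RSA15).
class WsePrivateKeyCheck
{
    // Returns true when the private key opens and correctly unwraps a test key;
    // throws CryptographicException carrying the CSP's own message otherwise.
    static bool CanUnwrapWithPrivateKey(string thumbprint)
    {
        X509Store store = new X509Store(StoreName.TrustedPeople, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            X509Certificate2Collection certs =
                store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, false);
            if (certs.Count == 0)
                throw new CryptographicException("certificate not found in LocalMachine\\TrustedPeople");
            X509Certificate2 cert = certs[0];
            Console.WriteLine("Subject: {0}  HasPrivateKey: {1}", cert.Subject, cert.HasPrivateKey);
            // Reading PrivateKey is where a genuine ACL problem for this account shows up.
            RSACryptoServiceProvider rsa = cert.PrivateKey as RSACryptoServiceProvider;
            if (rsa == null)
                throw new CryptographicException("private key missing or not an RSA CSP key");
            // makecert -sky exchange should give KeyNumber = Exchange; a Signature key cannot be used to unwrap.
            CspKeyContainerInfo info = rsa.CspKeyContainerInfo;
            Console.WriteLine("Container: {0}  MachineKeyStore: {1}  KeyNumber: {2}  Exportable: {3}",
                info.KeyContainerName, info.MachineKeyStore, info.KeyNumber, info.Exportable);
            // Round-trip a constructed 16-byte symmetric key through the certificate's key pair.
            byte[] symmetricKey = new byte[16];
            new RNGCryptoServiceProvider().GetBytes(symmetricKey);
            RSACryptoServiceProvider pub = (RSACryptoServiceProvider)cert.PublicKey.Key;
            byte[] wrapped = pub.Encrypt(symmetricKey, false);   // fOAEP = false, same as RSA15
            byte[] unwrapped = rsa.Decrypt(wrapped, false);      // the call that raised "Bad Key"
            return Convert.ToBase64String(unwrapped) == Convert.ToBase64String(symmetricKey);
        }
        finally { store.Close(); }
    }

    static void Main(string[] args)
    {
        // Default thumbprint is the CN=MSFTC certificate from this thread; override on the command line.
        string thumbprint = args.Length > 0 ? args[0] : "908DD2C1CD1105D88D03FE27470136670F8C19B8";
        try { Console.WriteLine("Unwrap OK: {0}", CanUnwrapWithPrivateKey(thumbprint)); }
        catch (CryptographicException ex) { Console.WriteLine("Failed: {0}", ex.Message); }
    }
}
```

Run it under the same account the web service runs as (for example via runas), since that is the account named in the WSE600 message.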

Hi Steven,

Thanks for responding so quickly. I tried your suggestion below. At first,
I was unable to print out the private key, but I realised that was because I
had it marked as not exportable, so I generated a new one and could print it.

I used the following makecert command to do this.

makecert -pe -n "CN=MSFTC" -ss TrustedPeople -sr localmachine -r -sky
exchange -e 01/01/2010 -b 01/01/2006 c:\msftc.cer

To make the test as realistic as possible, I thought I would do it in a .NET
web service, so I constructed a simple web service that returns a String and
got it to return the private key. Again this was successful.

<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<soap:Body>
<EchoResponse xmlns="http://tempuri.org/">

</EchoResponse>
</soap:Body>
</soap:Envelope>
I then tried my client application using the newly generated key and the
secure .NET service still returns the same error:

System.Security.Cryptography.CryptographicException: WSE600: Unable to unwrap
a symmetric key using the private key of an X.509 certificate. Please check
if the account 'MACHINE\admin' has permissions to read the private key of
certificate with subject name 'CN=MSFTC' and thumbprint
'908DD2C1CD1105D88D03FE27470136670F8C19B8'.
In answer to your other questions below, yes I did use the Visual Studio
2005 plugin to generate the service. I then tweaked the wse config to get it
how I wanted it.

Here is the config file

<policies xmlns="http://schemas.microsoft.com/wse/2005/06/policy">
  <extensions>
    <extension name="mutualCertificate10Security"
               type="Microsoft.Web.Services3.Design.MutualCertificate10Assertion, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
    <extension name="x509"
               type="Microsoft.Web.Services3.Design.X509TokenProvider, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
  </extensions>
  <policy name="AppPolicy">
    <mutualCertificate10Security establishSecurityContext="false"
                                 renewExpiredSecurityContext="true"
                                 requireSignatureConfirmation="false"
                                 messageProtectionOrder="SignBeforeEncrypt"
                                 requireDerivedKeys="false"
                                 ttlInSeconds="300">
      <serviceToken>
        <x509 storeLocation="LocalMachine" storeName="TrustedPeople"
              findValue="CN=MSFTC" findType="FindBySubjectDistinguishedName" />
      </serviceToken>
      <protection>
        <request signatureOptions="IncludeSoapBody" encryptBody="true" />
        <response signatureOptions="IncludeSoapBody" encryptBody="true" />
        <fault signatureOptions="IncludeSoapBody" encryptBody="false" />
      </protection>
    </mutualCertificate10Security>
  </policy>
</policies>

For modifying the file permissions I am using WseCertificate3.exe.

Thanks, Dan


May 18 '07 #3

Thanks for your reply Dan,

So the problem is not quite specific to access permission, since access to
the private key in non-webservice code works correctly. As you mentioned
that the certificate is generated through makecert.exe, have you turned
on the "AllowTestRoot" setting for your WSE webservice?

=============
<microsoft.web.services3>
  <security>
    <x509 allowTestRoot="true" />
  </security>
</microsoft.web.services3>
===============

This is required when you use a test certificate that doesn't have a trusted
root.

BTW, if possible, I suggest you use a Windows server (which has Certificate
Services installed); you can simulate a real-world certificate (and trusted
CA) scenario in this way.

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead
This posting is provided "AS IS" with no warranties, and confers no rights.

May 22 '07 #4

Hi Steven,

I do have allowTestRoot set, as well as several other options. Here is the
extract from my configuration:

<microsoft.web.services3>
<policy fileName="wse3policyCache.config"/>
<security>
<x509 verifyTrust="true" allowTestRoot="true" revocationMode="Offline"
verificationMode="TrustedPeopleOrChain" storeLocation="LocalMachine"/>
<binarySecurityTokenManager>
<add
valueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3">
<keyAlgorithm name="RSA15"/>
</add>
</binarySecurityTokenManager>
</security>
<diagnostics>
<trace enabled="true" input="c:\InputTrace.webinfo"
output="c:\OutputTrace.webinfo"/>
<detailedErrors enabled="true"/>
</diagnostics>
</microsoft.web.services3>
Is there any way to turn on internal trace in .NET and WSE 3, to see why the
problem is occurring?

I will investigate the windows server option that you mentioned.

Thanks, Dan



May 23 '07 #5

Hi Dan,

Have you got any further progress on this? Do the certificates issued by
Windows Certificate Services work for your scenario? For WSE 3.0, so far
there is no other internal trace that can track the certificate
negotiation or processing. The only trace available is the input/output
trace for SOAP messaging or processing.

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead
This posting is provided "AS IS" with no warranties, and confers no rights.

May 28 '07 #6

Hi Dan,

Have you got any further progress on this issue? If there is still anything
we can help, please feel free to post here.

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead
This posting is provided "AS IS" with no warranties, and confers no rights.

May 30 '07 #7

Hi Steven,

I haven't made any progress. I did a clean install of Windows 2000 and tried
from that to see if I got a different result to Windows XP, but the problem is
the same. For the time being, I have decided not to pursue this any further
as it is taking too much time. I don't have access to a Windows 2003 server,
so I have not tried that approach.

Thanks for your help,
Dan

Jun 5 '07 #8

Thanks for your follow-up, Dan,

I'm sorry to hear that the problem still remains. Anyway, if you continue
to work on this issue later and need any help, please feel free to post
here.

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead
This posting is provided "AS IS" with no warranties, and confers no rights.

Jun 8 '07 #9
