Modifying WSE Policy Files in Production Apps

I learned this the hard way, as usual.

We had to change the X509 Certificate that we were using for our application. That meant that the policy config file on the client and the app had to have the certificate identity defined by the findValue parameter of the X509 node.

<serviceToken>
<x509 storeLocation=LocalMachine storeName=My findValue=CN=MyCertificateName findType=FindBySubjectDistinguishedName />
</
serviceToken>

I made all of the necessary changes and ran the client app. I received an error from the server:

“WSE2006: EncryptedKeyToken in the security header of the incoming message is encrypted with a different security token than expected.”

That’s telling me that the certificate on the client side doesn’t match the certificate on the server side. After triple checking my setup and configuration, I went to turn tracing on on the server side to see what the heck was going on. This meant modifying the web.config. Suddenly the app worked.

Editing web.config forces an app restart so this made me realize that the policy file must have been getting cached in the AppDomain and the restart forced the revised policy to be read. Mark Fussell confirmed that to be the case.

  Sign up for my newsletter so you don't miss my conference & Pluralsight course announcements!  

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.