I was pushing a new WSE 3.0 web service to a test web server. Whenever I tried to authenticate I was getting “Security Token could not be retrieved” from the server.
WSE590: Failed to resolve the following Key Info …..
I knew the sample x509 server certificate was installed. I knew I had assigned read permissions to Network Service with the Certificate tool that comes with WSE.
It took me quite a while before I realized I had installed the certificate that came with WSE2, which is different from the certificates I had created with the WSE3 Setup in the Samples.
What finally made me realize it was that the error message referred to the SHA-1 key identifier the client had sent for the server to look up, and that was not the key identifier of the server certificate.
So I uninstalled the wrong certificate and installed the correct one.
Now, as a test, I did not give permission to the Network Service account to access the certificate.
The message was very different:
WSE600: Unable to unwrap a symmetric key using the private key of an X.509 certificate. Please check if the account ‘NT AUTHORITY\NETWORK SERVICE’ has permissions to read the private key of certificate with subject name ‘CN=WSE2QuickStartServer’ and the thumbprint…..
Now how specific is that? So I am now more confident that “security token could not be retrieved” is literally about FINDING the token, not using it, which can save me a lot of time if I make that mistake again!
Another thing that messed me up was that I had originally installed the certificate into the Current User’s store but I wanted it in Local Machine. You need to export and import certificates to make them work properly. But I didn’t know this and just dragged and dropped it to the Local Computer’s Personal Store instead. That was a no-no. The documentation (see the note in “How to: Make X.509 Certificates Accessible to WSE”) explains that when you do this, even if you use the certificate tool (or other means) to apply the ASPNET or NETWORK SERVICE perms, it won’t work. That is because the file associated to the certificate (and it is the file that is getting the permissions) does not get moved along with the certificate.
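A quick way to check all three failure points above (certificate not in the Local Machine store, store entry without its key file, NETWORK SERVICE lacking read on that file) is the PowerShell script below. It is an added diagnostic, not code from the original post or from WSE; it assumes a CSP (RSACryptoServiceProvider) key, Windows Vista or later for the MachineKeys path, and an elevated session, and it uses the subject name quoted in the WSE600 message.

```powershell
# Added diagnostic (not from the original post): verify that a WSE server
# certificate is in the Local Machine Personal store, has a private key
# file, and that NETWORK SERVICE can read that file.
# Assumptions: CSP key (not CNG), Vista+ MachineKeys path, elevated session.
param(
    [string]$Subject = 'CN=WSE2QuickStartServer',   # subject from the post
    [string]$Account = 'NT AUTHORITY\NETWORK SERVICE'
)

$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq $Subject } |
        Select-Object -First 1

if (-not $cert) {
    # This is the WSE590 / "security token could not be retrieved" case:
    # the store lookup itself fails, so permissions never come into play.
    Write-Host "Certificate '$Subject' not found in LocalMachine\My."
    Write-Host "Check Cert:\CurrentUser\My; a cert copied from there must be exported and re-imported."
    return
}

Write-Host ("Found {0}  thumbprint {1}" -f $cert.Subject, $cert.Thumbprint)

if (-not $cert.HasPrivateKey) {
    Write-Host "Store entry has no private key: the key file did not come along with the certificate."
    return
}

# CSP private keys are files under MachineKeys; the ACL on that file is
# what the WSE certificate tool sets, not anything on the store entry.
$container = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
$keyFile   = Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" $container
if (-not (Test-Path $keyFile)) {
    Write-Host "Key container file not found at $keyFile (key may be CNG or user-scoped)."
    return
}

$acl  = Get-Acl $keyFile
$rule = $acl.Access | Where-Object {
    $_.IdentityReference.Value -eq $Account -and
    $_.AccessControlType -eq 'Allow' -and
    $_.FileSystemRights.ToString() -match 'Read|FullControl'
}
if ($rule) {
    Write-Host "$Account can read the private key file; WSE600 should not occur."
} else {
    Write-Host "$Account has no Read on $keyFile; expect WSE600 until it is granted."
}
```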