Common Error Messages
This section lists common WSE error messages categorized by feature area, the situations that may cause them, and possible remedies.
X.509 Certificates
| Error message | Cause | Remedy |
|---|---|---|
| Certificate does not support Digital Signature | The certificate does not support digital signature usage. | Use a different certificate that supports digital signatures. |
| No private key available for this certificate | The private key is not available in the WSE store location, which is the local computer by default. | Add a private key to the configured store, and then change the WSE store location (current user) to where the private key is stored. |
| Keyset does not exist | Private key access denied. | Grant the account under which ASP.NET is running read permission to the private key. For more information about granting the Read permission, see the Required Permissions for WSE to Sign or Decrypt with an X.509 Certificate section of Managing X.509 Certificates. |
| Keyset does not exist | Private key not found. | Make sure the private key for the certificate is installed. |
Clock Difference Between the Client and Web Service's Computers
| Error message | Cause | Remedy |
|---|---|---|
| WSE2248: Expiry in the past is not allowed - or - WSE2249: Expiry before creation is not allowed. - or - WSE511: It is invalid to use the security token now because the token is either expired or postdated. | There is a time difference between the client and Web service computers that makes a security token invalid to the recipient. The security token may also be genuinely expired or postdated. | To support a distributed environment where the clocks of the client and Web service computers are too far apart, do one of the following: |
Kerberos Tokens
| Error message | Cause | Remedy |
|---|---|---|
| An invalid security token was provided. | The application is running on Windows XP and the account under which the application is running (typically ASPNET) does not have the high-security permission required to access the Kerberos ticket on Windows XP. | Grant the high-security permission to the account under which the application is running by doing one of the following: Note: Kerberos tokens are not supported on computers running versions of Windows earlier than Windows Server 2003 or Windows XP with Service Pack 1. When your application runs on Windows XP, the ASPNET account requires a high-security permission. |
| The Kerberos ticket could not be retrieved. | The SOAP message sender's clock is not synchronized with the domain controller. | Synchronize the clocks on the two computers. |
| The network path is not found. | The service principal name used to create the KerberosToken instance is registered to two different principals in Active Directory. | Remove the service principal name from one of the two principals. |
| There are currently no logon servers available to service the logon request. | The identity associated with a KerberosToken security token is being used for constrained delegation and Domain Name Service (DNS) is not configured correctly for the network. | Configure DNS correctly. To determine whether this is the problem, ping the computer that hosts the target Web service using its fully qualified DNS name. |
| A specified logon session does not exist. It may already have been terminated. | The identity associated with a KerberosToken security token is being used for constrained delegation, but constrained delegation is not configured correctly. | Configure constrained delegation using the steps in the How to: Configure an Application to Use Constrained Delegation topic. |
| Logon failure: Unknown user name or bad password. | A KerberosToken security token is sent to a SoapReceiver that does not have a service principal name configured for it. | Configure a service principal name for the SoapReceiver using the SetSpn.exe tool. For details about registering service principal names, see SetSpn.exe. The following example maps the DomainMain\AccountName domain account to the TcpService/Contoso service principal name. |
| Logon failure: Unknown user name or bad password. | The identity associated with a KerberosToken security token is being used for constrained delegation and the target principal name used to create the KerberosToken security token instance is incorrect. | Use the correct target principal name. For more details, see the constructors for KerberosToken. When the target Web service is hosted by a SoapReceiver class, the name cannot be in the form HOST/ServerName. |
| Logon failure: Unknown user name or bad password. | The KerberosToken security token was obtained for a computer other than the one to which the SOAP message containing it is sent. | Obtain a KerberosToken security token for the computer to which the SOAP message is sent. |
| Logon failure: Unknown user name or bad password. | The KerberosToken security token is used for more than one security operation. | KerberosToken security tokens are unlike other security tokens: you must create a new instance of the security token for every SOAP message that you want to sign and/or encrypt with it. |
Note
Error messages associated with KerberosToken security tokens may not contain the full HRESULT that is returned from the AcceptSecurityContext API. To get the full HRESULT, prepend 80090 to the error code shown in the message. For example, the full HRESULT for the following error message is 80090317 (80090 followed by 317): WSE594: AcceptSecurityContext call failed with the following error message: WSE595: Failed to convert the error code 317.
Signature Verification
| Error message | Cause | Remedy |
|---|---|---|
| An invalid security token was provided. | The certificate chain is missing from the configured WSE store location (local computer by default). | Install a trusted root chain into the configured WSE store location. |
| An invalid security token was provided. | The certificate chain in the configured WSE store location (local computer by default) is not trusted. | Use a different certificate that is issued by a trusted root. |
| An invalid security token was provided. | The certificate was revoked. | Obtain a different certificate. |
| An invalid security token was provided. | The certificate has expired. | Renew the certificate. |
| An invalid security token was provided. | The certificate is pending (not yet valid). | Wait until the certificate is valid. |
| The security token cannot be authenticated or authorized. | The SOAP message was tampered with in transit or it is corrupt. | Investigate the source of the problem. |
| An invalid security token was provided. | The digital signature was produced with a certificate that does not support digital signatures. | Sign the SOAP message with a certificate that supports digital signatures. |
Encryption
| Error message | Cause | Remedy |
|---|---|---|
| Security token does not support Data Encryption. | The Key Usage property of the certificate does not include Data Encipherment. | Use a certificate with a Key Usage property that includes Data Encipherment. |
| System.ComponentModel.Win32Exception: Bad Key. | The Key Usage property of the X.509 certificate is set to Sign Only. | Use a certificate with a Key Usage property that includes Data Encipherment. |
Decryption
| Error message | Cause | Remedy |
|---|---|---|
| Keyset does not exist. | The private key is not available in the configured WSE store location (local computer by default). | Add the private key to the configured store, and then change the WSE store location (current user) to the store that holds the private key. |
| Keyset does not exist. | The signature or encryption was invalid. | Use a different certificate. |
| Keyset does not exist. | Permission is not granted to use the private key. | Grant private key access permission to the WSE Web application. By default, private key access is granted only to the Administrator account and the account that installs the private key. For more information about granting the permission, see the Required Permissions for WSE to Sign or Decrypt with an X.509 Certificate section of Managing X.509 Certificates. |
| An invalid security token was provided. | The Key Usage property of the certificate does not include Data Encipherment. | Use a certificate with a Key Usage property that includes Data Encipherment. |
| Referenced security token could not be retrieved. | Certificate not found. | Install the certificate with its private key in the certificate store location specified in the configuration file. For more information about configuring the certificate store that WSE looks in, see <x509> Element. |
| Referenced security token could not be retrieved. | Certificate revoked. | Use another certificate. |
| Referenced security token could not be retrieved. | The certificate is not trusted by the recipient. | Use a certificate that is trusted by the recipient. |
| An unsupported signature or encryption algorithm was used. | An algorithm other than RSA was used for asymmetric encryption. | The sender is using an algorithm that is not supported by WSE. |
| An unsupported signature or encryption algorithm was used. | An algorithm other than RSA was used for session key encryption. | The sender is using an algorithm that is not supported by WSE. |
| An unsupported signature or encryption algorithm was used. | An algorithm other than Triple DES or Rijndael (AES128, AES192, AES256) was used for symmetric encryption. | The sender is using an algorithm that is not supported by WSE. |
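Most of the certificate-related rows in the X.509 Certificates, Signature Verification, Encryption and Decryption tables above can be checked before WSE ever builds or verifies a message. The following C# diagnostic is an added example, not code from the WSE documentation or the WSE libraries: it looks a certificate up by thumbprint in the LocalMachine\My store (WSE's default location; the store and the thumbprint argument are assumptions to adjust to your <x509> configuration), then reports validity period, Key Usage, private-key availability and chain trust in terms of the error messages listed on this page. Run it under the same account as the WSE application (typically ASPNET), because the "Keyset does not exist" access-denied case only appears when that account tries to open the key.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Added diagnostic (not part of WSE). Reproduces the certificate checks behind the
// errors in the tables above so they can be spotted before a SOAP message is
// signed, encrypted, verified or decrypted. Store location and thumbprint are
// assumptions; adjust them to the store configured in the <x509> element.
public static class WseCertificateDiagnostics
{
    // Returns one finding per problem; an empty list means the certificate passed.
    public static IList<string> Check(X509Certificate2 cert, bool needSign, bool needEncrypt, bool needPrivateKey)
    {
        List<string> findings = new List<string>();
        DateTime now = DateTime.Now;

        // Validity period: "The certificate is pending" / "The certificate has expired".
        if (now < cert.NotBefore)
            findings.Add("Certificate is pending (not valid before " + cert.NotBefore + ")");
        if (now > cert.NotAfter)
            findings.Add("Certificate has expired (not valid after " + cert.NotAfter + ")");

        // Key Usage: signing needs Digital Signature, encryption needs Data Encipherment
        // ("Certificate does not support Digital Signature",
        //  "Security token does not support Data Encryption", "Bad Key").
        foreach (X509Extension ext in cert.Extensions)
        {
            X509KeyUsageExtension ku = ext as X509KeyUsageExtension;
            if (ku == null) continue;
            if (needSign && (ku.KeyUsages & X509KeyUsageFlags.DigitalSignature) == 0)
                findings.Add("Key Usage lacks Digital Signature");
            if (needEncrypt && (ku.KeyUsages & X509KeyUsageFlags.DataEncipherment) == 0)
                findings.Add("Key Usage lacks Data Encipherment");
        }

        // Private key: HasPrivateKey only says the certificate references a key container.
        // Opening the key is what raises "Keyset does not exist" when the container is
        // missing or the current account lacks read permission on it.
        if (needPrivateKey)
        {
            if (!cert.HasPrivateKey)
            {
                findings.Add("No private key available for this certificate in this store");
            }
            else
            {
                try
                {
                    using (RSA rsa = cert.GetRSAPrivateKey())
                    {
                        if (rsa == null)
                            findings.Add("Private key is not an RSA key (WSE supports only RSA for asymmetric operations)");
                    }
                }
                catch (CryptographicException ex)
                {
                    findings.Add("Private key is not usable by account " + Environment.UserName + ": " + ex.Message);
                }
            }
        }

        // Chain: "An invalid security token was provided" for a missing or untrusted
        // root, and for a revoked certificate when online revocation checking succeeds.
        X509Chain chain = new X509Chain();
        chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
        chain.ChainPolicy.RevocationFlag = X509RevocationFlag.EntireChain;
        if (!chain.Build(cert))
        {
            foreach (X509ChainStatus status in chain.ChainStatus)
                findings.Add("Chain: " + status.Status + " - " + status.StatusInformation.Trim());
        }
        return findings;
    }

    // Look the certificate up the way the configured WSE store would
    // ("Referenced security token could not be retrieved" when it is absent).
    public static X509Certificate2 FindByThumbprint(StoreLocation location, string thumbprint)
    {
        X509Store store = new X509Store(StoreName.My, location);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            X509Certificate2Collection found =
                store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, false);
            return found.Count == 0 ? null : found[0];
        }
        finally
        {
            store.Close();
        }
    }

    public static void Main(string[] args)
    {
        // The thumbprint is a placeholder; pass the real one as the first argument.
        string thumbprint = args.Length > 0 ? args[0] : "PLACEHOLDER_THUMBPRINT";
        X509Certificate2 cert = FindByThumbprint(StoreLocation.LocalMachine, thumbprint);
        if (cert == null)
        {
            Console.WriteLine("Certificate not found in LocalMachine\\My; check the <x509> store configuration.");
            return;
        }
        Console.WriteLine("Checking " + cert.Subject + " as " + Environment.UserName);
        foreach (string finding in Check(cert, true, true, true))
            Console.WriteLine(finding);
    }
}
```

The chain status list will often show more than one entry for a single root cause (for example NotTimeValid together with PartialChain), so read it top to bottom and fix the first problem before re-running.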
Referral Cache
| Error message | Cause | Remedy |
|---|---|---|
| Endpoint Not Supported. | The routing receiver does not support the URI scheme, or it does not service that part of the URI space (for example, unsupported Unicode characters are used in the referral cache). | Do not use an unsupported URI scheme or an unserviced portion of the URI space (for example, Unicode characters in the referral cache file). |