Common Error Messages

This section lists common WSE error messages categorized by feature area, the situations that may cause them, and possible remedies.

X.509 Certificates

Error message Cause Remedy

Certificate does not support Digital Signature

The certificate does not support digital signature usage.

Use a different certificate that supports digital signatures.

No private key available for this certificate

The private key is not available in the WSE store location, which is the local computer by default.

Add a private key to the configured store, and then change the WSE store location (current user) to where the private key is stored.

Keyset does not exist

Private key access denied.

Grant the account under which ASP.NET is running read permission to the private key. For more information about granting the Read permission, see the Required Permissions for WSE to Sign or Decrypt with an X.509 Certificate section of Managing X.509 Certificates.

Keyset does not exist

Private key not found.

Make sure the private key for the certificate is installed.

Clock Difference Between the Client and Web Service's Computers

Error message Cause Remedy

WSE2248: Expiry in the past is not allowed

- or -

WSE2249: Expiry before creation is not allowed.

- or -

WSE511: It is invalid to use the security token now because the token is either expired or postdated.

A time difference between the client and the Web service makes a security token appear invalid to the recipient. The security token could also be legitimately invalid.

To support a distributed environment in which the client and Web service computers have time settings that are too far apart, do one of the following:

  • Synchronize the time settings.
  • Add <timeToleranceInSeconds> elements to the configuration files for the client and the Web service to allow for the difference.
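
The following Python model is an added example, not WSE code; the function names and the symmetric widening of the Created/Expires window by the tolerance are assumptions. It shows why a skewed receiver clock rejects a good token and how large a tolerance would absorb the skew.

```python
import math
from datetime import datetime, timedelta, timezone

def check_token_window(created, expires, receiver_now, tolerance_s=0):
    """Classify a token's Created/Expires window as the receiver sees it.

    Assumed model (not WSE's implementation): the receiver widens the
    window by tolerance_s seconds on each side before comparing.
    """
    if expires < created:
        return "expiry-before-creation"  # malformed, no tolerance fixes this
    tol = timedelta(seconds=tolerance_s)
    if receiver_now + tol < created:
        return "postdated"  # receiver clock is behind the sender's
    if receiver_now - tol > expires:
        return "expired"  # receiver clock is ahead, or the token is old
    return "valid"

def min_tolerance_needed(created, expires, receiver_now):
    """Smallest whole-second tolerance that makes the token acceptable."""
    if receiver_now < created:
        gap = created - receiver_now
    elif receiver_now > expires:
        gap = receiver_now - expires
    else:
        return 0
    return math.ceil(gap.total_seconds())

def acceptance_window_s(created, expires, tolerance_s):
    """Total seconds during which the receiver accepts the token.

    Every second of tolerance is added twice, so a large value also keeps
    a captured token usable for longer; prefer fixing the clocks.
    """
    return int((expires - created).total_seconds()) + 2 * tolerance_s

# Constructed sample: token issued at 12:00:00 UTC with a 5-minute lifetime.
CREATED = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
EXPIRES = CREATED + timedelta(minutes=5)
FAST_RECEIVER = CREATED + timedelta(minutes=7)  # receiver clock 7 min ahead
SLOW_RECEIVER = CREATED - timedelta(minutes=3)  # receiver clock 3 min behind

if __name__ == "__main__":
    for now in (FAST_RECEIVER, SLOW_RECEIVER):
        need = min_tolerance_needed(CREATED, EXPIRES, now)
        print(check_token_window(CREATED, EXPIRES, now), "-> needs", need, "s;",
              check_token_window(CREATED, EXPIRES, now, need), "with tolerance")
```
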

Kerberos Tokens

Error message Cause Remedy

An invalid security token was provided.

The application is running on Windows XP and the account under which the application is running (typically ASPNET) does not have the required high-security permissions to access the Kerberos ticket on Windows XP.

Grant the high-security permission to the account under which the application is running by doing one of the following:

  1. Grant the ASPNET account the Act as Part of the Operating System permission by using the Local Security Settings administrative tool, and then restart the system.
  2. Set the userName attribute of the <processModel> element in the Machine.config file to "system", and then reset IIS.

Note: Kerberos tokens are not supported on computers that are running versions of Windows that are earlier than Windows Server 2003 or Windows XP with Service Pack 1. When you are running your application on Windows XP, the ASPNET account requires a high-security permission.

The Kerberos ticket could not be retrieved.

SOAP message sender's clock is not synchronized with the domain controller.

Synchronize the clocks on the two computers.

The network path is not found.

The service principal name used to create the KerberosToken instance is registered in two different principals in Active Directory.

Unregister one of the service principal names.

There are currently no logon servers available to service the logon request.

The identity associated with a KerberosToken security token is being used for constrained delegation and Domain Name Service (DNS) is not configured correctly for the network.

Configure DNS correctly. To determine if this is the problem, ping the computer that is hosting the target Web service using its fully qualified DNS name.

A specified logon session does not exist. It may already have been terminated.

The identity associated with a KerberosToken security token is being used for constrained delegation, but constrained delegation is not configured correctly.

Configure constrained delegation using the steps in the How to: Configure an Application to Use Constrained Delegation topic.

Logon failure: Unknown user name or bad password.

A KerberosToken security token is sent to a SoapReceiver that does not have a service principal name configured for it.

Configure a service principal name for the SoapReceiver using the SetSpn.exe tool. For details about registering service principal names, see SetSpn.exe. The following example maps the DomainName\AccountName domain account to the TcpService/Contoso service principal name.

setspn.exe -a TcpService/Contoso DomainName\AccountName

Logon failure: Unknown user name or bad password.

The identity associated with a KerberosToken security token is being used for constrained delegation and the target principal name used to create the KerberosToken security token instance is incorrect.

Use the correct target principal name. For more details, see the constructors for KerberosToken.

When the target Web service is created using a SoapReceiver class, the target principal name cannot be in the format HOST/ServerName.

Logon failure: Unknown user name or bad password.

The KerberosToken security token is obtained for a computer other than the one to which the SOAP message that contains the KerberosToken security token is sent.

Obtain a KerberosToken security token for the computer to which the SOAP message is sent.

Logon failure: Unknown user name or bad password.

The KerberosToken security token is used for more than one security operation.

KerberosToken security tokens are unlike other security tokens, in that you must create a new instance of the security token for every SOAP message that you want to sign and/or encrypt with the security token.

Note

Error messages associated with KerberosToken security tokens may not contain the full HRESULT that is returned from the AcceptSecurityContext API. To get the full HRESULT, prepend the value 80090. That is, the full HRESULT value for the following error message is 80090317 (80090 + 317): WSE594: AcceptSecurityContext call failed with the following error message: WSE595: Failed to convert the error code 317.
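
A log-triage helper for the note above, as an added Python example that is not part of WSE: it pulls the partial code out of a WSE595 line, prepends 80090 as described, and names the resulting SSPI status. The function names and the log lines other than the code 317 message are constructed, the status names are the winerror.h constants, and treating the partial code as three hexadecimal digits is an assumption, since the page shows only 317.

```python
import re

# Subset of SSPI status codes as defined in the Windows SDK (winerror.h).
SSPI_STATUS = {
    0x80090308: "SEC_E_INVALID_TOKEN",
    0x8009030C: "SEC_E_LOGON_DENIED",
    0x8009030E: "SEC_E_NO_CREDENTIALS",
    0x80090311: "SEC_E_NO_AUTHENTICATING_AUTHORITY",
    0x80090317: "SEC_E_CONTEXT_EXPIRED",
    0x80090322: "SEC_E_WRONG_PRINCIPAL",
    0x80090324: "SEC_E_TIME_SKEW",
}

# Assumption: the partial code is three hex digits (the page shows only 317).
PARTIAL_CODE = re.compile(
    r"WSE595: Failed to convert the error code ([0-9A-Fa-f]{3})\b")

def full_hresult(partial):
    """Prepend 80090 to the partial code, e.g. '317' -> 0x80090317."""
    return int("80090" + partial, 16)

def triage(lines):
    """Return (line_number, hresult_text, status_name) per WSE595 line."""
    findings = []
    for number, line in enumerate(lines, start=1):
        match = PARTIAL_CODE.search(line)
        if not match:
            continue  # not an AcceptSecurityContext failure
        hresult = full_hresult(match.group(1))
        name = SSPI_STATUS.get(hresult, "not in table, look up in winerror.h")
        findings.append((number, f"0x{hresult:08X}", name))
    return findings

# Constructed sample log; only the code 317 message text comes from the page.
SAMPLE_LOG = [
    "WSE594: AcceptSecurityContext call failed with the following error "
    "message: WSE595: Failed to convert the error code 317.",
    "Logon failure: Unknown user name or bad password.",
    "WSE594: AcceptSecurityContext call failed with the following error "
    "message: WSE595: Failed to convert the error code 322.",
    "WSE594: AcceptSecurityContext call failed with the following error "
    "message: WSE595: Failed to convert the error code 30c.",
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(*finding)
```
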

Signature Verification

Error message Cause Remedy

An invalid security token was provided.

A missing certificate chain at the configured WSE store location (local computer by default).

Install a trusted root chain into the configured WSE store location.

An invalid security token was provided.

An untrusted certificate chain at the configured WSE store location (local computer by default).

Use a different certificate that is issued by a trusted root.

An invalid security token was provided.

The certificate was revoked.

Obtain a different certificate.

An invalid security token was provided.

The certificate has expired.

Renew the certificate.

An invalid security token was provided.

The certificate is pending.

Wait until the certificate is valid.

The security token cannot be authenticated or authorized.

The SOAP message was tampered with in transit or it is corrupt.

Investigate the source of the problem.

An invalid security token was provided.

The digital signature was signed by a certificate that does not support digital signatures.

Sign the SOAP message with a certificate that supports digital signatures.

Encryption

Error message Cause Remedy

Security token does not support Data Encryption.

The Key Usage property of the certificate does not include Data Encipherment.

Use a certificate with a Key Usage property that includes Data Encipherment.

System.ComponentModel.Win32Exception: Bad Key.

The Key Usage property of the X.509 certificate is set to Sign Only.

Use a certificate with a Key Usage property that includes Data Encipherment.

Decryption

Error message Cause Remedy

Keyset does not exist.

The private key is not available in the configured WSE store location (local computer by default).

Add the private key to the configured store, and then change the WSE store location (current user) to the store that holds the private key.

Keyset does not exist.

The signature or encryption was invalid.

Use a different certificate.

Keyset does not exist.

Permission is not granted to use the private key.

Grant private key access permission to the WSE Web application. By default, private key access is granted only to the Administrator account and the account that installs the private key. For more information about granting the permission, see the Required Permissions for WSE to Sign or Decrypt with an X.509 Certificate section of Managing X.509 Certificates.

An invalid security token was provided.

The Key Usage property of the certificate does not include Data Encipherment.

Use a certificate with a Key Usage property that includes Data Encipherment.

Referenced security token could not be retrieved.

Certificate not found.

Install the certificate with its private key in the certificate store location specified in the configuration file. For more information about configuring the certificate store that WSE looks in, see <x509> Element.

Referenced security token could not be retrieved.

Certificate revoked.

Use another certificate.

Referenced security token could not be retrieved.

Certificate is not trusted by the recipient.

Use a certificate that is trusted by the recipient.

An unsupported signature or encryption algorithm was used.

An algorithm other than RSA was used for asymmetric encryption.

The sender is using an algorithm that is not supported by WSE.

An unsupported signature or encryption algorithm was used.

An algorithm other than RSA was used for session key encryption.

The sender is using an algorithm that is not supported by WSE.

An unsupported signature or encryption algorithm was used.

An algorithm other than Triple DES and Rijndael (AES128, AES192, AES256) was used for symmetric encryption.

The sender is using an algorithm that is not supported by WSE.

Referral Cache

Error message Cause Remedy

Endpoint Not Supported.

The routing receiver does not support the URI scheme or it does not service the URI space (for example, Unicode characters that are not supported are used in the referral cache).

Do not use an unsupported URI scheme or an unserviced portion of URI space (for example, Unicode characters in the referral cache file).
