经典 asp“验证消息安全性时发生错误。” iis7传输级安全
在 II7 上,我们托管基于 WCF/asp.net 的 API。为了允许经典 ASP 应用程序的用户连接到 API,我们必须发布一个我们称为“传输”的版本。这个传输版本也是用asp.net编写的,它指向相同的程序集,只是安全层不同以允许经典asp进行身份验证。使用传输级安全性而不是基于消息的安全性。
当使用浏览器加载服务引用时,我可以加载 svcutil.exe ... WDSL 页面。
当使用我的测试 asp 页面从此引用调用 Web 方法时,我得到以下返回信息:
已完成调用 Web 服务。 状态 = 内部服务器错误 ResponseText = a:InvalidSecurity验证消息的安全性时发生错误。
这表明身份验证失败。当使用 asp.net 或应用程序 WCF Storm 进行测试以联系正常 API 时,一切正常。
API 最近被迁移,看起来有些东西没有正确设置,但我无法解释是什么。
我可以浏览到 svcutil.exe ... WDSL 服务参考,当通过浏览器选择它时,我得到了预期的 XML 响应。
使用基于消息的安全性的 API 的非经典 ASP 公开时,所使用的用户名和密码有效。
是否可以发布一些故障排除提示来帮助诊断问题,特别是关于传输级安全故障查找和设置?
谢谢 Scott
编辑添加以下更新:
尝试使用默认应用程序池和新的应用程序池,但同样的问题仍然存在。
我的测试页错误:ResponseText = a:InvalidSecurity验证消息的安全性时发生错误。
IIS 日志显示: v3/transport/testclassicasptransportwcfservice.asp(200 0 0)(即iis 200) /V3/Transport/DeviceService.svc/DeviceService (500 0 0)(即 iis 错误 500)
注意:TRANSPORT 和 V3 上定义的虚拟目录。 V3 使用 .net 可以正常工作,而不是使用传统的 asp 进行身份验证。
事件日志: 由于以下错误,应用程序池“传输”的模板持久缓存初始化失败:无法为应用程序池创建磁盘缓存子目录。数据可能有附加错误代码。
此参考似乎建议修复,但“appcmd”中的许多 DIR 路径和参考并不存在。
_http://theether.net/kb/100127
On II7 we host a WCF/asp.net based API. In order to allow users of a classic asp application to connect to the API we had to publish a version we refer to as "transport". This Transport version is written in asp.net too, it points to the same assembly , its just the security layer is different to allow classic asp to authenticate. Transport level security is used as opposed to message based security.
When using a browser to load the service reference i can loading the svcutil.exe ... WDSL page.
When using my test asp page to call a web method from this reference i get the following returned:
Finished calling Web Service.
Status = Internal Server Error
ResponseText = a:InvalidSecurityAn error occurred when verifying security for the message.
This suggests that the authentication is failing. When testing using asp.net or the application WCF storm to contact the normal API everything works well.
The API was recently migrated , it would appear something has not been setup correctly but i am at a loss to explain what.
I can browse to the svcutil.exe ... WDSL service reference, when selecting it via the browser i get the expect XML response.
The USER NAME and password utilised work when using the non-classic asp publicaiton of the API using the message based secuirty.
Would it be possible to post some troubleshooting tip that may help diagnoise the issue please specifically regarding transport level security fault finding and setup ?
Thank you
Scott
EDITED TO ADD THE FOLLOWING UPDATE:
Attempted to use the Default App Pool and a new App Pool but same problem persists.
My test page error: ResponseText = a:InvalidSecurityAn error occurred when verifying security for the message.
IIS LOG shows:
v3/transport/testclassicasptransportwcfservice.asp ( 200 0 0 ) (i.e iis 200)
/V3/Transport/DeviceService.svc/DeviceService (500 0 0) (i.e iis error 500)
note: virtual dir defined on TRANSPORT and V3. V3 works ok using .net as opposed to classic asp to authenticate.
EVENT LOG:
The Template Persistent Cache initialization failed for Application Pool 'transport' because of the following error: Could not create a Disk Cache Sub-directory for the Application Pool. The data may have additional error codes.
This reference appears to suggest a fix but many of the DIR paths and references in "appcmd" dont exist.
_http://theether.net/kb/100127
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
REF http://theether.net/kb/100127
检查NETWORK SERVICE是否有权限访问“ASP编译模板”,如果没有则从appcmd执行;
应为“已成功处理 1 个文件”
重新启动应用程序池。
“验证消息安全性时发生 InvalidSecurityAn 错误”问题仍然存在,但事件日志中的“无法创建磁盘缓存子目录 ....”错误不再出现。
抱歉再次更新。网络服务权限更改没有解决问题,更改为默认应用程序池解决了问题。
终于取得领先了检查:
ServiceSecurityAudit 发现我“对象引用未设置到对象的实例”,所以听起来我们的应用程序有一个错误。
跟进(2011 年 8 月 17 日):
服务安全审计记录在此处:
http://intrepiddeveloper.wordpress.com/2008/08/07/security-event-logging-auditing/
是我们解决此问题的关键。发现了对象引用错误,该错误表明业务对象和数据访问 dll 未对齐。使用 CLASSIC ASP 使用传输身份验证联系 WCF.NET API,在 WCF 部署中的 Behaviour.config 文件上启用服务安全审核之前,绝对没有任何迹象表明此错误。
REF http://theether.net/kb/100127
Check if the NETWORK SERVICE has permissions to access "ASP compiled templates" If not from appcmd execute;
should read "sucessfully processed 1 files"
restarted app pool.
THE "InvalidSecurityAn error occurred when verifying security for the message" problem still persists but the "COULD NOT CREATE A DISK CACHE SUB-DIRECORY .... " error from the eventlog is no longer occurring.
Sorry another update. The network service permission change DID NOT resolve the issue , changeing to the DEFAULT APP POOL solved the problem.
Got a lead at last. Examined:
ServiceSecurityAudit found me an "Object reference not set to an instance of an object" so sounds like our app has a bug.
Follow up (17/08/11):
Service Security Audit documented here:
http://intrepiddeveloper.wordpress.com/2008/08/07/security-event-logging-auditing/
Was the key for us to resolve this issue. Uncovered the Object Reference Error which indicated out Business Objects and Data Access dlls were out of alignment. Using CLASSIC ASP to contact the WCF.NET API using TRANSPORT AUTHENTICATION there was abolutely no indication of this error until Service Security Audit was enavled on the behaviour.config file in the WCF deployment.