Problem in Hosting WCF Service using wsHttpBinding in IIS

Question

I am trying to host my service using following configuration.

<system.serviceModel>
    <services>
        <service name="Test.MyService" behaviorConfiguration="MyServiceBehavior">
            <!--         Service Endpoints -->
            <endpoint address="MyTestService" binding="wsHttpBinding" bindingConfiguration="WebserviceHttpBinding" contract="Test.IMyService"/>
            <endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange"/>
        </service>
    </services>
    <bindings>
        <wsHttpBinding>
            <binding name="WebserviceHttpBinding">
                <security mode="Message">
                    <message clientCredentialType="UserName" negotiateServiceCredential="false"/>
                </security>
            </binding>
        </wsHttpBinding>
    </bindings>
    <behaviors>
        <serviceBehaviors>
            <behavior name="MyServiceBehavior">
                <serviceCredentials>
                    <userNameAuthentication userNamePasswordValidationMode="Custom" customUserNamePasswordValidatorType="Test.CredentialValidator, Test"/>
                    <serviceCertificate findValue="RPKey" x509FindType="FindBySubjectName" storeLocation="LocalMachine" storeName="My"/>
                </serviceCredentials>
                <!--           To avoid disclosing metadata information, set the value below to false and remove the metadata endpoint above before deployment -->
                <serviceMetadata httpGetEnabled="true"/>
                <!--           To receive exception details in faults for debugging purposes, set the value below to true.  Set to false before deployment to avoid disclosing exception information -->
                <serviceDebug includeExceptionDetailInFaults="true"/>
            </behavior>
        </serviceBehaviors>
    </behaviors>
</system.serviceModel>

When I debug this service, I am having no problem. I hosted this service in IIS using Website. When I browse this service from IIS I am getting following exception.

Server Error in '/MyTestService' Application.

Keyset does not exist

Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

Exception Details: System.Security.Cryptography.CryptographicException: Keyset does not exist

Source Error:

An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.

Stack Trace:

[CryptographicException: Keyset does not exist ] System.Security.Cryptography.Utils.CreateProvHandle(CspParameters parameters, Boolean randomKeyContainer) +369 System.Security.Cryptography.Utils.GetKeyPairHelper(CspAlgorithmType keyType, CspParameters parameters, Boolean randomKeyContainer, Int32 dwKeySize, SafeProvHandle& safeProvHandle, SafeKeyHandle& safeKeyHandle) +151 System.Security.Cryptography.RSACryptoServiceProvider.GetKeyPair() +85 System.Security.Cryptography.RSACryptoServiceProvider..ctor(Int32 dwKeySize, CspParameters parameters, Boolean useDefaultKeySize) +280 System.Security.Cryptography.X509Certificates.X509Certificate2.get_PrivateKey() +468 System.ServiceModel.Security.SecurityUtils.EnsureCertificateCanDoKeyExchange(X509Certificate2 certificate) +85

[ArgumentException: The certificate 'CN=RPKey' must have a private key that is capable of key exchange. The process must have access rights for the private key.] System.ServiceModel.Security.SecurityUtils.EnsureCertificateCanDoKeyExchange(X509Certificate2 certificate) +15832031 System.ServiceModel.Security.ServiceCredentialsSecurityTokenManager.CreateServerX509TokenProvider() +45 System.ServiceModel.Security.ServiceCredentialsSecurityTokenManager.CreateLocalSecurityTokenProvider(RecipientServiceModelSecurityTokenRequirement recipientRequirement) +73 System.ServiceModel.Security.ServiceCredentialsSecurityTokenManager.CreateSecurityTokenProvider(SecurityTokenRequirement requirement) +65 System.ServiceModel.Security.SessionRenewSecurityTokenManager.CreateSecurityTokenProvider(SecurityTokenRequirement requirement) +14 System.ServiceModel.Security.SymmetricSecurityProtocolFactory.OnOpen(TimeSpan timeout) +15334232 System.ServiceModel.Security.WrapperSecurityCommunicationObject.OnOpen(TimeSpan timeout) +23 System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout) +563 System.ServiceModel.Security.SecurityListenerSettingsLifetimeManager.Open(TimeSpan timeout) +101 System.ServiceModel.Channels.SecurityChannelListener1.OnOpen(TimeSpan timeout) +203 System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout) +563 System.ServiceModel.Dispatcher.ChannelDispatcher.OnOpen(TimeSpan timeout) +87 System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout) +563 System.ServiceModel.ServiceHostBase.OnOpen(TimeSpan timeout) +110 System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout) +563 System.ServiceModel.Security.SecuritySessionSecurityTokenAuthenticator.OnOpen(TimeSpan timeout) +149 System.ServiceModel.Security.WrapperSecurityCommunicationObject.OnOpen(TimeSpan timeout) +23 System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout) +563 System.ServiceModel.Security.SecurityUtils.OpenCommunicationObject(ICommunicationObject obj, TimeSpan timeout) +24 System.ServiceModel.Security.SecuritySessionServerSettings.OnOpen(TimeSpan timeout) +878 System.ServiceModel.Security.WrapperSecurityCommunicationObject.OnOpen(TimeSpan timeout) +23 System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout) +563 System.ServiceModel.Security.SecurityListenerSettingsLifetimeManager.Open(TimeSpan timeout) +153 System.ServiceModel.Channels.SecurityChannelListener1.OnOpen(TimeSpan timeout) +203 System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout) +563 System.ServiceModel.Dispatcher.ChannelDispatcher.OnOpen(TimeSpan timeout) +87 System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout) +563 System.ServiceModel.ServiceHostBase.OnOpen(TimeSpan timeout) +110 System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout) +563 System.ServiceModel.HostingManager.ActivateService(String normalizedVirtualPath) +135 System.ServiceModel.HostingManager.EnsureServiceAvailable(String normalizedVirtualPath) +654

[ServiceActivationException: The service '/AtlasServices/Service.svc' cannot be activated due to an exception during compilation. The exception message is: The certificate 'CN=RPKey' must have a private key that is capable of key exchange. The process must have access rights for the private key..] System.ServiceModel.AsyncResult.End(IAsyncResult result) +15700960 System.ServiceModel.Activation.HostedHttpRequestAsyncResult.End(IAsyncResult result) +15623609 System.ServiceModel.Activation.HostedHttpRequestAsyncResult.ExecuteSynchronous(HttpApplication context, Boolean flowContext) +265 System.ServiceModel.Activation.HttpModule.ProcessRequest(Object sender, EventArgs e) +227 System.Web.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +80 System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +171

Answer 1

This is propabely because on the IIS the account settings are different from the account that you are using to run a local server.

are you working with an X.509 certificate? If so, are you sure you gave read acces privileges to the account that is running the process (that is running IIS) for the file containing the private key?

So if IIS is running under the account Saghar, does Saghar have read privilesges for the key file ?

@update

ArgumentException: The certificate 'CN=RPKey' must have a private key that is capable of key exchange. The process must have access rights for the private key.

this tells me that your IIS account doesn't have permissions to your private key

Answer 2

If you do not require wshttpbinding, just try changing to basichttpbinding and your issue will probably go away.

We had trouble with this in the past when the client was connecting from a site outside our network. Since the connection was over vpn we had the option of abandoning security for the binding.

Answer 3

Based on the exception report, it sounds like one of two things may be happening. The certificate you are referencing was either installed into the keystore with only the public key, or the installed certificate is restricted and the account your application pool is running under does not have permission to access the key.

The former case is very easy to run into if the x.509 certificate was not exported as a .pfx, but instead as a .cer. To exchange certificates that contain a private key, the .cer format is insufficient, as it can only contain a DER encoded x.509 public key certificate. You must export your certificate from a certificate server (or from a store that has both keys) as a .pfx file, and make sure you include the private key.

If it is the latter case, then you need to make sure the account of the application pool your service is running under in IIS has permission to access the certificate store the keys are contained within. This article may be helpful: Make X.509 Certificates Accessible to WCF