经典 asp“验证消息的安全性时出错."iis7 传输级安全 [英] Classic asp "An error occurred when verifying security for the message." iis7 transport level security

问题描述

在 II7 上，我们托管了一个基于 WCF/asp.net 的 API.为了允许经典 asp 应用程序的用户连接到 API，我们必须发布一个我们称为传输"的版本.这个传输版本也是用asp.net编写的，它指向同一个程序集，只是安全层不同，允许经典的asp进行身份验证.使用传输级安全而不是基于消息的安全.

On II7 we host a WCF/asp.net based API. In order to allow users of a classic asp application to connect to the API we had to publish a version we refer to as "transport". This Transport version is written in asp.net too, it points to the same assembly , its just the security layer is different to allow classic asp to authenticate. Transport level security is used as opposed to message based security.

当使用浏览器加载服务引用时，我可以加载 svcutil.exe ... WDSL 页面.

When using a browser to load the service reference i can loading the svcutil.exe ... WDSL page.

当使用我的测试 asp 页面从此引用调用 web 方法时，我得到以下返回:

When using my test asp page to call a web method from this reference i get the following returned:

完成调用 Web 服务.状态 = 内部服务器错误ResponseText = a:InvalidSecurity 验证消息的安全性时出错.

Finished calling Web Service. Status = Internal Server Error ResponseText = a:InvalidSecurityAn error occurred when verifying security for the message.

这表明身份验证失败.在测试使用 asp.net 或应用程序 WCF Storm 联系正常 API 时，一切正常.

This suggests that the authentication is failing. When testing using asp.net or the application WCF storm to contact the normal API everything works well.

最近迁移了 API，看起来有些东西没有正确设置，但我无法解释什么.

The API was recently migrated , it would appear something has not been setup correctly but i am at a loss to explain what.

我可以浏览到 svcutil.exe ... WDSL 服务参考，当通过浏览器选择它时，我得到了预期的 XML 响应.

I can browse to the svcutil.exe ... WDSL service reference, when selecting it via the browser i get the expect XML response.

使用基于消息的安全性的 API 的非经典 asp 公开时，所使用的用户名和密码会起作用.

The USER NAME and password utilised work when using the non-classic asp publicaiton of the API using the message based secuirty.

是否可以发布一些可能有助于诊断问题的故障排除提示，特别是关于传输级安全故障查找和设置?

Would it be possible to post some troubleshooting tip that may help diagnoise the issue please specifically regarding transport level security fault finding and setup ?

谢谢斯科特

编辑添加以下更新:

尝试使用默认应用程序池和新的应用程序池，但同样的问题仍然存在.

Attempted to use the Default App Pool and a new App Pool but same problem persists.

我的测试页错误:ResponseText = a:InvalidSecurity 验证消息的安全性时发生错误.

My test page error: ResponseText = a:InvalidSecurityAn error occurred when verifying security for the message.

IIS 日志显示:v3/transport/testclassicasptransportwcfservice.asp ( 200 0 0 ) (即 iis 200)/V3/Transport/DeviceService.svc/DeviceService (500 0 0)(即iis错误500)

IIS LOG shows: v3/transport/testclassicasptransportwcfservice.asp ( 200 0 0 ) (i.e iis 200) /V3/Transport/DeviceService.svc/DeviceService (500 0 0) (i.e iis error 500)

注意:TRANSPORT 和 V3 上定义的虚拟目录.V3 使用 .net 可以正常工作，而不是经典的 asp 进行身份验证.

note: virtual dir defined on TRANSPORT and V3. V3 works ok using .net as opposed to classic asp to authenticate.

事件日志:由于以下错误，应用程序池传输"的模板持久缓存初始化失败:无法为应用程序池创建磁盘缓存子目录.数据可能有额外的错误代码.

EVENT LOG: The Template Persistent Cache initialization failed for Application Pool 'transport' because of the following error: Could not create a Disk Cache Sub-directory for the Application Pool. The data may have additional error codes.

此参考似乎建议修复，但appcmd"中的许多 DIR 路径和参考都不存在.

This reference appears to suggest a fix but many of the DIR paths and references in "appcmd" dont exist.

_http://theether.net/kb/100127

_http://theether.net/kb/100127

推荐答案

REF http://theether.net/kb/100127

1. 加载 cmd 提示
2. CD 到 C:\Windows\System32\inetsrv
3. 输入:appcmd list config -section:system.webServer/asp
4. 显示如下路径:c:\inetpub\conf\temp\ASP已编译的模板
5. 检查路径是否存在(确实存在)

6. 检查网络服务是否有权限访问ASP编译模板"如果没有从appcmd执行；

1. load cmd prompt
2. CD to C:\Windows\System32\inetsrv
3. enter: appcmd list config -section:system.webServer/asp
4. the following path is displayed: c:\inetpub\conf\temp\ASP compiled templates
5. check path exists (it does)

6. Check if the NETWORK SERVICE has permissions to access "ASP compiled templates" If not from appcmd execute;

icacls "c:\inetpub\conf\temp\ASP Compiled Templates" /grant "NETWORK SERVICE:(OI)(CI)(M)"

应为已成功处理 1 个文件"

should read "sucessfully processed 1 files"

重新启动应用程序池.

验证消息的安全性时发生 InvalidSecurityAn 错误"问题仍然存在，但事件日志中的无法创建磁盘缓存子目录...."错误不再发生.

THE "InvalidSecurityAn error occurred when verifying security for the message" problem still persists but the "COULD NOT CREATE A DISK CACHE SUB-DIRECORY .... " error from the eventlog is no longer occurring.

抱歉又更新了.网络服务权限更改未解决问题，更改为DEFAULT APP POOL解决了问题.

Sorry another update. The network service permission change DID NOT resolve the issue , changeing to the DEFAULT APP POOL solved the problem.

终于领先了.已检查:

1. ServiceSecurityAudit 设置在服务行为中.参考 http://intrepiddeveloper.wordpress.com/2008/08/07/security-event-logging-auditing/#
2. IIS 日志(仅显示非特定错误 500.)
3. 故障跟踪已启用(也显示错误 500).
4. 自定义错误已关闭
5. 友好的 IE 消息已关闭
6. Asp 客户端和服务器端调试
7. ProcessMon 正在运行，没有错误.
8. Web.config httpErrors errorMode="Detailed"/> +

ServiceSecurityAudit 发现我未将对象引用设置为对象的实例"，所以听起来我们的应用程序存在错误.

ServiceSecurityAudit found me an "Object reference not set to an instance of an object" so sounds like our app has a bug.

跟进 (17/08/11):

Follow up (17/08/11):

此处记录了服务安全审计:

Service Security Audit documented here:

http://intrepiddeveloper.wordpress.com/2008/08/07/security-event-logging-auditing/

是我们解决此问题的关键.发现了指示业务对象和数据访问 dll 不对齐的对象引用错误.使用 CLASSIC ASP 使用 TRANSPORT AUTHENTICATION 联系 WCF.NET API，在 WCF 部署中的 behavior.config 文件上启用服务安全审计之前，绝对没有迹象表明此错误.

Was the key for us to resolve this issue. Uncovered the Object Reference Error which indicated out Business Objects and Data Access dlls were out of alignment. Using CLASSIC ASP to contact the WCF.NET API using TRANSPORT AUTHENTICATION there was abolutely no indication of this error until Service Security Audit was enavled on the behaviour.config file in the WCF deployment.

这篇关于经典 asp“验证消息的安全性时出错."iis7 传输级安全的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！