Classic ASP "An error occurred when verifying security for the message." IIS7 transport level security


Problem description

On IIS7 we host a WCF/asp.net based API. In order to allow users of a classic ASP application to connect to the API we had to publish a version we refer to as "transport". This Transport version is written in asp.net too, it points to the same assembly, it's just the security layer is different to allow classic ASP to authenticate. Transport level security is used as opposed to message based security.

When using a browser to load the service reference I can load the svcutil.exe ... WSDL page.

When using my test ASP page to call a web method from this reference I get the following returned:

Finished calling Web Service.
Status = Internal Server Error
ResponseText = a:InvalidSecurityAn error occurred when verifying security for the message.

This suggests that the authentication is failing. When testing using asp.net or the application WCF storm to contact the normal API everything works well.

The API was recently migrated, it would appear something has not been set up correctly but I am at a loss to explain what.

I can browse to the svcutil.exe ... WSDL service reference; when selecting it via the browser I get the expected XML response.

The user name and password utilised work when using the non-classic ASP publication of the API using the message based security.

Would it be possible to post some troubleshooting tips that may help diagnose the issue please, specifically regarding transport level security fault finding and setup?

Thank you
Scott

Edited to add the following updates:

Attempted to use the Default App Pool and a new App Pool but same problem persists.

My test page error: ResponseText = a:InvalidSecurityAn error occurred when verifying security for the message.

IIS LOG shows:
v3/transport/testclassicasptransportwcfservice.asp (200 0 0) (i.e. IIS 200)
/V3/Transport/DeviceService.svc/DeviceService (500 0 0) (i.e. IIS error 500)

Note: virtual dir defined on TRANSPORT and V3. V3 works OK using .net as opposed to classic ASP to authenticate.

EVENT LOG: The Template Persistent Cache initialization failed for Application Pool 'transport' because of the following error: Could not create a Disk Cache Sub-directory for the Application Pool. The data may have additional error codes.

This reference appears to suggest a fix but many of the DIR paths and references in "appcmd" don't exist.

_http://theether.net/kb/100127

Recommended answer

REF _http://theether.net/kb/100127

Load cmd prompt
CD to C:\Windows\System32\inetsrv
Enter: appcmd list config -section:system.webServer/asp
The following path is displayed: c:\inetpub\conf\temp\ASP compiled templates
Check path exists (it does)
Check if the NETWORK SERVICE has permissions to access "ASP compiled templates"
If not, from appcmd execute:

icacls "c:\inetpub\conf\temp\ASP Compiled Templates" /grant "NETWORK SERVICE:(OI)(CI)(M)"

Should read "successfully processed 1 files"

Restart the application pool.

The "InvalidSecurityAn error occurred when verifying security for the message" problem still persists but the "COULD NOT CREATE A DISK CACHE SUB-DIRECTORY .... " error from the event log is no longer occurring.

Sorry, another update. The network service permission change DID NOT resolve the issue, changing to the DEFAULT APP POOL solved the problem.

Got a lead at last. Examined:


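  1. ServiceSecurityAudit service behaviour setting. _http://intrepiddeveloper.wordpress.com/2008/08/07/security-event-logging-auditing/#

  2. IIS logs (only show a non-specific error 500).

  3. Enabled failure tracing (also shows error 500).

  4. Custom errors are off

  5. Friendly IE messages are off

  6. ASP client-side and server-side debugging on

  7. ProcessMon run, no errors.

  8. Web.config <httpErrors errorMode="Detailed" /> +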

ServiceSecurityAudit found me an "Object reference not set to an instance of an object" so sounds like our app has a bug.

Follow up (17/08/11):

Service Security Audit documented here:

http://intrepiddeveloper.wordpress.com/2008/08/07/security-event-logging-auditing/

Was the key for us to resolve this issue. Uncovered the Object Reference Error which indicated our Business Objects and Data Access DLLs were out of alignment. Using CLASSIC ASP to contact the WCF.NET API using TRANSPORT AUTHENTICATION there was absolutely no indication of this error until Service Security Audit was enabled on the behaviour.config file in the WCF deployment.

*Solved*
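The answer above credits the ServiceSecurityAudit service behaviour with exposing the exception hidden behind the generic InvalidSecurity fault. As an added example (not from the original post), this is a configuration fragment that turns that auditing on; the behaviour name is a placeholder and the audit levels shown are one reasonable diagnostic setting.

```xml
<!-- Added example: fragment of a WCF service configuration (web.config, or the
     file a configSource attribute points to). Names marked hypothetical are
     placeholders, not taken from the original post. -->
<system.serviceModel>
  <behaviors>
    <serviceBehaviors>
      <!-- hypothetical behaviour name; must match the behaviorConfiguration
           attribute on the <service> element of the transport endpoint -->
      <behavior name="TransportServiceBehavior">
        <!-- Log authentication and authorization outcomes, both successes
             and failures, to the Windows Application event log.
             suppressAuditFailure="false" makes a failure to write the audit
             record surface as an error instead of being silently ignored. -->
        <serviceSecurityAudit
            auditLogLocation="Application"
            messageAuthenticationAuditLevel="SuccessOrFailure"
            serviceAuthorizationAuditLevel="SuccessOrFailure"
            suppressAuditFailure="false" />
      </behavior>
    </serviceBehaviors>
  </behaviors>
</system.serviceModel>
```

With the behaviour applied and the application pool recycled, the audit entries for each call appear in the Application event log, including the underlying exception text that the SOAP fault returned to the client deliberately omits.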
