none
Session - Request message doesn't validate against any of the configured assertion RRS feed

  • Question

  • Hi,

    I experienced an error on the Session server, this error seems to appear randomly, below you can find the errors from the Event viewer (the two errors appear toghether).

    Session Error

    Message: Session pipe line fault - Request message doesn't validate against any of the configured assertion.
    Category: Session OperationalEvent
    Priority: 1
    EventId: 20152
    Severity: Error
    Title:Session
    Machine: CORE
    Application Domain: /LM/W3SVC/1/Root/Session30-1-128493773003942624
    Process Id: 4000
    Process Name: c:\windows\system32\inetsrv\w3wp.exe
    Win32 Thread Id: 3392
    Thread Name:
    Extended Properties:

     

     

    WSE 3.0 Error

    Failure Processing a Fault: Microsoft.Web.Services3.Security.SecurityFault: Request message doesn't validate against any of the configured assertion.
       at Microsoft.ConnectedServices.Sdk.Security.DynamicAssertionServiceInputFilter.ValidateMessageSecurity(SoapEnvelope envelope, Security security)
       at Microsoft.Web.Services3.Security.ReceiveSecurityFilter.ProcessMessage(SoapEnvelope envelope)
       at Microsoft.Web.Services3.Pipeline.ProcessInputMessage(SoapEnvelope envelope)
       at Microsoft.Web.Services3.Messaging.SoapReceiver.FilterMessage(SoapEnvelope envelope)
       at Microsoft.ConnectedServices.Sdk.Messaging.CsfService.FilterMessage(SoapEnvelope envelope)
       at Microsoft.Web.Services3.Messaging.SoapReceiver.ProcessMessage(SoapEnvelope message)

     

     

     

    anyone knows what is the cause? what can I do to avoid them?

    Thanks in advance

    Antonio

    Tuesday, May 13, 2008 3:28 PM

All replies

  •  

    Hi Antonio,

     

    This error occurs when there is a mismatch in WSE Policy. The server side and client side policy should match.

    Can you please share more details about the policies you used?

     

    -

    Ragu

    Wednesday, May 14, 2008 11:51 AM
  •  

    Hi Ragu,

    below you can find the SBE policy, Session policy and Adapter policy.

    The problem we exerience seems to be random (but it frequency increase with the load of the servers), could it be linked in some way to something regarding the Domain Controller configuration?

     

     

    Adapter Policy

    <?xml version="1.0" encoding="utf-8" ?>
    <policies xmlns="http://schemas.microsoft.com/wse/2005/06/policy">
      <extensions>
        <extension name="kerberosSecurity" type="Microsoft.Web.Services3.Design.KerberosAssertion, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"/>
        <extension name="dynamicSecurity" type="Microsoft.ConnectedServices.Sdk.Security.DynamicSecurityAssertion, Microsoft.ConnectedServices.Sdk"/>
        <extension name="AdapterAssert"
            type="Pcf.PortaleServizi.AdapterFilter.AdapterAssert, Pcf.PortaleServizi.AdapterFilter" />
      </extensions>
      <policy name="AdapterServerPolicy">
            <AdapterAssert/>
     <dynamicSecurity>
       <usernameOverTransportSecurity/>
       <kerberosSecurity establishSecurityContext="false" renewExpiredSecurityContext="true" requireSignatureConfirmation="false" messageProtectionOrder="SignBeforeEncrypt" requireDerivedKeys="true" ttlInSeconds="300">
        <protection>
         <request signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true"/>
         <response signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true"/>
         <fault signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="false"/>
        </protection>
       </kerberosSecurity>
     </dynamicSecurity>
      </policy>
     
      <policy name="AdapterClientPolicy">
            <AdapterAssert/>
     <kerberosSecurity establishSecurityContext="false" renewExpiredSecurityContext="true" requireSignatureConfirmation="false" messageProtectionOrder="SignBeforeEncrypt" requireDerivedKeys="true" ttlInSeconds="300">
       <token>
        <kerberos targetPrincipal="domain/Session-service" impersonationLevel="Identification"/>
       </token>
       <protection>
        <request signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true"/>
        <response signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true"/>
        <fault signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="false"/>
       </protection>
     </kerberosSecurity>
      </policy>

    </policies>

     

     




    Thursday, May 15, 2008 6:47 PM
  • SBE POLICY

     

    <policies xmlns="http://schemas.microsoft.com/wse/2005/06/policy">
      <extensions>
        <extension name="requireActionHeader" type="Microsoft.Web.Services3.Design.RequireActionHeaderAssertion, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
        <extension name="usernameOverTransportSecurity" type="Microsoft.Web.Services3.Design.UsernameOverTransportAssertion, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
        <extension name="username" type="Microsoft.Web.Services3.Design.UsernameTokenProvider, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
        <extension name="kerberosSecurity"
                    type="Microsoft.Web.Services3.Design.KerberosAssertion, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
        <extension name="kerberos"
                   type="Microsoft.Web.Services3.Design.KerberosTokenProvider, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
        <extension name="dynamicSecurity" type="Microsoft.ConnectedServices.Sdk.Security.DynamicSecurityAssertion, Microsoft.ConnectedServices.Sdk"/>

      </extensions>

      <!-- Policy of OH-SBE Service -->
      <policy name="OHSBEServicePolicy">
        <dynamicSecurity allowUnsecuredMessage="false">
          <usernameOverTransportSecurity />
          <kerberosSecurity establishSecurityContext="false" renewExpiredSecurityContext="true" requireSignatureConfirmation="false" messageProtectionOrder="SignBeforeEncrypt" requireDerivedKeys="true" ttlInSeconds="300">
            <protection>
              <request signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="false" />
              <response signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="false" />
              <fault signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="false" />
            </protection>
          </kerberosSecurity>
        </dynamicSecurity>
        <requireActionHeader />
      </policy>

      <!-- Policy that OSS Client uses to communicate with OH-SBE -->
      <policy name="OssClientPolicy">
        <usernameOverTransportSecurity/>
        <requireActionHeader />
      </policy>

     <!-- Policy that OSS Client uses to communicate with PSM -->
    <policy name="ProductServiceMappingClientPolicy">
         <kerberosSecurity establishSecurityContext="false" renewExpiredSecurityContext="true" requireSignatureConfirmation="false" messageProtectionOrder="SignBeforeEncrypt" requireDerivedKeys="true" ttlInSeconds="300">
     <token>
            <kerberos targetPrincipal="domain/csfwebuser" impersonationLevel="Identification" />
          </token>
            <protection>
              <request signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true" />
              <response signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true" />
              <fault signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="false" />
            </protection>
          </kerberosSecurity>
        <requireActionHeader />
    </policy>
     
      <!-- Policy that OH-SBE uses to communicate with Service Catalog -->
      <policy name="ServiceCatalogClientPolicy">
          <kerberosSecurity establishSecurityContext="false" renewExpiredSecurityContext="true" requireSignatureConfirmation="false" messageProtectionOrder="SignBeforeEncrypt" requireDerivedKeys="true" ttlInSeconds="300">
          <token>
            <kerberos targetPrincipal="domain/ServiceCatalog-service" impersonationLevel="Identification" />
          </token>
          <protection>
            <request signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true" />
            <response signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true" />
            <fault signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="false" />
          </protection>
        </kerberosSecurity>
        <requireActionHeader />
      </policy>

      <!-- Policy that OH-SBE uses to communicate with IDM -->
      <policy name="IDMClientPolicy">
        <kerberosSecurity establishSecurityContext="false" renewExpiredSecurityContext="true" requireSignatureConfirmation="false" messageProtectionOrder="SignBeforeEncrypt" requireDerivedKeys="true" ttlInSeconds="300">
          <token>
            <kerberos targetPrincipal="domain/IdentityManager-service" impersonationLevel="Impersonation" />
          </token>
          <protection>
            <request signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true" />
            <response signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true" />
            <fault signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="false" />
          </protection>
        </kerberosSecurity>
        <requireActionHeader />
      </policy>

      <!-- Policy that OH-SBE uses to communicate with Session -->
      <policy name="SessionClientPolicy">
        <kerberosSecurity establishSecurityContext="false" renewExpiredSecurityContext="true" requireSignatureConfirmation="false" messageProtectionOrder="SignBeforeEncrypt" requireDerivedKeys="true" ttlInSeconds="300">
          <token>
            <kerberos targetPrincipal="domain/Session-service" impersonationLevel="Impersonation" />
          </token>
          <protection>
            <request signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true" />
            <response signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true" />
            <fault signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="false" />
          </protection>
        </kerberosSecurity>
        <requireActionHeader />
      </policy>

      <!-- Policy that OH-SBE uses to communicate with SessionManagerAdmin -->
      <policy name="SessionManagerAdminClientPolicy">
        <kerberosSecurity establishSecurityContext="false" renewExpiredSecurityContext="true" requireSignatureConfirmation="false" messageProtectionOrder="SignBeforeEncrypt" requireDerivedKeys="true" ttlInSeconds="300">
          <token>
            <kerberos targetPrincipal="domain/Session-service" impersonationLevel="Impersonation" />
          </token>
          <protection>
            <request signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true" />
            <response signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true" />
            <fault signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="false" />
          </protection>
        </kerberosSecurity>
        <requireActionHeader />
      </policy>
     
      <policy name="ServiceParticipantPolicy">
         <kerberosSecurity establishSecurityContext="false" renewExpiredSecurityContext="true" requireSignatureConfirmation="false" messageProtectionOrder="SignBeforeEncrypt" requireDerivedKeys="true" ttlInSeconds="300">
          <token>
            <kerberos targetPrincipal="domain/csfwebuser" impersonationLevel="Impersonation" />
          </token>
          <protection>
            <request signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true" />
            <response signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true" />
            <fault signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="false" />
          </protection>
         </kerberosSecurity>
         <requireActionHeader />
      </policy>

      <policy name="ServiceLogicPolicy">
         <kerberosSecurity establishSecurityContext="false" renewExpiredSecurityContext="true" requireSignatureConfirmation="false" messageProtectionOrder="SignBeforeEncrypt" requireDerivedKeys="true" ttlInSeconds="300">
     <token>
              <kerberos targetPrincipal="domain/csfwebuser" impersonationLevel="Identification" />
            </token>
            <protection>
              <request signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true" />
              <response signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true" />
              <fault signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="false" />
            </protection>
          </kerberosSecurity>
        <requireActionHeader />
       </policy>

    </policies>

     

     

    Thursday, May 15, 2008 7:00 PM
  • Session Policy

     

    <policies xmlns="http://schemas.microsoft.com/wse/2005/06/policy">
     <extensions>
      <extension name="authorization" type="Microsoft.Web.Services3.Design.AuthorizationAssertion, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"/>
      <extension name="usernameOverTransportSecurity" type="Microsoft.Web.Services3.Design.UsernameOverTransportAssertion, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"/>
      <extension name="kerberosSecurity" type="Microsoft.Web.Services3.Design.KerberosAssertion, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"/>
      <extension name="requireActionHeader" type="Microsoft.Web.Services3.Design.RequireActionHeaderAssertion, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"/>
      <extension name="dynamicSecurity" type="Microsoft.ConnectedServices.Sdk.Security.DynamicSecurityAssertion, Microsoft.ConnectedServices.Sdk"/>
      <extension name="traceAssertion" type="Microsoft.ConnectedServices.InternalUtils.TraceFilters.TraceFilterAssertion, Microsoft.ConnectedServices.InternalUtils"/>
     </extensions>
     <policy name="IdentityManagerServerPolicy">
      <authorization>
       <allow role="domain\Requestors@CSF_IDM"/>
       <deny user="*"/>
      </authorization>
      <dynamicSecurity>
       <usernameOverTransportSecurity/>
       <kerberosSecurity establishSecurityContext="false" renewExpiredSecurityContext="true" requireSignatureConfirmation="false" messageProtectionOrder="SignBeforeEncrypt" requireDerivedKeys="true" ttlInSeconds="300">
        <protection>
         <request signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true"/>
         <response signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true"/>
         <fault signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="false"/>
        </protection>
       </kerberosSecurity>
      </dynamicSecurity>
      <requireActionHeader/>
     </policy>
     <policy name="NotificationParticipantServerPolicy">
      <authorization>
       <allow role="domain\Writers@CSF_NP"/>
       <deny user="*"/>
      </authorization>
      <dynamicSecurity>
       <usernameOverTransportSecurity/>
       <kerberosSecurity establishSecurityContext="false" renewExpiredSecurityContext="true" requireSignatureConfirmation="false" messageProtectionOrder="SignBeforeEncrypt" requireDerivedKeys="true" ttlInSeconds="300">
        <protection>
         <request signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true"/>
         <response signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true"/>
         <fault signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="false"/>
        </protection>
       </kerberosSecurity>
      </dynamicSecurity>
      <requireActionHeader/>
     </policy>
     <policy name="ProfileIntegratorServerPolicy">
      <authorization>
       <allow role="domain\Requestors@CSF_PI"/>
       <deny user="*"/>
      </authorization>
      <kerberosSecurity establishSecurityContext="false" renewExpiredSecurityContext="true" requireSignatureConfirmation="false" messageProtectionOrder="SignBeforeEncrypt" requireDerivedKeys="true" ttlInSeconds="300">
       <protection>
        <request signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true"/>
        <response signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true"/>
        <fault signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="false"/>
       </protection>
      </kerberosSecurity>
     </policy>
     <policy name="ProfileManagerServerPolicy">
      <dynamicSecurity>
       <usernameOverTransportSecurity/>
       <kerberosSecurity establishSecurityContext="false" renewExpiredSecurityContext="true" requireSignatureConfirmation="false" messageProtectionOrder="SignBeforeEncrypt" requireDerivedKeys="true" ttlInSeconds="300">
        <protection>
         <request signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true"/>
         <response signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true"/>
         <fault signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="false"/>
        </protection>
       </kerberosSecurity>
      </dynamicSecurity>
      <requireActionHeader/>
     </policy>
     <policy name="SessionServerPolicy">
      <authorization>
       <allow role="domain\Requestors@CSF_Session"/>
       <deny user="*"/>
      </authorization>
      <!--<traceAssertion remoteServerUri="http://csftraceservername:9502/LogWriter.soap" />-->
      <dynamicSecurity>
       <usernameOverTransportSecurity/>
       <kerberosSecurity establishSecurityContext="false" renewExpiredSecurityContext="true" requireSignatureConfirmation="false" messageProtectionOrder="SignBeforeEncrypt" requireDerivedKeys="true" ttlInSeconds="300">
        <protection>
         <request signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true"/>
         <response signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true"/>
         <fault signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="false"/>
        </protection>
       </kerberosSecurity>
      </dynamicSecurity>
      <requireActionHeader/>
     </policy>
     <policy name="ServiceCatalogServerPolicy">
      <authorization>
       <allow role="domain\Requestors@CSF_SC"/>
       <deny user="*"/>
      </authorization>
      <dynamicSecurity>
       <usernameOverTransportSecurity/>
       <kerberosSecurity establishSecurityContext="false" renewExpiredSecurityContext="true" requireSignatureConfirmation="false" messageProtectionOrder="SignBeforeEncrypt" requireDerivedKeys="true" ttlInSeconds="300">
        <protection>
         <request signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true"/>
         <response signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true"/>
         <fault signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="false"/>
        </protection>
       </kerberosSecurity>
      </dynamicSecurity>
      <requireActionHeader/>
     </policy>
     <policy name="SessionAdminServerPolicy">
      <authorization>
       <allow role="domain\Requestors@CSF_SessionAdmin"/>
       <deny user="*"/>
      </authorization>
      <!--<traceAssertion remoteServerUri="http://csftraceservername:9502/LogWriter.soap" />-->
      <dynamicSecurity>
       <usernameOverTransportSecurity/>
       <kerberosSecurity establishSecurityContext="false" renewExpiredSecurityContext="true" requireSignatureConfirmation="false" messageProtectionOrder="SignBeforeEncrypt" requireDerivedKeys="true" ttlInSeconds="300">
        <protection>
         <request signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true"/>
         <response signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true"/>
         <fault signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="false"/>
        </protection>
       </kerberosSecurity>
      </dynamicSecurity>
      <requireActionHeader/>
     </policy>
     <policy name="SessionManagerAdminServerPolicy">
      <authorization>
       <allow role="domain\Requestors@CSF_SessionManagerAdmin"/>
       <deny user="*"/>
      </authorization>
      <!--<traceAssertion remoteServerUri="http://csftraceservername:9502/LogWriter.soap" />-->
      <dynamicSecurity>
       <usernameOverTransportSecurity/>
       <kerberosSecurity establishSecurityContext="false" renewExpiredSecurityContext="true" requireSignatureConfirmation="false" messageProtectionOrder="SignBeforeEncrypt" requireDerivedKeys="true" ttlInSeconds="300">
        <protection>
         <request signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true"/>
         <response signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true"/>
         <fault signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="false"/>
        </protection>
       </kerberosSecurity>
      </dynamicSecurity>
      <requireActionHeader/>
     </policy>
     <policy name="SessionClientPolicy">
      <kerberosSecurity establishSecurityContext="false" renewExpiredSecurityContext="true" requireSignatureConfirmation="false" messageProtectionOrder="SignBeforeEncrypt" requireDerivedKeys="true" ttlInSeconds="300">
       <token>
        <kerberos targetPrincipal="domain/Session-service" impersonationLevel="Identification"/>
       </token>
       <protection>
        <request signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true"/>
        <response signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true"/>
        <fault signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="false"/>
       </protection>
      </kerberosSecurity>
     </policy>
     <policy name="SessionAdminClientPolicy">
      <kerberosSecurity establishSecurityContext="false" renewExpiredSecurityContext="true" requireSignatureConfirmation="false" messageProtectionOrder="SignBeforeEncrypt" requireDerivedKeys="true" ttlInSeconds="300">
       <token>
        <kerberos targetPrincipal="domain/Session-service" impersonationLevel="Identification"/>
       </token>
       <protection>
        <request signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true"/>
        <response signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true"/>
        <fault signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="false"/>
       </protection>
      </kerberosSecurity>
     </policy>
     <policy name="SessionManagerAdminClientPolicy">
      <kerberosSecurity establishSecurityContext="false" renewExpiredSecurityContext="true" requireSignatureConfirmation="false" messageProtectionOrder="SignBeforeEncrypt" requireDerivedKeys="true" ttlInSeconds="300">
       <token>
        <kerberos targetPrincipal="domain/Session-service" impersonationLevel="Identification"/>
       </token>
       <protection>
        <request signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true"/>
        <response signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true"/>
        <fault signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="false"/>
       </protection>
      </kerberosSecurity>
     </policy>
     <policy name="ProfileManagerClientPolicy">
      <kerberosSecurity establishSecurityContext="false" renewExpiredSecurityContext="true" requireSignatureConfirmation="false" messageProtectionOrder="SignBeforeEncrypt" requireDerivedKeys="true" ttlInSeconds="300">
       <token>
        <kerberos targetPrincipal="domain/ProfileManager-service" impersonationLevel="Identification"/>
       </token>
       <protection>
        <request signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true"/>
        <response signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true"/>
        <fault signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="false"/>
       </protection>
      </kerberosSecurity>
     </policy>
     <policy name="IdentityManagerClientPolicy">
      <kerberosSecurity establishSecurityContext="false" renewExpiredSecurityContext="true" requireSignatureConfirmation="false" messageProtectionOrder="SignBeforeEncrypt" requireDerivedKeys="true" ttlInSeconds="300">
       <token>
        <kerberos targetPrincipal="domain/IdentityManager-service" impersonationLevel="Impersonation"/>
       </token>
       <protection>
        <request signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true"/>
        <response signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true"/>
        <fault signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="false"/>
       </protection>
      </kerberosSecurity>
     </policy>
     <policy name="NotificationParticipantClientPolicy">
      <kerberosSecurity establishSecurityContext="false" renewExpiredSecurityContext="true" requireSignatureConfirmation="false" messageProtectionOrder="SignBeforeEncrypt" requireDerivedKeys="true" ttlInSeconds="300">
       <token>
        <kerberos targetPrincipal="domain/NotificationParticipant-service" impersonationLevel="Identification"/>
       </token>
       <protection>
        <request signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true"/>
        <response signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true"/>
        <fault signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="false"/>
       </protection>
      </kerberosSecurity>
     </policy>
     <policy name="ServiceCatalogClientPolicy">
      <kerberosSecurity establishSecurityContext="false" renewExpiredSecurityContext="true" requireSignatureConfirmation="false" messageProtectionOrder="SignBeforeEncrypt" requireDerivedKeys="true" ttlInSeconds="300">
       <token>
        <kerberos targetPrincipal="domain/ServiceCatalog-service" impersonationLevel="Identification"/>
       </token>
       <protection>
        <request signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true"/>
        <response signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true"/>
        <fault signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="false"/>
       </protection>
      </kerberosSecurity>
     </policy>
     <policy name="ProfileIntegratorClientPolicy">
      <kerberosSecurity establishSecurityContext="false" renewExpiredSecurityContext="true" requireSignatureConfirmation="false" messageProtectionOrder="SignBeforeEncrypt" requireDerivedKeys="true" ttlInSeconds="300">
       <token>
        <kerberos targetPrincipal="domain/ProfileIntegrator-service" impersonationLevel="Identification"/>
       </token>
       <protection>
        <request signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true"/>
        <response signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true"/>
        <fault signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="false"/>
       </protection>
      </kerberosSecurity>
      <requireActionHeader/>
     </policy>
     <policy name="PersonaParticipantPolicy">
      <!--<traceAssertion remoteServerUri="http://csftraceservername:9502/LogWriter.soap" />-->
      <dynamicSecurity>
       <usernameOverTransportSecurity/>
       <kerberosSecurity establishSecurityContext="false" renewExpiredSecurityContext="true" requireSignatureConfirmation="false" messageProtectionOrder="SignBeforeEncrypt" requireDerivedKeys="true" ttlInSeconds="300">
        <token>
         <kerberos targetPrincipal="domain/IdentityManager-service" impersonationLevel="Impersonation"/>
        </token>
        <protection>
         <request signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true"/>
         <response signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true"/>
         <fault signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="false"/>
        </protection>
       </kerberosSecurity>
      </dynamicSecurity>
      <requireActionHeader/>
     </policy>

     <policy name="ServiceParticipantPolicy">
      <kerberosSecurity establishSecurityContext="false" renewExpiredSecurityContext="true" requireSignatureConfirmation="false" messageProtectionOrder="SignBeforeEncrypt" requireDerivedKeys="true" ttlInSeconds="300">
        <token>
         <kerberos targetPrincipal="domain/csfwebuser" impersonationLevel="Impersonation"/>
        </token>
        <protection>
         <request signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true"/>
         <response signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true"/>
         <fault signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="false"/>
        </protection>
      </kerberosSecurity>
     </policy>

     <policy name="SessionToolsPolicy">
      <dynamicSecurity>
       <usernameOverTransportSecurity/>
       <kerberosSecurity establishSecurityContext="false" renewExpiredSecurityContext="true" requireSignatureConfirmation="false" messageProtectionOrder="SignBeforeEncrypt" requireDerivedKeys="true" ttlInSeconds="300">
        <token>
         <kerberos targetPrincipal="domain/Session-service" impersonationLevel="Identification"/>
        </token>
        <protection>
         <request signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true"/>
         <response signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true"/>
         <fault signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="false"/>
        </protection>
       </kerberosSecurity>
      </dynamicSecurity>
      <requireActionHeader/>
     </policy>
     <policy name="ServiceLogicPolicy">
          <kerberosSecurity establishSecurityContext="false" renewExpiredSecurityContext="true" requireSignatureConfirmation="false" messageProtectionOrder="SignBeforeEncrypt" requireDerivedKeys="true" ttlInSeconds="300">
        <token>
         <kerberos targetPrincipal="domain/csfwebuser" impersonationLevel="Impersonation"/>
        </token>
        <protection>
         <request signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true"/>
         <response signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true"/>
         <fault signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="false"/>
        </protection>
      </kerberosSecurity>
      </policy>

     <policy name="OHSBEServicePolicy">
      <kerberosSecurity establishSecurityContext="false" renewExpiredSecurityContext="true" requireSignatureConfirmation="false" messageProtectionOrder="SignBeforeEncrypt" requireDerivedKeys="true" ttlInSeconds="300">
        <token>
         <kerberos targetPrincipal="domain/OHSBE-service" impersonationLevel="Impersonation"/>
        </token>
        <protection>
         <request signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true"/>
         <response signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true"/>
         <fault signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="false"/>
        </protection>
      </kerberosSecurity>
      <requireActionHeader/>
     </policy>
     
    </policies>

     

     

    Thursday, May 15, 2008 7:01 PM
  •  

    Is this problem already solved?

    Thursday, June 26, 2008 12:20 AM