| Subject: WCF MembershipAndRoleProvider Sample - Keyset does not exist error |
| Group: microsoft.public.windows.developer.winfx.announcements |
| Date: 9/20/2006 7:37:01 AM |
| From: N8NT |
I had a problem getting this sample to work. I kept getting an error "Keyset does not exist". Finally, I figured out that I needed to download a utility called WinHttpCertCfg.exe to set access to my certificate for services that are used by IIS (i.e., network and ASPNET). Someone somewhere had a reference to this link which describes what is necessary and where to get the file:

http://support.microsoft.com/default.aspx?scid=kb;EN-US;901183

After I did this and set the access, then my test client ran, but still got an error. However, this error indicated that the X.509 certificate could not be trusted because it was not generated by an authority - which makes sense since I generated it with the makecert tool.

All I had to do next was to use the svcutil.exe and create a new proxy based on my modified service where I had modified the web config to use my certificate. The web config changes were all in the behaviors section; the change:

    <serviceCertificate storeLocation="LocalMachine"
                        storeName="My"
                        x509FindType="FindBySubjectName"
                        findValue="wcf004" />

So when I used the svcutil.exe to regenerate my proxy class and config file for the client, I had to add an attribute ( behaviorConfiguration="ClientBehavior" ) to the app.config file in the endpoint tag. Then I created the following <behaviors> section and added it to the app.config:

    <behaviors>
      <endpointBehaviors>
        <behavior name="ClientBehavior">
          <clientCredentials>
            <serviceCertificate>
              <!--
                Setting the certificateValidationMode to PeerOrChainTrust means that if the
                certificate is in the user's Trusted People store, then it will be trusted
                without performing a validation of the certificate's issuer chain. This
                setting is used here for convenience so that the sample can be run without
                having to have certificates issued by a certificate authority (CA). This
                setting is less secure than the default, ChainTrust. The security
                implications of this setting should be carefully considered before using
                PeerOrChainTrust in production code.
              -->
              <authentication certificateValidationMode="PeerOrChainTrust" />
            </serviceCertificate>
          </clientCredentials>
        </behavior>
      </endpointBehaviors>
    </behaviors>

NOTE: When I generated the proxy code with the svcutil.exe it created a class file with the name of the service and a config file named output.config. I changed those to "generatedClient.cs" and "App.config" and replaced the ones from the sample. Then I rebuilt the client and ran it. This time everything worked.

I hope if someone else runs into this problem that this posting will help them figure it out. But then again, maybe I'm the only person who thought this was a problem!

Regards,
Bob
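The access problem described in the post can also be checked directly on the private key file. The script below is an added example, not part of the original post or of the Microsoft sample: it reports who can read the key behind the wcf004 certificate and, only with -Grant, adds read access for one account. It assumes an elevated prompt, a CSP-backed RSA key (what makecert creates), and NETWORK SERVICE as the service identity; the parameter names are made up for this example.

```powershell
# Added example (not from the original post). Run elevated on the service host.
param(
    [string]$SubjectName = 'wcf004',           # findValue from the post's web.config
    [string]$Account     = 'NETWORK SERVICE',  # assumed service identity; the post also mentions ASPNET
    [switch]$Grant                             # without -Grant the script only reports
)

# Same store and substring match as storeLocation="LocalMachine", storeName="My", FindBySubjectName.
$certs = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -like "*$SubjectName*" })
if ($certs.Count -ne 1) { throw "Expected exactly one match for '$SubjectName', found $($certs.Count)." }
$cert = $certs[0]
if (-not $cert.HasPrivateKey) { throw "Certificate $($cert.Thumbprint) has no private key." }

# Assumption: CSP-backed RSA key. Machine keys of that kind are files under
# <CommonApplicationData>\Microsoft\Crypto\RSA\MachineKeys, protected by an ordinary file ACL.
$container = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
$keyDir    = Join-Path ([Environment]::GetFolderPath('CommonApplicationData')) 'Microsoft\Crypto\RSA\MachineKeys'
$keyFile   = Join-Path $keyDir $container
if (-not (Test-Path -Path $keyFile)) { throw "Key file not found: $keyFile" }

$acl = Get-Acl -Path $keyFile
$acl.Access | Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize

# Look for a direct Allow-Read entry for the account (access inherited via groups is not evaluated).
$sid  = (New-Object System.Security.Principal.NTAccount($Account)).Translate([System.Security.Principal.SecurityIdentifier])
$read = [System.Security.AccessControl.FileSystemRights]::Read
$canRead = $false
foreach ($rule in $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])) {
    if ($rule.IdentityReference.Value -eq $sid.Value -and
        $rule.AccessControlType -eq 'Allow' -and
        ($rule.FileSystemRights -band $read) -eq $read) { $canRead = $true }
}
Write-Output "$Account has a direct read entry on the key file: $canRead"

if (-not $canRead -and $Grant) {
    # Read only, for one account: the service has to use the key, not manage it.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($sid, 'Read', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $keyFile -AclObject $acl
    Write-Output "Granted Read on $keyFile to $Account."
}
```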