Article ID: 939761
Consider the following scenario. You configure a Microsoft Web Services Enhancements 3.0 (WSE 3.0)-based Web service to use a secure conversation. You configure the application pool in Internet Information Services (IIS) to use a custom user account to run the Web service. In this scenario, the following Error events may be logged:
Event Type: Error
Event Type: Error
By default, WSE 3.0 uses the stateful SecurityContextToken object if you configure the Web service to use a secure conversation by setting the EstablishSecurityContext property of the policy to true. WSE 3.0 uses the Data Protection API (DPAPI) to encode and decode the state of the SecurityContextToken object, that is, the cookie of the SecurityContextToken object.
This problem occurs because WSE 3.0 cannot call the DPAPI if the user profile of the application pool identity is not loaded.
To work around this problem, use one of the following methods.
Method 1: Configure the application pool identity to run as a user account for which the user profile is already loaded. For example, configure the application pool identity to run as the Network Service account.
Method 2: Manually load the user profile of the application pool identity. To do this, use one of the following methods.
Method A: Follow these steps:
Method B: To load the user profile, call the LoadUserProfile function.
Method 3: Disable the stateful SecurityContextToken object of the Web service by configuring the statefulSecurityContextToken element. For example, you can use the application configuration file that contains the following code to disable the stateful security tokens.
Method 4: To configure the Web service to use a secure conversation, use an X509 certificate, or use another security token type instead of using the default DPAPI implementation. To do this, configure the serviceToken element in the application configuration file of each Web server. For example, the following code configures the Web service to use an X509 certificate instead of using the default DPAPI implementation.
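The following web.config fragment is an added example of what the configuration for Method 3 and Method 4 looks like; it is not the article's own sample, which is not reproduced on this page. The element names statefulSecurityContextToken and serviceToken come from the article; the attribute names on the x509 element and the certificate subject are assumptions, and the fragment is meant to go inside the existing WSE 3.0 configuration section of the Web service.

```xml
<!-- Goes inside the existing <microsoft.web.services3> section of the Web service's web.config.
     Apply either the Method 3 element or the Method 4 element, not both. -->
<microsoft.web.services3>
  <security>

    <!-- Method 3: turn off the stateful SecurityContextToken. WSE 3.0 then keeps the
         token in its in-process cache instead of a DPAPI-protected cookie, so the
         app pool identity no longer needs a loaded user profile. The "enabled"
         attribute name is an assumption. Trade-off from the article: an application
         domain reset (for example, one triggered by a virus scanner) destroys the
         cache and causes a SOAP error until the client re-establishes the context. -->
    <statefulSecurityContextToken enabled="false" />

    <!-- Method 4: keep stateful tokens but protect them with an X.509 certificate
         instead of DPAPI. Attribute names and the subject value are assumptions;
         replace the placeholder subject with the real service certificate. The app
         pool identity needs read access to that certificate's private key, otherwise
         the service fails in the same way it did without the user profile. -->
    <serviceToken>
      <x509 storeLocation="LocalMachine"
            storeName="My"
            findValue="CN=PLACEHOLDER-service-cert"
            findType="FindBySubjectDistinguishedName" />
    </serviceToken>

  </security>
</microsoft.web.services3>
```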
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.
When you send a SOAP message, the stateful SecurityContextToken object is serialized together with an encrypted key that can be retrieved only by the Web service. By contrast, the encrypted key of the stateless SecurityContextToken object is cached by the client and by the Web service. Therefore, only a unique string that identifies the cached SecurityContext security token has to be sent in the SOAP message. As long as the caches are available, no problem occurs. If you use the stateless SecurityContextToken object and the application domain that is hosting the Web service is reset, the caches are destroyed. Therefore, a SOAP error occurs.
Note Some virus scanners may cause the application domain to be reset.
Steps to reproduce the problem
For more information about how to troubleshoot the DPAPI, click the following article number to view the article in the Microsoft Knowledge Base:
309408 How to troubleshoot the Data Protection API (DPAPI) (http://support.microsoft.com/kb/309408/)
For more information about Windows data protection, visit the following Microsoft Developer Network (MSDN) Web site:
http://msdn2.microsoft.com/en-us/library/ms995355.aspx
For more information about the LoadUserProfile function, visit the following MSDN Web site:
Article ID: 939761 - Last Review: July 27, 2007 - Revision: 1.0