Consider the following scenario. You configure a Microsoft Web Services Enhancements 3.0 (WSE 3.0)-based Web service to use a secure conversation. You configure the application pool in Internet Information Services (IIS) to use a custom user account to run the Web service. In this scenario, the following Error events may be logged:
Event Type: Error Event Source: Microsoft WSE 3.0 Event Category: None Event ID: 0 Date: 5/19/2007 Time: 3:30:00 PM User: N/A Computer: ServerName Description: System.ApplicationException: WSE841: An error occured processing an outgoing fault response. System.Web.Services.Protocols.SoapException: System.Web.Services.Protocols.SoapException: Server was unable to process request. System.Security.Cryptography.CryptographicException: The system cannot find the file specified.
Note In these events, the word "occured" is a misspelling for the word "occurred."
By default, WSE 3.0 uses the stateful SecurityContextToken object if you configure the Web service to use a secure conversation by setting the EstablishSecurityContext property of the policy to true. WSE 3.0 uses the Data Protection API (DPAPI) to encode the state of the SecurityContextToken object and to decode the state of the SecurityContextToken object. Or, WSE 3.0 uses the DPAPI to encode the cookie of the SecurityContextToken object and to decode the cookie of the SecurityContextToken object.
This problem occurs because WSE 3.0 cannot call the DPAPI if the user profile of the application pool identity is not loaded.
To work around this problem, use one of the following methods.
Configure the application pool identity to run as a user account for which the user profile is already loaded. For example, configure the application pool identity to run as the Network Service account.
Manually load the user profile of the application pool identity. To do this, use one of the following methods.
Follow these steps:
Use a user account to log on to the computer, and then do not change the user account.
Under this user account, create a Microsoft Windows service, or run a Windows service.
Configure the Windows service so that the user account can interact with the desktop.
To load the user profile, call the LoadUserProfile function.
Disable the stateful SecurityContextToken object of the Web service by configuring the statefulSecurityContextToken element. For example, you can use the application configuration file that contains the following code to disable the stateful security tokens.
To configure the Web service to use a secure conversation, use an X509 certificate, or use another security token type instead of using the default DPAPI implementation. To do this, configure the serviceToken element in the application configuration file of each Web server. For example, the following code configures the Web service to use an X509 certificate instead of using the default DPAPI implementation.
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.
When you send a SOAP message, the stateful SecurityContextToken object is serialized together with an encrypted key that can be retrieved only by the Web service. On the contrary, the encrypted key of the stateless SecurityContextToken object is cached by the client and by the Web service. Therefore, a unique string that represents the cached SecurityContext security token must be sent in the SOAP message. When the caches are available, no problem occurs. If you use the stateless SecurityContextToken object and if the application domain that is hosting the Web service is reset, the caches are destroyed. Therefore, a SOAP error occurs.
Note Some virus scanners may cause the application domain to be reset.
Steps to reproduce the problem
Open the WSE 3.0 Secure Conversation Quickstart sample. By default, this sample is in the following location: