Common Configuration Issues
When troubleshooting, set the mode attribute of the <customErrors> element to Off or RemoteOnly and inspect the event log of the Web server receiving the SOAP message. Setting the mode attribute to Off or RemoteOnly instructs WSE to throw SOAP faults with detailed error information for all incoming SOAP messages and incoming SOAP messages sent from a different computer than the recipient, respectively. For non-HTTP SOAP Messaging, set the enabled attribute of the <detailedErrors> element to true to receive detailed error information. For more information, see Web Services Enhancements Diagnostic Settings. WSE also adds detailed error information to the event log when it receives a SOAP message that causes an error.
Solutions to common configuration issues
The following table details solutions to common configuration issues with the WSE.
| Feature of WSE being used | Exception or fault | Error message | Possible cause and solution |
|---|---|---|---|
Any feature of WSE. |
FileNotFoundException (System.IO) |
File or assembly name Microsoft.Web.Services3, or one of its dependencies, was not found. |
When specifying that the WSE SOAP extension is configured for a Web application, the strong name for the Microsoft.Web.Services3 was not specified. See <soapServerProtocolFactory> Element for the correct settings. |
Any feature of WSE. |
SoapHeaderException (System.Web.Services.Protocols) |
Service Unavailable. |
An expired SOAP message is received. Expired SOAP messages sent to a Web service are automatically detected by WSE. WSE sends a SOAP fault back to the sender. The time-to-live (TTL) is set by the SoapRequest.Security.Timestamp.TtlInSeconds property. |
Signing or encrypting a SOAP message by using an X.509 certificate. |
SoapHeaderException (System.Web.Services.Protocols) |
An invalid security token was provided. |
WSE does not have permission to access the certificate store where an X.509 certificate is stored. For more information, see Managing X.509 Certificates. -or- The X.509 certificate used to sign a SOAP message has expired. -or- The recipient does not trust the X.509 certificate. That is, the X.509 certificate is a member of the Untrusted Certificates for the given certificate store. -or- The Key Usage property of the X.509 certificate does not match the functionality that the certificate is being used for. For instance, if the X.509 certificate is being used for encryption, it must have either the Data Encipherment or Data Encryption Key Usage attribute. |
Signing or encrypting a SOAP message by using an X.509 certificate. |
SoapHeaderException (System.Web.Services.Protocols) |
Private Key is not available. |
The account that WSE is running under does not have read permission for the file containing the private key for the X.509 certificate. For more information, see Managing X.509 Certificates. |
Signing or encrypting a SOAP message by using a Kerberos token. |
SecurityFault (Microsoft.Web.Services3.Security) |
The incoming Kerberos service ticket could not be validated. The LsaLogonUser call failed with the following message: The trust relationship between this workstation and the primary domain failed. |
This error happens when the Kerberos target host name does not match the host name of the Web service that receives the SOAP message. Change the target host name to match the host name of the Web service. For more information, see How to: Sign a SOAP Message By Using a Kerberos Ticket. |
Using the QuickStart Samples. |
WebException (System.Net) |
The request failed with HTTP status 404: Not Found. |
The Web application has not been created for the QuickStarts. |
Sending SOAP messages using the HTTPS transport. |
WebException (System.Net) |
The underlying connection was closed: Could not establish trust relationship with remote server. |
The computer receiving the SOAP message does not trust the issuer of the X.509 certificate used by the SOAP message sender. To trust a Certificate Authority, a certificate chain must be installed into the correct certificate store. For details about doing this, see How to: Specify the Certificate Authority Certificate Chain Used to Verify Signatures -or- The X.509 certificate used by the SOAP message sender has expired. -or- The name on the X.509 certificate used by the Web server is invalid or does not match the name of the Web site receiving the SOAP message. |
Using the WSE router or the Routing Sample. |
SoapHeaderException (System.Web.Services.Protocols) |
Service Unavailable. |
The file specified in the <cache> Element for <referral> element does not exist. For more information about specifying the location of the file containing the referral cache, see Routing SOAP Messages with WSE. -or- The referral cache has invalid XML elements. For a list of the supported XML elements in the referral cache, see Routing SOAP Messages with WSE. |
Using the Routing Sample. |
SoapHeaderException (System.Web.Services.Protocols) |
Service Unavailable |
The additional Web application needed for the sample has not been created. -or- The ASP service account (default ASPNET) does not have read/write permission to the file containing the referral cache. |
Configuring the referral cache file. |
EndpointNotSupported Code="712" |
712 Endpoint Not Supported <URI endpoint> |
The routing receiver does not support the URI scheme or it does not service the URI space (for example, Unicode characters that are not supported are used in the referral cache). |