This section lists common WSE error messages, the situations that may cause them, and possible remedies.

X509 Related Errors

Certificate does not support Digital Signature

Cause

Remedy

The certificate does not support digital signature usage.

Use a different certificate that supports digital signatures.

No private key available for this certificate

Cause

Remedy

The private key is not available in the WSE store location, which is the local computer by default.

Add a private key to the configured store. Then change the WSE store location (current user) to where the private key is stored.

Keyset does not exist

Cause

Remedy

Private key access denied.

Grant the account under which ASP.NET is running read permission to the private key. For details about granting the read permission, see the Required Permissions for the WSE to Sign or Decrypt with an X.509 Certificate section of Managing X.509 Certificates.

Private key not found.

Make sure the private key for the certificate is installed.

Signature Verification

An invalid security token was provided

Cause

Remedy

A missing certificate chain at the configured WSE store location (local computer by default).

Install a trusted root chain into the configured WSE store location.

An untrusted certificate chain at the configured WSE store location (local computer by default).

Use a different certificate that is issued by a trusted root.

The certificate was revoked.

The certificate has expired.

The certificate is pending.

The security token cannot be authenticated or authorized

Cause

Remedy

The SOAP message was tampered with in transit or it is corrupt.

An invalid security token was provided

Cause

Remedy

The digital signature was signed by a certificate that does not support digital signatures.

Sign the SOAP message with a certificate that supports digital signatures.

Encryption

Security token does not support Data Encryption

Cause

Remedy

The Key Usage property of the certificate does not include Data Encipherment.

Use a certificate with a Key Usage property that includes Data Encipherment.

Decryption

Keyset does not exist

Cause

Remedy

The private key is not available in the configured WSE store location (local computer by default).

Add the private key to the configured store. Then change the WSE store location (current user) to the store that holds the private key.

The signature or encryption was invalid.

Use a different certificate.

Permission is not granted to use the private key.

Grant private key access permission to the WSE Web application. By default, the private key access is granted only to the Administrator account and the account that installs the private key. For details about granting the permission, see the Required Permissions for the WSE to Sign or Decrypt with an X.509 Certificate section of Managing X.509 Certificates.

An invalid security token was provided

Cause

Remedy

The Key Usage property of the certificate does not include Data Encipherment.

Use a certificate with a Key Usage property that includes Data Encipherment.

Referenced security token could not be retrieved

Cause

Remedy

Certificate not found.

Install the certificate with its private key in the certificate store location specified in the configuration file. For details about configuring the certificate store the WSE looks in, see <x509>.

Certificate revoked.

Use another certificate.

Certificate is not trusted by the recipient.

Use a certificate trusted by the recipient.

An unsupported signature or encryption algoritm was used

Cause

Description

An algorithm other than RSA was used for asymmetric encryption.

The sender is using an algorithm not supported by the WSE.

An algorithm other than RSA was used for session key encryption.

The sender is using an algorithm not supported by the WSE.

Algorithm other than Triple DES and Rihndael (AES128, AES192, AES256) was used for symmetric encryption.

The sender is using an algorithm not supported by the WSE.

Referral Cache

Endpoint Not Supported

Cause

Remedy

The WS-Routing receiver does not support the URI scheme or it does not service the URI space (for example, Unicode characters that are not supported are used in the referral cache).

Do not use an unsupported URI scheme or an unserviced portion of URI space (for example, Unicode characters in the referral cache file).

Cause	Remedy
The certificate does not support digital signature usage.	Use a different certificate that supports digital signatures.

Cause	Remedy
The private key is not available in the WSE store location, which is the local computer by default.	Add a private key to the configured store. Then change the WSE store location (current user) to where the private key is stored.

Cause	Remedy
Private key access denied.	Grant the account under which ASP.NET is running read permission to the private key. For details about granting the read permission, see the Required Permissions for the WSE to Sign or Decrypt with an X.509 Certificate section of Managing X.509 Certificates.
Private key not found.	Make sure the private key for the certificate is installed.

Cause	Remedy
A missing certificate chain at the configured WSE store location (local computer by default).	Install a trusted root chain into the configured WSE store location.
An untrusted certificate chain at the configured WSE store location (local computer by default).	Use a different certificate that is issued by a trusted root.
The certificate was revoked.
The certificate has expired.
The certificate is pending.

Cause	Remedy
The SOAP message was tampered with in transit or it is corrupt.

Cause	Remedy
The digital signature was signed by a certificate that does not support digital signatures.	Sign the SOAP message with a certificate that supports digital signatures.

Cause	Remedy
The Key Usage property of the certificate does not include Data Encipherment.	Use a certificate with a Key Usage property that includes Data Encipherment.

Cause	Remedy
Certificate not found.	Install the certificate with its private key in the certificate store location specified in the configuration file. For details about configuring the certificate store the WSE looks in, see <x509>.
Certificate revoked.	Use another certificate.
Certificate is not trusted by the recipient.	Use a certificate trusted by the recipient.

Cause	Description
An algorithm other than RSA was used for asymmetric encryption.	The sender is using an algorithm not supported by the WSE.
An algorithm other than RSA was used for session key encryption.	The sender is using an algorithm not supported by the WSE.
Algorithm other than Triple DES and Rihndael (AES128, AES192, AES256) was used for symmetric encryption.	The sender is using an algorithm not supported by the WSE.

Cause	Remedy
The WS-Routing receiver does not support the URI scheme or it does not service the URI space (for example, Unicode characters that are not supported are used in the referral cache).	Do not use an unsupported URI scheme or an unserviced portion of URI space (for example, Unicode characters in the referral cache file).

Common Error Messages

X509 Related Errors

Signature Verification

Encryption

Decryption

Referral Cache