403: Forbidden when sending client certificate to remote web servi

Discussion in 'ASP .Net Web Services' started by Raphael Gray, May 22, 2009.

  1. Raphael Gray

    Raphael Gray Guest

    Summary:
    I am accessing a remote web service as a client and passing a client
    certificate as part of a call. The client certificate works perfectly when
    checking via a local user account to access the data. It also works on my
    local PC. On the Windows 2003 Server it is failing. I have tried several
    options as outlined below to make this work.

    Environment:
    Windows Server 2003 SP3, .Net 2.0.50727, IIS 6.0

    Application:
    C# .Net web page. This is calling the WebService via a proxy and using the
    WSE 3.0 classes to get the certificate.

    Certificate:
    The certificate is an X509 pfx that includes the private key and works fine
    from a local user account.

    Code Sample:
    // Certificate store location the certificate is loaded from
    X509Store store = new X509Store(StoreName.My, StoreLocation.LocalMachine);

    // Request: attach the client certificate to the proxy, then call the service
    Proxy myProxy = new Proxy();
    myProxy.ClientCertificates.Add(signatureToken.Certificate);
    string myResult = myProxy.Execute(xmlString);



    Error: I then receive a WebException as: The request failed with HTTP
    status 403: Forbidden.


    Setup/Attempted Solutions:
    1. Ensured that the certificate includes the private key
    (signatureToken.Certificate.HasPrivateKey).

    2. Ensured that the Security needed should be the NT Authority\Network
    Service Account.

    3. Ensured that the Certificate was in the Local Machine Store Personal
    Certificates Repository. (using MMC - Certificates Add-In - Ensured this
    was added to the local machine store - Personal Folder).

    4. Used WinHttpCertCfg.exe to ensure that needed accounts should have
    authority to the certificate: ("C:\Program Files\Windows Resource
    Kits\Tools\WinHttpCertCfg.exe" -g -c LOCAL_MACHINE\MY -s "CertName" -a
    "Server\NETWORK SERVICE") (Confirmation using -l method: Additional
    accounts and groups with access to the private key include:
    BUILTIN\Administrators
    NT AUTHORITY\SYSTEM
    NT AUTHORITY\NETWORK SERVICE)
    I also have tried adding the ASPNet and IUSR_MACHINE securities for this.


    This seems to have followed all the instructions I have seen and I have
    combed the posts for several hours looking for a resolution. Sorry about the
    glut of info, but I wanted to ensure that steps already taken were known.
    I'm sorry about any posting etiquette issues as well as I post very
    infrequently.

    Thanks
    Raphael Gray, May 22, 2009
    #1

  2. Raphael Gray

    Raphael Gray Guest

    Issue Resolution:

    This was a Verisign Class 1 Individual CA - G2.

    The problem ended up being the chaining of the certificates.

    On Windows Server 2003, when the certificate was imported into the local
    machine store, the certificate and all of the intermediate and root
    certificates were being pulled into the "Local" store.

    Once I identified the intermediate certificate and moved it into the
    Intermediate CA location, the process worked.


    Raphael Gray, Jun 3, 2009
    #2
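
The resolution above came down to which Local Machine store held each certificate in the chain. As an added example (not code from the original posts), this C# console program builds the chain for a client certificate in LocalMachine\My and reports, for each issuing certificate, whether it sits in the store expected for its role and whether a copy is also in the Personal store. The class name, the subject-name argument and the exit codes are assumptions made for illustration.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;

// Added diagnostic, not from the original thread. Run it on the affected server.
static class ChainStoreCheck
{
    // True if a certificate with this thumbprint is in the given LocalMachine store.
    static bool InStore(StoreName name, string thumbprint)
    {
        X509Store store = new X509Store(name, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            return store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, false).Count > 0;
        }
        finally { store.Close(); }
    }

    static int Main(string[] args)
    {
        if (args.Length != 1) { Console.Error.WriteLine("usage: ChainStoreCheck <subject-name>"); return 2; }
        X509Store my = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        my.Open(OpenFlags.ReadOnly);
        X509Certificate2Collection found = my.Certificates.Find(X509FindType.FindBySubjectName, args[0], false);
        my.Close();
        if (found.Count == 0) { Console.Error.WriteLine("certificate not found in LocalMachine\\My"); return 2; }

        X509Chain chain = new X509Chain();
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck; // checking store placement only
        bool ok = chain.Build(found[0]);
        Console.WriteLine("Chain builds cleanly: {0}", ok);

        int misplaced = 0;
        for (int i = 1; i < chain.ChainElements.Count; i++) // element 0 is the client certificate itself
        {
            X509Certificate2 c = chain.ChainElements[i].Certificate;
            bool selfSigned = c.Subject == c.Issuer; // simple root test: subject equals issuer
            StoreName expected = selfSigned ? StoreName.Root : StoreName.CertificateAuthority;
            bool inExpected = InStore(expected, c.Thumbprint);
            bool inMy = InStore(StoreName.My, c.Thumbprint);
            if (!inExpected || inMy) misplaced++;
            Console.WriteLine("{0}\n  expected store: {1} (present: {2}); also in My: {3}",
                c.Subject, expected, inExpected, inMy);
        }
        return (ok && misplaced == 0) ? 0 : 1; // non-zero when the chain is incomplete or misfiled
    }
}
```

An intermediate reported as "also in My: True" with "present: False" matches the situation described in the resolution post, where the PFX import placed the whole chain in one store.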
