ASP.Net using a Client Certificate on IIS 6.0

[CatpWilco]

I have an ASP.Net application application that uses a client
certificate to communicate to a third party.

Now, in Win2K, to install the Class 1 Client Certificate, you have to
log in as the ASPNET user (or what ever user the aspnet_wp runs as),
and install the certificate for that user.

In Win2003 (IIS 6.0), I have followed the same process and it does not
work. I have not been able to find documentation on this. Any tips
out there?


Although my question does not refer to any code, here is a sample to
give a better picture of what the ASP.Net app is doing.

Dim oRequest As HttpWebRequest
Dim oResponse As HttpWebResponse
Dim oClientCert As
System.Security.Cryptography.X509Certificates.X509Certificate
Dim POSTBuffer() As Byte
Dim DataStream As System.IO.Stream
Dim sr As System.IO.StreamReader
Dim OutputString As String

POSTBuffer =
System.Text.Encoding.UTF8.GetBytes("DataToSend")

oClientCert = New
X509Certificate(X509Certificate.CreateFromCertFile(ApplicationConfig.CertificatePath))

oRequest = HttpWebRequest.Create("http://ThirdPartyURL")
oRequest.Credentials = CredentialCache.DefaultCredentials
oRequest.ClientCertificates.Add(oClientCert)
oRequest.Method = POST
oRequest.ContentType = "application/x-www-form-urlencoded"

Try

DataStream = oRequest.GetRequestStream()
DataStream.Write(POSTBuffer, 0, POSTBuffer.Length)
DataStream.Close()

'* * * * * * * * * * * * * * * * * * * * * * * * * *
'* Code fails here due to a 403.1 error
oResponse = CType(oRequest.GetResponse,
HttpWebResponse)
sr = New
System.IO.StreamReader(oResponse.GetResponseStream())
OutputString = sr.ReadToEnd
sr.Close()
catch ex Exception
'(more boring code) ...


Thanks,
R. Wilco

 

[Jeffrey Hasan]

I'm not sure what did not work, but in Win2003 you should sign in as a local
admin to install certificates. Are you just encrypting requests, or, are you
also decrypting responses? If it is the former then you should be good to
go. If it is the latter then you may need to grant the ASPNET account
permission to access the private key. Simon Horrell has an article that
clearly shows you how to do this. (His article relates to WSE but the same
principle applies to what you need to accomplish):

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnwse/html/wse2wspolicy.asp

Good luck,

Jeffrey Hasan, MCSD
President, Bluestone Partners, Inc.

 

[CatpWilco]

Thank you Jeffrey.

The link you provided is very informative but does not go in the right
direction for this issue. It did help me come accross some other
links that helped.

I did make some progress.
By changing the Identity for the Application Pool (
http://msdn.microsoft.com/library/d...html/cpconidentityapplicationpoolsettings.asp
) to use the ASPNet account and logging onto the machine as the ASPNet
user, the web app worked. When I reboot the machine, the web app does
not work. So, this leads to the following:

When the ASPNET user account logs in, the credentials (which includes
the client certificate installed for the ASPNET account) are loaded
and remain in memory for a while (or until reboot).

I am still stumped on getting the ASPNET credentials loaded without
logging into the machine as the ASPNET user. I am still looking for
some help on this one. Any ideas? I could write a windows service to
run as ASPNET and to startup automatically, but there must be a better
way. I think I am missing something where I set the Identity for the
Application Pool (or maybe not).

(General statement: If the root of the problem is not clear, let me
know and I can clarify the scenario)

Thanks,
RW