ASP.Net using a Client Certificate on IIS 6.0

Discussion in 'ASP .Net Security' started by CatpWilco, Aug 3, 2004.

  1. CatpWilco

    CatpWilco Guest

    I have an ASP.Net application application that uses a client
    certificate to communicate to a third party.

    Now, in Win2K, to install the Class 1 Client Certificate, you have to
    log in as the ASPNET user (or what ever user the aspnet_wp runs as),
    and install the certificate for that user.

    In Win2003 (IIS 6.0), I have followed the same process and it does not
    work. I have not been able to find documentation on this. Any tips
    out there?


    Although my question does not refer to any code, here is a sample to
    give a better picture of what the ASP.Net app is doing.

    Dim oRequest As HttpWebRequest
    Dim oResponse As HttpWebResponse
    Dim oClientCert As
    System.Security.Cryptography.X509Certificates.X509Certificate
    Dim POSTBuffer() As Byte
    Dim DataStream As System.IO.Stream
    Dim sr As System.IO.StreamReader
    Dim OutputString As String

    POSTBuffer =
    System.Text.Encoding.UTF8.GetBytes("DataToSend")

    oClientCert = New
    X509Certificate(X509Certificate.CreateFromCertFile(ApplicationConfig.CertificatePath))

    oRequest = HttpWebRequest.Create("http://ThirdPartyURL")
    oRequest.Credentials = CredentialCache.DefaultCredentials
    oRequest.ClientCertificates.Add(oClientCert)
    oRequest.Method = POST
    oRequest.ContentType = "application/x-www-form-urlencoded"

    Try

    DataStream = oRequest.GetRequestStream()
    DataStream.Write(POSTBuffer, 0, POSTBuffer.Length)
    DataStream.Close()

    '* * * * * * * * * * * * * * * * * * * * * * * * * *
    '* Code fails here due to a 403.1 error
    oResponse = CType(oRequest.GetResponse,
    HttpWebResponse)
    sr = New
    System.IO.StreamReader(oResponse.GetResponseStream())
    OutputString = sr.ReadToEnd
    sr.Close()
    catch ex Exception
    '(more boring code) ...


    Thanks,
    R. Wilco
    CatpWilco, Aug 3, 2004
    #1
    1. Advertising

  2. I'm not sure what did not work, but in Win2003 you should sign in as a local
    admin to install certificates. Are you just encrypting requests, or, are you
    also decrypting responses? If it is the former then you should be good to
    go. If it is the latter then you may need to grant the ASPNET account
    permission to access the private key. Simon Horrell has an article that
    clearly shows you how to do this. (His article relates to WSE but the same
    principle applies to what you need to accomplish):

    http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnwse/html/wse2wspolicy.asp

    Good luck,

    Jeffrey Hasan, MCSD
    President, Bluestone Partners, Inc.
    -----------------------------------------------
    Author of: Expert SOA in C# Using WSE 2.0 (APress, 2004)
    http://www.bluestonepartners.com/soa.aspx

    "CatpWilco" <> wrote in message
    news:...
    > I have an ASP.Net application application that uses a client
    > certificate to communicate to a third party.
    >
    > Now, in Win2K, to install the Class 1 Client Certificate, you have to
    > log in as the ASPNET user (or what ever user the aspnet_wp runs as),
    > and install the certificate for that user.
    >
    > In Win2003 (IIS 6.0), I have followed the same process and it does not
    > work. I have not been able to find documentation on this. Any tips
    > out there?
    >
    >
    > Although my question does not refer to any code, here is a sample to
    > give a better picture of what the ASP.Net app is doing.
    >
    > Dim oRequest As HttpWebRequest
    > Dim oResponse As HttpWebResponse
    > Dim oClientCert As
    > System.Security.Cryptography.X509Certificates.X509Certificate
    > Dim POSTBuffer() As Byte
    > Dim DataStream As System.IO.Stream
    > Dim sr As System.IO.StreamReader
    > Dim OutputString As String
    >
    > POSTBuffer =
    > System.Text.Encoding.UTF8.GetBytes("DataToSend")
    >
    > oClientCert = New
    >

    X509Certificate(X509Certificate.CreateFromCertFile(ApplicationConfig.Certifi
    catePath))
    >
    > oRequest = HttpWebRequest.Create("http://ThirdPartyURL")
    > oRequest.Credentials = CredentialCache.DefaultCredentials
    > oRequest.ClientCertificates.Add(oClientCert)
    > oRequest.Method = POST
    > oRequest.ContentType = "application/x-www-form-urlencoded"
    >
    > Try
    >
    > DataStream = oRequest.GetRequestStream()
    > DataStream.Write(POSTBuffer, 0, POSTBuffer.Length)
    > DataStream.Close()
    >
    > '* * * * * * * * * * * * * * * * * * * * * * * * * *
    > '* Code fails here due to a 403.1 error
    > oResponse = CType(oRequest.GetResponse,
    > HttpWebResponse)
    > sr = New
    > System.IO.StreamReader(oResponse.GetResponseStream())
    > OutputString = sr.ReadToEnd
    > sr.Close()
    > catch ex Exception
    > '(more boring code) ...
    >
    >
    > Thanks,
    > R. Wilco
    Jeffrey Hasan, Aug 3, 2004
    #2
    1. Advertising

  3. CatpWilco

    CatpWilco Guest

    Thank you Jeffrey.

    The link you provided is very informative but does not go in the right
    direction for this issue. It did help me come accross some other
    links that helped.

    I did make some progress.
    By changing the Identity for the Application Pool (
    http://msdn.microsoft.com/library/d...html/cpconidentityapplicationpoolsettings.asp
    ) to use the ASPNet account and logging onto the machine as the ASPNet
    user, the web app worked. When I reboot the machine, the web app does
    not work. So, this leads to the following:

    When the ASPNET user account logs in, the credentials (which includes
    the client certificate installed for the ASPNET account) are loaded
    and remain in memory for a while (or until reboot).

    I am still stumped on getting the ASPNET credentials loaded without
    logging into the machine as the ASPNET user. I am still looking for
    some help on this one. Any ideas? I could write a windows service to
    run as ASPNET and to startup automatically, but there must be a better
    way. I think I am missing something where I set the Identity for the
    Application Pool (or maybe not).

    (General statement: If the root of the problem is not clear, let me
    know and I can clarify the scenario)

    Thanks,
    RW


    "Jeffrey Hasan" <> wrote in message news:<>...
    > I'm not sure what did not work, but in Win2003 you should sign in as a local
    > admin to install certificates. Are you just encrypting requests, or, are you
    > also decrypting responses? If it is the former then you should be good to
    > go. If it is the latter then you may need to grant the ASPNET account
    > permission to access the private key. Simon Horrell has an article that
    > clearly shows you how to do this. (His article relates to WSE but the same
    > principle applies to what you need to accomplish):
    >
    > http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnwse/html/wse2wspolicy.asp
    >
    > Good luck,
    >
    > Jeffrey Hasan, MCSD
    > President, Bluestone Partners, Inc.
    > -----------------------------------------------
    > Author of: Expert SOA in C# Using WSE 2.0 (APress, 2004)
    > http://www.bluestonepartners.com/soa.aspx
    >
    > "CatpWilco" <> wrote in message
    > news:...
    > > I have an ASP.Net application application that uses a client
    > > certificate to communicate to a third party.
    > >
    > > Now, in Win2K, to install the Class 1 Client Certificate, you have to
    > > log in as the ASPNET user (or what ever user the aspnet_wp runs as),
    > > and install the certificate for that user.
    > >
    > > In Win2003 (IIS 6.0), I have followed the same process and it does not
    > > work. I have not been able to find documentation on this. Any tips
    > > out there?
    > >
    > >
    > > Although my question does not refer to any code, here is a sample to
    > > give a better picture of what the ASP.Net app is doing.
    > >
    > > Dim oRequest As HttpWebRequest
    > > Dim oResponse As HttpWebResponse
    > > Dim oClientCert As
    > > System.Security.Cryptography.X509Certificates.X509Certificate
    > > Dim POSTBuffer() As Byte
    > > Dim DataStream As System.IO.Stream
    > > Dim sr As System.IO.StreamReader
    > > Dim OutputString As String
    > >
    > > POSTBuffer =
    > > System.Text.Encoding.UTF8.GetBytes("DataToSend")
    > >
    > > oClientCert = New
    > >

    > X509Certificate(X509Certificate.CreateFromCertFile(ApplicationConfig.Certifi
    > catePath))
    > >
    > > oRequest = HttpWebRequest.Create("http://ThirdPartyURL")
    > > oRequest.Credentials = CredentialCache.DefaultCredentials
    > > oRequest.ClientCertificates.Add(oClientCert)
    > > oRequest.Method = POST
    > > oRequest.ContentType = "application/x-www-form-urlencoded"
    > >
    > > Try
    > >
    > > DataStream = oRequest.GetRequestStream()
    > > DataStream.Write(POSTBuffer, 0, POSTBuffer.Length)
    > > DataStream.Close()
    > >
    > > '* * * * * * * * * * * * * * * * * * * * * * * * * *
    > > '* Code fails here due to a 403.1 error
    > > oResponse = CType(oRequest.GetResponse,
    > > HttpWebResponse)
    > > sr = New
    > > System.IO.StreamReader(oResponse.GetResponseStream())
    > > OutputString = sr.ReadToEnd
    > > sr.Close()
    > > catch ex Exception
    > > '(more boring code) ...
    > >
    > >
    > > Thanks,
    > > R. Wilco
    CatpWilco, Aug 4, 2004
    #3
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Colin
    Replies:
    1
    Views:
    804
    Masudur
    Jul 14, 2007
  2. Mfenetre
    Replies:
    11
    Views:
    1,605
    Joe Kaplan \(MVP - ADSI\)
    Oct 12, 2005
  3. Colin
    Replies:
    1
    Views:
    151
    Masudur
    Jul 14, 2007
  4. surya Prakash via .NET 247

    Request a Client-Side Certificate using ASP.NET Code

    surya Prakash via .NET 247, May 15, 2005, in forum: ASP .Net Web Services
    Replies:
    0
    Views:
    455
    surya Prakash via .NET 247
    May 15, 2005
  5. Colin
    Replies:
    0
    Views:
    108
    Colin
    Jul 13, 2007
Loading...

Share This Page