ASPNET To Web Service using SSL w/Client Certs

Guest

At the top here I will put a quick description of my problem followed by the long description. This way you won't get bored reading! :)

short version:
What is the best/recommended way for ASP.NET apps to call web services that REQUIRE client certificates via SSL?

long version:
Our company has new requirements: all servers must REQUIRE SSL and server/client certificates.
I have set up a test Win2003 server to issue certs so I have a full test environment on my machine. I have gen'd the server cert and applied it to my IIS secure site. I have issued 2 client certs, one for web browser, one advanced, and issued a "localmachine" cert. All this is done using the http://myserver/certsvr tool. One went to a separate machine which has installed my test server's root authority chain and the client cert. If I hit a webpage or webservice using that machine and user I am prompted for my certificate, I choose the one I gen'd and it works great. I can see webpages and get webservice data.
The other cert that I gen'd is installed in the localmachine section of my 2003 server in the hope that my ASP.NET code could use that client certificate to call the webservice that resides on the same machine. I added a reference to microsoft.web.services and used the X509 certificate objects from that DLL to get the local machine store and find my certificate. That works great. I put the certificate in my webservice object's ClientCertificates collection and call the webservice, but I still get a 403 access forbidden error. I used the certificate plugin in MMC to see that the cert installed in Local Machine DOES have a private key associated with it. I THINK that the problem is that somehow my ASPNET account cannot access the private key to properly send my cert to the webservice. I've, reluctantly, given ASPNET full access to the \app data\Microsoft\Crypto\RSA folder. Ideas? Suggestions?
This is extremely urgent as NONE of our 20+ servers can run any of our .NET applications now that they have made these SSL certificate changes.
 
Cowboy (Gregory A. Beamer)

First, a couple of URLs
http://msdn.microsoft.com/library/d...guide/html/cpconsecuringaspnetwebservices.asp
the above link is also in the help file (has code samples)

This one is mobile dev, but the concepts still apply:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/SecNetHT13.asp

Now that we have theory out of the way, here is a good sample code
(scroll down to "Web Services Security with C#")
http://docs.msdnaa.net/ark_new3.0/cd3/content/Type_Sample Applications.htm

NOTE: You can speed this talking process up with Remoting (web services that
do not use ASMX, are not tied to HTTP and can use any port -- okay, rather
simplistic explanation, but it works). Perf is not everything, however, so
assess your needs before changing, as Remoting is a bit more involved in the
current .NET architecture.

--
Gregory A. Beamer
MVP; MCP: +I, SE, SD, DBA

**********************************************************************
Think Outside the Box!
**********************************************************************
Tim Burris said:
At the top here I will put a quick description of my problem followed by
the long description. This way you won't get bored reading! :)
short version:
What is the best/recommended way for ASP.NET apps to call web services that
REQUIRE client certificates via SSL?
long version:
Our company has new requirements: all servers must REQUIRE SSL and server/client certificates.
I have set up a test Win2003 server to issue certs so I have a full test
environment on my machine. I have gen'd the server cert and applied it to
my IIS secure site. I have issued 2 client certs, one for web browser, one
advanced, and issued a "localmachine" cert. All this is done using the
http://myserver/certsvr tool. One went to a separate machine which has installed
my test server's root authority chain and the client cert. If I hit a
webpage or webservice using that machine and user I am prompted for my
certificate, I choose the one I gen'd and it works great. I can see webpages
and get webservice data.
The other cert that I gen'd is installed in the localmachine section of my
2003 server in the hope that my ASP.NET code could use that client
certificate to call the webservice that resides on the same machine. I added
a reference to microsoft.web.services and used the X509 certificate objects
from that DLL to get the local machine store and find my certificate. That
works great. I put the certificate in my webservice object's
ClientCertificates collection and call the webservice, but I still get a 403
access forbidden error. I used the certificate plugin in MMC to see that the
cert installed in Local Machine DOES have a private key associated with it.
I THINK that the problem is that somehow my ASPNET account cannot access the
private key to properly send my cert to the webservice. I've, reluctantly,
given ASPNET full access to the \app data\Microsoft\Crypto\RSA folder.
Ideas? Suggestions?
This is extremely urgent as NONE of our 20+ servers can run any of our
.NET applications now that they have made these SSL certificate changes.
 
Cowboy (Gregory A. Beamer)

It really depends on how you are setting up your applications. In general,
for a web server, you are tightly controlling access to the cert, so you can
set up a user with very limited rights on the domain and issue to that user.
I would recommend that route, overall, with internal apps where the web
service is largely set up as a method of distributing the application across
multiple servers (like DCOM in .NET). The admins may still balk, but they
can still be in control of the server.

For wider distribution it gets a lot trickier.

The mobile method still works in the same, if not similar, manner. I expect
huge changes in the entire model with Longhorn and it appears there are
better alternatives with Whidbey, as well. The problem is there has not been
a major change to the Framework or the server space (unless you consider 2k3
really major in this arena). I will have to re-read the article (it has been
awhile) to ensure nothing has changed.

Sorry for the quick answer, but I hope this helps you get a leg up on the
issue.

--
Gregory A. Beamer
MVP; MCP: +I, SE, SD, DBA

**********************************************************************
Think Outside the Box!
**********************************************************************
Tim Burris said:
Thank you for your quick reply! Looking back over my hastily typed post,
I must apologize for the typos!
I had previously read the "mobile dev" article that you supplied and
noticed it is dated Nov. 2002. Is that still Microsoft's recommended best
practice? I didn't know if in the past year and a half technology had
evolved producing a more up-to-date solution.
As for the article showing how to add a certificate to my webservice
call: who should the certificate (the one in the .cer file) be issued to?
And does the private key have to be included in that exported .cer file? My
network admins are reluctant to give us a .cer file that includes the
private key in it. But without the private key the certificate will not be
accepted, correct? That's the trouble that I have right now.
 
Guest

In an attempt to prove that I can pass certificates from an ASP.NET web app to a WebService I have done the following:
added an <identity impersonate="true" username password/> to my web.config,
then using the microsoft.web.services DLL with WSE 1.0 I connected to my local store, verified my impersonation worked by getting my client certificate that is installed for the impersonated user,
and added that certificate to the webservice object's ClientCertificates, but I STILL get the 403 error.

If I log in to the server as the user that I'm impersonating and navigate to the web service .asmx, I am prompted to select my cert. I select the cert and it works fine. This is the same cert I'm attaching to the web service object in code.

I'm using a very simple web app and my web service is just the default "HelloWorld" web service... nothing complicated.

I don't understand what I'm missing.
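The two posts above (the original question and this impersonation attempt) both hit the same wall: the certificate is found in the store and attached to the proxy, yet the call returns 403. The check a practitioner wants at that point is whether the identity the request runs under can actually open the private key, and which single key container file needs an ACL entry, rather than granting ASPNET full access to the whole RSA folder. The following C# is an added example written for this thread; it is not the poster's code or a Microsoft sample. It uses the X509Store API from System.Security.Cryptography.X509Certificates (instead of the WSE 1.0 store classes the poster used) and assumes a placeholder thumbprint, a CSP-backed RSA key (the kind certsrv issued in the Windows 2003 era), and the conventional MachineKeys path under the common application data folder.

```csharp
// Added example (not from the thread): find a LocalMachine\My client certificate,
// prove the current identity can use its private key, locate the key container file
// to ACL, and attach the cert to any generated ASMX proxy.
using System;
using System.IO;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Web.Services.Protocols;

public static class ClientCertHelper
{
    // Placeholder thumbprint; replace with the SHA-1 thumbprint shown in the MMC cert snap-in.
    public const string PlaceholderThumbprint = "0000000000000000000000000000000000000000";

    // Find a certificate by thumbprint in the machine "Personal" store.
    public static X509Certificate2 FindMachineCert(string thumbprint)
    {
        X509Store store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
        try
        {
            X509Certificate2Collection found = store.Certificates.Find(
                X509FindType.FindByThumbprint, thumbprint, false);
            if (found.Count == 0)
                throw new InvalidOperationException(
                    "certificate not found in LocalMachine\\My: " + thumbprint);
            return found[0];
        }
        finally
        {
            store.Close();
        }
    }

    // HasPrivateKey only means the store has a key reference. Opening the key is what
    // fails ("Keyset does not exist") when the process identity, or the impersonated
    // user, lacks Read on the key container file. Returns the path of that file so the
    // admin can grant Read on one file rather than on the whole RSA folder.
    public static string CheckPrivateKeyAccess(X509Certificate2 cert)
    {
        if (!cert.HasPrivateKey)
            throw new InvalidOperationException(
                "no private key: a .cer export carries only the public certificate; " +
                "import a .pfx (PKCS#12) into LocalMachine\\My instead");
        try
        {
            // Assumes a CSP (not CNG) RSA key, which is what a 2003-era CA issues.
            RSACryptoServiceProvider rsa = (RSACryptoServiceProvider)cert.PrivateKey;
            CspKeyContainerInfo info = rsa.CspKeyContainerInfo;
            if (!info.MachineKeyStore)
                return "user-profile key container " + info.UniqueKeyContainerName +
                       " (only usable by the user who imported it)";
            // Machine keys: ...\Application Data\Microsoft\Crypto\RSA\MachineKeys on 2003,
            // ProgramData\Microsoft\Crypto\RSA\MachineKeys on later Windows (assumption).
            string keyDir = Path.Combine(
                Environment.GetFolderPath(Environment.SpecialFolder.CommonApplicationData),
                @"Microsoft\Crypto\RSA\MachineKeys");
            return Path.Combine(keyDir, info.UniqueKeyContainerName);
        }
        catch (CryptographicException ex)
        {
            // Environment.UserName reflects the impersonated user when <identity impersonate="true"/> is on.
            throw new InvalidOperationException(
                "private key present but not readable by " + Environment.UserName +
                "; grant that identity Read on the key container file", ex);
        }
    }

    // Every wsdl.exe / "Add Web Reference" proxy derives from HttpWebClientProtocol,
    // so this works for the default HelloWorld proxy without naming its class.
    public static string AttachClientCert(HttpWebClientProtocol proxy, X509Certificate2 cert)
    {
        string keyFile = CheckPrivateKeyAccess(cert);   // throws before a doomed 403 round-trip
        proxy.ClientCertificates.Add(cert);
        return keyFile;                                 // log this for the admin doing the ACL
    }
}
```

Calling `AttachClientCert(new HelloWorldProxy(), FindMachineCert(thumbprint))` from the page (where `HelloWorldProxy` stands for whatever class Visual Studio generated) either attaches the certificate and returns the key file path, or fails with a message that names the identity that cannot read the key. That distinguishes the "private key ACL" cause from a server-side one: if the key opens fine under the same identity and the call still returns 403, the problem is on the IIS side (client certificate mapping or the trusted root on the server), not in the proxy code.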
 