Client Cert Doesn't work after Deployment

Discussion in 'ASP .Net Security' started by Ty, Sep 22, 2005.

  1. Ty

    Ty Guest

    One of our Asp.Net web applications utilizes a 3rd party webservice that
    requires a client cert as part of the security model. The application code
    runs fine, authenticates the message, and returns the expected results in the
    development environment.

    I have installed the CA & Client Certs into:
    Certificates (Local Computer)/Trusted Root Certification
    Authorities/Certificates/CA.CER

    In Dev, when I manually open the secure webservice URL in IE6, I am prompted
    to select the client cert I want to use to access this resource. I select the
    client cert (the only one listed) and click "ok" and the destination page
    opens.

    In Dev, when I run my client application, the transaction completes
    successfully, so I know that the cert is working properly.

    However, after I deployed to my staging server, all of the messages to the
    3rd party webservice fail with an http 403.7 error.

    I can access the webservice in IE6 by manually selecting the client cert, but
    when I run the application it fails with HTTP 403.7.

    I have looked at the IIS6 configuration on both servers and they match. I
    have uninstalled all the certs on both the Dev & Staging servers and started
    from scratch with the same results. When I step thru the code while debugging
    I can see that the Client Cert is getting attached.

    My question is: Does anyone have any tips on resolving and/or debugging this
    issue?
    Ty, Sep 22, 2005
    #1

  2. Ty

    Peter Jakab Guest

    Re: Client Cert Doesn't work after Deployment

    Hi Ty,

    If your web application runs in an application pool with the Network Service
    identity, you should grant it access to the certificate with the
    winhttpcertcfg tool, as mentioned in

    http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/SecNetHT13.asp

    Peter

    Peter Jakab, Oct 7, 2005
    #2

  3. Ty

    Peter Jakab Guest

    Re: Client Cert Doesn't work after Deployment

    I don't know how you are calling the web service from code, but if you use
    HttpWebRequest, you should add the certificate to it like this:

    // Requires: using System.Net;
    //           using System.Security.Cryptography.X509Certificates;

    // ....
    string url = "https://server.x.com:7002/xxx.apmx";
    HttpWebRequest req;
    HttpWebResponse res;

    // Create request object that connects to NetSuite
    req = (HttpWebRequest) WebRequest.Create( url );
    req.Method = "POST";
    // ....

    // The path to the certificate.
    string certFilePath = "C:\\cleientcert.cer";

    // Load the certificate into an X509Certificate object.
    X509Certificate x509Cert = X509Certificate.CreateFromCertFile( certFilePath );

    // Add certificate to request
    req.ClientCertificates.Add( x509Cert );

    // Send the request and read the response
    res = (HttpWebResponse) req.GetResponse();

    Peter Jakab, Oct 7, 2005
    #3
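
Added example, not code from the thread: a .cer file holds only the public certificate, so the request can only authenticate if the matching private key is in a certificate store and the application pool identity is allowed to read it, which is what the winhttpcertcfg advice in reply #2 addresses. The diagnostic below reports which of those conditions fails for the identity it runs under. It assumes the client certificate was imported with its private key into the Local Computer "Personal" store and that the key is RSA; the class name, method name and `subjectName` parameter are hypothetical.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Security.Principal;

// Call Diagnose() from inside the deployed application (for example from a
// temporary test page) so that it runs as the application pool identity.
public static class ClientCertCheck
{
    // subjectName: part of the client certificate's subject (placeholder value).
    public static string Diagnose(string subjectName)
    {
        string who = WindowsIdentity.GetCurrent().Name;
        X509Store store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
        try
        {
            X509Certificate2Collection found = store.Certificates.Find(
                X509FindType.FindBySubjectName, subjectName, false);
            if (found.Count == 0)
                return who + ": no matching certificate in LocalMachine\\My";

            X509Certificate2 cert = found[0];
            // HasPrivateKey only says a key is linked to the certificate;
            // it does not check the ACL on the key container.
            if (!cert.HasPrivateKey)
                return who + ": certificate found, but no private key is linked to it";
            try
            {
                using (RSA key = cert.GetRSAPrivateKey())
                {
                    if (key == null)
                        return who + ": private key is not RSA; this check does not cover it";
                    // Signing forces the key to be opened, so an ACL denial surfaces here.
                    key.SignData(new byte[] { 0 }, HashAlgorithmName.SHA256,
                                 RSASignaturePadding.Pkcs1);
                }
            }
            catch (CryptographicException ex)
            {
                return who + ": private key exists but this identity cannot use it: "
                     + ex.Message;
            }
            return who + ": certificate and private key are usable";
        }
        finally
        {
            store.Close();
        }
    }
}
```

If the result differs between an interactive administrator session and the application pool identity, the difference is the key-container permission rather than the certificate itself.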