Getting 403 Forbidden error. Client Cert didn't sent

Discussion in 'ASP .Net Security' started by Abel Chan, Dec 18, 2005.

  1. Abel Chan

    Abel Chan Guest

    Hi there,

    I am getting the 403 Forbidden error when I ran the following code, which is
    a very simple Windows application. BTW, I found a couple of similar problems
    posted under dotnet.framework.asp.net.security, so I am posting this question here.

    What I tried to do is to attach a client certificate and post an XML
    document to a remote web site which enforces SSL and requires client
    certificate.

    The client machine has a certificate installed under Certificates (Local
    Computer) | Personal | Certificates. I have installed a valid Thawte
    certificate and I also generated one using SelfSSL. They both give me the
    same error message.

    I also tried hitting the remote web site directly from IE. I got a pop up
    window with "Choose a digital certificate" title. However, I don't see any
    certificate listed under the list. Why? I can see both SelfSSL generated
    and the official Thawte certificate. I got a little bit confused. Is my
    problem related to my code or certificate security/setup issue? Could you
    please help?

    Thanks.

    Abel Chan

    -----------------------
    Code extracted
    ------------------------
    Imports System.Xml
    Imports System.IO
    Imports Microsoft.VisualBasic
    Imports System.Diagnostics
    Imports System.Net
    Imports System.Security.Cryptography.X509Certificates

    Public Class Form1
        Inherits System.Windows.Forms.Form

        Private Sub Button1_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles Button1.Click
            Dim oWebRequest As HttpWebRequest = Nothing
            Dim oIOStream As Stream = Nothing
            Dim oWebResponse As HttpWebResponse = Nothing
            Dim oResponseStream As Stream = Nothing
            Dim strData As String
            Dim txtResponse As String = ""
            Dim strException As String = ""

            Dim myURL As String = "https://[mywebsite]/[mydir]/[myurl.asp]"
            Dim ServerTimeOut As Integer = 60000

            Try
                ' A .cer file holds only the public certificate. The X509Certificate
                ' built from it carries no private key, so the TLS stack cannot prove
                ' possession of the key and the server sees no client certificate.
                Dim Cert As X509Certificate = X509Certificate.CreateFromCertFile("c:\[Path containing my cer]\mycer.cer")

                ' TrustAllCertificatePolicy returns True for every server certificate,
                ' which switches off validation of the remote site's certificate entirely.
                System.Net.ServicePointManager.CertificatePolicy = New TrustAllCertificatePolicy

                ' Load soap envelope
                strData = "<MyTestXML>Hi</MyTestXML>"

                ' Setup request URL
                oWebRequest = CType(WebRequest.Create(myURL), HttpWebRequest)
                oWebRequest.ClientCertificates.Add(Cert)

                ' Encode the body first so ContentLength matches the bytes actually written
                Dim arrData As Byte() = System.Text.Encoding.ASCII.GetBytes(strData)

                ' Setup request parameters
                oWebRequest.ContentType = "text/xml"
                oWebRequest.Method = "POST"
                oWebRequest.ContentLength = arrData.Length
                oWebRequest.KeepAlive = True
                oWebRequest.Timeout = ServerTimeOut

                ' Write to stream
                oIOStream = oWebRequest.GetRequestStream()
                oIOStream.Write(arrData, 0, arrData.Length)
                oIOStream.Flush()

                ' Get the response from web address. A 403 (or any other error status)
                ' is raised by GetResponse as a WebException and lands in the Catch
                ' below; the status check here only ever sees successful replies.
                oWebResponse = CType(oWebRequest.GetResponse(), HttpWebResponse)
                If oWebResponse.StatusCode <> HttpStatusCode.OK Then
                    txtResponse = ""
                    strException = oWebResponse.StatusDescription
                    GoTo exitfunction
                End If

                ' Get response stream
                oResponseStream = oWebResponse.GetResponseStream()

            Catch ex As WebException
                strException = "Message: " & ex.Message & " Source: " & ex.Source
                ' For an HTTP error the server's reply is attached to the exception;
                ' its status line (and body, for IIS sub-statuses) says why it was 403.
                If ex.Response IsNot Nothing Then
                    strException &= " Status: " & CType(ex.Response, HttpWebResponse).StatusDescription
                End If
                MsgBox(strException)

            Finally
                ' Close resources
                If oIOStream IsNot Nothing Then oIOStream.Close()
                If oWebResponse IsNot Nothing Then oWebResponse.Close()
            End Try

    exitfunction:

        End Sub
    End Class

    Public Class TrustAllCertificatePolicy
        Implements System.Net.ICertificatePolicy

        ' Accepts every server certificate, whatever certificateProblem reports.
        Public Function CheckValidationResult(ByVal srvPoint As ServicePoint, _
                ByVal certificate As X509Certificate, _
                ByVal request As WebRequest, _
                ByVal certificateProblem As Integer) As Boolean _
                Implements ICertificatePolicy.CheckValidationResult
            Dim myname As String = certificate.GetName()
            Return True
        End Function
    End Class
     
    Abel Chan, Dec 18, 2005
    #1
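The posted code builds its client certificate with X509Certificate.CreateFromCertFile from a .cer file, and a .cer carries only the public certificate. The PowerShell below is an added example, not code from this thread or from any of its posters. It assumes Windows PowerShell 5.1, which exposes the same X509Certificate2, X509Chain and HttpWebRequest classes the VB code uses, and it checks a certificate for the three things a client-authentication handshake needs (a private key, a Client Authentication EKU, and a chain that builds locally) before it will send anything; it also leaves server certificate validation switched on instead of overriding it. The file path, thumbprint and URL are placeholders.

```powershell
# Added diagnostic; not from the thread. Path, thumbprint and URL are placeholders.
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth

function Test-ClientCertificate {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert
    )
    $problems = New-Object System.Collections.Generic.List[string]

    # 1. Without the private key the client cannot sign the TLS CertificateVerify
    #    message, so the server sees no client certificate and answers 403.
    #    A .cer export never contains the key; a .pfx or a store entry may.
    if (-not $Cert.HasPrivateKey) {
        $problems.Add('no private key attached')
    }

    # 2. The certificate's own Enhanced Key Usage extension must permit client
    #    authentication. The check boxes on a CA's Properties sheet in MMC only
    #    filter purposes locally; they do not add an EKU to the leaf certificate.
    $eku = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    if ($eku) {
        $usages = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })
        if ($usages -notcontains $ClientAuthOid) {
            $problems.Add("EKU lacks Client Authentication ($ClientAuthOid)")
        }
    }

    # 3. The chain must build to a trusted root on this machine. The server
    #    must trust the same issuer, which can only be verified on the server.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    if (-not $chain.Build($Cert)) {
        $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        $problems.Add("chain does not build: $status")
    }

    [pscustomobject]@{
        Subject    = $Cert.Subject
        Thumbprint = $Cert.Thumbprint
        Usable     = ($problems.Count -eq 0)
        Problems   = $problems.ToArray()
    }
}

function Send-XmlWithClientCert {
    param(
        [Parameter(Mandatory)][string]$Url,
        [Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [Parameter(Mandatory)][string]$Xml
    )
    $check = Test-ClientCertificate -Cert $Cert
    if (-not $check.Usable) {
        throw "not sending: $($check.Problems -join '; ')"
    }

    # No ServicePointManager.CertificatePolicy override: the server's certificate
    # is validated normally, so a spoofed endpoint cannot collect the request.
    $req = [System.Net.WebRequest]::Create($Url)
    $req.Method = 'POST'
    $req.ContentType = 'text/xml'
    $null = $req.ClientCertificates.Add($Cert)

    $body = [System.Text.Encoding]::UTF8.GetBytes($Xml)
    $req.ContentLength = $body.Length
    $stream = $req.GetRequestStream()
    try { $stream.Write($body, 0, $body.Length) } finally { $stream.Close() }

    try {
        $resp = $req.GetResponse()
        try { [int]$resp.StatusCode } finally { $resp.Close() }
    } catch [System.Net.WebException] {
        # HTTP errors arrive as WebException; the attached response carries
        # the status line (and, for IIS, the 403.x sub-status in the body).
        if ($_.Exception.Response) {
            throw "server replied $([int]$_.Exception.Response.StatusCode) $($_.Exception.Response.StatusDescription)"
        }
        throw
    }
}

# The posted code's approach: a .cer file. This always reports 'no private key attached'.
$fromFile = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 'C:\placeholder\mycer.cer'
Test-ClientCertificate -Cert $fromFile

# The store the thread installs into: Certificates (Local Computer) | Personal.
$fromStore = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq 'PLACEHOLDER_THUMBPRINT' }
if ($fromStore) {
    Test-ClientCertificate -Cert $fromStore
    Send-XmlWithClientCert -Url 'https://placeholder.example/post.asp' -Cert $fromStore -Xml '<MyTestXML>Hi</MyTestXML>'
}
```

Run it against the store entry rather than the exported file: the Problems list for the .cer object will name the missing key, and only an object from the machine store that was imported together with its key (a .pfx import) reports Usable = True.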

  2. Hello Abel,

    maybe this helps:
    http://www.leastprivilege.com/IIS6AndClientCertificates.aspx

    ---------------------------------------
    Dominick Baier - DevelopMentor
    http://www.leastprivilege.com

    > Hi there,
    >
    > I am getting the 403 Forbidden error when I ran the following code,
    > which is a very simple Windows application. BTW, I find couple
    > similar problems posted under dotnet.framework.asp.net.security so I
    > post this question here.
    >
    > What I tried to do is to attach a client certificate and post an XML
    > document to a remote web site which enforces SSL and requires client
    > certificate.
    >
    > The client machine has a certificate installed under Certificates
    > (Local Computer) | Personal | Certificates. I have installed a valid
    > Thawte certificate and I also generated one using SelfSSL. They both
    > give me the same error message.
    >
    > I also tried hitting the remote web site directly from IE. I got a
    > pop up window with "Choose a digital certificate" title. However, I
    > don't see any certificate listed under the list. Why? I can see both
    > SelfSSL generated and the official Thawte certificate. I got a little
    > bit confused. Is my problem related to my code or certificate
    > security/setup issue? Could you please help?
    >
    > Thanks.
    >
    > Abel Chan
    >
    > -----------------------
    > Code extracted
    > ------------------------
    > Imports System.Xml
    > Imports System.IO
    > Imports Microsoft.VisualBasic
    > Imports System.Diagnostics
    > Imports System.Net
    > Imports System.Security.Cryptography.X509Certificates
    > Public Class Form1
    > Inherits System.Windows.Forms.Form
    > Private Sub Button1_Click(ByVal sender As System.Object, ByVal e
    > As
    > System.EventArgs) Handles Button1.Click
    > Dim oWebRequest As Net.HttpWebRequest
    > Dim oIOStream As System.IO.Stream
    > Dim oWebResponse As Net.HttpWebResponse
    > Dim oReader As System.IO.StreamReader
    > Dim oResponseStream As System.IO.Stream
    > Dim strData As String
    > Dim docXMLDoc As New XmlDocument
    > Dim txtResponse As String
    > Dim strException As String = ""
    > Dim myURL As String =
    > "https://[mywebsite]/[mydir]/[myurl.asp]"
    >
    > Dim ServerTimeOut As Integer = 60000
    >
    > Try
    > Dim Cert As X509Certificate =
    > X509Certificate.CreateFromCertFile("c:\[Path containing my
    > cer]\mycer.cer")
    > 'Create TrustAllCertificatePolicy class which will return
    > TRUE
    > on all SSL web request.
    > System.Net.ServicePointManager.CertificatePolicy = New
    > TrustAllCertificatePolicy
    > 'Load soap envelope
    > strData = "<MyTestXML>Hi</MyTestXML>"
    > 'Setup request URL
    > oWebRequest = Net.WebRequest.Create(myURL)
    > oWebRequest.ClientCertificates.Add(Cert)
    >
    > 'Setup request parameter
    > oWebRequest.ContentType = "text/xml"
    > oWebRequest.Method = "POST"
    > oWebRequest.ContentLength = strData.Length
    > oWebRequest.KeepAlive = True
    > oWebRequest.Timeout = ServerTimeOut
    > 'Write to stream
    > Dim arrData As Byte() =
    > System.Text.Encoding.ASCII.GetBytes(strData)
    > oIOStream = oWebRequest.GetRequestStream()
    > oIOStream.Write(arrData, 0, strData.Length)
    > oIOStream.Flush()
    > 'Get the response from web address
    > oWebResponse = oWebRequest.GetResponse()
    > If (oWebResponse.StatusCode() <> Net.HttpStatusCode.OK)
    > Then
    > txtResponse = ""
    > strException = oWebResponse.StatusDescription()
    > GoTo exitfcuntion
    > End If
    > 'Get response stream
    > oResponseStream = oWebResponse.GetResponseStream()
    > Catch ex As WebException 'Exception
    > strException = "Message: " + ex.Message() + " Source: " +
    > ex.Source()
    > MsgBox(strException)
    >
    > Finally
    > 'Close resource
    > If (False = (oIOStream Is Nothing)) Then oIOStream.Close()
    > If (False = (oWebResponse Is Nothing)) Then
    > oWebResponse.Close()
    > End Try
    > exitfcuntion:
    >
    > End Sub
    > End Class
    > Public Class TrustAllCertificatePolicy
    > Implements System.Net.ICertificatePolicy
    > Public Function CheckValidationResult(ByVal srvPoint As _
    > System.Net.ServicePoint, ByVal certificate As _
    > System.Security.Cryptography.X509Certificates.X509Certificate,
    > ByVal _
    > request As System.Net.WebRequest, ByVal certificateProblem As
    > Integer) _
    > As Boolean Implements
    > System.Net.ICertificatePolicy.CheckValidationResult
    > Dim myname As String = certificate.GetName
    > Return True
    > End Function
    > End Class
     
    Dominick Baier [DevelopMentor], Dec 18, 2005
    #2

  3. Abel Chan

    Abel Chan Guest

    Hi Dominick,

    Thanks to your prompt response. I really appreciate it.

    I took the suggestion stated at
    http://www.leastprivilege.com/IIS6AndClientCertificates.aspx

    and enabled the Client Authentication under Thawte Premium Server CA. Now
    if I look at the official Thawte client cer property, I can see both Server
    and Client Authentication are checked.

    However, I am still getting the same 403 error when I ran the code. If I
    bring up my IE, I still can't see my client cert as an available option. Did
    I miss a step?

    Thanks.

    Abel

    "Dominick Baier [DevelopMentor]" wrote:

    > Hello Abel,
    >
    > maybe this helps:
    > http://www.leastprivilege.com/IIS6AndClientCertificates.aspx
    >
    > ---------------------------------------
    > Dominick Baier - DevelopMentor
    > http://www.leastprivilege.com
    >
    > > Hi there,
    > >
    > > I am getting the 403 Forbidden error when I ran the following code,
    > > which is a very simple Windows application. BTW, I find couple
    > > similar problems posted under dotnet.framework.asp.net.security so I
    > > post this question here.
    > >
    > > What I tried to do is to attach a client certificate and post an XML
    > > document to a remote web site which enforces SSL and requires client
    > > certificate.
    > >
    > > The client machine has a certificate installed under Certificates
    > > (Local Computer) | Personal | Certificates. I have installed a valid
    > > Thawte certificate and I also generated one using SelfSSL. They both
    > > give me the same error message.
    > >
    > > I also tried hitting the remote web site directly from IE. I got a
    > > pop up window with "Choose a digital certificate" title. However, I
    > > don't see any certificate listed under the list. Why? I can see both
    > > SelfSSL generated and the official Thawte certificate. I got a little
    > > bit confused. Is my problem related to my code or certificate
    > > security/setup issue? Could you please help?
    > >
    > > Thanks.
    > >
    > > Abel Chan
    > >
    > > -----------------------
    > > Code extracted
    > > ------------------------
    > > Imports System.Xml
    > > Imports System.IO
    > > Imports Microsoft.VisualBasic
    > > Imports System.Diagnostics
    > > Imports System.Net
    > > Imports System.Security.Cryptography.X509Certificates
    > > Public Class Form1
    > > Inherits System.Windows.Forms.Form
    > > Private Sub Button1_Click(ByVal sender As System.Object, ByVal e
    > > As
    > > System.EventArgs) Handles Button1.Click
    > > Dim oWebRequest As Net.HttpWebRequest
    > > Dim oIOStream As System.IO.Stream
    > > Dim oWebResponse As Net.HttpWebResponse
    > > Dim oReader As System.IO.StreamReader
    > > Dim oResponseStream As System.IO.Stream
    > > Dim strData As String
    > > Dim docXMLDoc As New XmlDocument
    > > Dim txtResponse As String
    > > Dim strException As String = ""
    > > Dim myURL As String =
    > > "https://[mywebsite]/[mydir]/[myurl.asp]"
    > >
    > > Dim ServerTimeOut As Integer = 60000
    > >
    > > Try
    > > Dim Cert As X509Certificate =
    > > X509Certificate.CreateFromCertFile("c:\[Path containing my
    > > cer]\mycer.cer")
    > > 'Create TrustAllCertificatePolicy class which will return
    > > TRUE
    > > on all SSL web request.
    > > System.Net.ServicePointManager.CertificatePolicy = New
    > > TrustAllCertificatePolicy
    > > 'Load soap envelope
    > > strData = "<MyTestXML>Hi</MyTestXML>"
    > > 'Setup request URL
    > > oWebRequest = Net.WebRequest.Create(myURL)
    > > oWebRequest.ClientCertificates.Add(Cert)
    > >
    > > 'Setup request parameter
    > > oWebRequest.ContentType = "text/xml"
    > > oWebRequest.Method = "POST"
    > > oWebRequest.ContentLength = strData.Length
    > > oWebRequest.KeepAlive = True
    > > oWebRequest.Timeout = ServerTimeOut
    > > 'Write to stream
    > > Dim arrData As Byte() =
    > > System.Text.Encoding.ASCII.GetBytes(strData)
    > > oIOStream = oWebRequest.GetRequestStream()
    > > oIOStream.Write(arrData, 0, strData.Length)
    > > oIOStream.Flush()
    > > 'Get the response from web address
    > > oWebResponse = oWebRequest.GetResponse()
    > > If (oWebResponse.StatusCode() <> Net.HttpStatusCode.OK)
    > > Then
    > > txtResponse = ""
    > > strException = oWebResponse.StatusDescription()
    > > GoTo exitfcuntion
    > > End If
    > > 'Get response stream
    > > oResponseStream = oWebResponse.GetResponseStream()
    > > Catch ex As WebException 'Exception
    > > strException = "Message: " + ex.Message() + " Source: " +
    > > ex.Source()
    > > MsgBox(strException)
    > >
    > > Finally
    > > 'Close resource
    > > If (False = (oIOStream Is Nothing)) Then oIOStream.Close()
    > > If (False = (oWebResponse Is Nothing)) Then
    > > oWebResponse.Close()
    > > End Try
    > > exitfcuntion:
    > >
    > > End Sub
    > > End Class
    > > Public Class TrustAllCertificatePolicy
    > > Implements System.Net.ICertificatePolicy
    > > Public Function CheckValidationResult(ByVal srvPoint As _
    > > System.Net.ServicePoint, ByVal certificate As _
    > > System.Security.Cryptography.X509Certificates.X509Certificate,
    > > ByVal _
    > > request As System.Net.WebRequest, ByVal certificateProblem As
    > > Integer) _
    > > As Boolean Implements
    > > System.Net.ICertificatePolicy.CheckValidationResult
    > > Dim myname As String = certificate.GetName
    > > Return True
    > > End Function
    > > End Class

    >
    >
    >
     
    Abel Chan, Dec 19, 2005
    #3
  4. Hello Abel,

    is the CA trusted on both client and server?


    ---------------------------------------
    Dominick Baier - DevelopMentor
    http://www.leastprivilege.com

    > Hi Dominick,
    >
    > Thanks to your prompt response. I really appreciate it.
    >
    > I took the suggestion stated at
    > http://www.leastprivilege.com/IIS6AndClientCertificates.aspx
    >
    > and enabled the Client Authentication under Thawte Premium Server CA.
    > Now if I look at the official Thawte client cer property, I can see
    > both Server and Client Authentication are checked.
    >
    > However, I am still getting the same 403 error when I ran the code.
    > If I bring up my IE, I still can't see my client cert as an available
    > option. Did I miss a step?
    >
    > Thanks.
    >
    > Abel
    >
    > "Dominick Baier [DevelopMentor]" wrote:
    >
    >> Hello Abel,
    >>
    >> maybe this helps:
    >> http://www.leastprivilege.com/IIS6AndClientCertificates.aspx
    >> ---------------------------------------
    >> Dominick Baier - DevelopMentor
    >> http://www.leastprivilege.com
    >>> Hi there,
    >>>
    >>> I am getting the 403 Forbidden error when I ran the following code,
    >>> which is a very simple Windows application. BTW, I find couple
    >>> similar problems posted under dotnet.framework.asp.net.security so I
    >>> post this question here.
    >>>
    >>> What I tried to do is to attach a client certificate and post an XML
    >>> document to a remote web site which enforces SSL and requires client
    >>> certificate.
    >>>
    >>> The client machine has a certificate installed under Certificates
    >>> (Local Computer) | Personal | Certificates. I have installed a
    >>> valid Thawte certificate and I also generated one using SelfSSL.
    >>> They both give me the same error message.
    >>>
    >>> I also tried hitting the remote web site directly from IE. I got a
    >>> pop up window with "Choose a digital certificate" title. However, I
    >>> don't see any certificate listed under the list. Why? I can see
    >>> both SelfSSL generated and the official Thawte certificate. I got a
    >>> little bit confused. Is my problem related to my code or
    >>> certificate security/setup issue? Could you please help?
    >>>
    >>> Thanks.
    >>>
    >>> Abel Chan
    >>>
    >>> -----------------------
    >>> Code extracted
    >>> ------------------------
    >>> Imports System.Xml
    >>> Imports System.IO
    >>> Imports Microsoft.VisualBasic
    >>> Imports System.Diagnostics
    >>> Imports System.Net
    >>> Imports System.Security.Cryptography.X509Certificates
    >>> Public Class Form1
    >>> Inherits System.Windows.Forms.Form
    >>> Private Sub Button1_Click(ByVal sender As System.Object, ByVal e
    >>> As
    >>> System.EventArgs) Handles Button1.Click
    >>> Dim oWebRequest As Net.HttpWebRequest
    >>> Dim oIOStream As System.IO.Stream
    >>> Dim oWebResponse As Net.HttpWebResponse
    >>> Dim oReader As System.IO.StreamReader
    >>> Dim oResponseStream As System.IO.Stream
    >>> Dim strData As String
    >>> Dim docXMLDoc As New XmlDocument
    >>> Dim txtResponse As String
    >>> Dim strException As String = ""
    >>> Dim myURL As String =
    >>> "https://[mywebsite]/[mydir]/[myurl.asp]"
    >>> Dim ServerTimeOut As Integer = 60000
    >>>
    >>> Try
    >>> Dim Cert As X509Certificate =
    >>> X509Certificate.CreateFromCertFile("c:\[Path containing my
    >>> cer]\mycer.cer")
    >>> 'Create TrustAllCertificatePolicy class which will return
    >>> TRUE
    >>> on all SSL web request.
    >>> System.Net.ServicePointManager.CertificatePolicy = New
    >>> TrustAllCertificatePolicy
    >>> 'Load soap envelope
    >>> strData = "<MyTestXML>Hi</MyTestXML>"
    >>> 'Setup request URL
    >>> oWebRequest = Net.WebRequest.Create(myURL)
    >>> oWebRequest.ClientCertificates.Add(Cert)
    >>> 'Setup request parameter
    >>> oWebRequest.ContentType = "text/xml"
    >>> oWebRequest.Method = "POST"
    >>> oWebRequest.ContentLength = strData.Length
    >>> oWebRequest.KeepAlive = True
    >>> oWebRequest.Timeout = ServerTimeOut
    >>> 'Write to stream
    >>> Dim arrData As Byte() =
    >>> System.Text.Encoding.ASCII.GetBytes(strData)
    >>> oIOStream = oWebRequest.GetRequestStream()
    >>> oIOStream.Write(arrData, 0, strData.Length)
    >>> oIOStream.Flush()
    >>> 'Get the response from web address
    >>> oWebResponse = oWebRequest.GetResponse()
    >>> If (oWebResponse.StatusCode() <> Net.HttpStatusCode.OK)
    >>> Then
    >>> txtResponse = ""
    >>> strException = oWebResponse.StatusDescription()
    >>> GoTo exitfcuntion
    >>> End If
    >>> 'Get response stream
    >>> oResponseStream = oWebResponse.GetResponseStream()
    >>> Catch ex As WebException 'Exception
    >>> strException = "Message: " + ex.Message() + " Source: " +
    >>> ex.Source()
    >>> MsgBox(strException)
    >>> Finally
    >>> 'Close resource
    >>> If (False = (oIOStream Is Nothing)) Then oIOStream.Close()
    >>> If (False = (oWebResponse Is Nothing)) Then
    >>> oWebResponse.Close()
    >>> End Try
    >>> exitfcuntion:
    >>> End Sub
    >>> End Class
    >>> Public Class TrustAllCertificatePolicy
    >>> Implements System.Net.ICertificatePolicy
    >>> Public Function CheckValidationResult(ByVal srvPoint As _
    >>> System.Net.ServicePoint, ByVal certificate As _
    >>> System.Security.Cryptography.X509Certificates.X509Certificate,
    >>> ByVal _
    >>> request As System.Net.WebRequest, ByVal certificateProblem As
    >>> Integer) _
    >>> As Boolean Implements
    >>> System.Net.ICertificatePolicy.CheckValidationResult
    >>> Dim myname As String = certificate.GetName
    >>> Return True
    >>> End Function
    >>> End Class
     
    Dominick Baier [DevelopMentor], Dec 19, 2005
    #4
  5. Abel Chan

    Abel Chan Guest

    Hi there,

    I believe the CA is trusted on both client and server.

    To be 100% sure, the following is how I setup the certificate:

    Server side
    -------------
    1) Purchased an official SSL Web Server certificate issued by Thawte Premium
    Server CA.
    2) Installed SSL Web Server certificate on a back up server, which has
    BizTalk on it.
    3) Test the certificate by posting a document to an external web site (https
    posting) through a BizTalk channel by attaching the SSL Web Server
    certificate. It passed the test so I am 100% sure the certificate is
    installed correctly.
    4) Export the SSL Web Server certificate without a private key. (I tried
    with private key before. I don’t see any difference. Just to make it simple
    without a private key)

    Client side
    -------------
    1) Go to a XP client machine | MMC | Certificate and install the exported
    certificate into Certificate (Local Computer) | Personal | Certificate.
    2) Double click on the certificate and it shows: This certificate is
    intended for the following purpose(s): Ensures the identity of a remote
    computer. Proves your identity to a remote computer. All other information
    is correct including expiration date.
    3) Go to Certificate (Local Computer) | Trusted Root Certification
    Authorities | Certificates. Select Thawte Premium Server CA. Right mouse
    click Properties and go to the General tab.
    4) Check the Client Authentication check box.
    5) Go back to Certificate (Local Computer) | Personal | Certificate.
    Select the installed certificate. Right mouse click Properties and go to the
    General tab.
    6) Verified that both Server Authentication and Client Authentication check
    boxes are checked.
    7) Bring up an IE and try to hit the same external web site as described in
    Server Side Step 3) above. (I don’t have BizTalk installed on my client
    machine.). A "Choose a digital certificate" window pops up but no
    certificate is available from the list. Click OK and I got 403 error.
    8) Run the sample application that I posted in my first message. I got 403
    error also.

    I just don’t know where I mess up the setup process. I follow all standard
    procedures but … Could you please help me again?

    Thanks a lot.

    Abel


    "Dominick Baier [DevelopMentor]" wrote:

    > Hello Abel,
    >
    > is the CA trusted on both client and server?
    >
    >
    > ---------------------------------------
    > Dominick Baier - DevelopMentor
    > http://www.leastprivilege.com
    >
    > > Hi Dominick,
    > >
    > > Thanks to your prompt response. I really appreciate it.
    > >
    > > I took the suggestion stated at
    > > http://www.leastprivilege.com/IIS6AndClientCertificates.aspx
    > >
    > > and enabled the Client Authentication under Thawte Premium Server CA.
    > > Now if I look at the official Thawte client cer property, I can see
    > > both Server and Client Authentication are checked.
    > >
    > > However, I am still getting the same 403 error when I ran the code.
    > > If I bring up my IE, I still can't see my client cert as an available
    > > option. Did I miss a step?
    > >
    > > Thanks.
    > >
    > > Abel
    > >
    > > "Dominick Baier [DevelopMentor]" wrote:
    > >
    > >> Hello Abel,
    > >>
    > >> maybe this helps:
    > >> http://www.leastprivilege.com/IIS6AndClientCertificates.aspx
    > >> ---------------------------------------
    > >> Dominick Baier - DevelopMentor
    > >> http://www.leastprivilege.com
     
    Abel Chan, Dec 19, 2005
    #5
  6. thawte

    thawte Guest

    Re: Getting 403 Forbidden error. Client Cert didn't sent

    Hi there Abel

    I'd advise that you try exporting the SSL certificate again however
    include the option for exporting the private key as well and then try
    the process again. The private key is a very important component in a
    certificate key pair and could be the cause of the problem you
    experience.

    Regards
    Marshall

    Abel Chan wrote:
    > Hi there,
    >
    > I believe the CA is trusted on both client and server.
    >
    > To be 100% sure, the following is how I setup the certificate:
    >
    > Server side
    > -------------
    > 1) Purchased an official SSL Web Server certificate issued by Thawte Premium
    > Server CA.
    > 2) Installed SSL Web Server certificate on a back up server, which has
    > BizTalk on it.
    > 3) Test the certificate by posting a document to an external web site (https
    > posting) through a BizTalk channel by attaching the SSL Web Server
    > certificate. It passed the test so I am 100% sure the certificate is
    > installed correctly.
    > 4) Export the SSL Web Server certificate without a private key. (I tried
    > with private key before. I don't see any difference. Just to make it simple
    > without a private key)
    >
    > Client side
    > -------------
    > 1) Go to a XP client machine | MMC | Certificate and install the exported
    > certificate into Certificate (Local Computer) | Personal | Certificate.
    > 2) Double click on the certificate and it shows: This certificate is
    > intended for the following purpose(s): Ensures the identity of a remote
    > computer. Proves your identity to a remote computer. All other information
    > is correct including expiration date.
    > 3) Go to Certificate (Local Computer) | Trusted Root Certification
    > Authorities | Certificates. Select Thawte Premium Server CA. Right mouse
    > click Properties and go to the General tab.
    > 4) Check the Client Authentication check box.
    > 5) Go back to Certificate (Local Computer) | Personal | Certificate.
    > Select the installed certificate. Right mouse click Properties and go to the
    > General tab.
    > 6) Verified that both Server Authentication and Client Authentication check
    > boxes are checked.
    > 7) Bring up an IE and try to hit the same external web site as described in
    > Server Side Step 3) above. (I don't have BizTalk installed on my client
    > machine.). A "Choose a digital certificate" window pops up but no
    > certificate is available from the list. Click OK and I got 403 error.
    > 8) Run the sample application that I posted in my first message. I got 403
    > error also.
    >
    > I just don't know where I mess up the setup process. I follow all standard
    > procedures but ... Could you please help me again?
    >
    > Thanks a lot.
    >
    > Abel
    >
    >
    > "Dominick Baier [DevelopMentor]" wrote:
    >
    > > Hello Abel,
    > >
    > > is the CA trusted on both client and server?
    > >
    > >
    > > ---------------------------------------
    > > Dominick Baier - DevelopMentor
    > > http://www.leastprivilege.com
    > >
    > > > Hi Dominick,
    > > >
    > > > Thanks to your prompt response. I really appreciate it.
    > > >
    > > > I took the suggestion stated at
    > > > http://www.leastprivilege.com/IIS6AndClientCertificates.aspx
    > > >
    > > > and enabled the Client Authentication under Thawte Premium Server CA.
    > > > Now if I look at the official Thawte client cer property, I can see
    > > > both Server and Client Authentication are checked.
    > > >
    > > > However, I am still getting the same 403 error when I ran the code.
    > > > If I bring up my IE, I still can't see my client cert as an available
    > > > option. Did I miss a step?
    > > >
    > > > Thanks.
    > > >
    > > > Abel
    > > >
    > > > "Dominick Baier [DevelopMentor]" wrote:
    > > >
    > > >> Hello Abel,
    > > >>
    > > >> maybe this helps:
    > > >> http://www.leastprivilege.com/IIS6AndClientCertificates.aspx
    > > >> ---------------------------------------
    > > >> Dominick Baier - DevelopMentor
    > > >> http://www.leastprivilege.com
     
    thawte, Dec 21, 2005
    #6
  7. Abel Chan

    Abel Chan Guest

    Re: Getting 403 Forbidden error. Client Cert didn't sent

    Hi Marshall,

    I tried and the certificate now included the option for exporting private
    key. I am still getting 403 error. :<

    Abel

    "thawte" wrote:

    > Hi there Abel
    >
    > I'd advise that you try exporting the SSL certificate again however
    > include the option for exporting the private key as well and then try
    > the process again. The private key is a very important component in a
    > certificate key pair and could be the cause of the problem you
    > experience.
    >
    > Regards
    > Marshall
    >
    > Abel Chan wrote:
    > > Hi there,
    > >
    > > I believe the CA is trusted on both client and server.
    > >
    > > To be 100% sure, the following is how I setup the certificate:
    > >
    > > Server side
    > > -------------
    > > 1) Purchased an official SSL Web Server certificate issued by Thawte Premium
    > > Server CA.
    > > 2) Installed SSL Web Server certificate on a back up server, which has
    > > BizTalk on it.
    > > 3) Test the certificate by posting a document to an external web site (https
    > > posting) through a BizTalk channel by attaching the SSL Web Server
    > > certificate. It passed the test so I am 100% sure the certificate is
    > > installed correctly.
    > > 4) Export the SSL Web Server certificate without a private key. (I tried
    > > with private key before. I don't see any difference. Just to make it simple
    > > without a private key)
    > >
    > > Client side
    > > -------------
    > > 1) Go to a XP client machine | MMC | Certificate and install the exported
    > > certificate into Certificate (Local Computer) | Personal | Certificate.
    > > 2) Double click on the certificate and it shows: This certificate is
    > > intended for the following purpose(s): Ensures the identity of a remote
    > > computer. Proves your identity to a remote computer. All other information
    > > is correct including expiration date.
    > > 3) Go to Certificate (Local Computer) | Trusted Root Certification
    > > Authorities | Certificates. Select Thawte Premium Server CA. Right mouse
    > > click Properties and go to the General tab.
    > > 4) Check the Client Authentication check box.
    > > 5) Go back to Certificate (Local Computer) | Personal | Certificate.
    > > Select the installed certificate. Right mouse click Properties and go to the
    > > General tab.
    > > 6) Verified that both Server Authentication and Client Authentication check
    > > boxes are checked.
    > > 7) Bring up an IE and try to hit the same external web site as described in
    > > Server Side Step 3) above. (I don't have BizTalk installed on my client
    > > machine.). A "Choose a digital certificate" window pops up but no
    > > certificate is available from the list. Click OK and I got 403 error.
    > > 8) Run the sample application that I posted in my first message. I got 403
    > > error also.
    > >
    > > I just don't know where I mess up the setup process. I follow all standard
    > > procedures but ... Could you please help me again?
    > >
    > > Thanks a lot.
    > >
    > > Abel
    > >
    > >
    > > "Dominick Baier [DevelopMentor]" wrote:
    > >
    > > > Hello Abel,
    > > >
    > > > is the CA trusted on both client and server?
    > > >
    > > >
    > > > ---------------------------------------
    > > > Dominick Baier - DevelopMentor
    > > > http://www.leastprivilege.com
    > > >
    > > > > Hi Dominick,
    > > > >
    > > > > Thanks to your prompt response. I really appreciate it.
    > > > >
    > > > > I took the suggestion stated at
    > > > > http://www.leastprivilege.com/IIS6AndClientCertificates.aspx
    > > > >
    > > > > and enabled the Client Authentication under Thawte Premium Server CA.
    > > > > Now if I look at the official Thawte client cert property, I can see
    > > > > both Server and Client Authentication are checked.
    > > > >
    > > > > However, I am still getting the same 403 error when I ran the code.
    > > > > If I bring up my IE, I still can't see my client cert as an available
    > > > > option. Did I miss a step?
    > > > >
    > > > > Thanks.
    > > > >
    > > > > Abel
    > > > >
    > > > > "Dominick Baier [DevelopMentor]" wrote:
    > > > >
    > > > >> Hello Abel,
    > > > >>
    > > > >> maybe this helps:
    > > > >> http://www.leastprivilege.com/IIS6AndClientCertificates.aspx
    > > > >> ---------------------------------------
    > > > >> Dominick Baier - DevelopMentor
    > > > >> http://www.leastprivilege.com

    >
    >
     
    Abel Chan, Dec 21, 2005
    #7
  8. Re: Getting 403 Forbidden error. Client Cert didn't sent

    Are you positive the identity that is trying to access the private key has
    access to it? For example, if this process runs in a web app but the
    private key is associated to your user account, the web app won't have your
    profile loaded when it goes to access the private key.

    You generally need to make sure the private key is properly associated with
    a cert in the machine store and that the account running in the web app has
    rights to read the private key.

    Joe K.

    "Abel Chan" <> wrote in message
    news:...
    > Hi Marshall,
    >
    > I tried and the certificate now included the option for exporting private
    > key. I am still getting 403 error. :<
    >
    > Abel
    >
    > "thawte" wrote:
    >
    >> Hi there Abel
    >>
    >> I'd advise that you try exporting the SSL certificate again however
    >> include the option for exporting the private key as well and then try
    >> the process again. The private key is a very important component in a
    >> certificate key pair and could be the cause of the problem you
    >> experience.
    >>
    >> Regards
    >> Marshall
    >>
    >> Abel Chan wrote:
    >> > Hi there,
    >> >
    >> > I believe the CA is trusted on both client and server.
    >> >
    >> > To be 100% sure, the following is how I setup the certificate:
    >> >
    >> > Server side
    >> > -------------
    >> > 1) Purchased an official SSL Web Server certificate issued by Thawte
    >> > Premium
    >> > Server CA.
    >> > 2) Installed SSL Web Server certificate on a back up server, which has
    >> > BizTalk on it.
    >> > 3) Test the certificate by posting a document to an external web site
    >> > (https
    >> > posting) through a BizTalk channel by attaching the SSL Web Server
    >> > certificate. It passed the test so I am 100% sure the certificate is
    >> > installed correctly.
    >> > 4) Export the SSL Web Server certificate without a private key. (I
    >> > tried
    >> > with private key before. I don't see any difference. Just to make it
    >> > simple
    >> > without a private key)
    >> >
    >> > Client side
    >> > -------------
    >> > 1) Go to a XP client machine | MMC | Certificate and install the
    >> > exported
    >> > certificate into Certificate (Local Computer) | Personal |
    >> > Certificate.
    >> > 2) Double click on the certificate and it shows: This certificate is
    >> > intended for the following purpose(s): Ensures the identity of a remote
    >> > computer. Proves your identity to a remote computer. All other
    >> > information
    >> > is correct including expiration date.
    >> > 3) Go to Certificate (Local Computer) | Trusted Root Certification
    >> > Authorities | Certificates. Select Thawte Premium Server CA. Right
    >> > mouse
    >> > click Properties and go to the General tab.
    >> > 4) Check the Client Authentication check box.
    >> > 5) Go back to Certificate (Local Computer) | Personal | Certificate.
    >> > Select the installed certificate. Right mouse click Properties and go
    >> > to the
    >> > General tab.
    >> > 6) Verified that both Server Authentication and Client Authentication
    >> > check
    >> > boxes are checked.
    >> > 7) Bring up an IE and try to hit the same external web site as
    >> > described in
    >> > Server Side Step 3) above. (I don't have BizTalk installed on my
    >> > client
    >> > machine.). A "Choose a digital certificate" window pops up but no
    >> > certificate is available from the list. Click OK and I got 403 error.
    >> > 8) Run the sample application that I posted in my first message. I got
    >> > 403
    >> > error also.
    >> >
    >> > I just don't know where I mess up the setup process. I follow all
    >> > standard
    >> > procedures but ... Could you please help me again?
    >> >
    >> > Thanks a lot.
    >> >
    >> > Abel
    >> >
    >> >
    >> > "Dominick Baier [DevelopMentor]" wrote:
    >> >
    >> > > Hello Abel,
    >> > >
    >> > > is the CA trusted on both client and server?
    >> > >
    >> > >
    >> > > ---------------------------------------
    >> > > Dominick Baier - DevelopMentor
    >> > > http://www.leastprivilege.com
    >> > >
    >> > > > Hi Dominick,
    >> > > >
    >> > > > Thanks to your prompt response. I really appreciate it.
    >> > > >
    >> > > > I took the suggestion stated at
    >> > > > http://www.leastprivilege.com/IIS6AndClientCertificates.aspx
    >> > > >
    >> > > > and enabled the Client Authentication under Thawte Premium Server
    >> > > > CA.
    >> > > > Now if I look at the official Thawte client cert property, I can see
    >> > > > both Server and Client Authentication are checked.
    >> > > >
    >> > > > However, I am still getting the same 403 error when I ran the code.
    >> > > > If I bring up my IE, I still can't see my client cert as an
    >> > > > available
    >> > > > option. Did I miss a step?
    >> > > >
    >> > > > Thanks.
    >> > > >
    >> > > > Abel
    >> > > >
    >> > > > "Dominick Baier [DevelopMentor]" wrote:
    >> > > >
    >> > > >> Hello Abel,
    >> > > >>
    >> > > >> maybe this helps:
    >> > > >> http://www.leastprivilege.com/IIS6AndClientCertificates.aspx
    >> > > >> ---------------------------------------
    >> > > >> Dominick Baier - DevelopMentor
    >> > > >> http://www.leastprivilege.com

    >>
    >>
     
    Joe Kaplan (MVP - ADSI), Dec 21, 2005
    #8
  9. Abel Chan

    Abel Chan Guest

    Re: Getting 403 Forbidden error. Client Cert didn't sent

    Hi Joe and others,

    After talking to Thawte and confirming with MS, I made two mistakes here:
    1) Exporting a server-side certificate (from my 2000 server box) and putting it
    on a client machine (my XP Pro with SP2) won't work at all. I need a CLIENT
    certificate. I have 2 ways to get it: a) pay Verisign or b) get a FREE
    personal/email certificate from Thawte. For this application, I picked b).

    2) After I installed the FREE client certificate from Thawte, now I can see
    the certificate in my IE. However, it still won't work in my .NET code.

    After doing some searching on Google, I found this article:
    http://blogs.msdn.com/kevinha/archive/2005/02/15/373254.aspx

    Basically, when I import the certificate into the certificate store, I need
    to UNCHECK the option "Enable strong private key protection". This solved the
    whole problem. :>

    Thanks all for your help.

    Abel Chan

    "Joe Kaplan (MVP - ADSI)" wrote:

    > Are you positive the identity that is trying to access the private key has
    > access to it? For example, if this process runs in a web app but the
    > private key is associated to your user account, the web app won't have your
    > profile loaded when it goes to access the private key.
    >
    > You generally need to make sure the private key is properly associated with
    > a cert in the machine store and that the account running in the web app has
    > rights to read the private key.
    >
    > Joe K.
    >
     
    Abel Chan, Jan 12, 2006
    #9
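The three conditions this thread ends on (Joe's point that the process identity must be able to open the private key, and Abel's findings that the certificate must be a client-authentication certificate and must not be imported with strong private key protection) can be checked from the machine store before the HttpWebRequest is ever made. The PowerShell diagnostic below is added here and is not code from the thread; it assumes Windows PowerShell 5.1 or later, the Certificates (Local Computer) | Personal store (`Cert:\LocalMachine\My`), and that it is run under the same account the .NET process uses, since private-key access is evaluated for the calling identity.

```powershell
# Added diagnostic for the LocalMachine\My store; not code from the thread.
# Run as the account the .NET application runs under.
$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth (serverAuth is 1.3.6.1.5.5.7.3.1)

function Test-ClientCertificate {
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    $now = Get-Date
    $result = [ordered]@{
        Subject        = $Cert.Subject
        Thumbprint     = $Cert.Thumbprint
        NotExpired     = ($Cert.NotBefore -le $now) -and ($Cert.NotAfter -gt $now)
        ClientAuthEku  = $false
        HasPrivateKey  = $Cert.HasPrivateKey
        PrivateKeyOpen = $false
        Problem        = $null
    }

    # 1) Client Authentication EKU inside the certificate itself. This is what the
    #    server filters on; an exported *server* certificate carries only serverAuth.
    #    Note: the MMC Properties > General checkboxes set a store-side override, not
    #    the extension, so they are not consulted here. No EKU extension means "any purpose".
    $eku = $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if (-not $eku) { $result.ClientAuthEku = $true }
    else { $result.ClientAuthEku = [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $clientAuthOid }) }

    # 2) Can *this* identity actually open the key? HasPrivateKey only says the store
    #    knows of one. Opening fails when the key sits in another user's profile, the
    #    key ACL excludes this account, or (for an unattended process) the key was
    #    imported with "Enable strong private key protection" and wants a UI prompt.
    if ($Cert.HasPrivateKey) {
        try {
            $key = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
            if ($key) { $result.PrivateKeyOpen = $true; $key.Dispose() }   # null for non-RSA keys
        } catch {
            $result.Problem = "private key not accessible to $env:USERNAME : $($_.Exception.Message)"
        }
    }

    if (-not $result.ClientAuthEku)    { $result.Problem = 'no Client Authentication EKU (server certificate?)' }
    elseif (-not $result.HasPrivateKey) { $result.Problem = 'certificate was imported without its private key' }
    [pscustomobject]$result
}

Get-ChildItem Cert:\LocalMachine\My | ForEach-Object { Test-ClientCertificate -Cert $_ } |
    Format-Table Subject, NotExpired, ClientAuthEku, HasPrivateKey, PrivateKeyOpen, Problem -AutoSize
```

A certificate that shows NotExpired, ClientAuthEku, HasPrivateKey and PrivateKeyOpen all true for the application's account is one HttpWebRequest can present; anything else reproduces the 403 seen in the thread.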