Getting 403 Forbidden error. Client cert didn't get sent

Abel Chan

Hi there,

I am getting a 403 Forbidden error when I run the following code, which is
a very simple Windows application. BTW, I found a couple of similar problems
posted under dotnet.framework.asp.net.security, so I am posting this question here.

What I am trying to do is attach a client certificate and post an XML
document to a remote web site which enforces SSL and requires a client
certificate.

The client machine has a certificate installed under Certificates (Local
Computer) | Personal | Certificates. I have installed a valid Thawte
certificate and I also generated one using SelfSSL. They both give me the
same error message.

I also tried hitting the remote web site directly from IE. I got a pop-up
window titled "Choose a digital certificate". However, I don't see any
certificate in the list. Why? I can see both the SelfSSL-generated
and the official Thawte certificate. I got a little confused. Is my
problem related to my code or to a certificate security/setup issue? Could you
please help?

Thanks.

Abel Chan

-----------------------
Code extracted
------------------------
Imports System
Imports System.IO
Imports System.Net
Imports System.Text
Imports Microsoft.VisualBasic
Imports System.Security.Cryptography.X509Certificates

Public Class Form1
    Inherits System.Windows.Forms.Form

    Private Sub Button1_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles Button1.Click
        Dim oWebRequest As HttpWebRequest
        Dim oIOStream As Stream = Nothing
        Dim oWebResponse As HttpWebResponse = Nothing
        Dim strData As String
        Dim strResponse As String
        Dim strException As String = ""

        Dim myURL As String = "https://[mywebsite]/[mydir]/[myurl.asp]"
        Dim ServerTimeOut As Integer = 60000

        Try
            ' A .cer file holds only the public certificate. The runtime can only present it
            ' as a client certificate if a matching store entry with a usable private key
            ' exists for the account running this code; otherwise no client certificate is
            ' sent at all and a server that requires one answers 403.
            Dim Cert As X509Certificate = _
                X509Certificate.CreateFromCertFile("c:\[Path containing my cer]\mycer.cer")

            ' TrustAllCertificatePolicy accepts ANY server certificate (wrong host, expired,
            ' untrusted issuer), so a man-in-the-middle goes unnoticed. Lab use only.
            ServicePointManager.CertificatePolicy = New TrustAllCertificatePolicy

            ' Request body (the "soap envelope" in the original comment)
            strData = "<MyTestXML>Hi</MyTestXML>"
            Dim arrData As Byte() = Encoding.UTF8.GetBytes(strData)

            ' Set up the request and attach the client certificate
            oWebRequest = CType(WebRequest.Create(myURL), HttpWebRequest)
            oWebRequest.ClientCertificates.Add(Cert)
            oWebRequest.ContentType = "text/xml; charset=utf-8"
            oWebRequest.Method = "POST"
            oWebRequest.ContentLength = arrData.Length   ' byte count, not character count
            oWebRequest.KeepAlive = True
            oWebRequest.Timeout = ServerTimeOut

            ' Write the body to the request stream
            oIOStream = oWebRequest.GetRequestStream()
            oIOStream.Write(arrData, 0, arrData.Length)
            oIOStream.Close()

            ' GetResponse() throws a WebException for any non-success status (403 included),
            ' so if we get here the status is a success and the body can be read directly.
            oWebResponse = CType(oWebRequest.GetResponse(), HttpWebResponse)
            Dim oReader As New StreamReader(oWebResponse.GetResponseStream())
            strResponse = oReader.ReadToEnd()
            oReader.Close()
            MsgBox("HTTP " & CInt(oWebResponse.StatusCode) & ": " & strResponse)

        Catch ex As WebException
            strException = "Message: " & ex.Message & " Source: " & ex.Source
            ' For a protocol error the server's response travels with the exception;
            ' its status line tells you whether the 403 is the server rejecting the cert.
            If Not ex.Response Is Nothing Then
                Dim errResponse As HttpWebResponse = CType(ex.Response, HttpWebResponse)
                strException &= " HTTP " & CInt(errResponse.StatusCode) & " " & errResponse.StatusDescription
                errResponse.Close()
            End If
            MsgBox(strException)

        Finally
            ' Release resources
            If Not oIOStream Is Nothing Then oIOStream.Close()
            If Not oWebResponse Is Nothing Then oWebResponse.Close()
        End Try
    End Sub
End Class

' Accepts every server certificate. Do not ship this: it removes server authentication.
Public Class TrustAllCertificatePolicy
    Implements ICertificatePolicy

    Public Function CheckValidationResult(ByVal srvPoint As ServicePoint, _
            ByVal certificate As X509Certificate, ByVal request As WebRequest, _
            ByVal certificateProblem As Integer) As Boolean _
            Implements ICertificatePolicy.CheckValidationResult
        Return True
    End Function
End Class
 
Dominick Baier [DevelopMentor]

Hello Abel,

maybe this helps:
http://www.leastprivilege.com/IIS6AndClientCertificates.aspx

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com
 
Abel Chan

Hi Dominick,

Thanks for your prompt response. I really appreciate it.

I took the suggestion stated at
http://www.leastprivilege.com/IIS6AndClientCertificates.aspx

and enabled Client Authentication under Thawte Premium Server CA. Now,
if I look at the official Thawte client cert's properties, I can see that both Server
and Client Authentication are checked.

However, I am still getting the same 403 error when I run the code. If I
bring up IE, I still can't see my client cert as an available option. Did
I miss a step?

Thanks.

Abel

 
Dominick Baier [DevelopMentor]

Hello Abel,

is the CA trusted on both client and server?


---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com
 
Abel Chan

Hi there,

I believe the CA is trusted on both client and server.

To be 100% sure, the following is how I set up the certificate:

Server side
-------------
1) Purchased an official SSL Web Server certificate issued by Thawte Premium
Server CA.
2) Installed the SSL Web Server certificate on a backup server, which has
BizTalk on it.
3) Tested the certificate by posting a document to an external web site (https
posting) through a BizTalk channel, attaching the SSL Web Server
certificate. It passed the test, so I am 100% sure the certificate is
installed correctly.
4) Exported the SSL Web Server certificate without the private key. (I tried
with the private key before. I don't see any difference. Just to keep it simple,
without a private key.)

Client side
-------------
1) Go to an XP client machine | MMC | Certificates and install the exported
certificate into Certificates (Local Computer) | Personal | Certificates.
2) Double-click the certificate and it shows: This certificate is
intended for the following purpose(s): Ensures the identity of a remote
computer. Proves your identity to a remote computer. All other information
is correct, including the expiration date.
3) Go to Certificates (Local Computer) | Trusted Root Certification
Authorities | Certificates. Select Thawte Premium Server CA. Right-click,
choose Properties and go to the General tab.
4) Check the Client Authentication check box.
5) Go back to Certificates (Local Computer) | Personal | Certificates.
Select the installed certificate. Right-click, choose Properties and go to the
General tab.
6) Verified that both the Server Authentication and Client Authentication check
boxes are checked.
7) Bring up IE and try to hit the same external web site as described in
Server Side step 3) above. (I don't have BizTalk installed on my client
machine.) A "Choose a digital certificate" window pops up but no
certificate is available in the list. Click OK and I get a 403 error.
8) Run the sample application that I posted in my first message. I get a 403
error as well.

I just don't know where I messed up the setup process. I followed all the standard
procedures but … Could you please help me again?

Thanks a lot.

Abel
 
thawte

Hi there Abel,

I'd advise that you try exporting the SSL certificate again; however,
include the option for exporting the private key as well, and then try
the process again. The private key is a very important component of a
certificate key pair and could be the cause of the problem you are
experiencing.

Regards
Marshall
 
Abel Chan

Hi Marshall,

I tried it, and the certificate was exported with the private key included
this time. I am still getting the 403 error. :<

Abel
 
Joe Kaplan \(MVP - ADSI\)

Are you positive the identity that is trying to access the private key has
access to it? For example, if this process runs in a web app but the
private key is associated with your user account, the web app won't have your
profile loaded when it goes to access the private key.

You generally need to make sure the private key is properly associated with
a cert in the machine store and that the account the web app runs as has
rights to read the private key.

Joe K.

 
Abel Chan

Hi Joe and others,

After talking to Thawte and confirming with MS, I found I made two mistakes here:
1) Exporting a server-side certificate (from my 2000 server box) and putting it
on a client machine (my XP Pro with SP2) won't work at all. I need a CLIENT
certificate. I have two ways to get one: a) pay Verisign, or b) get a FREE
personal/email certificate from Thawte. For this application, I picked b).

2) After I installed the FREE client certificate from Thawte, I can now see
the certificate in IE. However, it still wouldn't work in my .NET code.


After doing some searching on Google, I found this article:
http://blogs.msdn.com/kevinha/archive/2005/02/15/373254.aspx

Basically, when I import the certificate into the certificate store, I need
to UNCHECK the option "Enable strong private key protection". This solved the
whole problem. :>

Thanks all for your help.

Abel Chan
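The two root causes Abel reports above, a web server certificate offered as a client certificate and a .cer export that carries no private key, can be reproduced end to end without IIS, a browser or a Thawte certificate. The Go program below is an added example written for this page; it is not code from the thread or from any poster. It mints a throwaway root CA and two leaf certificates (the names "Test Root CA" and "abel", the 24-hour validity and the use of a loopback port are assumptions made for the demo), starts a TLS server that requires and verifies client certificates, and records what the server decides for four different clients. Two behaviours match the thread: a client stack holding a certificate it cannot sign with (no private key) silently sends no certificate at all, which from the outside looks exactly like the empty "Choose a digital certificate" picker and the 403 from IIS; and a certificate whose Extended Key Usage is only Server Authentication is rejected by the server, which is why ticking "Client Authentication" in the certificate's Properties dialog did not help: that check box sets a local store property, it does not change the signed certificate the server inspects. Unlike the posted TrustAllCertificatePolicy, the client here trusts exactly one root.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"time"
)

// issue mints a throwaway certificate for cn signed by parent, or a self-signed root CA when
// parent is nil. eku is the Extended Key Usage inside the certificate itself: the TLS server
// checks it, and the Windows "Choose a digital certificate" picker filters on it.
func issue(cn string, eku []x509.ExtKeyUsage, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // only fails if crypto/rand does
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: eku, BasicConstraintsValid: true,
		DNSNames: []string{"localhost"},
	}
	signer, signerKey := parent, parentKey
	if parent == nil { // self-signed root CA
		tmpl.IsCA, tmpl.KeyUsage = true, x509.KeyUsageCertSign
		signer, signerKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER straight from CreateCertificate always parses
	return cert, key
}

// mutualTLS runs one handshake over loopback TCP. The server requires and verifies a client
// certificate against ca (the IIS "Require client certificates" setting); the client pins ca
// as its only trusted root. The server's verdict is returned: nil means authenticated.
func mutualTLS(ca *x509.Certificate, server tls.Certificate, clientCerts []tls.Certificate) error {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	srvCfg := &tls.Config{Certificates: []tls.Certificate{server}, ClientCAs: pool, ClientAuth: tls.RequireAndVerifyClientCert}
	cliCfg := &tls.Config{RootCAs: pool, ServerName: "localhost", Certificates: clientCerts}
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return err
	}
	defer ln.Close()
	verdict := make(chan error, 1)
	go func() {
		conn, err := ln.Accept()
		if err == nil {
			srv := tls.Server(conn, srvCfg)
			err = srv.Handshake()
			srv.Close()
		}
		verdict <- err
	}()
	cli, err := tls.Dial("tcp", ln.Addr().String(), cliCfg) // Dial runs the client-side handshake
	if err != nil {
		return err
	}
	_, _ = io.Copy(io.Discard, cli) // read the server's alert or close_notify before closing
	cli.Close()
	return <-verdict
}

// runScenarios builds a root CA, a serverAuth-only web server certificate (which is what a
// commercial "SSL Web Server" certificate is) and a clientAuth user certificate, then sends
// four different clients to the same server and records its verdict on each.
func runScenarios() map[string]string {
	ca, caKey := issue("Test Root CA", nil, nil, nil)
	web, webKey := issue("localhost", []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, ca, caKey)
	user, userKey := issue("abel", []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}, ca, caKey)
	server := tls.Certificate{Certificate: [][]byte{web.Raw}, PrivateKey: webKey}
	clients := map[string][]tls.Certificate{
		"no client certificate":            nil,
		"web server cert reused as client": {server},
		"client cert, public part only":    {{Certificate: [][]byte{user.Raw}}}, // what a .cer export holds
		"client cert with private key":     {{Certificate: [][]byte{user.Raw}, PrivateKey: userKey}},
	}
	out := map[string]string{}
	for name, certs := range clients {
		out[name] = "authenticated"
		if err := mutualTLS(ca, server, certs); err != nil {
			out[name] = "rejected: " + err.Error()
		}
	}
	return out
}

func main() {
	for name, verdict := range runScenarios() {
		fmt.Printf("%-34s %s\n", name, verdict)
	}
}
```

The verdicts are the Go TLS stack's own error strings: the two clients that cannot sign a CertificateVerify (no certificate, public part only) both produce "client didn't provide a certificate", the web server certificate produces "certificate specifies an incompatible key usage", and only the clientAuth certificate with its private key is authenticated. The .NET side of the thread is the same requirement seen from the client: before attaching a certificate in code, confirm that the store entry has a private key the process identity can read without a UI prompt, which is what the "strong private key protection" setting at the end of the thread was blocking.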
 
