.Net client and SSL mutual authentication : 403 Forbidden, client certificate not sent

Discussion in 'ASP .Net Security' started by Mfenetre, Oct 10, 2005.

  1. Mfenetre

    Hello all,

    I'm trying to build a .Net client connecting to a Web service and I
    want to use SSL with mutual authentication. The web service is designed
    to require a client certificate.

    I use .Net Framework v1.1.4322, IIS 6.0, Windows 2003 Srv and Visual
    Studio.

    So far I've been able to set up SSL with just server authentication, but
    I can't succeed in writing a C# client using a client certificate.

    I have a client certificate installed in the Personal store of the
    Administrator and I'm trying to use it with this piece of code :

    // WSE 2.0 X.509 types (Microsoft.Web.Services2.dll)
    using System;
    using Microsoft.Web.Services2.Security.X509;

    // opening the current user store
    X509CertificateStore store =
        X509CertificateStore.CurrentUserStore(X509CertificateStore.MyStore);
    store.OpenRead();

    // looking for the right certificate by its Subject Key Identifier
    // (FindCertificateByKeyIdentifier already returns an X509CertificateCollection)
    X509CertificateCollection col =
        store.FindCertificateByKeyIdentifier(
            Convert.FromBase64String("dUvy6QHZTkuzfwQFqh2ZvYE6gdE="));
    store.Close();
    if (col.Count == 0)
        throw new ApplicationException("client certificate not found in CurrentUser\\My");
    X509Certificate cert = col[0];

    // my proxy to the web service (derives from SoapHttpClientProtocol)
    CreditCardWebServiceMutAuth.CreditCardWebServiceMutAuth ws = new
        CreditCardWebServiceMutAuth.CreditCardWebServiceMutAuth();

    // adding the client certificate to the proxy's collection
    ws.ClientCertificates.Add(cert);

    [some personal code]

    // getting the result
    string resultString =
        ws.analyzeCreditCard(creditCardNumberString, typeString, ownerString, expirationDateString);

    And here it fails, I get a 403 error : Forbidden. It seems that the
    client certificate is not sent/used by the .Net client.

    What I am sure of :
    # the certificate is in the current user store, Personal store (I've tried
    with the Local Machine store, but no success)
    # I have the private key and I've granted access to this private key to
    anyone
    # I can access my web service as long as I don't require a client
    certificate

    Can you help me ? Do you have any clue ?

    Thanks in advance,
    Regards,

    Alexis.
     
    Mfenetre, Oct 10, 2005
    #1

  2. Hello Mfenetre,

    have you tried to access the WS with the browser and supply the same client
    cert - does that work??

    ---------------------------------------
    Dominick Baier - DevelopMentor
    http://www.leastprivilege.com

     
    Dominick Baier [DevelopMentor], Oct 10, 2005
    #2

  3. Mfenetre

    Hello Dominick,

    Yes it works with IE or Firefox.
    That's what makes me think that in my .Net client the client
    certificate is not used/sent.
    Perhaps it doesn't have access to the private key but I've followed
    this article :

    http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/SecNetHT13.asp

    and granted access to the "Network Service" :

    WinHttpCertCfg.exe -g -c LOCAL_MACHINE\MY -s "CreditCardClientSSL" -a
    "Network Service"
     
    Mfenetre, Oct 10, 2005
    #3
  4. Peter Jakab

    Hi,
    Did you try debugging your code?

    At the
    cert = col[0];

    line is there anything in the col[0] ?

    Is your client an asp .Net web application?

    If so, is its application pool running as network service identity?

    Was the access grant with winhttpcertcfg successful? (the command you
    mentioned works only when the cert is installed in the local_machine store!)

    If your client is an asp.net code, are you sure, that impersonation is not
    set?


    These are the ideas I have at the moment.

    You could also try loading the cert from file instead of loading from store
    with WSE 2.0.

    You should try with a console or a Windows app first; if that works you
    could get one step further...

    Regards

    Peter

     
    Peter Jakab, Oct 10, 2005
    #4
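    The checks Peter lists (is anything in col[0], which store the process
    identity can actually read, does that identity have rights on the private
    key) are exactly what a client should verify before blaming the server.
    The following is an added example, not code from this thread: a console
    client for .NET Framework 4.6+ or .NET 6+ on Windows that loads the
    certificate from LocalMachine\My by Subject Key Identifier (the modern
    X509Store equivalent of the WSE lookup in the first post), proves the
    private key is usable by the current account by signing with it, and then
    presents it on an HTTPS request. The SKI value and the service URL are
    placeholders to be replaced.

```csharp
using System;
using System.Net;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Security.Principal;

// Added example (not the thread's code). Assumes the client certificate is in
// LocalMachine\My and is identified by its Subject Key Identifier; the SKI and
// URL below are placeholders.
static class MutualTlsClient
{
    const string SubjectKeyIdBase64 = "dUvy6QHZTkuzfwQFqh2ZvYE6gdE=";
    const string ServiceUrl = "https://service.example/CreditCardWebServiceMutAuth.asmx";

    // Step 1: look the certificate up in the store the process identity can read.
    // A worker process running as Network Service has no loaded user profile, so
    // CurrentUser\My is the wrong store for it; LocalMachine\My is the one to use.
    public static X509Certificate2 LoadClientCertificate(string skiBase64)
    {
        // FindBySubjectKeyIdentifier expects the SKI as a hex string, not raw bytes.
        string skiHex = BitConverter.ToString(Convert.FromBase64String(skiBase64)).Replace("-", "");
        using (var store = new X509Store(StoreName.My, StoreLocation.LocalMachine))
        {
            store.Open(OpenFlags.ReadOnly);
            X509Certificate2Collection found = store.Certificates.Find(
                X509FindType.FindBySubjectKeyIdentifier, skiHex, validOnly: false);
            if (found.Count == 0)
                throw new InvalidOperationException("client certificate not found in LocalMachine\\My");
            return found[0];
        }
    }

    // Step 2: prove the private key is usable by *this* identity. HasPrivateKey only
    // says the certificate is linked to a key container; if the container's ACL
    // excludes the process account, Schannel finds no usable certificate and the
    // handshake completes without one (which IIS then answers with 403).
    public static bool PrivateKeyUsable(X509Certificate2 cert, out string detail)
    {
        if (!cert.HasPrivateKey) { detail = "certificate has no private key"; return false; }
        try
        {
            using (RSA rsa = cert.GetRSAPrivateKey())
            {
                if (rsa == null) { detail = "private key is not RSA"; return false; }
                rsa.SignData(new byte[] { 0 }, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
                detail = "private key usable as " + WindowsIdentity.GetCurrent().Name;
                return true;
            }
        }
        catch (CryptographicException ex)
        {
            detail = "private key not accessible: " + ex.Message;
            return false;
        }
    }

    // Step 3: present the certificate. A SoapHttpClientProtocol proxy's
    // ClientCertificates collection behaves the same way as this one.
    public static int CallService(X509Certificate2 cert)
    {
        var request = (HttpWebRequest)WebRequest.Create(ServiceUrl);
        request.ClientCertificates.Add(cert);
        try
        {
            using (var response = (HttpWebResponse)request.GetResponse())
                return (int)response.StatusCode;
        }
        catch (WebException ex) when (ex.Response is HttpWebResponse failed)
        {
            // IIS answers 403 (substatus 403.7 in its log) when it required a
            // client certificate and none was presented.
            return (int)failed.StatusCode;
        }
    }

    public static void Main()
    {
        Console.WriteLine("running as " + WindowsIdentity.GetCurrent().Name);
        X509Certificate2 cert = LoadClientCertificate(SubjectKeyIdBase64);
        Console.WriteLine(PrivateKeyUsable(cert, out string detail) ? "OK: " + detail : "FAIL: " + detail);
        Console.WriteLine("HTTP " + CallService(cert));
    }
}
```

    Run it first as the interactive user, then under the account the web
    application actually uses (Peter's point about the application pool
    identity); if PrivateKeyUsable fails only for the second account, the fix
    is the key-container ACL, which is what WinHttpCertCfg edits (on current
    Windows the same grant is "Manage Private Keys" in certlm.msc).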
  5. Try using Filemon and Regmon (sysinternals) to figure out what access is
    being denied when the access to the private key occurs. Hopefully that will
    work.

    These things can be a huge pain to debug, but if you go with the machine
    store and do the cert config thing you showed, you should be able to get
    this to work.

    Also, make sure the private key is not password protected as IIS obviously
    can't deal with that.

    Joe K.

    "Mfenetre" <> wrote in message
    news:...
    > Hello Dominick,
    >
    > Yes it works with IE or Firefox.
    > That's what makes me think that in my .Net client the client
    > certificate is not used/sent.
    > Perhaps it doesn't have access to the private key but I've followed
    > this article :
    >
    > http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/SecNetHT13.asp
    >
    > and granted access to the "Network Service" :
    >
    > WinHttpCertCfg.exe -g -c LOCAL_MACHINE\MY -s "CreditCardClientSSL" -a
    > "Network Service"
    >
     
    Joe Kaplan \(MVP - ADSI\), Oct 10, 2005
    #5
  6. Hello Mfenetre,

    So your client is running as network service? this means that the cert has
    to be in the Local Machine/MY store - is that the case?

    ---------------------------------------
    Dominick Baier - DevelopMentor
    http://www.leastprivilege.com

     
    Dominick Baier [DevelopMentor], Oct 10, 2005
    #6
  7. Mfenetre

    Hello all,

    Thanks for all your answers, so let me answer all of these questions :

    >Try using Filemon and Regmon (sysinternals)

    Ok I don't know these tools but I'll do that

    >Also, make sure the private key is not password protected as IIS obviously can't deal with that.

    No password

    >So your client is running as network service?

    Yes, I'm sure, I'm printing the identity on screen just to be sure

    >this means that the cert has to be in the Local Machine/MY store - is that the case?

    Yes that's the case.

    > is there anything in the col[0] ?

    Yes, I did debugging and I checked that the right certificate was found

    >Was the access grant with winhttpcertcfg successful?

    Yes, I granted access to the private key for the user "Network Service"

    >If your client is an asp.net code, are you sure, that impersonation is not set?

    I tried impersonation with the user "Administrator", just to use the
    Current User Store instead of Local Machine Store but no luck...

    >You could also try loading the cert from file instead of loading from store with WSE 2.0.

    I did it but no luck too...

    >You should try with a console or a windows app first, if that works you could get 1 step forth...

    Good idea. I'll try that. So far I know it works with a browser.

    Anyway, thank you Joe, Dominick and Peter for all your answers.

    regards,
    Alexis.
     
    Mfenetre, Oct 11, 2005
    #7
  8. Peter Jakab

    One more thing:
    You should check if there is a problem with the cert by switching logging on
    for Schannel:

    http://support.microsoft.com/?id=260729

    and one more question:

    with IE did you get any notifications about the server certificate that you
    had to bypass manually (for example site is not trusted, the cert and site
    URLs don't match, or cert is expired)?
    In this case you can do this trick in a development environment:
    http://weblogs.asp.net/jan/archive/2003/12/04/41154.aspx

    Best regards

    Peter


     
    Peter Jakab, Oct 11, 2005
    #8
  9. Mfenetre

    Well, I've switched logging on and apparently there is something strange.
    When I try to do a single connection, I see many events in 'Event
    Viewer' :

    "Creating an SSL client credential." -> 2 times : why 2 times ?
    "The remote server has requested SSL client authentication, but no
    suitable client certificate could be found." -> well ok, apparently no
    client certificate is provided.

    But what is strange is that I see this :

    An SSL client handshake completed successfully. The negotiated
    cryptographic parameters are as follows.

    Protocol: SSL 3.0
    Cipher: RC4
    Cipher strength: 128
    MAC: MD5
    Exchange: RSA
    Exchange strength: 1024

    How is this possible ? A successful client handshake ? Then why do I
    have a 403 : Forbidden error ?
     
    Mfenetre, Oct 11, 2005
    #9
  10. Is it possible that the server doesn't trust the client certificate you are
    trying to use?

    Typically what happens during client certificate authentication is that the
    server sends down to the client a list of the CAs it trusts (depending on
    what trusted roots are configured on the server). Then the client looks
    through this list and checks to see if the certificate matches that list.
    If it does not, it will not be used.

    Based on the first error, that might be the problem.

    One other thing--impersonating the administrator does not load the
    administrator's profile automatically, so the process would not necessarily
    have access to the admin's personal certificate store.

    Joe K.

     
    Joe Kaplan \(MVP - ADSI\), Oct 11, 2005
    #10
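    Joe's description of the CertificateRequest step is worth making concrete,
    because it explains both Schannel events Alexis saw: the handshake succeeds
    (the client is allowed to answer with no certificate) and yet "no suitable
    client certificate could be found", because Schannel only offers a
    certificate whose chain leads to one of the CA names the server listed.
    The following is an added example, not code from this thread or from
    Microsoft: it targets .NET 6+, builds a throwaway CA and a client
    certificate signed by it entirely in memory (constructed test data, so no
    Windows store is touched), and then answers the question the client
    should ask before the handshake: does any issuer in the chain appear in
    the server's acceptable-CA list? The CA names in the sample lists are
    made up.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Added example (not the thread's code). Requires .NET 6 or later.
static class AcceptableCaCheck
{
    // Returns true when some issuer in the client certificate's chain has a subject
    // DN that the server lists in its CertificateRequest. The chain is built against
    // the roots handed in here (CustomRootTrust), not the machine's root store, so
    // the result does not depend on what the demo machine happens to trust.
    public static bool ChainsToAcceptableCa(X509Certificate2 clientCert,
                                            IEnumerable<X509Certificate2> trustedRoots,
                                            IEnumerable<string> acceptableCaDns,
                                            out string reason)
    {
        // Normalise the server's DN strings through the same decoder used for the
        // chain elements, so spacing or quoting differences do not hide a match.
        var wanted = new HashSet<string>(
            acceptableCaDns.Select(dn => new X500DistinguishedName(dn).Format(false)),
            StringComparer.OrdinalIgnoreCase);

        using var chain = new X509Chain();
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck; // offline demo only
        chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
        foreach (X509Certificate2 root in trustedRoots)
            chain.ChainPolicy.CustomTrustStore.Add(root);

        if (!chain.Build(clientCert))
        {
            reason = "chain did not build: " +
                     string.Join("; ", chain.ChainStatus.Select(s => s.Status.ToString()));
            return false;
        }

        // Element 0 is the leaf; the server lists CAs, so only the issuers count.
        foreach (X509ChainElement element in chain.ChainElements.Cast<X509ChainElement>().Skip(1))
        {
            string subject = element.Certificate.SubjectName.Format(false);
            if (wanted.Contains(subject)) { reason = "issuer accepted: " + subject; return true; }
        }
        reason = "no issuer in the chain is on the server's acceptable-CA list";
        return false;
    }

    // Constructed test PKI: a self-signed CA and a client-auth certificate it issued.
    public static (X509Certificate2 ca, X509Certificate2 client) MakeTestPki()
    {
        using RSA caKey = RSA.Create(2048);
        var caReq = new CertificateRequest("CN=Test Client CA, O=Example",
            caKey, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        caReq.CertificateExtensions.Add(new X509BasicConstraintsExtension(true, false, 0, true));
        caReq.CertificateExtensions.Add(new X509SubjectKeyIdentifierExtension(caReq.PublicKey, false));
        X509Certificate2 ca = caReq.CreateSelfSigned(
            DateTimeOffset.UtcNow.AddDays(-1), DateTimeOffset.UtcNow.AddYears(1));

        using RSA clientKey = RSA.Create(2048);
        var clientReq = new CertificateRequest("CN=CreditCardClientSSL",
            clientKey, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        clientReq.CertificateExtensions.Add(new X509BasicConstraintsExtension(false, false, 0, false));
        clientReq.CertificateExtensions.Add(new X509EnhancedKeyUsageExtension(
            new OidCollection { new Oid("1.3.6.1.5.5.7.3.2") }, false)); // id-kp-clientAuth
        X509Certificate2 client = clientReq.Create(ca,
            DateTimeOffset.UtcNow.AddDays(-1), DateTimeOffset.UtcNow.AddMonths(6),
            RandomNumberGenerator.GetBytes(8));
        return (ca, client);
    }

    public static void Main()
    {
        var (ca, client) = MakeTestPki();

        // Stand-in for the CA list a server sends in its CertificateRequest (made up).
        string[] serverLists = { "CN=Test Client CA, O=Example", "CN=Some Other Root, O=Other" };
        bool ok = ChainsToAcceptableCa(client, new[] { ca }, serverLists, out string why);
        Console.WriteLine(ok + ": " + why);

        // Same certificate against a server that does not list our CA: this is the
        // case where Schannel logs "no suitable client certificate could be found"
        // and completes the handshake without sending one.
        ok = ChainsToAcceptableCa(client, new[] { ca }, new[] { "CN=Unrelated CA" }, out why);
        Console.WriteLine(ok + ": " + why);
    }
}
```

    To get the real list a server sends, connect with OpenSSL
    (openssl s_client -connect host:443) and read the "Acceptable client
    certificate CA names" section of its output; that is the list the
    client certificate's issuer has to appear in. Note also that on the
    server side the CA must be in the Local Machine Trusted Root store,
    not a user's, for IIS to include it.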
  11. Mfenetre

    Hello all,

    So finally I've been able to solve my problem.

    I had checked that root certification authorities were installed on
    client and server side, that the client had the right (I mean the
    ASPNET or "Network Service" process) to use the private key of the
    client certificate, that the client certificate was in the
    LOCAL_MACHINE\MY store, but I still had the 403 : Forbidden error.

    And finally the solution turned out to be the installation of the .Net
    Framework SP1, which apparently I had not installed. And then, magic,
    the error disappears, without changing a single line of code or
    configuration...

    How disappointing and not satisfying this solution can be... But, well,
    it works now.

    Thank you all again for your efforts,

    Regards,
    Alexis.
     
    Mfenetre, Oct 12, 2005
    #11
  12. There were some changes to how SSL client certificates work in SP1 of 1.1.
    As I recall, they changed the behavior to allow access to the machine store
    as well as MY store, but I can't remember for sure.

    Sorry we didn't mention this before. I honestly didn't know people ran with
    the service pack these days. It has been out for a long time and fixes a
    bunch of important stuff...

    Joe K.

     
    Joe Kaplan \(MVP - ADSI\), Oct 12, 2005
    #12
