Getting 403 Forbidden error. Client Cert not sent

Discussion in 'ASP .Net Security' started by Abel Chan, Dec 18, 2005.

  1. Abel Chan

    Abel Chan Guest

    Hi there,

    I am getting the 403 Forbidden error when I run the following code, which is
    a very simple Windows application. BTW, I found a couple of similar problems
    posted under dotnet.framework.asp.net.security, so I am posting this question here.

    What I am trying to do is attach a client certificate and post an XML
    document to a remote web site which enforces SSL and requires a client
    certificate.

    The client machine has a certificate installed under Certificates (Local
    Computer) | Personal | Certificates. I have installed a valid Thawte
    certificate and I also generated one using SelfSSL. They both give me the
    same error message.

    I also tried hitting the remote web site directly from IE. I got a pop-up
    window with the title "Choose a digital certificate". However, I don't see any
    certificate in the list. Why? I can see both the SelfSSL-generated
    and the official Thawte certificate in the store. I am a little bit confused. Is my
    problem related to my code, or is it a certificate security/setup issue? Could you
    please help?

    Thanks.

    Abel Chan

    -----------------------
    Code extracted
    ------------------------
    Imports System.Xml
    Imports System.IO
    Imports Microsoft.VisualBasic
    Imports System.Diagnostics
    Imports System.Net
    Imports System.Security.Cryptography.X509Certificates

    Public Class Form1
        Inherits System.Windows.Forms.Form

        Private Sub Button1_Click(ByVal sender As System.Object, _
                                  ByVal e As System.EventArgs) Handles Button1.Click
            Dim oWebRequest As Net.HttpWebRequest
            Dim oIOStream As System.IO.Stream
            Dim oWebResponse As Net.HttpWebResponse
            Dim oReader As System.IO.StreamReader
            Dim oResponseStream As System.IO.Stream
            Dim strData As String
            Dim docXMLDoc As New XmlDocument
            Dim txtResponse As String
            Dim strException As String = ""

            Dim myURL As String = "https://[mywebsite]/[mydir]/[myurl.asp]"

            Dim ServerTimeOut As Integer = 60000

            Try
                ' Load the client certificate from the .cer file on disk
                Dim Cert As X509Certificate = _
                    X509Certificate.CreateFromCertFile("c:\[Path containing my cer]\mycer.cer")

                ' Install TrustAllCertificatePolicy, which returns TRUE
                ' on all SSL web requests.
                System.Net.ServicePointManager.CertificatePolicy = _
                    New TrustAllCertificatePolicy

                ' Load soap envelope
                strData = "<MyTestXML>Hi</MyTestXML>"

                ' Setup request URL
                oWebRequest = CType(Net.WebRequest.Create(myURL), Net.HttpWebRequest)

                oWebRequest.ClientCertificates.Add(Cert)

                ' Setup request parameters
                oWebRequest.ContentType = "text/xml"
                oWebRequest.Method = "POST"
                oWebRequest.ContentLength = strData.Length
                oWebRequest.KeepAlive = True
                oWebRequest.Timeout = ServerTimeOut

                ' Write to stream
                Dim arrData As Byte() = _
                    System.Text.Encoding.ASCII.GetBytes(strData)
                oIOStream = oWebRequest.GetRequestStream()

                oIOStream.Write(arrData, 0, arrData.Length)
                oIOStream.Flush()

                ' Get the response from web address
                oWebResponse = CType(oWebRequest.GetResponse(), Net.HttpWebResponse)
                If (oWebResponse.StatusCode <> Net.HttpStatusCode.OK) Then
                    txtResponse = ""
                    strException = oWebResponse.StatusDescription

                    GoTo exitfunction
                End If

                ' Get response stream
                oResponseStream = oWebResponse.GetResponseStream()

            Catch ex As WebException 'Exception
                strException = "Message: " + ex.Message + " Source: " + _
                    ex.Source

                MsgBox(strException)

            Finally
                ' Close resources
                If (False = (oIOStream Is Nothing)) Then oIOStream.Close()
                If (False = (oWebResponse Is Nothing)) Then oWebResponse.Close()
            End Try

    exitfunction:

        End Sub
    End Class

    Public Class TrustAllCertificatePolicy
        Implements System.Net.ICertificatePolicy

        ' Accept every server certificate, whatever the validation result
        Public Function CheckValidationResult(ByVal srvPoint As System.Net.ServicePoint, _
                ByVal certificate As System.Security.Cryptography.X509Certificates.X509Certificate, _
                ByVal request As System.Net.WebRequest, _
                ByVal certificateProblem As Integer) As Boolean _
                Implements System.Net.ICertificatePolicy.CheckValidationResult
            Dim myname As String = certificate.GetName
            Return True
        End Function
    End Class
     
    Abel Chan, Dec 18, 2005
    #1
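    Two things in the posted code work against it, and a reader hitting the same 403 can check both. First, X509Certificate.CreateFromCertFile loads a .cer file, which carries only the public certificate; with no private key the TLS client cannot complete client authentication, so no certificate is presented and the server answers 403. Second, TrustAllCertificatePolicy accepts any server certificate, which removes the protection SSL is supposed to give. The example below is added here and is not the poster's code: it takes the client certificate from the Local Computer\Personal store by thumbprint, refuses to continue if the certificate has no private key, and leaves server certificate validation at the framework default. The thumbprint and URL are placeholders; it assumes .NET Framework 2.0 or later.

```vbnet
' Added example, not from the original post. Placeholders: thumbprint and URL.
Imports System
Imports System.IO
Imports System.Net
Imports System.Security.Cryptography.X509Certificates
Imports System.Text

Public Module ClientCertPost

    ' Find the client certificate in LocalMachine\My by thumbprint.
    ' Loading from the store (not from a .cer file) is what gives the TLS
    ' handshake access to the private key it needs to prove the client identity.
    Public Function LoadClientCert(ByVal thumbprint As String) As X509Certificate2
        Dim store As New X509Store(StoreName.My, StoreLocation.LocalMachine)
        store.Open(OpenFlags.ReadOnly)
        Try
            ' validOnly = False so "not found" is not confused with "expired/untrusted"
            Dim found As X509Certificate2Collection = _
                store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, False)
            If found.Count = 0 Then
                Throw New InvalidOperationException("Client certificate not found in LocalMachine\My")
            End If
            Dim cert As X509Certificate2 = found(0)
            If Not cert.HasPrivateKey Then
                Throw New InvalidOperationException("Certificate has no private key; it cannot be used for client authentication")
            End If
            Return cert
        Finally
            store.Close()
        End Try
    End Function

    ' POST the XML and return the HTTP status code. Server certificate validation
    ' is left at the framework default, so a bad chain or name mismatch fails the
    ' call with a WebException instead of being silently accepted.
    Public Function PostXml(ByVal url As String, ByVal xml As String, _
                            ByVal cert As X509Certificate2) As HttpStatusCode
        Dim request As HttpWebRequest = DirectCast(WebRequest.Create(url), HttpWebRequest)
        request.Method = "POST"
        request.ContentType = "text/xml; charset=utf-8"
        request.Timeout = 60000
        request.ClientCertificates.Add(cert)

        ' Encode first and take ContentLength from the byte count, not the
        ' string length: the two differ as soon as the XML has non-ASCII text.
        Dim body As Byte() = Encoding.UTF8.GetBytes(xml)
        request.ContentLength = body.Length
        Using reqStream As Stream = request.GetRequestStream()
            reqStream.Write(body, 0, body.Length)
        End Using

        Using response As HttpWebResponse = DirectCast(request.GetResponse(), HttpWebResponse)
            Using reader As New StreamReader(response.GetResponseStream())
                Console.WriteLine(reader.ReadToEnd())
            End Using
            Return response.StatusCode
        End Using
    End Function

    Sub Main()
        ' Placeholder thumbprint and endpoint; replace with real values.
        Dim cert As X509Certificate2 = LoadClientCert("0000000000000000000000000000000000000000")
        Try
            Dim status As HttpStatusCode = _
                PostXml("https://example.invalid/myurl.asp", "<MyTestXML>Hi</MyTestXML>", cert)
            Console.WriteLine("Status: " & status.ToString())
        Catch ex As WebException
            ' A 403 while sending a client certificate usually means the handshake
            ' presented no usable certificate (no private key, wrong EKU, untrusted issuer).
            Console.WriteLine("Request failed: " & ex.Message)
        End Try
    End Sub
End Module
```

    The HasPrivateKey check is the one that would have caught the problem in this thread early: a certificate exported without its private key, or a .cer file, fails it before any network call is made.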

  2. Hello Abel,

    maybe this helps:
    http://www.leastprivilege.com/IIS6AndClientCertificates.aspx

    ---------------------------------------
    Dominick Baier - DevelopMentor
    http://www.leastprivilege.com
     
    Dominick Baier [DevelopMentor], Dec 18, 2005
    #2

  3. Abel Chan

    Abel Chan Guest

    Hi Dominick,

    Thanks for your prompt response. I really appreciate it.

    I took the suggestion stated at
    http://www.leastprivilege.com/IIS6AndClientCertificates.aspx

    and enabled Client Authentication under Thawte Premium Server CA. Now
    if I look at the official Thawte client certificate's properties, I can see both Server
    and Client Authentication are checked.

    However, I am still getting the same 403 error when I run the code. If I
    bring up IE, I still can't see my client cert as an available option. Did
    I miss a step?

    Thanks.

    Abel

     
    Abel Chan, Dec 19, 2005
    #3
  4. Hello Abel,

    is the CA trusted on both client and server?


    ---------------------------------------
    Dominick Baier - DevelopMentor
    http://www.leastprivilege.com
     
    Dominick Baier [DevelopMentor], Dec 19, 2005
    #4
  5. Abel Chan

    Abel Chan Guest

    Hi there,

    I believe the CA is trusted on both client and server.

    To be 100% sure, the following is how I set up the certificate:

    Server side
    -------------
    1) Purchased an official SSL Web Server certificate issued by Thawte Premium
    Server CA.
    2) Installed the SSL Web Server certificate on a backup server, which has
    BizTalk on it.
    3) Tested the certificate by posting a document to an external web site (https
    posting) through a BizTalk channel, attaching the SSL Web Server
    certificate. It passed the test, so I am 100% sure the certificate is
    installed correctly.
    4) Exported the SSL Web Server certificate without a private key. (I tried
    with the private key before. I don’t see any difference. Just to make it simple,
    without a private key.)

    Client side
    -------------
    1) Go to an XP client machine | MMC | Certificates and install the exported
    certificate into Certificates (Local Computer) | Personal | Certificates.
    2) Double-click on the certificate and it shows: This certificate is
    intended for the following purpose(s): Ensures the identity of a remote
    computer. Proves your identity to a remote computer. All other information
    is correct, including the expiration date.
    3) Go to Certificates (Local Computer) | Trusted Root Certification
    Authorities | Certificates. Select Thawte Premium Server CA. Right-click,
    choose Properties and go to the General tab.
    4) Check the Client Authentication check box.
    5) Go back to Certificates (Local Computer) | Personal | Certificates.
    Select the installed certificate. Right-click, choose Properties and go to the
    General tab.
    6) Verified that both the Server Authentication and Client Authentication check
    boxes are checked.
    7) Bring up IE and try to hit the same external web site as described in
    Server Side step 3) above. (I don’t have BizTalk installed on my client
    machine.) A "Choose a digital certificate" window pops up, but no
    certificate is available in the list. Clicked OK and got a 403 error.
    8) Ran the sample application that I posted in my first message. I got a 403
    error as well.

    I just don’t know where I messed up the setup process. I followed all standard
    procedures but … Could you please help me again?

    Thanks a lot.

    Abel
     
    Abel Chan, Dec 19, 2005
    #5
  6. thawte

    thawte Guest

    Hi there Abel

    I'd advise that you try exporting the SSL certificate again however
    include the option for exporting the private key as well and then try
    the process again. The private key is a very important component in a
    certificate key pair and could be the cause of the problem you
    experience.

    Regards
    Marshall
     
    thawte, Dec 21, 2005
    #6
  7. Abel Chan

    Abel Chan Guest

    Hi Marshall,

    I tried it, and the certificate export now includes the private
    key. I am still getting the 403 error. :<

    Abel
     
    Abel Chan, Dec 21, 2005
    #7
    Are you positive the identity that is trying to access the private key has
    access to it? For example, if this process runs in a web app but the
    private key is associated with your user account, the web app won't have your
    profile loaded when it goes to access the private key.

    You generally need to make sure the private key is properly associated with
    a cert in the machine store and that the account running in the web app has
    rights to read the private key.

    Joe K.

     
    Joe Kaplan \(MVP - ADSI\), Dec 21, 2005
    #8
  9. Abel Chan

    Abel Chan Guest

    Hi Joe and others,

    After talking to Thawte and confirming with MS, I found I made two mistakes here:
    1) Exporting a server-side certificate (from my 2000 Server box) and putting it
    on a client machine (my XP Pro with SP2) won't work at all. I need a CLIENT
    certificate. I have 2 ways to get it: a) pay Verisign or b) get a FREE
    personal/email certificate from Thawte. For this application, I picked b).

    2) After I installed the FREE client certificate from Thawte, I can now see
    the certificate in my IE. However, it still won't work in my .NET code.


    After doing some searching on Google, I found this article:
    http://blogs.msdn.com/kevinha/archive/2005/02/15/373254.aspx

    Basically, when I import the certificate into the certificate store, I need
    to UNCHECK the option "Enable strong private key protection". This solved the
    whole problem. :>

    Thanks all for your help.

    Abel Chan
     
    Abel Chan, Jan 12, 2006
    #9
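    The thread's three wrong turns (a server certificate used as a client certificate, an export without the private key, and a key the process could not open because of strong private key protection or missing rights as Joe described) can each be checked from code before any request is sent. The example below is added here and is not the poster's or Thawte's code: it walks every certificate in Local Computer\Personal and reports whether the Enhanced Key Usage allows Client Authentication (OID 1.3.6.1.5.5.7.3.2), whether a private key is attached, whether the current account can actually open that key, and whether the issuing CA is trusted on this machine. It assumes .NET Framework 2.0 or later and runs offline; revocation checking is switched off so the chain test does not depend on network access.

```vbnet
' Added example, not from the original thread.
Imports System
Imports System.Security.Cryptography
Imports System.Security.Cryptography.X509Certificates

Public Module ClientCertCheck

    ' id-kp-clientAuth
    Public Const ClientAuthOid As String = "1.3.6.1.5.5.7.3.2"

    ' True if the EKU extension lists Client Authentication, or if the
    ' certificate has no EKU extension at all (which means "any purpose").
    ' A web server certificate with only Server Authentication fails here.
    Public Function AllowsClientAuth(ByVal cert As X509Certificate2) As Boolean
        Dim sawEku As Boolean = False
        For Each ext As X509Extension In cert.Extensions
            Dim eku As X509EnhancedKeyUsageExtension = TryCast(ext, X509EnhancedKeyUsageExtension)
            If eku IsNot Nothing Then
                sawEku = True
                For Each oid As Oid In eku.EnhancedKeyUsages
                    If oid.Value = ClientAuthOid Then Return True
                Next
            End If
        Next
        Return Not sawEku
    End Function

    ' True only if a private key is attached AND this account can open it.
    ' Keys stored under another user's profile, a key container without an
    ' ACL for this account, or strong private key protection (which needs an
    ' interactive prompt) all surface here as a CryptographicException.
    Public Function PrivateKeyUsable(ByVal cert As X509Certificate2) As Boolean
        If Not cert.HasPrivateKey Then Return False
        Try
            Dim key As AsymmetricAlgorithm = cert.PrivateKey
            Return (key IsNot Nothing)
        Catch ex As CryptographicException
            Console.WriteLine("  Private key not accessible: " & ex.Message)
            Return False
        End Try
    End Function

    ' True if a chain to a trusted root can be built on this machine.
    Public Function ChainTrusted(ByVal cert As X509Certificate2) As Boolean
        Dim chain As New X509Chain()
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck
        Dim ok As Boolean = chain.Build(cert)
        If Not ok Then
            For Each status As X509ChainStatus In chain.ChainStatus
                Console.WriteLine("  " & status.Status.ToString() & ": " & status.StatusInformation)
            Next
        End If
        Return ok
    End Function

    Public Sub Report(ByVal cert As X509Certificate2)
        Console.WriteLine("Subject:          " & cert.Subject)
        Console.WriteLine("Issuer:           " & cert.Issuer)
        Console.WriteLine("Client auth EKU:  " & AllowsClientAuth(cert).ToString())
        Console.WriteLine("Has private key:  " & cert.HasPrivateKey.ToString())
        Console.WriteLine("Key usable:       " & PrivateKeyUsable(cert).ToString())
        Console.WriteLine("Chain trusted:    " & ChainTrusted(cert).ToString())
    End Sub

    Sub Main()
        Dim store As New X509Store(StoreName.My, StoreLocation.LocalMachine)
        store.Open(OpenFlags.ReadOnly)
        Try
            For Each cert As X509Certificate2 In store.Certificates
                Report(cert)
                Console.WriteLine()
            Next
        Finally
            store.Close()
        End Try
    End Sub
End Module
```

    Run it under the same account that will make the HTTPS request (the service or application pool identity, not an interactive administrator), since "Key usable" depends on who is asking; a certificate that reports True on all four lines is one the TLS client can present.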
