.Net client and SSL mutual authentication : 403 Forbidden, client certificate not sent

Discussion in 'ASP .Net Security' started by Mfenetre, Oct 10, 2005.

  1. Mfenetre

    Mfenetre Guest

    Hello all,

    I'm trying to build a .Net client connecting to a Web service and I
    want to use SSL with mutual authentication. The web service is designed
    to require a client certificate.

    I use .Net Framework v1.1.4322, IIS 6.0, Windows 2003 Srv and Visual
    Studio.

    So far I've been able to set up SSL with just server authentication, but
    I can't succeed in writing a C# client using a client certificate.

    I have a client certificate installed in the Personal Store of the
    Administrator and I'm trying to use it with this piece of code:

    // WSE 2.0 X.509 types; needs: using Microsoft.Web.Services2.Security.X509;
    // opening the current user store
    X509CertificateStore store =
        X509CertificateStore.CurrentUserStore(X509CertificateStore.MyStore);
    store.OpenRead();

    // looking for the right certificate by its subject key identifier (base64)
    X509CertificateCollection col =
        (X509CertificateCollection)store.FindCertificateByKeyIdentifier(
            Convert.FromBase64String("dUvy6QHZTkuzfwQFqh2ZvYE6gdE="));
    if (col == null || col.Count == 0)
        throw new InvalidOperationException("client certificate not found in CurrentUser\\My");
    X509Certificate cert = col[0];
    store.Close();

    // my proxy to the web service
    CreditCardWebServiceMutAuth.CreditCardWebServiceMutAuth ws =
        new CreditCardWebServiceMutAuth.CreditCardWebServiceMutAuth();

    // adding the client certificate to the proxy (sent during the SSL handshake)
    ws.ClientCertificates.Add(cert);

    [some personal code]

    // getting the result
    string resultString =
        ws.analyzeCreditCard(creditCardNumberString, typeString, ownerString, expirationDateString);

    And here it fails, I get a 403 error : Forbidden. It seems that the
    client certificate is not sent/used by the .Net client.

    What I am sure :
    # the certificate is in the current user store, Personal Store (I've tried
    with the Local Machine store, but no success)
    # I've the private key and I've granted access to this private key to
    anyone
    # I can access to my web service as long as I don't require a client
    certificate

    Can you help me ? Do you have any clue ?

    Thanks in advance,
    Regards,

    Alexis.
     
    Mfenetre, Oct 10, 2005
    #1

  2. Hello Mfenetre,

    have you tried to access the WS with the browser and supply the same client
    cert - does that work??
     
    Dominick Baier [DevelopMentor], Oct 10, 2005
    #2

  3. Mfenetre

    Mfenetre Guest

    Mfenetre, Oct 10, 2005
    #3
  4. Peter Jakab

    Peter Jakab Guest

    Hi,
    Did you try debugging your code?

    At the
    cert = col[0];

    line is there anything in the col[0] ?

    Is your client an asp .Net web application?

    If so, is its application pool running as network service identity?

    Was the access grant with winhttpcertcfg successful? (the command you
    mentioned works only when the cert is installed in the local_machine store!)

    If your client is an asp.net code, are you sure, that impersonation is not
    set?


    Those are the ideas I have at the moment.

    You could also try loading the cert from file instead of loading from store
    with WSE 2.0.

    You should try with a console or a Windows app first; if that works you
    could get one step further...

    Regards

    Peter
     
    Peter Jakab, Oct 10, 2005
    #4
  5. Try using Filemon and Regmon (sysinternals) to figure out what access is
    being denied when the access to the private key occurs. Hopefully that will
    work.

    These things can be a huge pain to debug, but if you go with the machine
    store and do the cert config thing you showed, you should be able to get
    this to work.

    Also, make sure the private key is not password protected as IIS obviously
    can't deal with that.

    Joe K.
     
    Joe Kaplan \(MVP - ADSI\), Oct 10, 2005
    #5
  6. Hello Mfenetre,

    So your client is running as network service? this means that the cert has
    to be in the Local Machine/MY store - is that the case?
     
    Dominick Baier [DevelopMentor], Oct 10, 2005
    #6
  7. Mfenetre

    Mfenetre Guest

    Hello all,

    Thanks for all your answers, so let me answer all of these questions :
    Ok I don't know these tools but I'll do that
    No password
    Yes, I'm sure, I'm printing the identity on screen just to be sure
    Yes that's the case.
    Yes, I did debugging and I checked that the right certificate was found
    Yes, I granted access to the private key for the user "Network Service"
    I tried impersonation with the user "Administrator", just to use the
    Current User Store instead of Local Machine Store but no luck...
    I did it but no luck too...
    Good idea. I'll try that. So far I know it works with a browser.

    Anyway, thank you Joe, Dominick and Peter for all your answers.

    regards,
    Alexis.
     
    Mfenetre, Oct 11, 2005
    #7
  8. Peter Jakab

    Peter Jakab Guest

    One more thing:
    You should check if there is a problem with the cert switching logging on
    for schannel:

    http://support.microsoft.com/?id=260729

    and one more question:

    with IE did you get any notifications about the server certificate that you
    had to bypass manually( for example site is not trusted, the cert and site
    urls dont match, or cert is expired) ?
    In this case you can do this trick in development environment:
    http://weblogs.asp.net/jan/archive/2003/12/04/41154.aspx

    Best regards

    Peter


     
    Peter Jakab, Oct 11, 2005
    #8
  9. Mfenetre

    Mfenetre Guest

    Well, I've switched logging on and apparently there is something strange.
    When I try to do a single connection, I see many events in 'Event
    Viewer' :

    "Creating an SSL client credential." -> 2 times : why 2 times ?
    "The remote server has requested SSL client authentication, but no
    suitable client certificate could be found." -> well ok, apparently no
    client certificate is provided.

    But what is strange is that is see this :

    An SSL client handshake completed successfully. The negotiated
    cryptographic parameters are as follows.

    Protocol: SSL 3.0
    Cipher: RC4
    Cipher strength: 128
    MAC: MD5
    Exchange: RSA
    Exchange strength: 1024

    How is this possible? A successful client handshake? Then why do I
    have a 403: Forbidden error?
     
    Mfenetre, Oct 11, 2005
    #9
  10. Is it possible that the server doesn't trust the client certificate you are
    trying to use?

    Typically what happens during client certificate authentication is that the
    server sends down to the client a list of the CAs it trusts (depending on
    what trusted roots are configured on the server). Then the client looks
    through this list and checks to see if the certificate matches that list.
    If it does not, it will not be used.

    Based on the first error, that might be the problem.

    One other thing--impersonating the administrator does not load the
    administrator's profile automatically, so the process would not necessarily
    have access to the admin's personal certificate store.

    Joe K.
     
    Joe Kaplan \(MVP - ADSI\), Oct 11, 2005
    #10
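The CA-list matching Joe describes above (and the Schannel "no suitable client certificate could be found" event Alexis saw in #9) can be seen concretely in the following added example. It is not code from this thread and does not use WSE or .NET at all; it is a stand-alone Python model of the SSL 3.0/TLS 1.0 CertificateRequest message: the server names the issuers it accepts as DER-encoded distinguished names, and the client offers a certificate only when one of its usable certificates was issued by a named CA. Every DN, certificate record and request byte here is constructed sample data (the "Contoso" and "Fabrikam" names are placeholders), and the DER codec covers only the attribute types the sample needs (C, O, CN).

```python
import struct

# Minimal DER codec: just enough to build and read an X.501 Name.
OID_NAMES = {"2.5.4.6": "C", "2.5.4.10": "O", "2.5.4.3": "CN"}
NAME_OIDS = {v: k for k, v in OID_NAMES.items()}

def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body

def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))

def encode_dn(attrs):
    """[("C","US"), ("O","Contoso")] -> DER Name (SEQUENCE of SET of type+value)."""
    rdns = b"".join(
        _tlv(0x31, _tlv(0x30, _encode_oid(NAME_OIDS[k]) + _tlv(0x0C, v.encode())))
        for k, v in attrs)
    return _tlv(0x30, rdns)

def _read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def decode_dn(der):
    """DER Name -> 'C=US,O=Contoso,CN=...' (attribute order preserved)."""
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Name must be a SEQUENCE")
    parts, pos = [], 0
    while pos < len(seq):
        _, rdn, pos = _read_tlv(seq, pos)      # SET
        _, atv, _ = _read_tlv(rdn, 0)          # SEQUENCE { type, value }
        _, oid, p = _read_tlv(atv, 0)
        _, value, _ = _read_tlv(atv, p)
        oid = _decode_oid(oid)
        parts.append(f"{OID_NAMES.get(oid, oid)}={value.decode()}")
    return ",".join(parts)

# CertificateRequest body, SSL 3.0 / TLS 1.0-1.1 layout: certificate_types
# (1-byte length + types) then certificate_authorities (2-byte total length,
# each entry a 2-byte-length-prefixed DER Name).  TLS 1.2 inserts a signature
# algorithm list between the two; that variant is not modelled here.
RSA_SIGN, DSS_SIGN = 1, 2

def build_certificate_request(cert_types, ca_dns):
    types = bytes([len(cert_types)]) + bytes(cert_types)
    cas = b"".join(struct.pack("!H", len(dn)) + dn for dn in ca_dns)
    return types + struct.pack("!H", len(cas)) + cas

def parse_certificate_request(body):
    """Return (certificate_types, [acceptable issuer DN strings])."""
    n = body[0]
    cert_types, pos = list(body[1:1 + n]), 1 + n
    (total,) = struct.unpack_from("!H", body, pos)
    pos, end = pos + 2, pos + 2 + total
    if end > len(body):
        raise ValueError("certificate_authorities runs past the message")
    cas = []
    while pos < end:
        (dn_len,) = struct.unpack_from("!H", body, pos)
        pos += 2
        cas.append(decode_dn(body[pos:pos + dn_len]))
        pos += dn_len
    return cert_types, cas

def select_client_cert(certs, body):
    """Client-side choice: a usable key whose issuer the server named.
    Real stacks also accept a cert whose chain reaches a named CA; this toy
    compares the direct issuer only.  None == Schannel's 'no suitable client
    certificate could be found', after which IIS answers the request with 403."""
    cert_types, acceptable = parse_certificate_request(body)
    for cert in certs:
        if (cert["key_type"] in cert_types and cert["has_private_key"]
                and cert["issuer"] in acceptable):
            return cert
    return None

# Constructed sample data (not taken from the thread).
CONTOSO_CA = [("C", "US"), ("O", "Contoso"), ("CN", "Contoso Issuing CA")]
SAMPLE_REQUEST = build_certificate_request([RSA_SIGN, DSS_SIGN], [encode_dn(CONTOSO_CA)])
CLIENT_CERTS = [
    # issued by a CA the server did not list: silently skipped
    {"subject": "CN=alexis", "issuer": "C=US,O=Fabrikam,CN=Fabrikam CA",
     "key_type": RSA_SIGN, "has_private_key": True},
    # right issuer, but the process has no access to the private key
    {"subject": "CN=alexis-old", "issuer": "C=US,O=Contoso,CN=Contoso Issuing CA",
     "key_type": RSA_SIGN, "has_private_key": False},
    {"subject": "CN=alexis-new", "issuer": "C=US,O=Contoso,CN=Contoso Issuing CA",
     "key_type": RSA_SIGN, "has_private_key": True},
]

if __name__ == "__main__":
    print(parse_certificate_request(SAMPLE_REQUEST))
    chosen = select_client_cert(CLIENT_CERTS, SAMPLE_REQUEST)
    print("offering", chosen["subject"] if chosen else "nothing")
```

Two of the three sample certificates are rejected for exactly the reasons discussed in this thread: the first because its issuer is not in the server's list, the second because the private key is not usable by the calling process. Only when both conditions hold is anything sent in the Certificate message; otherwise the SSL handshake still completes (the client simply answers with an empty certificate list), which is why a "handshake completed successfully" event and a 403 from IIS are not contradictory.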
  11. Mfenetre

    Mfenetre Guest

    Hello all,

    So finally I've been able to solve my problem.

    I had checked that root certification authorities were installed on
    client and server side, that the client had the right (I mean the
    ASPNET or "Network Service" process) to use the private key of the
    client certificate, that the client certificate was in the
    LOCAL_MACHINE\MY store, but I still had the 403 : Forbidden error.

    And finally the solution turned out to be the installation of the .Net
    Framework SP1, which apparently I had not installed. And then, magic,
    the error disappears, without changing a single line of code or
    configuration...

    How disappointing and not satisfying this solution can be... But, well,
    it works now.

    Thank you all again for your efforts,

    Regards,
    Alexis.
     
    Mfenetre, Oct 12, 2005
    #11
  12. There were some changes to how SSL client certificates work in SP1 of 1.1.
    As I recall, they changed the behavior to allow access to the machine store
    as well as MY store, but I can't remember for sure.

    Sorry we didn't mention this before. I honestly didn't know people ran with
    the service pack these days. It has been out for a long time and fixes a
    bunch of important stuff...

    Joe K.
     
    Joe Kaplan \(MVP - ADSI\), Oct 12, 2005
    #12
