The remote server returned an error: (403) Forbidden - even with a valid verisign certificate

aswathsn

Hello Folks,

Here is my problem:

I have a console app that is trying to connect to an ASP.NET web service
hosted by a third party that runs in secure mode (HTTPS). My code is
running on Windows 2000 Professional and the web service is running on
Windows 2003 Server ("SERVER"). As I said, the web service is running in
HTTPS mode using an SSL cert issued by VeriSign.

We have decided to use Mutual Authentication due to security concerns.
I have an SSL cert valid for Client Authentication installed on my
machine ("CLIENT"). Everything works fine when the IIS on the SERVER
doesn't require a client cert with every request. The CLIENT can
connect to the SERVER and get a response back.

But the moment the setting on the SERVER is changed to REQUIRE client
cert with every incoming request, I start getting the following
exception on line 69:

"The remote server returned an error: (403) Forbidden"

This is in spite of the fact that the CLIENT is attaching a valid client
authentication cert with the request. I have stepped through the
attached code to verify this.

On the SERVER side we are seeing the following error in the web logs:

"HTTP Error 403
403.7 Forbidden: Client certificate required"

From the error it looks like either the cert gets stripped from the
request en route to the SERVER (I don't know how this could happen!) or
the cert is being rejected for some other reason.

Any insights as to why this is happening or as to how to further debug
this problem would be highly appreciated.

Thanks

1    private static void TransmitSecure(string Url, string reqXml)
2    {
3        string errorMessage = "";
4        X509Certificate cert = null;
5        X509CertificateStore certstore = null;
6        X509CertificateCollection certcol = null;
7
8        string certName = "TestCert";
9
10       Encoding isoEncoding = Encoding.UTF8;
11       //string httpHeaders;
12
13       try
14       {
15           certstore = X509CertificateStore.LocalMachineStore(X509CertificateStore.MyStore);
16
17           certstore.OpenRead();
18
19           certcol = certstore.FindCertificateBySubjectString(certName);
20
21           cert = certcol[0];
22       }
23       catch(Exception ex)
24       {
25           // Close the X.509 certificate store.
26           if (certstore != null)
27           {
28               certstore.Close();
29           }
30
31           // No Client Certificate, No Mutual Authenticated SSL.
32           errorMessage = "Certificate Error! " + ex.Message.ToString();
33       }
34
35       // Close the X.509 certificate store.
36       if (certstore != null)
37       {
38           certstore.Close();
39       }
40
41       try
42       {
43           byte[] bytes;
44           string urlEncodedRequest = HttpUtility.UrlEncode(requestXml);
45           bytes = isoEncoding.GetBytes("acordXml=" + urlEncodedRequest);
46
47           HttpWebRequest wRequest = (HttpWebRequest)WebRequest.Create(partnerSiteUrl);
48
49           //Create WebRequest cast as HTTPWebRequest to access additional methods
50
51           WebProxy proxyObject = new WebProxy("YourProxyServerName", true);
52           proxyObject.Credentials = new NetworkCredential("UserID", "Password", "Domain");
53           wRequest.Proxy = proxyObject;
54
55           //Add the X.509 Certificate to the request
56           int i = wRequest.ClientCertificates.Add(cert);
57           wRequest.Method = "POST";
58           wRequest.ContentLength = bytes.Length;
59           wRequest.ContentType = "application/x-www-form-urlencoded";
60
61           Stream requestStream = wRequest.GetRequestStream();
62
63           using(requestStream)
64           {
65               requestStream.Write(bytes, 0, bytes.Length);
66           }
67
68           Stream dataStream;
69           HttpWebResponse wResponse = (HttpWebResponse)wRequest.GetResponse();
70
71           using(wResponse)
72           {
73               if(wResponse.StatusCode != HttpStatusCode.OK)
74               {
75                   errorMessage = String.Format("POST failed. Received HTTP {0}", wResponse.StatusCode.ToString());
76                   throw new Exception(errorMessage);
77               }
78
79               // Get HTTP Headers
80               //httpHeaders = wResponse.Headers.ToString();
81
82               // Get the stream containing content returned by the server.
83               dataStream = wResponse.GetResponseStream();
84
85               // Open the stream using a StreamReader
86               StreamReader reader = new StreamReader(dataStream);
87
88               // Read the content.
89               string responseXml = reader.ReadToEnd();
90
91               WriteToFile(responseXml);
92
93               // Cleanup the streams and the response.
94               reader.Close();
95               dataStream.Close();
96           }
97       }
98       catch(Exception wxcp)
99       {
100          errorMessage = "HTTPS Request Error! " + wxcp.Message;
101          WriteToFile(wxcp.Message);
102      }
103  }
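
One way to narrow this down on the client side, as an added example that is not part of the original post: a diagnostic that checks whether the certificate found for the post's "TestCert" subject has a private key the current account can open, is within its validity period, lists the Client Authentication EKU, and builds a trusted chain. It assumes .NET Framework 4.6 or later and uses System.Security.Cryptography.X509Certificates instead of the WSE X509CertificateStore class in the post; the ClientCertCheck and Diagnose names are hypothetical.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Hypothetical diagnostic (not from the thread): lists reasons a certificate
// may be unusable for TLS client authentication from the current account.
static class ClientCertCheck
{
    const string ClientAuthOid = "1.3.6.1.5.5.7.3.2"; // id-kp-clientAuth

    public static List<string> Diagnose(X509Certificate2 cert)
    {
        var problems = new List<string>();
        DateTime now = DateTime.Now;
        if (now < cert.NotBefore || now > cert.NotAfter)
            problems.Add("outside validity period");

        // The handshake needs the private key, not just the certificate.
        if (!cert.HasPrivateKey)
        {
            problems.Add("no private key associated with certificate");
        }
        else
        {
            try
            {
                using (RSA key = cert.GetRSAPrivateKey())
                {
                    if (key == null) problems.Add("private key is not RSA; check it separately");
                }
            }
            catch (CryptographicException ex)
            {
                // Typical when the key's ACL does not grant this account read access.
                problems.Add("private key not readable by this account: " + ex.Message);
            }
        }

        // If an EKU extension is present it must list Client Authentication.
        foreach (X509Extension ext in cert.Extensions)
        {
            var eku = ext as X509EnhancedKeyUsageExtension;
            if (eku == null) continue;
            bool found = false;
            foreach (Oid oid in eku.EnhancedKeyUsages)
                if (oid.Value == ClientAuthOid) found = true;
            if (!found) problems.Add("EKU present without Client Authentication");
        }

        using (var chain = new X509Chain())
        {
            chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck; // runs offline
            if (!chain.Build(cert))
                foreach (X509ChainStatus s in chain.ChainStatus)
                    problems.Add("chain: " + s.Status);
        }
        return problems;
    }

    static void Main(string[] args)
    {
        string subject = args.Length > 0 ? args[0] : "TestCert"; // subject name used in the post
        using (var store = new X509Store(StoreName.My, StoreLocation.LocalMachine))
        {
            store.Open(OpenFlags.ReadOnly);
            var matches = store.Certificates.Find(X509FindType.FindBySubjectName, subject, false);
            if (matches.Count == 0) Console.WriteLine("no certificate matches " + subject);
            foreach (X509Certificate2 cert in matches)
            {
                List<string> problems = Diagnose(cert);
                Console.WriteLine(cert.Thumbprint + ": " +
                    (problems.Count == 0 ? "no client-side problem found" : string.Join("; ", problems)));
            }
        }
    }
}
```

Run it under the same account as the failing application, since private-key access is per account. A clean result here points the investigation at the proxy path or the server's certificate trust settings.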
 
DerekJMiller1

Hi,

We are having exactly the same problem. Have tried getting the cert from the local
machine store and the www service account store, but neither works correctly.

ANYBODY FROM MSFT HAVE SOME INPUT PLEASE.



--
Derek


Dominick Baier

can you request the resource using a browser - does e.g. IE pop up the certificate
selector?

dominick
DerekJMiller1

Yeah, no problem accessing via browser. The issue is only when running in an
ASP.NET application. We thought it had something to do with where we were
picking up the cert and have tried from the www service account's store as
well as localmachine. No luck.

--
Derek


Dominick Baier

Hi,

maybe this helps:

http://go.microsoft.com/?linkid=5151512
-----
Dominick Baier (http://www.leastprivilege.com)