ASP.Net using a Client Certificate on IIS 6.0

 
 
CatpWilco
Guest
Posts: n/a
 
      08-03-2004
I have an ASP.Net application that uses a client
certificate to communicate to a third party.

Now, in Win2K, to install the Class 1 Client Certificate, you have to
log in as the ASPNET user (or whatever user the aspnet_wp runs as),
and install the certificate for that user.

In Win2003 (IIS 6.0), I have followed the same process and it does not
work. I have not been able to find documentation on this. Any tips
out there?


Although my question does not refer to any code, here is a sample to
give a better picture of what the ASP.Net app is doing.

    Imports System.Net
    Imports System.Security.Cryptography.X509Certificates

    Dim oRequest As HttpWebRequest
    Dim oResponse As HttpWebResponse
    Dim oClientCert As X509Certificate
    Dim POSTBuffer() As Byte
    Dim DataStream As System.IO.Stream
    Dim sr As System.IO.StreamReader
    Dim OutputString As String

    POSTBuffer = System.Text.Encoding.UTF8.GetBytes("DataToSend")

    ' Load the certificate from the file named in the application's configuration
    oClientCert = New X509Certificate( _
        X509Certificate.CreateFromCertFile(ApplicationConfig.CertificatePath))

    oRequest = CType(WebRequest.Create("http://ThirdPartyURL"), HttpWebRequest)
    oRequest.Credentials = CredentialCache.DefaultCredentials
    oRequest.ClientCertificates.Add(oClientCert)
    oRequest.Method = "POST"
    oRequest.ContentType = "application/x-www-form-urlencoded"

    Try
        ' Send the POST body
        DataStream = oRequest.GetRequestStream()
        DataStream.Write(POSTBuffer, 0, POSTBuffer.Length)
        DataStream.Close()

        '* * * * * * * * * * * * * * * * * * * * * * * * * *
        '* Code fails here due to a 403.1 error
        oResponse = CType(oRequest.GetResponse(), HttpWebResponse)
        sr = New System.IO.StreamReader(oResponse.GetResponseStream())
        OutputString = sr.ReadToEnd()
        sr.Close()
    Catch ex As Exception
        '(more boring code) ...
    End Try


Thanks,
R. Wilco
 
 
 
 
 
Jeffrey Hasan
Guest
Posts: n/a
 
      08-03-2004
I'm not sure what did not work, but in Win2003 you should sign in as a local
admin to install certificates. Are you just encrypting requests, or, are you
also decrypting responses? If it is the former then you should be good to
go. If it is the latter then you may need to grant the ASPNET account
permission to access the private key. Simon Horrell has an article that
clearly shows you how to do this. (His article relates to WSE but the same
principle applies to what you need to accomplish):

http://msdn.microsoft.com/library/de...e2wspolicy.asp

Good luck,

Jeffrey Hasan, MCSD
President, Bluestone Partners, Inc.
-----------------------------------------------
Author of: Expert SOA in C# Using WSE 2.0 (APress, 2004)
http://www.bluestonepartners.com/soa.aspx
 
 
 
 
CatpWilco
Guest
Posts: n/a
 
      08-04-2004
Thank you Jeffrey.

The link you provided is very informative but does not go in the right
direction for this issue. It did help me come across some other
links that helped.

I did make some progress.
By changing the Identity for the Application Pool
(http://msdn.microsoft.com/library/de...olsettings.asp)
to use the ASPNet account and logging onto the machine as the ASPNet
user, the web app worked. When I reboot the machine, the web app does
not work. So, this leads to the following:

When the ASPNET user account logs in, the credentials (which include
the client certificate installed for the ASPNET account) are loaded
and remain in memory for a while (or until reboot).

I am still stumped on getting the ASPNET credentials loaded without
logging into the machine as the ASPNET user. I am still looking for
some help on this one. Any ideas? I could write a windows service to
run as ASPNET and to startup automatically, but there must be a better
way. I think I am missing something where I set the Identity for the
Application Pool (or maybe not).

(General statement: If the root of the problem is not clear, let me
know and I can clarify the scenario)

Thanks,
RW
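
Added example, not part of any post in this thread and not the posters' code: one way to stop depending on the ASPNET account's profile being loaded is to keep the certificate in the LocalMachine store and look it up there at run time, checking that the worker process can actually open the private key. It assumes .NET Framework 2.0 or later (for X509Store and X509Certificate2) and a certificate with its key already installed in LocalMachine\My with read access on the key granted to the application pool identity; the thumbprint and URL are placeholders.

```vb
Imports System
Imports System.Net
Imports System.Security.Cryptography
Imports System.Security.Cryptography.X509Certificates

Module MachineStoreClientCert

    ' Finds the client certificate in LocalMachine\My (available without any
    ' user profile being loaded) and confirms this process can use its key.
    Function FindClientCertificate(ByVal thumbprint As String) As X509Certificate2
        Dim store As New X509Store(StoreName.My, StoreLocation.LocalMachine)
        store.Open(OpenFlags.ReadOnly)
        Try
            ' validOnly = False: return the certificate even if chain validation
            ' would fail, so the checks below can report the precise reason.
            Dim found As X509Certificate2Collection = _
                store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, False)
            If found.Count = 0 Then
                Throw New InvalidOperationException("Not found in LocalMachine\My: " & thumbprint)
            End If
            Dim cert As X509Certificate2 = found(0)
            If DateTime.Now < cert.NotBefore OrElse DateTime.Now > cert.NotAfter Then
                Throw New InvalidOperationException("Certificate is outside its validity period.")
            End If
            If Not cert.HasPrivateKey Then
                Throw New InvalidOperationException("Store entry has no associated private key.")
            End If
            Try
                ' HasPrivateKey does not check the key's ACL; opening the key does.
                Dim key As AsymmetricAlgorithm = cert.PrivateKey
            Catch ex As CryptographicException
                Throw New InvalidOperationException( _
                    "The process identity cannot read the private key.", ex)
            End Try
            Return cert
        Finally
            store.Close()
        End Try
    End Function

    Sub Main()
        ' Constructed placeholders: substitute the real thumbprint and HTTPS URL.
        Dim cert As X509Certificate2 = FindClientCertificate("<THUMBPRINT-PLACEHOLDER>")
        Dim request As HttpWebRequest = _
            CType(WebRequest.Create("https://thirdparty.example/"), HttpWebRequest)
        request.ClientCertificates.Add(cert)
        Console.WriteLine("Attached client certificate: " & cert.Subject)
    End Sub

End Module
```

Running the lookup under the same identity as the application pool separates the three failure cases (certificate missing, no key associated, key not readable by that identity) that otherwise all surface as a rejected request.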

 