Velocity Reviews - Computer Hardware Reviews

.Net client and SSL mutual authentication : 403 Forbidden, client certificate not sent

 
 
Mfenetre
10-10-2005
Hello all,

I'm trying to build a .Net client connecting to a Web service and I
want to use SSL with mutual authentication. The web service is designed
to require a client certificate.

I use .Net Framework v1.1.4322, IIS 6.0, Windows 2003 Srv and Visual
Studio.

So far I've been able to set up SSL with just server authentication, but I
can't succeed in writing a C# client using a client certificate.

I have a client certificate installed in the Personal Store of the
Administrator and I'm trying to use it with this piece of code:

// WSE 2.0 store classes (Microsoft.Web.Services2.dll); these usings go at the top of the file
using System;
using Microsoft.Web.Services2.Security.X509;

//opening the current user store
X509CertificateStore store =
X509CertificateStore.CurrentUserStore(X509CertificateStore.MyStore);
store.OpenRead();

//looking for the right certificate by its subject key identifier (base64 of the SKI bytes)
X509CertificateCollection col =
(X509CertificateCollection)store.FindCertificateByKeyIdentifier(Convert.FromBase64String("dUvy6QHZTkuzfwQFqh2ZvYE6gdE="));
if (col.Count == 0)
    throw new ApplicationException("client certificate not found in CurrentUser\\My");
X509Certificate cert = col[0];

//my proxy to the web service
CreditCardWebServiceMutAuth.CreditCardWebServiceMutAuth ws = new
CreditCardWebServiceMutAuth.CreditCardWebServiceMutAuth();

//adding the client certificate
ws.ClientCertificates.Add(cert);

[some personal code]

//getting the result
string resultString =
ws.analyzeCreditCard(creditCardNumberString, typeString, ownerString, expirationDateString);

And here it fails: I get a 403 error, Forbidden. It seems that the
client certificate is not sent/used by the .Net client.

What I am sure of:
# the certificate is in the current user store, Personal Store (I've tried
with the Local Machine store, but no success)
# I have the private key and I've granted access to this private key to
anyone
# I can access my web service as long as I don't require a client
certificate

Can you help me? Do you have any clue?

Thanks in advance,
Regards,

Alexis.

 
Dominick Baier [DevelopMentor]
10-10-2005
Hello Mfenetre,

Have you tried to access the WS with the browser and supply the same client
cert? Does that work?

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

Mfenetre
10-10-2005
Hello Dominick,

Yes, it works with IE or Firefox.
That's what makes me think that in my .Net client the client
certificate is not used/sent.
Perhaps it doesn't have access to the private key, but I've followed
this article:

http://msdn.microsoft.com/library/de...SecNetHT13.asp

and granted access to the "Network Service":

WinHttpCertCfg.exe -g -c LOCAL_MACHINE\MY -s "CreditCardClientSSL" -a "Network Service"

 
Peter Jakab
10-10-2005
Hi,
Did you try debugging your code?

At the
cert = col[0];
line, is there anything in col[0]?

Is your client an ASP.NET web application?

If so, is its application pool running under the Network Service identity?

Was the access grant with WinHttpCertCfg successful? (The command you
mentioned works only when the cert is installed in the LOCAL_MACHINE store!)

If your client is ASP.NET code, are you sure that impersonation is not
set?


I have these ideas at the moment.

You could also try loading the cert from a file instead of loading it from the store
with WSE 2.0.

You should try with a console or a Windows app first; if that works, you
could get one step further...

Regards

Peter

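The checks the replies above ask for (is the certificate in LOCAL_MACHINE\MY, does it carry a private key, can the worker identity read that key, and does a connection actually present it), collected into one script. This is an added example and not code from the thread. It assumes Windows PowerShell 5 on a current Windows version; the subject name "CreditCardClientSSL" is taken from the WinHttpCertCfg command in the thread as a placeholder, and $Url is a placeholder for the service address.

```powershell
# Added example, not from the original thread. Run elevated on the client
# machine. $SubjectName and $Url are placeholders.
param(
    [string]$SubjectName = 'CreditCardClientSSL',
    [string]$Url         = 'https://example.invalid/CreditCardWebServiceMutAuth.asmx',
    [string]$Identity    = 'NT AUTHORITY\NETWORK SERVICE'   # ASP.NET worker identity on IIS 6
)

# 1. The certificate must sit in the machine store: that is the store the
#    WinHttpCertCfg -c LOCAL_MACHINE\MY command manages, and the one a service
#    identity reaches without anyone's user profile being loaded.
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "*CN=$SubjectName*" } |
        Select-Object -First 1
if (-not $cert) { throw "No certificate with CN=$SubjectName in LocalMachine\My" }
"Thumbprint    : $($cert.Thumbprint)"
"Issuer        : $($cert.Issuer)"
"Valid until   : $($cert.NotAfter)"
"HasPrivateKey : $($cert.HasPrivateKey)"
# A certificate imported from a .cer file has no private key and can never be
# offered for client authentication; the .pfx has to be imported.
if (-not $cert.HasPrivateKey) { throw 'Certificate has no private key' }

# 2. Locate the key container file and check the ACE the worker identity gets.
#    WinHttpCertCfg -g does nothing more than add an ACE to this file.
$rsa = $null
try { $rsa = $cert.PrivateKey } catch { }   # throws for CNG keys on .NET Framework
if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
    $unique  = $rsa.CspKeyContainerInfo.UniqueKeyContainerName        # CAPI key
    $keyDirs = @("$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys")
} else {
    # CNG key (assumes .NET 4.6+): reach the key name through the extension method.
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
    if (-not $rsa) { throw 'Not an RSA key; adjust the container lookup' }
    $unique  = $rsa.Key.UniqueName
    $keyDirs = @("$env:ProgramData\Microsoft\Crypto\Keys",
                 "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys")
}
$keyFile = $keyDirs | ForEach-Object { Join-Path $_ $unique } |
           Where-Object { Test-Path $_ } | Select-Object -First 1
if (-not $keyFile) { throw "Key container '$unique' not found on disk (not elevated, or a user-profile key?)" }
$ace = (Get-Acl $keyFile).Access |
       Where-Object { $_.IdentityReference.Value -eq $Identity -and
                      $_.AccessControlType -eq 'Allow' -and
                      "$($_.FileSystemRights)" -match 'Read|Modify|FullControl' }
if ($ace) { "$Identity can read $keyFile" }
else      { "$Identity has NO read access to $keyFile (fix: icacls `"$keyFile`" /grant `"${Identity}:R`")" }

# 3. One TLS connection with the certificate attached. A handshake that
#    completes but is answered with 403 means the server never received a
#    certificate it accepts; IIS puts the sub-status (403.7, certificate
#    required) in the response body, not in the status code.
$req = [System.Net.HttpWebRequest]::Create($Url)
$req.ClientCertificates.Add($cert) | Out-Null
try {
    $resp = $req.GetResponse()
    "HTTP $([int]$resp.StatusCode): server accepted the client certificate"
    $resp.Close()
} catch [System.Net.WebException] {
    $r = $_.Exception.Response
    if ($r) { "HTTP $([int]$r.StatusCode) $($r.StatusDescription)" }
    else    { "Connection failed before HTTP: $($_.Exception.Message)" }
}
```

Step 3 runs under the account that launched the script, not under NETWORK SERVICE, so it proves the certificate itself is usable; the ACL check in step 2 is what tells you whether the worker process can use it too.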
 
Joe Kaplan (MVP - ADSI)
10-10-2005
Try using Filemon and Regmon (Sysinternals) to figure out what access is
being denied when the access to the private key occurs. Hopefully that will
work.

These things can be a huge pain to debug, but if you go with the machine
store and do the cert config thing you showed, you should be able to get
this to work.

Also, make sure the private key is not password protected, as IIS obviously
can't deal with that.

Joe K.

Dominick Baier [DevelopMentor]
10-10-2005
Hello Mfenetre,

So your client is running as Network Service? This means that the cert has
to be in the Local Machine/MY store; is that the case?

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

Mfenetre
10-11-2005
Hello all,

Thanks for all your answers, so let me answer all of these questions:

>Try using Filemon and Regmon (sysinternals)

OK, I don't know these tools, but I'll do that.

>Also, make sure the private key is not password protected as IIS obviously can't deal with that.

No password.

>So your client is running as network service?

Yes, I'm sure; I'm printing the identity on screen just to be sure.

>this means that the cert has to be in the Local Machine/MY store - is that the case?

Yes, that's the case.

> is there anything in the col[0] ?

Yes, I did some debugging and checked that the right certificate was found.

>Was the access grant with winhttpcertcfg successful?

Yes, I granted access to the private key for the user "Network Service".

>If your client is an asp.net code, are you sure, that impersonation is not set?

I tried impersonation with the user "Administrator", just to use the
Current User Store instead of the Local Machine Store, but no luck...

>You could also try loading the cert from file instead of loading from store with WSE 2.0.

I did that, but no luck either...

>You should try with a console or a windows app first, if that works you could get 1 step forth...

Good idea. I'll try that. So far I know it works with a browser.

Anyway, thank you Joe, Dominick and Peter for all your answers.

Regards,
Alexis.

 
Peter Jakab
10-11-2005
One more thing:
You should check whether there is a problem with the cert by switching logging on
for Schannel:

http://support.microsoft.com/?id=260729

And one more question:

With IE, did you get any notifications about the server certificate that you
had to bypass manually (for example, the site is not trusted, the cert and site
URLs don't match, or the cert is expired)?
In this case you can do this trick in a development environment:
http://weblogs.asp.net/jan/archive/2.../04/41154.aspx

Best regards

Peter


Mfenetre
10-11-2005
Well, I've switched logging on and apparently there is something strange.
When I try to do a single connection, I see many events in 'Event
Viewer':

"Creating an SSL client credential." -> 2 times: why 2 times?
"The remote server has requested SSL client authentication, but no
suitable client certificate could be found." -> well, OK, apparently no
client certificate is provided.

But what is strange is that I see this:

An SSL client handshake completed successfully. The negotiated
cryptographic parameters are as follows.

Protocol: SSL 3.0
Cipher: RC4
Cipher strength: 128
MAC: MD5
Exchange: RSA
Exchange strength: 1024

How is this possible? A successful client handshake? Then why do I
have a 403: Forbidden error?

 
Joe Kaplan (MVP - ADSI)
10-11-2005
Is it possible that the server doesn't trust the client certificate you are
trying to use?

Typically what happens during client certificate authentication is that the
server sends down to the client a list of the CAs it trusts (depending on
what trusted roots are configured on the server). Then the client looks
through this list and checks to see if the certificate matches that list.
If it does not, it will not be used.

Based on the first error, that might be the problem.

One other thing: impersonating the administrator does not load the
administrator's profile automatically, so the process would not necessarily
have access to the admin's personal certificate store.

Joe K.

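Peter's Schannel logging suggestion and Joe's explanation of the CA list, as one added script that is not code from the thread: it sets the EventLogging value that KB 260729 describes, makes one connection with the certificate attached, lists the Schannel events that connection produced, and builds the certificate's chain locally so the issuing CA can be compared with the CAs the server trusts. $Thumbprint and $Url are placeholders; it assumes Windows PowerShell 5 on a current Windows version.

```powershell
# Added example, not from the original thread. Run elevated on the client.
param(
    [Parameter(Mandatory = $true)][string]$Thumbprint,   # client cert in LocalMachine\My
    [string]$Url = 'https://example.invalid/CreditCardWebServiceMutAuth.asmx'
)

# 1. Schannel event logging level (KB 260729): 1 = errors, 2 = warnings,
#    4 = informational and success events; 7 logs everything. Schannel is a
#    system component, so the new value may only take effect after the
#    consuming process (or the machine) restarts. Set it back to 1 afterwards.
$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
Set-ItemProperty -Path $schannel -Name EventLogging -Value 7 -Type DWord

# 2. One connection with the certificate attached, timestamped so the events
#    below can be narrowed to this attempt alone.
$cert  = Get-Item "Cert:\LocalMachine\My\$Thumbprint"
$start = Get-Date
$req   = [System.Net.HttpWebRequest]::Create($Url)
$req.ClientCertificates.Add($cert) | Out-Null
try   { $resp = $req.GetResponse(); "HTTP $([int]$resp.StatusCode)"; $resp.Close() }
catch [System.Net.WebException] {
    if ($_.Exception.Response) { "HTTP $([int]$_.Exception.Response.StatusCode)" }
    else                       { "No HTTP response: $($_.Exception.Message)" }
}

# 3. Schannel logs to the System event log. "No suitable client certificate
#    could be found" alongside a successful handshake means the client held a
#    certificate but none whose issuer matched the CA names the server sent in
#    its CertificateRequest, so the handshake finished without one.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Schannel'; StartTime = $start } `
             -ErrorAction SilentlyContinue |
    Sort-Object TimeCreated |
    Format-Table TimeCreated, Id, LevelDisplayName, Message -AutoSize -Wrap

# 4. The chain the client builds for its own certificate. One of these issuers
#    (normally the root) must appear in the list of CAs the server advertises;
#    compare the subjects printed here with the "Acceptable client certificate
#    CA names" block that `openssl s_client -connect host:443` prints, or with
#    the server's Trusted Root Certification Authorities store.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$built = $chain.Build($cert)
"Local chain builds: $built"
foreach ($el in $chain.ChainElements) { "  " + $el.Certificate.Subject }
foreach ($st in $chain.ChainStatus)   { "  status: $($st.Status) $($st.StatusInformation.Trim())" }
# A certificate from a CA only the client trusts may chain cleanly here and
# still never be offered; that is exactly the "handshake completed, then 403"
# pattern the event log shows.
```

The point of building the chain on the client is that Schannel (and .NET's own client-certificate selection) filter the offered certificates by the issuer names the server sent; a certificate that fails that filter is silently dropped rather than rejected, which is why the client sees a successful handshake and an HTTP 403 instead of a TLS alert.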
 
 
 
Reply

Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
403: Forbidden when sending client certificate to remove web servi Raphael Gray ASP .Net Web Services 1 06-03-2009 02:19 PM
Access denied 403.7 client certificate Zerro ASP .Net Security 2 01-10-2008 01:28 PM
Tomcat client certificate authentication for SSL Sam Java 0 09-13-2006 05:25 PM
Getting 403 Forbidden error. Client Cert didn't sent Abel Chan ASP .Net Security 8 01-12-2006 08:30 AM
Error 403-Error 403-Error 403 willem joubert ASP .Net Web Services 1 02-08-2005 06:47 PM



Advertisments