Velocity Reviews - Computer Hardware Reviews


Getting 403 Forbidden error. Client Cert didn't get sent

 
 
Abel Chan
      12-18-2005
Hi there,

I am getting the 403 Forbidden error when I run the following code, which is
a very simple Windows application. BTW, I found a couple of similar problems
posted under dotnet.framework.asp.net.security, so I am posting this question here.

What I am trying to do is attach a client certificate and post an XML
document to a remote web site which enforces SSL and requires a client
certificate.

The client machine has a certificate installed under Certificates (Local
Computer) | Personal | Certificates. I have installed a valid Thawte
certificate and I also generated one using SelfSSL. They both give me the
same error message.

I also tried hitting the remote web site directly from IE. I got a pop-up
window with the title "Choose a digital certificate". However, I don't see any
certificate listed in the list. Why? I can see both the SelfSSL-generated
and the official Thawte certificate. I got a little bit confused. Is my
problem related to my code or a certificate security/setup issue? Could you
please help?

Thanks.

Abel Chan

-----------------------
Code extracted
------------------------
Imports System.Xml
Imports System.IO
Imports Microsoft.VisualBasic
Imports System.Diagnostics
Imports System.Net
Imports System.Security.Cryptography.X509Certificates

Public Class Form1
    Inherits System.Windows.Forms.Form

    ' Normally declared in the designer-generated code for the form.
    Friend WithEvents Button1 As System.Windows.Forms.Button

    Private Sub Button1_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles Button1.Click
        Dim oWebRequest As Net.HttpWebRequest = Nothing
        Dim oIOStream As System.IO.Stream = Nothing
        Dim oWebResponse As Net.HttpWebResponse = Nothing
        Dim oReader As System.IO.StreamReader
        Dim oResponseStream As System.IO.Stream
        Dim strData As String
        Dim docXMLDoc As New XmlDocument
        Dim txtResponse As String
        Dim strException As String = ""

        Dim myURL As String = "https://[mywebsite]/[mydir]/[myurl.asp]"

        Dim ServerTimeOut As Integer = 60000

        Try
            ' A .cer file holds only the public certificate, never the private key.
            Dim Cert As X509Certificate = _
                X509Certificate.CreateFromCertFile("c:\[Path containing my cer]\mycer.cer")

            ' Install TrustAllCertificatePolicy, which returns TRUE for every
            ' server certificate on all SSL web requests (no server validation).
            System.Net.ServicePointManager.CertificatePolicy = New TrustAllCertificatePolicy

            ' Load soap envelope
            strData = "<MyTestXML>Hi</MyTestXML>"

            ' Setup request URL
            oWebRequest = CType(Net.WebRequest.Create(myURL), Net.HttpWebRequest)

            ' Attach the client certificate to the request
            oWebRequest.ClientCertificates.Add(Cert)

            ' Encode the body first so ContentLength counts bytes, not characters
            Dim arrData As Byte() = System.Text.Encoding.ASCII.GetBytes(strData)

            ' Setup request parameters
            oWebRequest.ContentType = "text/xml"
            oWebRequest.Method = "POST"
            oWebRequest.ContentLength = arrData.Length
            oWebRequest.KeepAlive = True
            oWebRequest.Timeout = ServerTimeOut

            ' Write to stream
            oIOStream = oWebRequest.GetRequestStream()
            oIOStream.Write(arrData, 0, arrData.Length)
            oIOStream.Flush()

            ' Get the response from web address
            oWebResponse = CType(oWebRequest.GetResponse(), Net.HttpWebResponse)
            If oWebResponse.StatusCode <> Net.HttpStatusCode.OK Then
                txtResponse = ""
                strException = oWebResponse.StatusDescription
                GoTo exitfunction
            End If

            ' Get response stream
            oResponseStream = oWebResponse.GetResponseStream()

        Catch ex As WebException
            ' A 403 surfaces here: GetResponse throws for non-success status codes
            strException = "Message: " + ex.Message + " Source: " + ex.Source
            MsgBox(strException)

        Finally
            ' Close resources
            If Not (oIOStream Is Nothing) Then oIOStream.Close()
            If Not (oWebResponse Is Nothing) Then oWebResponse.Close()
        End Try

exitfunction:

    End Sub
End Class

Public Class TrustAllCertificatePolicy
    Implements System.Net.ICertificatePolicy

    ' Accepts every server certificate regardless of certificateProblem,
    ' which disables server-side SSL validation for the whole process.
    Public Function CheckValidationResult(ByVal srvPoint As System.Net.ServicePoint, _
            ByVal certificate As System.Security.Cryptography.X509Certificates.X509Certificate, _
            ByVal request As System.Net.WebRequest, ByVal certificateProblem As Integer) As Boolean _
            Implements System.Net.ICertificatePolicy.CheckValidationResult
        Dim myname As String = certificate.GetName()
        Return True
    End Function
End Class


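The post above loads the client certificate from a .cer file and installs a trust-all server policy. As an added example (not Abel's code and not from any reply in the thread), the following VB.NET program does the same POST but takes the certificate from the LocalMachine\Personal store the thread uses, refuses to proceed when no private key is attached, and validates the server certificate with the .NET 2.0 ServerCertificateValidationCallback instead of accepting everything. It assumes .NET Framework 2.0 or later; the thumbprint and URL are placeholders.

```vb
' Added example, not code from the thread: post XML over HTTPS with a client
' certificate that carries its private key, and validate the server certificate
' instead of trusting every one. Assumes .NET Framework 2.0 or later; the
' thumbprint and URL below are placeholders.
Imports System
Imports System.IO
Imports System.Net
Imports System.Net.Security
Imports System.Security.Cryptography.X509Certificates
Imports System.Text

Module ClientCertPost

    ' Look the certificate up by thumbprint in LocalMachine\Personal (the store
    ' used in the thread) and refuse to continue without a private key: without
    ' it the TLS handshake cannot prove possession of the certificate.
    Public Function FindClientCert(ByVal thumbprint As String) As X509Certificate2
        Dim store As New X509Store(StoreName.My, StoreLocation.LocalMachine)
        store.Open(OpenFlags.ReadOnly)
        Try
            Dim matches As X509Certificate2Collection = _
                store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, False)
            If matches.Count = 0 Then
                Throw New InvalidOperationException("No certificate with that thumbprint in LocalMachine\My.")
            End If
            Dim cert As X509Certificate2 = matches(0)
            If Not cert.HasPrivateKey Then
                Throw New InvalidOperationException( _
                    "Certificate has no private key; TLS client authentication cannot succeed.")
            End If
            Return cert
        Finally
            store.Close()
        End Try
    End Function

    ' Server certificate check: accept only when the platform reports no policy
    ' errors (name mismatch, untrusted chain, and so on). This replaces the
    ' trust-all ICertificatePolicy from the thread.
    Public Function ValidateServer(ByVal sender As Object, ByVal certificate As X509Certificate, _
                                   ByVal chain As X509Chain, ByVal errors As SslPolicyErrors) As Boolean
        Return errors = SslPolicyErrors.None
    End Function

    ' POST the XML body with the client certificate attached and return the
    ' response body. A non-success status surfaces as a WebException from GetResponse.
    Public Function PostXml(ByVal url As String, ByVal xml As String, _
                            ByVal cert As X509Certificate2) As String
        ServicePointManager.ServerCertificateValidationCallback = AddressOf ValidateServer
        Dim body As Byte() = Encoding.UTF8.GetBytes(xml)
        Dim request As HttpWebRequest = CType(WebRequest.Create(url), HttpWebRequest)
        request.Method = "POST"
        request.ContentType = "text/xml; charset=utf-8"
        request.ContentLength = body.Length        ' bytes, not characters
        request.Timeout = 60000
        request.ClientCertificates.Add(cert)
        Using rs As Stream = request.GetRequestStream()
            rs.Write(body, 0, body.Length)
        End Using
        Using response As HttpWebResponse = CType(request.GetResponse(), HttpWebResponse)
            Using reader As New StreamReader(response.GetResponseStream())
                Return reader.ReadToEnd()
            End Using
        End Using
    End Function

    Sub Main()
        Try
            ' Placeholder values; substitute your own certificate thumbprint and endpoint.
            Dim cert As X509Certificate2 = FindClientCert("PLACEHOLDER_THUMBPRINT")
            Console.WriteLine(PostXml("https://example.invalid/post.asp", "<MyTestXML>Hi</MyTestXML>", cert))
        Catch ex As WebException
            ' Report the HTTP status (the 403 from the thread) rather than only the message text.
            Dim resp As HttpWebResponse = TryCast(ex.Response, HttpWebResponse)
            If resp Is Nothing Then
                Console.WriteLine("Request failed before a response arrived: " & ex.Message)
            Else
                Console.WriteLine("HTTP " & CInt(resp.StatusCode).ToString() & " " & resp.StatusDescription)
            End If
        End Try
    End Sub
End Module
```

When the server is IIS 6, the W3C log's sc-substatus column separates the 403 causes the HTTP status line hides: 403.7 (client certificate required, so none was sent), 403.16 (the certificate was sent but is untrusted or invalid) and 403.17 (expired or not yet valid). A certificate loaded from a .cer file without its private key produces the first of these, because the client never completes the certificate part of the handshake.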
Dominick Baier [DevelopMentor]
      12-18-2005
Hello Abel,

maybe this helps:
http://www.leastprivilege.com/IIS6An...tificates.aspx

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

Abel Chan
      12-19-2005
Hi Dominick,

Thanks for your prompt response. I really appreciate it.

I took the suggestion stated at
http://www.leastprivilege.com/IIS6An...tificates.aspx

and enabled Client Authentication under Thawte Premium Server CA. Now
if I look at the official Thawte client cert's properties, I can see both Server
and Client Authentication are checked.

However, I am still getting the same 403 error when I run the code. If I
bring up IE, I still can't see my client cert as an available option. Did
I miss a step?

Thanks.

Abel

Dominick Baier [DevelopMentor]
      12-19-2005
Hello Abel,

is the CA trusted on both client and server?


---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

Abel Chan
      12-19-2005
Hi there,

I believe the CA is trusted on both client and server.

To be 100% sure, the following is how I set up the certificate:

Server side
-------------
1) Purchased an official SSL Web Server certificate issued by Thawte Premium
Server CA.
2) Installed the SSL Web Server certificate on a backup server, which has
BizTalk on it.
3) Tested the certificate by posting a document to an external web site (https
posting) through a BizTalk channel, attaching the SSL Web Server
certificate. It passed the test, so I am 100% sure the certificate is
installed correctly.
4) Exported the SSL Web Server certificate without a private key. (I tried
with the private key before. I don't see any difference. Just to make it simple,
without a private key.)

Client side
-------------
1) Go to an XP client machine | MMC | Certificates and install the exported
certificate into Certificates (Local Computer) | Personal | Certificates.
2) Double-click on the certificate and it shows: This certificate is
intended for the following purpose(s): Ensures the identity of a remote
computer. Proves your identity to a remote computer. All other information
is correct, including the expiration date.
3) Go to Certificates (Local Computer) | Trusted Root Certification
Authorities | Certificates. Select Thawte Premium Server CA. Right-click,
Properties, and go to the General tab.
4) Check the Client Authentication check box.
5) Go back to Certificates (Local Computer) | Personal | Certificates.
Select the installed certificate. Right-click, Properties, and go to the
General tab.
6) Verified that both the Server Authentication and Client Authentication check
boxes are checked.
7) Bring up IE and try to hit the same external web site as described in
Server Side Step 3) above. (I don't have BizTalk installed on my client
machine.) A "Choose a digital certificate" window pops up, but no
certificate is available in the list. Click OK and I get a 403 error.
Run the sample application that I posted in my first message; I get a 403
error also.

I just don't know where I messed up the setup process. I follow all standard
procedures but … Could you please help me again?

Thanks a lot.

Abel




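The setup steps above and the earlier question about CA trust can be checked from code rather than by eye. The following VB.NET audit is an added example (not from the thread) that walks LocalMachine\Personal and reports, for each certificate, whether a private key is attached, whether the signed Enhanced Key Usage extension lists Client Authentication, and whether a chain builds to a trusted root for that purpose. The EKU check reads the extension inside the certificate itself; the "Certificate purposes" check boxes in the MMC Properties dialog change a local store property and do not alter that extension. It assumes .NET Framework 2.0 or later.

```vb
' Added example, not code from the thread: audit LocalMachine\Personal for
' certificates usable for TLS client authentication. Assumes .NET 2.0 or later.
Imports System
Imports System.Collections.Generic
Imports System.Security.Cryptography
Imports System.Security.Cryptography.X509Certificates

Module ClientCertAudit

    ' OID for the Client Authentication enhanced key usage (id-kp-clientAuth).
    Private Const ClientAuthOid As String = "1.3.6.1.5.5.7.3.2"

    ' Reads the signed EKU extension. A certificate with no EKU extension is
    ' valid for any purpose; one with an EKU must list Client Authentication.
    Public Function HasClientAuthEku(ByVal cert As X509Certificate2) As Boolean
        Dim ekuFound As Boolean = False
        For Each ext As X509Extension In cert.Extensions
            Dim eku As X509EnhancedKeyUsageExtension = TryCast(ext, X509EnhancedKeyUsageExtension)
            If eku Is Nothing Then Continue For
            ekuFound = True
            For Each oid As Oid In eku.EnhancedKeyUsages
                If oid.Value = ClientAuthOid Then Return True
            Next
        Next
        Return Not ekuFound
    End Function

    ' Builds the chain with Client Authentication as the required application
    ' policy, so an untrusted issuer or a server-only certificate shows up in
    ' ChainStatus instead of silently passing. Returns an empty array on success.
    Public Function ChainProblems(ByVal cert As X509Certificate2) As String()
        Dim chain As New X509Chain()
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck   ' offline check; enable in production
        chain.ChainPolicy.ApplicationPolicy.Add(New Oid(ClientAuthOid))
        If chain.Build(cert) Then Return New String() {}
        Dim problems As New List(Of String)
        For Each status As X509ChainStatus In chain.ChainStatus
            problems.Add(status.Status.ToString() & ": " & status.StatusInformation.Trim())
        Next
        Return problems.ToArray()
    End Function

    Public Sub AuditStore()
        Dim store As New X509Store(StoreName.My, StoreLocation.LocalMachine)
        store.Open(OpenFlags.ReadOnly)
        Try
            For Each cert As X509Certificate2 In store.Certificates
                Console.WriteLine(cert.Subject)
                Console.WriteLine("  thumbprint:      " & cert.Thumbprint)
                Console.WriteLine("  private key:     " & cert.HasPrivateKey.ToString())
                Console.WriteLine("  client auth EKU: " & HasClientAuthEku(cert).ToString())
                Dim problems As String() = ChainProblems(cert)
                If problems.Length = 0 Then
                    Console.WriteLine("  chain:           OK for client authentication")
                Else
                    For Each p As String In problems
                        Console.WriteLine("  chain problem:   " & p)
                    Next
                End If
            Next
        Finally
            store.Close()
        End Try
    End Sub

    Sub Main()
        AuditStore()
    End Sub
End Module
```

A certificate that the IE chooser leaves out of its list will usually fail one of these three lines: no private key (exported without it, or imported into a store the current account cannot read), an EKU of Server Authentication only, or a chain that does not end at a root in Trusted Root Certification Authorities on the client.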
thawte
      12-21-2005
Hi there Abel

I'd advise that you try exporting the SSL certificate again; however,
include the option for exporting the private key as well, and then try
the process again. The private key is a very important component in a
certificate key pair and could be the cause of the problem you are
experiencing.

Regards
Marshall

Abel Chan
      12-21-2005
Hi Marshall,

I tried it, and the exported certificate now includes the private
key. I am still getting the 403 error. :<

Abel

Joe Kaplan (MVP - ADSI)
      12-21-2005
Are you positive the identity that is trying to access the private key has
access to it? For example, if this process runs in a web app but the
private key is associated with your user account, the web app won't have your
profile loaded when it goes to access the private key.

You generally need to make sure the private key is properly associated with
a cert in the machine store and that the account running in the web app has
rights to read the private key.

Joe K.

"Abel Chan" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Hi Marshall,
>
> I tried and the certificate now includes the option for exporting the private
> key. I am still getting the 403 error. :<
>
> Abel
>
> "thawte" wrote:
>
>> Hi there Abel
>>
>> I'd advise that you try exporting the SSL certificate again, however
>> include the option for exporting the private key as well, and then try
>> the process again. The private key is a very important component in a
>> certificate key pair and could be the cause of the problem you
>> experience.
>>
>> Regards
>> Marshall
>>
>> Abel Chan wrote:
>> > Hi there,
>> >
>> > I believe the CA is trusted on both client and server.
>> >
>> > To be 100% sure, the following is how I set up the certificate:
>> >
>> > Server side
>> > -------------
>> > 1) Purchased an official SSL Web Server certificate issued by Thawte
>> > Premium Server CA.
>> > 2) Installed the SSL Web Server certificate on a backup server, which
>> > has BizTalk on it.
>> > 3) Tested the certificate by posting a document to an external web site
>> > (https posting) through a BizTalk channel by attaching the SSL Web
>> > Server certificate. It passed the test, so I am 100% sure the
>> > certificate is installed correctly.
>> > 4) Exported the SSL Web Server certificate without a private key. (I
>> > tried with the private key before. I don't see any difference. Just to
>> > make it simple, without a private key.)
>> >
>> > Client side
>> > -------------
>> > 1) Go to an XP client machine | MMC | Certificate and install the
>> > exported certificate into Certificate (Local Computer) | Personal |
>> > Certificate.
>> > 2) Double click on the certificate and it shows: This certificate is
>> > intended for the following purpose(s): Ensures the identity of a remote
>> > computer. Proves your identity to a remote computer. All other
>> > information is correct, including expiration date.
>> > 3) Go to Certificate (Local Computer) | Trusted Root Certification
>> > Authorities | Certificates. Select Thawte Premium Server CA. Right
>> > mouse click Properties and go to the General tab.
>> > 4) Check the Client Authentication check box.
>> > 5) Go back to Certificate (Local Computer) | Personal | Certificate.
>> > Select the installed certificate. Right mouse click Properties and go
>> > to the General tab.
>> > 6) Verified that both the Server Authentication and Client Authentication
>> > check boxes are checked.
>> > 7) Bring up IE and try to hit the same external web site as described in
>> > Server Side step 3) above. (I don't have BizTalk installed on my client
>> > machine.) A "Choose a digital certificate" window pops up but no
>> > certificate is available from the list. Click OK and I get a 403 error.
>> > Run the sample application that I posted in my first message. I get a
>> > 403 error also.
>> >
>> > I just don't know where I messed up the setup process. I followed all
>> > standard procedures but ... Could you please help me again?
>> >
>> > Thanks a lot.
>> >
>> > Abel
>> >
>> >
>> > "Dominick Baier [DevelopMentor]" wrote:
>> >
>> > > Hello Abel,
>> > >
>> > > is the CA trusted on both client and server?
>> > >
>> > >
>> > > ---------------------------------------
>> > > Dominick Baier - DevelopMentor
>> > > http://www.leastprivilege.com
>> > >
>> > > > Hi Dominick,
>> > > >
>> > > > Thanks for your prompt response. I really appreciate it.
>> > > >
>> > > > I took the suggestion stated at
>> > > > http://www.leastprivilege.com/IIS6An...tificates.aspx
>> > > >
>> > > > and enabled Client Authentication under Thawte Premium Server CA.
>> > > > Now if I look at the official Thawte client cert's properties, I can
>> > > > see both Server and Client Authentication are checked.
>> > > >
>> > > > However, I am still getting the same 403 error when I run the code.
>> > > > If I bring up my IE, I still can't see my client cert as an
>> > > > available option. Did I miss a step?
>> > > >
>> > > > Thanks.
>> > > >
>> > > > Abel
>> > > >
>> > > > "Dominick Baier [DevelopMentor]" wrote:
>> > > >
>> > > >> Hello Abel,
>> > > >>
>> > > >> maybe this helps:
>> > > >> http://www.leastprivilege.com/IIS6An...tificates.aspx
>> > > >> ---------------------------------------
>> > > >> Dominick Baier - DevelopMentor
>> > > >> http://www.leastprivilege.com

>>
>>



 
Reply With Quote
 
Abel Chan
      01-12-2006
Hi Joe and others,

After talking to Thawte and confirming with MS, I made two mistakes here:
1) Exporting a server side certificate (from my 2000 server box) and putting it
on a client machine (my XP Pro with SP2) won't work at all. I need a CLIENT
certificate. I have 2 ways to get it: a) Pay Verisign or b) Get a FREE
personal/email certificate from Thawte. For this application, I picked b).

2) After I installed the FREE client certificate from Thawte, now I can see
the certificate in my IE. However, it still won't work in my .NET code.


After doing some searching on Google, I found this article:
http://blogs.msdn.com/kevinha/archiv...15/373254.aspx

Basically, when I import the certificate into the certificate store, I need
to UNCHECK the option "Enable strong private key protection". This solved the
whole problem. :>

Thanks all for your help.

Abel Chan

"Joe Kaplan (MVP - ADSI)" wrote:

> Are you positive the identity that is trying to access the private key has
> access to it? For example, if this process runs in a web app but the
> private key is associated to your user account, the web app won't have your
> profile loaded when it goes to access the private key.
>
> You generally need to make sure the private key is properly associated with
> a cert in the machine store and that the account running in the web app has
> rights to read the private key.
>
> Joe K.
>
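Added diagnostic, not part of any post in this thread: a Windows PowerShell script that checks, for one certificate in Cert:\LocalMachine\My, the three things the replies above turn on. Joe's point is that the account running the code must be able to read the private key; Abel's resolution is that the certificate must be a client certificate (Client Authentication EKU) imported together with its private key. The thumbprint, the account name and the URL are placeholders to replace, and the key-file folders are the standard machine-key locations under %ProgramData%; the Invoke-WebRequest step stands in for the VB.NET HttpWebRequest code at the top of the thread.

```powershell
# Added example, not from the thread. Checks the three things the replies above
# point at for a certificate in Cert:\LocalMachine\My, and can optionally grant
# the running account read access to the private key file.
# Placeholders (assumptions, not from the thread): $Thumbprint, $Identity, $Url.
param(
    [string]$Thumbprint = '0000000000000000000000000000000000000000',  # replace with the real thumbprint
    [string]$Identity   = 'NT AUTHORITY\NETWORK SERVICE',              # the account the .NET code runs as
    [string]$Url        = '',                                          # optional HTTPS endpoint for a live test
    [switch]$Grant                                                     # add a Read ACE instead of only reporting
)

$ErrorActionPreference = 'Stop'
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth

$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) { throw "No certificate with thumbprint $Thumbprint in LocalMachine\My." }
Write-Host "Subject       : $($cert.Subject)"

# 1) Purpose. An "SSL Web Server" certificate carries only Server Authentication
#    in its EKU extension, so IE leaves it out of the "Choose a digital certificate"
#    list. A certificate with no EKU extension at all is valid for any purpose.
$ekuExt = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
$clientAuth = if ($ekuExt) {
    [bool]($ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq $ClientAuthOid })
} else { $true }
Write-Host "Client Auth   : $clientAuth"
if (-not $clientAuth) { throw 'Not a client certificate; you need one issued with the Client Authentication EKU.' }

# 2) Private key. A .cer exported without the key can identify a remote server
#    but cannot prove anything to it; HasPrivateKey must be True in this store.
Write-Host "HasPrivateKey : $($cert.HasPrivateKey)"
if (-not $cert.HasPrivateKey) { throw 'No private key in this store; import the PFX including the private key.' }

# 3) Key file ACL. Machine keys are plain files under %ProgramData%\Microsoft\Crypto;
#    legacy CSP (CAPI) keys and CNG keys live in different folders.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
$keyPath = $null
if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
    $keyPath = Join-Path $env:ProgramData ('Microsoft\Crypto\RSA\MachineKeys\' + $rsa.CspKeyContainerInfo.UniqueKeyContainerName)
} elseif ($rsa -is [System.Security.Cryptography.RSACng]) {
    $keyPath = Join-Path $env:ProgramData ('Microsoft\Crypto\Keys\' + $rsa.Key.UniqueName)
}
if (-not $keyPath -or -not (Test-Path -LiteralPath $keyPath)) {
    throw 'Could not locate the key file (non-RSA key, smart card, or a key kept in a user profile instead of the machine store).'
}
Write-Host "Key file      : $keyPath"

# Only explicit Allow ACEs for $Identity are checked; access inherited through
# group membership (e.g. Administrators) is not resolved here.
$acl = Get-Acl -LiteralPath $keyPath
$canRead = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.IdentityReference.Value -eq $Identity -and
    (($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::Read) -eq [System.Security.AccessControl.FileSystemRights]::Read)
}
Write-Host "Read for $Identity : $([bool]$canRead)"
if (-not $canRead) {
    if ($Grant) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Identity, 'Read', 'Allow')
        $acl.AddAccessRule($rule)
        Set-Acl -LiteralPath $keyPath -AclObject $acl     # needs an elevated prompt
        Write-Host "Granted Read on the key file to $Identity."
    } else {
        Write-Warning "$Identity cannot read the private key; rerun with -Grant from an elevated prompt."
    }
}

# 4) Optional live test: post an XML document with the client certificate attached,
#    the same operation the VB.NET code at the top of the thread does with HttpWebRequest.
if ($Url) {
    $xml = '<?xml version="1.0"?><ping/>'   # constructed sample body
    $resp = Invoke-WebRequest -Uri $Url -Method Post -Body $xml -ContentType 'text/xml' -Certificate $cert
    Write-Host "HTTP $($resp.StatusCode) from $Url"
}
```

Run it from an elevated Windows PowerShell 5.1 (or PowerShell 7 on Windows) prompt, since reading the key file's ACL and adding an ACE both need administrator rights, and GetRSAPrivateKey needs .NET Framework 4.6 or later. Two things the script cannot see are worth checking by hand: a certificate sitting in the current user's Personal store rather than Local Computer is invisible to a service or web app running as another account, and a key imported with "Enable strong private key protection" checked prompts for confirmation on every use, which a non-interactive process can never answer, so that PFX must be re-imported with the box unchecked, as the last post in the thread concludes.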


 