403: Forbidden when sending client certificate to remove web servi

 
 
Raphael Gray
      05-22-2009
Summary:
I am accessing a remote web service as a client and passing a client
certificate as part of a call. The client certificate works perfectly when
checking via a local user account to access the data. It also works on my
local PC. On the Windows 2003 Server it is failing. I have tried several
options as outlined below to make this work.

Environment:
Windows Server 2003 SP3, .Net 2.0.50727, IIS 6.0

Application:
C# .Net web page. This is calling the WebService via a proxy and using the
WSE 3.0 classes to get the certificate.

Certificate:
The certificate is an X509 pfx that includes the private key and works fine
from a local user account.

Code Sample:
//Certificate Collection Location where certificate is gathered from
X509Store store = new X509Store(StoreName.My, StoreLocation.LocalMachine);

//Request
Proxy myProxy = new Proxy();
myProxy.ClientCertificates.Add(signatureToken.Certificate);
string myResult = myProxy.Execute(xmlString);



Error: I then receive a WebException as: The request failed with HTTP
status 403: Forbidden.


Setup/Attempted Solutions:
1. Ensured that the certificate includes the private key
(signatureToken.Certificate.HasPrivateKey).

2. Ensured that the Security needed should be the NT Authority\Network
Service Account.

3. Ensured that the Certificate was in the Local Machine Store Personal
Certificates Repository. (using MMC - Certificates Add-In - Ensured this
was added to the local machine store - Personal Folder).

4. Used WinHttpCertCfg.exe to ensure that needed accounts should have
authority to the certificate: ("C:\Program Files\Windows Resource
Kits\Tools\WinHttpCertCfg.exe" -g -c LOCAL_MACHINE\MY -s "CertName" -a
"Server\NETWORK SERVICE") (Confirmation using -l method: Additional
accounts and groups with access to the private key include:
BUILTIN\Administrators
NT AUTHORITY\SYSTEM
NT AUTHORITY\NETWORK SERVICE)
I also have tried adding the ASPNet and IUSR_MACHINE securities for this.


This seems to have followed all the instructions I have seen and I have
combed the posts for several hours looking for a resolution. Sorry about the
glut of info, but I wanted to ensure that steps already taken were known.
I'm sorry about any posting etiquette issues as well, as I post very
infrequently.

Thanks
 
Raphael Gray
      06-03-2009
Issue Resolution:

This was a Verisign Class 1 Individual CA - G2.

The problem ended up being the chaining of the certificates.

On Windows Server 2003, when the certificate was imported into the local
machine store, the certificate and all of the intermediate and root
certificates were being pulled into the "Local" store.

Once I identified the intermediate certificate and moved it into the
Intermediate CA location, the process worked.




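A read-only check for the condition described in the resolution above, added here as an example and not part of the original posts: it lists CA certificates sitting in the Local Machine Personal store and names the store each would normally live in. The class and method names are hypothetical, and treating a certificate whose subject equals its issuer as a root is an assumption of this example.

```csharp
// Added example, not code from the thread. Read-only: it changes no store.
using System;
using System.Security.Cryptography.X509Certificates;

static class MisplacedCaCertCheck // hypothetical name
{
    // True when the certificate's Basic Constraints extension says CA=TRUE.
    static bool IsCa(X509Certificate2 cert)
    {
        foreach (X509Extension ext in cert.Extensions)
        {
            X509BasicConstraintsExtension bc = ext as X509BasicConstraintsExtension;
            if (bc != null) return bc.CertificateAuthority;
        }
        return false;
    }

    // Assumption: equal subject and issuer names mean self-signed (some older roots carry no Basic Constraints).
    static bool IsSelfSigned(X509Certificate2 cert)
    {
        return cert.SubjectName.Name == cert.IssuerName.Name;
    }

    static int Main()
    {
        int misplaced = 0;
        X509Store my = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        my.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
        try
        {
            foreach (X509Certificate2 cert in my.Certificates)
            {
                // Certificates with a private key are identities (e.g. the client cert) and belong here.
                if (cert.HasPrivateKey) continue;
                bool selfSigned = IsSelfSigned(cert);
                if (!selfSigned && !IsCa(cert)) continue;
                StoreName target = selfSigned ? StoreName.Root : StoreName.CertificateAuthority;
                misplaced++;
                Console.WriteLine("CA certificate in Personal store: {0}", cert.Subject);
                Console.WriteLine("  thumbprint : {0}", cert.Thumbprint);
                Console.WriteLine("  belongs in : LocalMachine\\{0}", target);
            }
        }
        finally { my.Close(); }
        Console.WriteLine("{0} misplaced CA certificate(s) found.", misplaced);
        return misplaced == 0 ? 0 : 1;
    }
}
```

In the Certificates MMC snap-in, `StoreName.CertificateAuthority` appears as "Intermediate Certification Authorities" and `StoreName.Root` as "Trusted Root Certification Authorities".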
 