Re: ASP.Net using a Client Certificate on IIS 6.0

From: CatpWilco (captwilco2002_at_yahoo.com)
Date: 08/04/04


Date: 4 Aug 2004 11:51:44 -0700

Thank you Jeffrey.

The link you provided is very informative but does not go in the right
direction for this issue. It did help me come across some other
links that helped.

I did make some progress.
By changing the Identity for the Application Pool (
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpguide/html/cpconidentityapplicationpoolsettings.asp
) to use the ASPNet account and logging onto the machine as the ASPNet
user, the web app worked. When I reboot the machine, the web app does
not work. So, this leads to the following:

When the ASPNET user account logs in, the credentials (which include
the client certificate installed for the ASPNET account) are loaded
and remain in memory for a while (or until reboot).

I am still stumped on getting the ASPNET credentials loaded without
logging into the machine as the ASPNET user. I am still looking for
some help on this one. Any ideas? I could write a windows service to
run as ASPNET and to startup automatically, but there must be a better
way. I think I am missing something where I set the Identity for the
Application Pool (or maybe not).

(General statement: If the root of the problem is not clear, let me
know and I can clarify the scenario)

Thanks,
RW

"Jeffrey Hasan" <jeff@noreply.com> wrote in message news:<e9hQUeaeEHA.3792@TK2MSFTNGP09.phx.gbl>...
> I'm not sure what did not work, but in Win2003 you should sign in as a local
> admin to install certificates. Are you just encrypting requests, or, are you
> also decrypting responses? If it is the former then you should be good to
> go. If it is the latter then you may need to grant the ASPNET account
> permission to access the private key. Simon Horrell has an article that
> clearly shows you how to do this. (His article relates to WSE but the same
> principle applies to what you need to accomplish):
>
> http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnwse/html/wse2wspolicy.asp
>
> Good luck,
>
> Jeffrey Hasan, MCSD
> President, Bluestone Partners, Inc.
> -----------------------------------------------
> Author of: Expert SOA in C# Using WSE 2.0 (APress, 2004)
> http://www.bluestonepartners.com/soa.aspx
>
> "CatpWilco" <captwilco2002@yahoo.com> wrote in message
> news:b5611c77.0408031359.1386ddeb@posting.google.com...
> > I have an ASP.Net application that uses a client
> > certificate to communicate to a third party.
> >
> > Now, in Win2K, to install the Class 1 Client Certificate, you have to
> > log in as the ASPNET user (or whatever user the aspnet_wp runs as),
> > and install the certificate for that user.
> >
> > In Win2003 (IIS 6.0), I have followed the same process and it does not
> > work. I have not been able to find documentation on this. Any tips
> > out there?
> >
> >
> > Although my question does not refer to any code, here is a sample to
> > give a better picture of what the ASP.Net app is doing.
> >
> > Dim oRequest As HttpWebRequest
> > Dim oResponse As HttpWebResponse
> > Dim oClientCert As System.Security.Cryptography.X509Certificates.X509Certificate
> > Dim POSTBuffer() As Byte
> > Dim DataStream As System.IO.Stream
> > Dim sr As System.IO.StreamReader
> > Dim OutputString As String
> >
> > POSTBuffer = System.Text.Encoding.UTF8.GetBytes("DataToSend")
> >
> > ' Load the client certificate from the file named in the application config
> > oClientCert = New X509Certificate(X509Certificate.CreateFromCertFile(ApplicationConfig.CertificatePath))
> >
> > oRequest = HttpWebRequest.Create("http://ThirdPartyURL")
> > oRequest.Credentials = CredentialCache.DefaultCredentials
> > oRequest.ClientCertificates.Add(oClientCert)
> > oRequest.Method = "POST"
> > oRequest.ContentType = "application/x-www-form-urlencoded"
> >
> > Try
> >
> >     DataStream = oRequest.GetRequestStream()
> >     DataStream.Write(POSTBuffer, 0, POSTBuffer.Length)
> >     DataStream.Close()
> >
> >     '* * * * * * * * * * * * * * * * * * * * * * * * * *
> >     '* Code fails here due to a 403.1 error
> >     oResponse = CType(oRequest.GetResponse, HttpWebResponse)
> >     sr = New System.IO.StreamReader(oResponse.GetResponseStream())
> >     OutputString = sr.ReadToEnd
> >     sr.Close()
> > Catch ex As Exception
> >     '(more boring code) ...
> >
> >
> > Thanks,
> > R. Wilco
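
A diagnostic for the symptom discussed in this thread, as an added example that is not code from either poster: it reports which identity the code runs as and whether that identity can see the client certificate and open its private key in the per-user store versus the machine store. It assumes .NET Framework 2.0 or later (for `X509Store` and `X509Certificate2`); the module name, the `Probe` function and the thumbprint value are placeholders introduced here.

```vbnet
Imports System
Imports System.Security.Cryptography
Imports System.Security.Cryptography.X509Certificates
Imports System.Security.Principal

Module ClientCertCheck
    ' Placeholder: thumbprint of the client certificate (not taken from the thread).
    Private Const Thumbprint As String = "<CERT-THUMBPRINT-PLACEHOLDER>"

    ' Reports whether the certificate is visible in the "My" store at the given
    ' location and whether the current identity can open its private key.
    Function Probe(ByVal location As StoreLocation) As String
        Dim store As New X509Store(StoreName.My, location)
        Try
            store.Open(OpenFlags.ReadOnly Or OpenFlags.OpenExistingOnly)
            Dim found As X509Certificate2Collection = _
                store.Certificates.Find(X509FindType.FindByThumbprint, Thumbprint, False)
            If found.Count = 0 Then Return "certificate not found"

            Dim cert As X509Certificate2 = found(0)
            If Not cert.HasPrivateKey Then Return "found, but no private key is associated"

            ' Reading PrivateKey forces the key container to be opened; a missing
            ' ACL entry for the worker identity surfaces here as an exception.
            Dim key As AsymmetricAlgorithm = cert.PrivateKey
            Return "found, private key readable"
        Catch ex As CryptographicException
            Return "store or private key not accessible: " & ex.Message
        Finally
            store.Close()
        End Try
    End Function

    Sub Main()
        Console.WriteLine("Running as: " & WindowsIdentity.GetCurrent().Name)
        Console.WriteLine("CurrentUser\My : " & Probe(StoreLocation.CurrentUser))
        Console.WriteLine("LocalMachine\My: " & Probe(StoreLocation.LocalMachine))
    End Sub
End Module
```

The result is only meaningful when `Probe` runs under the same identity as the application pool, for example when called from a page in the web application, and comparing its output before and after an interactive logon of that account shows whether the per-user store is the dependency.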


