Re: 403 Error Web App to Web App with Client Certificates

From: Joe Kaplan (MVP - ADSI) (joseph.e.kaplan_at_removethis.accenture.com)
Date: 11/11/04


Date: Thu, 11 Nov 2004 13:09:40 -0600

Are you sure the client certificate private key is available to the account
that is running the web code? That seems like the most likely reason you
would get a failure.

Joe K.

"jlento" <jlento@discussions.microsoft.com> wrote in message
news:C5D7D4DD-6A5F-4EF4-B487-9DA624D0E7B1@microsoft.com...
>I have a similar, yet different problem.
>
> I have a .dll that I've been able to successfully run in both a test and
> production environment that does a WebRequest.Create() and a
> request.GetResponse() with a digital certificate attached.
>
> Everything works fine when I put a Windows frontend in front of my .dll.
> However, when I put a Web page in front of my .dll, the server I am dealing
> with returns an HTTP 403 Forbidden error.
>
> When I do a hash of the HttpWebRequest object created with the Windows
> frontend, I get the exact same hash every time. When I do a hash of the
> HttpWebRequest object created with the Web page front end, I get a different
> hash each time. Obviously there's a difference in how the HttpWebRequest
> object is being created depending upon the front end being used and this
> difference is the source of my problems.
>
> I initially thought of instantiating the request object using the Windows
> front end, then serialize the object and save it to a database. Subsequent
> calls would de-serialize the request object and use it. Trouble is, the
> request uses a variable query string, which as far as I can tell must be in
> place at the time Create() is called. There's no way to set this property
> after the object has been instantiated.
>
> "[MSFT]" wrote:
>
>> Hi Peter,
>>
>> For 1.1 framework :
>> 821156 INFO: ASP.NET 1.1 June 2003 Hotfix Rollup Package
>> http://support.microsoft.com/?id=821156
>> Along with this fix you will need to install the client certificate under
>> the Local_Machine registry hive and not the Current_User hive. You will
>> then need to give the ASP.Net account access to the private key for the
>> client certificate to get all of this to work. You can use KeyWiz.EXE for
>> this purpose.
>>
>> Also, you may consider following solution:
>>
>> Invoke the Web service from a Serviced Component, and use a Microsoft
>> Windows service to automatically load the profile of the certificate user
>> so that the Serviced Component can retrieve the client certificate and then
>> communicate with the Web service over SSL.
>>
>> 1. Create a Windows service program with only one function to run under the
>> certificate user identity.
>>
>> 2. Create a Serviced Component that runs under the identity of the
>> certificate user.
>>
>> 3. Move the authentication code from the ASP.NET application to the
>> Serviced Component. Verify that the Serviced Component runs under the
>> identity of the certificate user.
>>
>> 4. Call the Serviced Component method from the ASP.NET Web application.
>>
>> Hope this helps,
>>
>> Luke
>>
>>
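
The check Joe suggests, together with the private-key permission step from the quoted [MSFT] reply, as an added example that is not part of the original thread. It assumes Windows PowerShell 5.1 run elevated and a legacy CSP (CryptoAPI) RSA key; the thumbprint is a placeholder and the account name is an assumed worker identity.

```powershell
# Added example. $Thumbprint is a placeholder and $Account an assumption; neither comes from the thread.
param(
    [string]$Thumbprint = '<CLIENT-CERT-THUMBPRINT>',
    [string]$Account    = 'NT AUTHORITY\NETWORK SERVICE',  # assumed ASP.NET worker identity
    [switch]$GrantRead
)

# The certificate must be in the machine store, not a user profile store.
$cert = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop
if (-not $cert.HasPrivateKey) {
    throw "Certificate $Thumbprint has no associated private key in LocalMachine\My."
}

# Resolve the key container file. This handles legacy CSP RSA keys only.
try { $key = $cert.PrivateKey } catch { $key = $null }
if ($key -isnot [System.Security.Cryptography.RSACryptoServiceProvider]) {
    throw 'Private key is not a CSP RSA key (likely CNG); this script does not cover it.'
}
$container = $key.CspKeyContainerInfo.UniqueKeyContainerName
$keyPath   = Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$container"

# Compare by SID so differently formatted account names still match.
$sidType = [System.Security.Principal.SecurityIdentifier]
$sid  = (New-Object System.Security.Principal.NTAccount($Account)).Translate($sidType)
$acl  = Get-Acl -Path $keyPath
$read = [System.Security.AccessControl.FileSystemRights]::Read
$direct = $acl.GetAccessRules($true, $true, $sidType) | Where-Object {
    $_.IdentityReference.Value -eq $sid.Value -and
    $_.AccessControlType -eq 'Allow' -and
    ($_.FileSystemRights -band $read) -eq $read
}

if ($direct) {
    "OK: $Account has read access to $keyPath"
} elseif ($GrantRead) {
    # Least privilege: read only, no write or full control.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Account, 'Read', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $keyPath -AclObject $acl
    "Granted read on $keyPath to $Account"
} else {
    # Access may still come through a group; list the ACL for manual review.
    "No direct read ACE for $Account on $keyPath. Current entries:"
    $acl.Access | Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
}
```

Without `-GrantRead` the script only reports; it changes the key file's ACL only when that switch is passed.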


