Re: 403 Error Web App to Web App with Client Certificates
From: Joe Kaplan \(MVP - ADSI\) (joseph.e.kaplan_at_removethis.accenture.com)
Date: Thu, 11 Nov 2004 13:09:40 -0600
Are you sure the client certificate private key is available to the account
that is running the web code? That seems like the most likely reason you
would get a failure.
"jlento" <email@example.com> wrote in message
>I have a similar, yet different problem.
> I have a .dll that I've been able to successfully run in both a test and
> production environment that does a WebRequest.Create() and a
> request.GetResponse() with a digital certificate attached.
> Everything works fine when I put a Windows frontend in front of my .dll.
> However, when I put an Web page in front of my .dll, the server I am
> with returns an HTTP 403 Forbidden error.
> When I do a hash of the HttpWebRequest object created with the Windows
> frontend, I get the exact same hash every time. When I do a hash of the
> HttpWebRequest object created with the Web page front end, I get a
> hash eash time. Obviously there's a difference in how the HttpWebRequest
> object is being created depending upon the front end being used and this
> difference is the source of my problems.
> I initally thought of instantiating the request object using the Windows
> front end, then serialize the object and save it to a database.
> calls would de-serialize the request object and use it. Trouble is, the
> request uses a variable query string, which as far as I can tell must be
> place at the time Create() is called. There's no way to set this property
> after the object has been instantiated
> "[MSFT]" wrote:
>> Hi Peter,
>> For 1.1 framework :
>> 821156 INFO: ASP.NET 1.1 June 2003 Hotfix Rollup Package
>> Along with this fix you will need to install the client certificate under
>> the Local_Machine registry hive and not the Current_User hive. You will
>> then need to give the ASP.Net account access to the private key for the
>> client certificate to get all of this to work. You can use KeyWiz.EXE for
>> this purpose.
>> Also, you may consider following solution:
>> Invoke the Web service from a Serviced Component, and use a Microsoft
>> Windows service to automatically load the profile of the certificate user
>> so that the Serviced Component can retrieve the client certificate and
>> communicate with the Web service over SSL.
>> 1. Create a Windows service program with only one function to run under
>> certificate user identity.
>> 2. Create a Serviced Component that runs under the identity of the
>> certificate user.
>> 3. Move the authentication code from the ASP.NET application to the
>> Serviced Component. Verify that the Serviced Component runs under the
>> identity of the certificate user.
>> 4. Call the Serviced Component method from the ASP.NET Web application.
>> Hope this help,