Re: HttpWebRequest failure with TLS
From: Joe Kaplan (MVP - ADSI) (joseph.e.kaplan_at_removethis.accenture.com)
Date: 09/24/05
- Previous message: Franco: "messenger"
- Maybe in reply to: Joe Kaplan (MVP - ADSI): "Re: HttpWebRequest failure with TLS"
- Next in thread: Joe Kaplan (MVP - ADSI): "Re: HttpWebRequest failure with TLS"
Date: Fri, 23 Sep 2005 20:43:24 -0500
My guess is that you are going to want it in the machine store as the
account your web service client is running under will eventually change to
the service process' account, but it should work in either for the console
app as your user profile will be loaded.

The MMC snap-in will tell you for sure if the client certificate has a
private key associated with it in the cert properties dialog. The client
certificate should go in the personal store.

You probably don't need the server's certificate on your machine at all as
long as your machine trusts it.

If you can't bring up the page in IE, that might mean that the underlying
Wininet goo can't get to it either. Be careful with that as this might not
be a client certificate issue at all.

Another useful thing is to play with the schannel logging level to see
detailed log messages on the certificate exchange stuff in the event log:

http://support.microsoft.com/?id=260729

Joe K.

"Sholto Douglas" <SholtoDouglas@discussions.microsoft.com> wrote in message
news:F3B8FF0A-6D45-42B6-B17B-2F349FB7B786@microsoft.com...
> Thanks for answering, Joe,
>
>> Debugging these issues is notoriously difficult I'm afraid.
>>
> Tell me about it..... What is annoying is that whatever the problem, I
> always get the same exception message. The .NET error messages should be
> more explicit.
>
>> This generally means that your client code doesn't have access to the
>> private key for the certificate in question, although it could be an issue
>> with certificate trust as well.
>>
> I put both keys (client and server) into the Personal 'folder' of the
> CurrentUser store. Do they need to be in the LocalMachine store? If so,
> which folder? Personal, Trusted People? I imagine the CurrentUser store
> would be less prone to permission problems, which is why I put them there.
> How can I be sure I do have the required access?
>
>> The first thing I would do is make sure the certificate in question has a
>> private key associated with it. Then, make sure you can navigate to the
>> page in question with the browser and that IE will prompt you for the
>> client certificate.
>>
> I am confident there is a private key, because I was asked if I wanted to
> export it (I didn't, of course!). I am actually going through a colleague's
> laptop with Tomcat installed, then to a proxy, before the actual web service.
> So I have never been able to bring up the page in IE (they aren't making it
> easy for me).
>
> Thanks again, Joe,
> Sholto Douglas
> His Nerdship Pty Ltd (Australia)
>
>
> "Joe Kaplan (MVP - ADSI)" wrote:
>
>> This generally means that your client code doesn't have access to the
>> private key for the certificate in question, although it could be an issue
>> with certificate trust as well.
>>
>> Debugging these issues is notoriously difficult I'm afraid.
>>
>> The first thing I would do is make sure the certificate in question has a
>> private key associated with it. Then, make sure you can navigate to the
>> page in question with the browser and that IE will prompt you for the
>> client certificate.
>>
>> After that, using regmon and filemon while the program is running is often
>> very helpful for determining where Windows is looking for the private key
>> file and who is getting denied access.
>>
>> There are also some kbase articles on this issue.
>>
>> Joe K.
>
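
The store and private-key checks discussed in this thread can also be done from code running under the same account as the web service client. The following is an added example, not part of the original messages; it assumes .NET Framework 4.6 or later, and the class name and the thumbprint argument are illustrative.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Security.Principal;

static class ClientCertCheck
{
    // Usage: ClientCertCheck.exe <thumbprint>   (value copied from the cert properties dialog)
    static int Main(string[] args)
    {
        if (args.Length != 1) { Console.Error.WriteLine("usage: ClientCertCheck <thumbprint>"); return 2; }
        string thumbprint = args[0].Replace(" ", "").ToUpperInvariant();
        // Run this under the same account as the real client (console user or service account).
        Console.WriteLine("Running as: " + WindowsIdentity.GetCurrent().Name);
        bool usable = false;
        foreach (StoreLocation location in new[] { StoreLocation.CurrentUser, StoreLocation.LocalMachine })
        {
            var store = new X509Store(StoreName.My, location); // StoreName.My is "Personal" in the MMC
            try
            {
                store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
                // validOnly = false so an expired or untrusted certificate is still listed
                foreach (X509Certificate2 cert in store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, false))
                {
                    Console.WriteLine("{0}\\My: {1} (expires {2:u})", location, cert.Subject, cert.NotAfter);
                    usable |= CanOpenPrivateKey(cert);
                }
            }
            catch (CryptographicException e) { Console.WriteLine("{0}\\My: cannot open store: {1}", location, e.Message); }
            finally { store.Close(); }
        }
        return usable ? 0 : 1; // 0 only if some copy has a key this account can open
    }
    static bool CanOpenPrivateKey(X509Certificate2 cert)
    {
        if (!cert.HasPrivateKey) { Console.WriteLine("  no private key associated"); return false; }
        try
        {
            // HasPrivateKey only reads a certificate property; acquiring the key is the step
            // that a restrictive ACL on the key container blocks.
            using (RSA key = cert.GetRSAPrivateKey())
            {
                Console.WriteLine(key != null ? "  private key opened" : "  key is not RSA or could not be acquired");
                return key != null;
            }
        }
        catch (CryptographicException e) { Console.WriteLine("  private key not accessible: " + e.Message); return false; }
    }
}
```

Running it once as the interactive user and once as the service account shows whether a certificate that works in the console app will still be usable after the client moves to the service process.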