Re: HttpWebRequest failure with TLS
From: Joe Kaplan (MVP - ADSI) (joseph.e.kaplan_at_removethis.accenture.com)
Date: 09/26/05
- Previous message: Marcos Martínez: "ReadXml (DataSet) and WebException (401)"
- Maybe in reply to: Joe Kaplan (MVP - ADSI): "Re: HttpWebRequest failure with TLS"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Mon, 26 Sep 2005 09:52:50 -0500
Interesting. No Schannel error on the client credential creation? It
sounds like it is actually creating the client certificate part of the
handshake. Is it possible that the server side implementation doesn't
properly trust the client certificate or there is a configuration issue on
their side?
I have no idea how to suggest troubleshooting that, as I only know IIS, but
they probably use OpenSSL and I think it has some good logging facilities.
Best of luck on this one...
Joe K.
"Sholto Douglas" <SholtoDouglas@discussions.microsoft.com> wrote in message
news:2512E596-9C97-4A50-AB6C-ACAA17F47DCC@microsoft.com...
> Hi Joe,
> Still no progress.... However I do have a couple of pointers.
> Firstly when I try to bring up the web service in IE, I just get "The page
> cannot be displayed". On the Tomcat server they get exactly the same log
> message as when it fails from my app, and it dies at the same point
> (ServerHelloDone). Apparently the server is waiting for a certificate, which
> it doesn't get (either from my app, or from IE). I get no message prompting
> me for a client certificate.
> I have added the client key to the Personal folders of both the Local
> Machine store, and the Current User one. As I said, there is definitely a
> private key because when I try to export the certificate (in MMC), it prompts
> me if I want to export the private key.
> I have also added the root certificate to the Trusted Root Certification
> Authority in both stores. As you said, given that it is a console app, it
> should always have access to the Current User store.
>
> I activated the SCHANNEL logging, setting the value to 7 (i.e. everything).
> However I only got one (Information) line - it just said "Creating an SSL
> client credential." There were no error messages, suggesting it bombed out
> early.
>
> Finally to see if the problem was TLS related, I removed the code that
> forced a TLS handshake (so it would default to SSLv3). Still failed.
>
> I appreciate your help Joe. This whole business is making me look very
> incompetent!
> --
> Cheers,
> Sholto
>
>
> "Joe Kaplan (MVP - ADSI)" wrote:
>
>> My guess is that you are going to want it in the machine store as the
>> account your web service client is running under will eventually change to
>> the service process' account, but it should work in either for the console
>> app as your user profile will be loaded.
>>
>> The MMC snap-in will tell you for sure if the client certificate has a
>> private key associated with it in the cert properties dialog. The client
>> certificate should go in the personal store.
>>
>> You probably don't need the server's certificate on your machine at all as
>> long as your machine trusts it.
>>
>> If you can't bring up the page in IE, that might mean that the underlying
>> Wininet goo can't get to it either. Be careful with that as this might not
>> be a client certificate issue at all.
>>
>> Another useful thing is to play with the schannel logging level to see
>> detailed log messages on the certificate exchange stuff in the event log:
>> http://support.microsoft.com/?id=260729
>>
>> Joe K.
>
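The checks discussed in this thread (client certificate present in a Personal store with its private key, issuing root trusted so the chain builds, Schannel event logging turned up via the KB 260729 registry value, and the certificate explicitly attached to the HttpWebRequest) can be run from one script. The following is an added example written for this page, not code from either poster; the subject string, the service URL and the store locations are assumptions, and the Schannel registry path and value are the ones KB 260729 documents.

```powershell
# Added example, not from the original thread. Assumed values: the client
# certificate subject contains 'client.example.com' and the web service is at
# https://ws.example.com/service. Run in an elevated PowerShell to read HKLM.
param(
    [string]$SubjectMatch = 'client.example.com',    # assumption
    [string]$Url          = 'https://ws.example.com/service'  # assumption
)

# 1. Look in both Personal stores (CurrentUser and LocalMachine) and confirm
#    that the matching certificate actually carries a private key.
$found = foreach ($loc in 'CurrentUser', 'LocalMachine') {
    Get-ChildItem "Cert:\$loc\My" |
        Where-Object { $_.Subject -like "*$SubjectMatch*" } |
        ForEach-Object {
            [pscustomobject]@{
                Store         = $loc
                Thumbprint    = $_.Thumbprint
                HasPrivateKey = $_.HasPrivateKey
                NotAfter      = $_.NotAfter
                Cert          = $_
            }
        }
}
$found | Format-Table Store, Thumbprint, HasPrivateKey, NotAfter -AutoSize
$cert = $found | Where-Object HasPrivateKey | Select-Object -First 1 -ExpandProperty Cert
if (-not $cert) { throw "No client certificate with a private key matched '$SubjectMatch'" }

# 2. Build the chain the way Schannel will before it offers the certificate:
#    the issuing root must be in Trusted Root Certification Authorities.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # offline check here; keep revocation on in production
if (-not $chain.Build($cert)) {
    $chain.ChainStatus | ForEach-Object {
        Write-Warning "Chain problem: $($_.Status) $($_.StatusInformation)"
    }
}

# 3. Schannel event logging level from KB 260729 (7 = errors, warnings and
#    informational). Reading only; set it with Set-ItemProperty and a reboot
#    may be required before the new level takes effect.
$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$level = (Get-ItemProperty -Path $regPath -Name EventLogging -ErrorAction SilentlyContinue).EventLogging
Write-Host "Schannel EventLogging is currently: $level (7 logs everything)"

# 4. Attach the certificate to the request explicitly so the handshake does
#    not depend on Schannel picking one out of the store on its own.
$req = [System.Net.HttpWebRequest]::Create($Url)
$null = $req.ClientCertificates.Add($cert)
try {
    $resp = $req.GetResponse()
    Write-Host "HTTP $([int]$resp.StatusCode) from $Url"
    $resp.Close()
}
catch [System.Net.WebException] {
    Write-Warning "Request failed: $($_.Exception.Status) - $($_.Exception.Message)"
    # Pull the most recent Schannel entries from the System log to see how far
    # the handshake got on the client side.
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Schannel' } `
        -MaxEvents 10 -ErrorAction SilentlyContinue |
        Format-List TimeCreated, Id, Message
}
```

If step 1 shows the certificate in only one store, remember Joe's point: a console app runs under the logged-in user, so CurrentUser suffices while testing, but a service account will not have that profile loaded and needs the LocalMachine copy. If the chain in step 2 fails to build, Schannel will not offer the certificate at all, which matches the symptom of the server stalling after ServerHelloDone waiting for a certificate that never arrives.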