
Client Certificate Validation

I am working on a special ASP.Net application that receives files from
customers. The connection is made via HTTPS and the client sends the file
as a POST to my ASP.Net listener. All of this works fine. Now I am looking
at how to validate the client's certificate programmatically. The client
application sends to me with something like:
....
' Needs Imports System.IO, System.Net and
' System.Security.Cryptography.X509Certificates at the top of the file.
Dim myHttp As HttpWebRequest = CType(WebRequest.Create("https://myserver/Receive.aspx"), HttpWebRequest)
myHttp.Timeout = 300000
myHttp.KeepAlive = True
myHttp.ContentLength = PostData.Length
myHttp.UserAgent = "Mozilla/4.0 (compatible; MSIE 4.01; Windows NT)"
myHttp.Method = "POST"
myHttp.AllowAutoRedirect = True

'-- Cert Stuff
' Load the certificate from a .cer file and attach it to the request.
Dim cert As X509Certificate = X509Certificate.CreateFromCertFile("d:\temp\cert\ProdCert.cer")
myHttp.ClientCertificates.Add(cert)

Dim tmpStream As Stream
Try
    tmpStream = myHttp.GetRequestStream()
Catch ex As WebException
    ' The exception is swallowed here, so tmpStream stays Nothing
    ' if the connection or the TLS handshake fails.
End Try

tmpStream.Write(PostData, 0, PostData.Length)
tmpStream.Flush()
tmpStream.Close()
....

This process seems to work fine, but when I perform a
Request.ClientCertificate in my Receive.aspx nothing is there. In my
Receive.aspx page I have the following code:

Dim cert As HttpClientCertificate

cert = Request.ClientCertificate

Nothing comes across or at least doesn't seem to populate the
ClientCertificate object. If I use the above client to send data to
another system that is Java based they say the client certificate is there.
Can Java do something that .Net can't?

I hope someone can shed some light into why the client certificate is not
showing up in the ClientCertificate object as I am really hoping to keep this
project small by staying in the same language environment.

Thanks,

Matt

Nov 17 '05 #1
Matt,

Sounds like a webserver config issue. Is your IIS application set up to
accept or require client certificates? Do you use 1-1 or 1-many certificate
mapping to log the user on? Is the certificate issued by a CA trusted by
the IIS LocalSystem (i.e., computer) account? In other words, is the CA
cert installed in the "Certificates (Local Computer)\Trusted Root
Certificate Authorities\Certificates" certificate store?

You might want to check out the Patterns & Practices doc "How To: Set Up
Client Certificates (.NET Framework Security)"

http://msdn.microsoft.com/library/de...SecNetHT17.asp

-Steve Jansen
Nov 17 '05 #2
Steve,

My IIS settings are set to require encryption and require client
certificate. I think you are misunderstanding what I am doing. This
application does not use browsers in any way and I am not using the system
to log a user into our server. My client uses WebMethods and they require
that I receive their certificate on the POST and validate it against the
same certificate I put into my certificate store but I need to be able to
get to the client certificate on their POST for other reasons and that is
why I am expecting to get it with Request.ClientCertificate.

The problem may be that I am sending and receiving on the same development
workstation but I would assume that the certificate would be returned from
the call to Request.ClientCertificate any time.

Thanks,

Matt

Nov 17 '05 #3
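One way to do the server-side check described in the post above (compare the certificate presented on the POST with the copy installed in the certificate store), as an added example that is not code from any poster in this thread. It assumes .NET 2.0 or later and that the partner's certificate was imported into the Local Computer "Trusted People" store; the class and method names are hypothetical.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.Web;

public static class PartnerCertificateCheck
{
    // Assumption: the partner's certificate was imported into this store.
    private const StoreName PinnedStore = StoreName.TrustedPeople;
    private const StoreLocation PinnedLocation = StoreLocation.LocalMachine;

    // Returns true only if the certificate on this request is byte-for-byte
    // one of the certificates installed in the pinned store.
    public static bool IsPinnedPartner(HttpRequest request, out string reason)
    {
        HttpClientCertificate presented = request.ClientCertificate;

        // IsPresent is false when IIS did not negotiate a client certificate,
        // which is the symptom described in this thread.
        if (!presented.IsPresent)
        {
            reason = "no client certificate reached ASP.NET";
            return false;
        }
        if (!presented.IsValid)
        {
            reason = "IIS reported the client certificate as invalid";
            return false;
        }
        DateTime now = DateTime.Now;
        if (now < presented.ValidFrom || now > presented.ValidUntil)
        {
            reason = "client certificate is outside its validity period";
            return false;
        }

        // HttpClientCertificate.Certificate holds the DER-encoded certificate.
        X509Certificate2 cert = new X509Certificate2(presented.Certificate);
        X509Store store = new X509Store(PinnedStore, PinnedLocation);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            // Narrow by thumbprint, then compare the full encoding.
            X509Certificate2Collection matches = store.Certificates.Find(
                X509FindType.FindByThumbprint, cert.Thumbprint, false);
            foreach (X509Certificate2 candidate in matches)
            {
                if (Convert.ToBase64String(candidate.RawData) ==
                    Convert.ToBase64String(cert.RawData))
                {
                    reason = "ok";
                    return true;
                }
            }
        }
        finally
        {
            store.Close();
        }
        reason = "certificate is not one of the pinned partner certificates";
        return false;
    }
}

// In the Receive.aspx code-behind (Page_Load), reject before reading the body:
//   string why;
//   if (!PartnerCertificateCheck.IsPinnedPartner(Request, out why))
//   { Response.StatusCode = 403; Response.End(); }
```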
Hi Matt,

Sorry for the confusion, but, I do think I understand what you are trying to
do, as I have worked with the exact same scenario.

IIS treats all HTTP clients equally, whether they are a browser or a simple
telnet client issuing HTTP request headers on port 80. So, the IIS
configuration was worth bringing up. It sounds like you have everything
configured correctly.

It is interesting that you are using a single machine for testing. I
believe I saw this problem before with using localhost, in that the CN of
the SSL certificate does not match the server name. You may want to check
out
http://msdn.microsoft.com/library/de...e&hidetoc=true,
which instructs you to either use the .NET 1.1 config setting:

<system.net>
  <settings>
    <servicePointManager
      checkCertificateName="true"
    />
  </settings>
</system.net>

or create a class that implements ICertificatePolicy and returns true in a
name mismatch scenario. It would be interesting to know if this solves your
problem on the client:
....
System.Net.ServicePointManager.CertificatePolicy = new MyPolicy();
....
public class MyPolicy : ICertificatePolicy {
    public bool CheckValidationResult(ServicePoint srvPoint, X509Certificate certificate,
            WebRequest request, int certificateProblem) {
        return true; // always return true for testing
        // Check for policy common name mismatch (CERT_E_CN_NO_MATCH).
        /* if (certificateProblem == 0 || certificateProblem == unchecked((int)0x800B010F))
               return true;
           else
               return false;
        */
    }
}

-Steve
Nov 17 '05 #4
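The test policy in the post above accepts every server certificate, including expired or untrusted ones. A narrower variant, as an added example that is not the poster's code: it tolerates only the name-mismatch error (CERT_E_CN_NO_MATCH, 0x800B010F), only for one development host, and only when the certificate's SHA-1 hash matches a pinned value. The class name, host name and hash passed to the constructor are hypothetical placeholders.

```csharp
using System;
using System.Net;
using System.Security.Cryptography.X509Certificates;

public class DevPinnedPolicy : ICertificatePolicy
{
    // CERT_E_CN_NO_MATCH: the certificate name does not match the host name.
    // The callback receives the code as a signed int, hence the unchecked cast.
    private const int CertCnNoMatch = unchecked((int)0x800B010F);

    private readonly string devHost;       // e.g. "localhost" (assumption)
    private readonly string pinnedSha1Hex; // hash of the dev server certificate

    public DevPinnedPolicy(string devHost, string pinnedSha1Hex)
    {
        if (devHost == null) throw new ArgumentNullException("devHost");
        if (pinnedSha1Hex == null) throw new ArgumentNullException("pinnedSha1Hex");
        this.devHost = devHost;
        // Certificate viewers often print the hash with spaces; strip them.
        this.pinnedSha1Hex = pinnedSha1Hex.Replace(" ", "");
    }

    public bool CheckValidationResult(ServicePoint srvPoint,
        X509Certificate certificate, WebRequest request, int certificateProblem)
    {
        // No problem reported: normal chain and name validation succeeded.
        if (certificateProblem == 0)
            return true;

        // Anything other than a name mismatch (expired, untrusted root,
        // revoked, ...) is always rejected.
        if (certificateProblem != CertCnNoMatch)
            return false;

        if (certificate == null || request == null)
            return false;

        // The exception applies to the development host only.
        if (!String.Equals(request.RequestUri.Host, devHost,
                StringComparison.OrdinalIgnoreCase))
            return false;

        // Even there, accept only the one certificate that was pinned.
        return String.Equals(certificate.GetCertHashString(), pinnedSha1Hex,
            StringComparison.OrdinalIgnoreCase);
    }
}

// Registration on the client, with placeholder values:
//   ServicePointManager.CertificatePolicy =
//       new DevPinnedPolicy("localhost", "<SHA-1 hash of the dev certificate>");
```

On .NET 2.0 and later `ICertificatePolicy` is marked obsolete in favour of `ServicePointManager.ServerCertificateValidationCallback`, but it still compiles and matches the interface used in this thread.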

It depends on which .NET Runtime you've installed - if you work on .NET
1.1, then you have to deploy Service Pack 1 and all will work just fine
(I had the same problem and solved it that way).
Best regards,

George
--
catalinr

Nov 19 '05 #5
