
ASPNET To Web Service using SSL w/Client Certs

At the top here I will put a quick description of my problem followed by the long description. This way you won't get bored reading! :)

Short version:
What is the best/recommended way for ASPNET apps to call web services that REQUIRE client certificates via SSL?

Long version:
Our company has new requirements: all servers must REQUIRE SSL and server/client certificates.
I have set up a test Win2003 server to issue certs so I have a full test environment on my machine. I have gen'd the server cert and applied it to my IIS secure site. I have issued 2 client certs, one for a web browser and one advanced, and issued a "localmachine" cert. All this is done using the http://myserver/certsrv tool. One went to a separate machine which has installed my test server's root authority chain and the client cert. If I hit a webpage or webservice using that machine and user I am prompted for my certificate, I choose the one I gen'd and it works great. I can see webpages and get webservice data.
The other cert that I gen'd is installed in the localmachine section of my 2003 server in the hope that my ASPNET code could use that client certificate to call the webservice that resides on the same machine. I added a reference to microsoft.web.services and used the x509 certificate objects from that DLL to get the local machine store and find my certificate. That works great. I put the certificate in my webservice object's clientcertificates collection and call the webservice but I still get a 403 access forbidden error. I use the certificate plugin in MMC to see that the cert installed in Local Machine DOES have a private key associated with it. I THINK that the problem is that somehow my ASPNET account cannot access the private key to properly send my cert to the webservice. I've, reluctantly, given ASPNET full access to the \app data\Microsoft\Crypto\RSA folder. Ideas? Suggestions?
This is extremely urgent as NONE of our 20+ servers can run any of our .NET applications now that they have made these SSL certificate changes.
Nov 18 '05 #1
First, a couple of URLs
http://msdn.microsoft.com/library/de...ebservices.asp
the above link is also in the help file (has code samples)

This one is mobile dev, but the concepts still apply:
http://msdn.microsoft.com/library/de...SecNetHT13.asp

Now that we have theory out of the way, here is some good sample code
(scroll down to "Web Services Security with C#")
http://docs.msdnaa.net/ark_new3.0/cd...plications.htm

NOTE: You can speed this talking process up with Remoting (web services that
do not use ASMX, are not tied to HTTP and can use any port -- okay, rather
simplistic explanation, but it works). Perf is not everything, however, so
assess your needs before changing, as Remoting is a bit more involved in the
current .NET architecture.

--
Gregory A. Beamer
MVP; MCP: +I, SE, SD, DBA

**********************************************************************
Think Outside the Box!
**********************************************************************
Nov 18 '05 #2
It really depends on how you are setting up your applications. In general,
for a web server, you are tightly controlling access to the cert, so you can
set up a user with very limited rights on the domain and issue to that user.
I would recommend that route, overall, with internal apps where the web
service is largely set up as a method of distributing the application across
multiple servers (like DCOM in .NET). The admins may still balk, but they
can still be in control of the server.

For wider distribution it gets a lot trickier.

The mobile method still works in the same, if not similar, manner. I expect
huge changes in the entire model with Longhorn and it appears there are
better alternatives with Whidbey, as well. The problem is there has not been
a major change to the Framework or the server space (unless you consider 2k3
really major in this arena). I will have to re-read the article (it has been
awhile) to ensure nothing has changed.

Sorry for the quick answer, but I hope this helps you get a leg up on the
issue.

--
Gregory A. Beamer
MVP; MCP: +I, SE, SD, DBA

**********************************************************************
Think Outside the Box!
**********************************************************************
"Tim Burris" <tb*****@colletonprep.org> wrote in message
news:28*******************************@microsoft.com...
Thank you for your quick reply! Looking back over my hastily typed post, I must apologize for the typos!
I had previously read the "mobile dev" article that you supplied and noticed it is dated Nov. 2002. Is that still Microsoft's recommended best
practice? I didn't know if in the past year and a half technology had
evolved producing a more up-to-date solution.
As for the article showing how to add a certificate to my webservice call: who should the certificate (the one in the .cer file) be issued to?
And does the private key have to be included in that exported .cer file? My
network admins are reluctant to give us a .cer file that includes the
private key in it. But without the private key the certificate will not be
accepted, correct? That's the trouble that I have right now.
Again, I appreciate your help!

Nov 18 '05 #3
In an attempt to prove that I can pass certificates from an ASPNET web app to a web service I have done the following:
added an <identity impersonate="true" username password/> to my web.config
then using the microsoft.web.services DLL with WSE 1.0 I connected to my local store, verified my impersonation worked by getting my client certificate that is installed for the impersonated user
I added that certificate to the webservice object's client certificates but I STILL get the 403 error

If I log in to the server as the user that I'm impersonating and navigate to the web service asmx, I am prompted to select my cert. I select the cert and it works fine. This is the same cert I'm attaching to the web service object in code.

I'm using a very simple web app and my web service is just the default "HelloWorld" web service... nothing complicated.

I don't understand what I'm missing.

Nov 18 '05 #4
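Pulling together what the first and last posts describe, here is an added example (not code from the thread, and not Microsoft's sample) that does the three steps in order: find the client cert in the LocalMachine store, check whether the identity making the call (the ASPNET account, or the impersonated user) can actually open its private key, and attach the cert to the outbound request. It uses the .NET 2.0 X509Store/X509Certificate2 classes rather than the WSE 1.0 Microsoft.Web.Services objects the thread mentions; the thumbprint and service URL are constructed placeholders.

```csharp
using System;
using System.Net;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Added example, not the thread's code. Assumes .NET 2.0+ (X509Store,
// X509Certificate2). Thumbprint and URL in Main are placeholders.
public static class ClientCertCaller
{
    // Locate the client cert in LocalMachine\My. Searching by thumbprint is
    // safer than by subject name: it cannot match a stray or expired duplicate.
    // validOnly=false so a cert issued by an untrusted test CA is still found.
    public static X509Certificate2 FindClientCert(string thumbprint)
    {
        X509Store store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
        try
        {
            X509Certificate2Collection found = store.Certificates.Find(
                X509FindType.FindByThumbprint, thumbprint, false);
            if (found.Count == 0)
                throw new InvalidOperationException(
                    "certificate " + thumbprint + " not found in LocalMachine\\My");
            return found[0];
        }
        finally
        {
            store.Close();
        }
    }

    // The check the thread is missing. HasPrivateKey only says the store entry
    // is linked to a key container; reading PrivateKey is what opens that
    // container under the *current* process or impersonated identity, and it
    // throws CryptographicException when the key file's ACL denies that account.
    // A cert imported from a .cer (public part only) has no key at all.
    public static string DiagnosePrivateKeyAccess(X509Certificate2 cert)
    {
        if (!cert.HasPrivateKey)
            return "no private key linked: the cert came from a .cer, not a .pfx; "
                 + "the SSL handshake cannot sign the client-verify message without it";
        try
        {
            AsymmetricAlgorithm key = cert.PrivateKey;
            return "private key readable by " + Environment.UserName
                 + " (" + key.KeySize + "-bit)";
        }
        catch (CryptographicException ex)
        {
            return "private key present but NOT readable by " + Environment.UserName
                 + ": " + ex.Message
                 + ". Grant that account Read on the single key file under "
                 + "%ALLUSERSPROFILE%\\Application Data\\Microsoft\\Crypto\\RSA\\MachineKeys, "
                 + "not Full Control on the whole RSA folder.";
        }
    }

    // Attach the cert to the call. An ASMX proxy exposes the same collection:
    // proxy.ClientCertificates.Add(cert).
    public static string CallSecuredService(string url, X509Certificate2 cert)
    {
        HttpWebRequest request = (HttpWebRequest)WebRequest.Create(url);
        request.ClientCertificates.Add(cert);
        try
        {
            using (HttpWebResponse response = (HttpWebResponse)request.GetResponse())
            {
                return "HTTP " + (int)response.StatusCode + " from " + url;
            }
        }
        catch (WebException ex)
        {
            HttpWebResponse failed = ex.Response as HttpWebResponse;
            if (failed != null && failed.StatusCode == HttpStatusCode.Forbidden)
            {
                // A bare 403 does not say why. The IIS log's sc-substatus column does:
                // 403.7 = no client certificate was presented (the unreadable-key case),
                // 403.16 = a certificate was presented but its chain is not trusted.
                return "HTTP 403 from " + url + "; check sc-substatus in the IIS log";
            }
            throw;
        }
    }

    public static void Main()
    {
        // Constructed placeholders: substitute the real thumbprint and service URL.
        X509Certificate2 cert = FindClientCert("0000000000000000000000000000000000000000");
        Console.WriteLine(DiagnosePrivateKeyAccess(cert));
        Console.WriteLine(CallSecuredService("https://myserver/Service1.asmx?WSDL", cert));
    }
}
```

Run DiagnosePrivateKeyAccess under the same identity that makes the web service call. The MMC certificates snap-in runs as the logged-in administrator, so it can show a private key that the ASPNET account still cannot open; that is exactly the situation in which the handshake silently sends no certificate and IIS answers 403. The least-privilege fix is a Read ACE for that one account on the single key file (a tool such as winhttpcertcfg.exe sets it for you), rather than the Full Control over the whole RSA folder the original post resorted to.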
