
ASPNET To Web Service using SSL w/Client Certs

At the top here I will put a quick description of my problem followed by the long description. This way you won't get bored reading! :)

short version:
What is the best/recommended way for ASPNET apps to call web services that REQUIRE Client Certificates via SSL?

long version:
Our company has new requirements: all servers must REQUIRE SSL and server/client certificates.
I have set up a test Win2003 server to issue certs, so I have a full test environment on my machine. I have gen'd the server cert and applied it to my IIS secure site. I have issued 2 client certs: one for web browser, one advanced, and issued a "localmachine" cert. All this is done using the http://myserver/certsvr tool. One went to a separate machine which has installed my test server's root authority chain and the client cert. If I hit a webpage or webservice using that machine and user I am prompted for my certificate, I choose the one I gen'd and it works great. I can see webpages and get webservice data.
The other cert that I gen'd is installed in the localmachine section of my 2003 server in the hope that my ASPNet code could use that client certificate to call the webservice that resides on the same machine. I added a reference to microsoft.web.services and used the X509 certificate objects from that DLL to get the local machine store and find my certificate. That works great. I put the certificate in my webservice object's clientcertificate collection and call the webservice, but I still get a 403 access forbidden error. I use the certificate plugin in MMC to see that the cert installed in Local Machine DOES have a private key associated with it. I THINK that the problem is that somehow my ASPNET account cannot access the private key to properly send my cert to the webservice. I've, reluctantly, given ASPNET full access to the \app data\Microsoft\Crypto\RSA folder. Ideas? Suggestions?
This is extremely urgent, as NONE of our 20+ servers can run any of our .NET applications now that they have made these SSL certificate changes.
Nov 18 '05 #1
3 2788
First, a couple of URLs
http://msdn.microsoft.com/library/de...ebservices.asp
the above link is also in the help file (has code samples)

This one is mobile dev, but the concepts still apply:
http://msdn.microsoft.com/library/de...SecNetHT13.asp

Now that we have theory out of the way, here is some good sample code
(scroll down to "Web Services Security with C#")
http://docs.msdnaa.net/ark_new3.0/cd...plications.htm

NOTE: You can speed this talking process up with Remoting (web services that
do not use ASMX, are not tied to HTTP and can use any port -- okay, rather
simplistic explanation, but it works). Perf is not everything, however, so
assess your needs before changing, as Remoting is a bit more involved in the
current .NET architecture.

--
Gregory A. Beamer
MVP; MCP: +I, SE, SD, DBA

************************************************** ********************
Think Outside the Box!
************************************************** ********************
"Tim Burris" <tb*****@colletonprep.org> wrote in message
news:0D**********************************@microsof t.com...
Nov 18 '05 #2
It really depends on how you are setting up your applications. In general,
for a web server, you are tightly controlling access to the cert, so you can
set up a user with very limited rights on the domain and issue to that user.
I would recommend that route, overall, with internal apps where the web
service is largely set up as a method of distributing the application across
multiple servers (like DCOM in .NET). The admins may still balk, but they
can still be in control of the server.

For wider distribution it gets a lot trickier.

The mobile method still works in the same, if not similar, manner. I expect
huge changes in the entire model with Longhorn and it appears there are
better alternatives with Whidbey, as well. The problem is there has not been
a major change to the Framework or the server space (unless you consider 2k3
really major in this arena). I will have to re-read the article (it has been
a while) to ensure nothing has changed.

Sorry for the quick answer, but I hope this helps you get a leg up on the
issue.

--
Gregory A. Beamer
MVP; MCP: +I, SE, SD, DBA

"Tim Burris" <tb*****@colletonprep.org> wrote in message
news:28**********************************@microsof t.com...
Thank you for your quick reply! Looking back over my hastily typed post, I must apologize for the typos!
I had previously read the "mobile dev" article that you supplied and noticed it is dated Nov. 2002. Is that still Microsoft's recommended best
practice? I didn't know if in the past year and a half technology had
evolved, producing a more up-to-date solution.
As for the article showing how to add a certificate to my webservice call: who should the certificate (the one in the .cer file) be issued to?
And does the private key have to be included in that exported .cer file? My
network admins are reluctant to give us a .cer file that includes the
private key in it. But without the private key the certificate will not be
accepted, correct? That's the trouble that I have right now.
Again, I appreciate your help!

Nov 18 '05 #3
In an attempt to prove that I can pass certificates from an ASPNet web app to a WebService I have done the following:
added an <identity impersonate="true" username password/> to my web.config
then, using the microsoft.web.services DLL with WSE 1.0, I connected to my local store and verified my impersonation worked by getting my client certificate that is installed for the impersonated user
I added that certificate to the webservice object's client certificates, but I STILL get the 403 error

If I log in to the server as the user that I'm impersonating and navigate to the web service asmx, I am prompted to select my cert. I select the cert and it works fine. This is the same cert I'm attaching to the web service object in code.

I'm using a very simple web app and my web service is just the default "helloworld" web service... nothing complicated.

I don't understand what I'm missing.

Nov 18 '05 #4
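The step that fails in the first and fourth posts (a cert found in LocalMachine\My that the request's identity cannot actually use) can be made observable before the SSL handshake. The helper below is an added example, not code from the thread's authors: it loads the certificate the way the posts describe, checks the private key is readable by the identity the request runs under (the ASPNET account, or the impersonated user from web.config), and only then attaches it to the ASMX proxy. It assumes the .NET 2.0 `X509Store`/`X509Certificate2` API rather than the WSE 1.0 objects used in the thread; the thumbprint argument and the proxy instance are placeholders supplied by the caller.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Security.Principal;
using System.Web.Services.Protocols;

// Added helper (not from the thread). Opens LocalMachine\My, as the posts do, and refuses
// to hand out a certificate whose private key the current identity cannot actually use.
public static class ClientCertHelper
{
    public static X509Certificate2 LoadUsableClientCert(string thumbprint)
    {
        X509Store store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
        try
        {
            X509Certificate2Collection found = store.Certificates.Find(
                X509FindType.FindByThumbprint, thumbprint, true);
            if (found.Count != 1)
                throw new InvalidOperationException("Expected exactly one valid cert for that thumbprint.");
            X509Certificate2 cert = found[0];

            // The key icon in the MMC snap-in only proves a key is *associated* with the cert.
            if (!cert.HasPrivateKey)
                throw new InvalidOperationException("Certificate has no associated private key.");

            // Reading PrivateKey makes the CSP open the key container under the identity this
            // request runs as (the ASPNET account, or the impersonated user from web.config).
            // If that identity lacks read access to the key file, this throws here instead of
            // the SSL handshake silently sending no client cert and the server replying 403.
            string who = WindowsIdentity.GetCurrent().Name;
            try { AsymmetricAlgorithm key = cert.PrivateKey; }
            catch (CryptographicException ex)
            {
                throw new InvalidOperationException("Private key is not readable by " + who +
                    "; grant that account read access to the key container only.", ex);
            }
            return cert;
        }
        finally { store.Close(); }
    }

    // Attaches the certificate to the ASMX proxy (any SoapHttpClientProtocol-derived class).
    public static void Attach(SoapHttpClientProtocol proxy, X509Certificate2 cert)
    {
        proxy.ClientCertificates.Add(cert);
    }
}
```

Calling `LoadUsableClientCert` at application start or from a diagnostic page turns a key-permission problem into an exception naming the effective identity, rather than a 403 from the service.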
