Solved

Digital Certificates in ASP

Posted on 2005-02-25
1,849 Views
Last Modified: 2010-05-18
Windows 2003 Server, IIS 6.0, classic ASP

I was provided a digital certificate by an external company to install on my server for authentication/access permissions into their server.  To test the connection, they've provided a ping service which must be accessed over a non-standard port:
https://www.targetCompany.com:9999?ping

If I hit this from a browser on my server, it prompts me to select my cert, I hit OK, and all is well.  I get the page returned by the ping function.

However, if I hit my ASP script via my website, it hangs till it times out.

http://www.myWebSite.com/foo.asp

*****  foo.asp  *****
<%
Set objXmlHTTP = Server.CreateObject("MSXML2.XMLHTTP")
objXmlHTTP.open "GET", "https://www.targetCompany.com:9999/?ping", false
objXmlHttp.setRequestHeader "Content-Type", "application/x-www-form-urlencoded"
objXmlHttp.send

response.write "response: " & objXmlHttp.responseText
%>

To install the certificate (filetype is .p12), I logged into the server with admin privileges, and clicked thru.

I have no stinkin' idea what's failing.  IUSR_[machineName] permissions?

500 points - I need this one pretty bad.

-Steve
Question by: BigMonkeyHead

44 Comments

Expert Comment by TRACEYMARY (LVL 7), ID: 13410161
Did you install the certificate on the server as an SSL ....
on iis you go to default web site and click on directory security and secure communications

then you can run any page
https://


Expert Comment by davidlars99 (LVL 13), ID: 13410377
XmlHttp is unreliable when used from within an ASP server-side context. If you attempt to use XmlHttp from within an ASP page for a server-to-server communication, you'll experience unpredictable results that might vary from an incredibly long completion time to random errors to an inability to connect to SSL sites. It seems that MSXML was released without a careful and complete testing cycle. Microsoft admits that XmlHttpRequest was designed and tested only to be used from a client machine. You should try it using some client-side script, i.e. JavaScript or VBScript, and see if it works. I hate to say this, but I don't think you will be able to get this thing to work in ASP. I wish you lots of luck though... :)

Author Comment by BigMonkeyHead (LVL 1), ID: 13410820
TM:  I don't believe SSL is the issue - I've got a Thawte cert that the site already uses for SSL extensively.  This cert was issued by the company I'm trying to connect to...As such, I can install it on as many machines as I want.  I had tried the same procedure I outlined above with non-SSL, but since SSL will be required in production, I figured it would be better to focus on getting that working first.

DL99:  I wrote a quick and dirty JavaScript using XmlHttpRequest, didn't see anything promising, though I'm not well-versed in JS.  I have seen a working example in Java, but since NONE of the site (that I inherited, mind you) is written in Java, I've really never considered trying to implement it.  I'm not ready for a re-write, so a Java solution would have to be able to talk to the rest of the ASP code.

Can Java and ASP co-exist happily?  Or what about an ASP.NET solution, maybe that would play nicer?  Performance considerations?

Expert Comment by davidlars99 (LVL 13), ID: 13411205
Forget about JavaScript, it will give you nothing but a headache with XMLHTTP. I've got an example of it right here:

http://www.frozendev.com/temp/xmlhttp.html


In .NET it's a little different, but more reliable, and you need to import the following dll:  "System.Net"

Dim myReq As HttpWebRequest = CType(WebRequest.Create("http://www.google.com/"), HttpWebRequest)
myReq.ContentType = "application/x-www-form-urlencoded"
myReq.Method = "GET"
Dim myRes As WebResponse = myReq.GetResponse()
Dim respStream As System.IO.Stream = myRes.GetResponseStream()
Dim reader As System.IO.StreamReader = New System.IO.StreamReader(respStream, System.Text.Encoding.ASCII)
Dim strResponse As String = reader.ReadToEnd
Response.Write(strResponse.ToString)

Expert Comment by davidlars99 (LVL 13), ID: 13411210
If you use the "POST" method then you need to configure IIS like so:

http://www.somacon.com/blog/page26.php

Expert Comment by davidlars99 (LVL 13), ID: 13411342
Sorry, I forgot to tell you that you have to close the response object after everything is done:

myRes.Close()

Author Comment by BigMonkeyHead (LVL 1), ID: 13416844
OK, so I'm a complete .NET noob.  I put your code into a .aspx file, and I put Imports System.Net as the first line.  Apparently this is wrong.

Server Error in '/' Application.
The resource cannot be found.

What do I need to do to get the application configured?  Where do I import System.Net?  Big apologies for not understanding this...:)

Expert Comment by davidlars99 (LVL 13), ID: 13417384
No apologies BigMonkeyHead, we're all here to learn, so take your time and review...  :) By the way, you can put a <script> block anywhere in the page to write stuff out, but directives must be at the top of everything.


<%@ Import Namespace="System.Net" %>
<%@ Page Language="vb" Debug="true" %>
<HTML>
<HEAD>
<Script Language="vb" Runat="server">
Sub Page_Load()
      Dim myReq As HttpWebRequest = CType(WebRequest.Create("http://www.google.com/"), HttpWebRequest)
      myReq.ContentType = "application/x-www-form-urlencoded"
      myReq.Method = "GET"
      Dim myRes As WebResponse = myReq.GetResponse()
      Dim respStream As System.IO.Stream = myRes.GetResponseStream()
      Dim reader As System.IO.StreamReader = New System.IO.StreamReader(respStream, System.Text.Encoding.ASCII)
      Dim strResponse As String = reader.ReadToEnd
      Response.Write(strResponse.ToString)
End Sub
</Script>
<TITLE></TITLE>
</HEAD>
<BODY>
<form id="form1" runat="server">
<p> &nbsp; </p>
</form>
</BODY>
</HTML>


When you're done, go to the IIS window, click the folder in which this *.aspx file will be located and click on "Create"; IIS needs to create an application in order to compile it properly.

Expert Comment by davidlars99 (LVL 13), ID: 13417387
Maybe you just need to create an application directory in IIS; try the last step first and if it doesn't work then try the whole thing.

Expert Comment by fruhj (LVL 12), ID: 13417545
BMH,

I think this discussion is getting off track,

You were given a client certificate by targetcompany.

The client cert got registered/used by IE, but you haven't specified any code to use it in your connection you initiate from ASP.

try this:

*****  foo.asp  *****
<%
Const SXH_OPTION_SELECT_CLIENT_SSL_CERT = 3
Const certname = "" 'certname when left blank pulls your first client certificate

'I changed this:
Set objXmlHTTP = Server.CreateObject("Msxml2.ServerXMLHTTP.4.0")

'I added this (a Sub call in VBScript takes no parentheses unless you use Call):
objXmlHTTP.setOption SXH_OPTION_SELECT_CLIENT_SSL_CERT, certname

objXmlHTTP.open "GET", "https://www.targetCompany.com:9999/?ping", false
objXmlHTTP.setRequestHeader "Content-Type", "application/x-www-form-urlencoded"
objXmlHTTP.send

response.write "response: " & objXmlHTTP.responseText
%>

Note that I changed the object you were using to the server version of the file.
Also note that how you call that object depends on what version you install (the Msxml2.ServerXMLHTTP.4.0 might be different for your install).

Lastly you might need to upgrade your MSXML to the latest version - when you do, it will install a help file and add it to your start menu, which is where I'm getting my info from.

Hope this is the answer you need!

- Jack

Author Comment by BigMonkeyHead (LVL 1), ID: 13424631
Thanks for the help guys!  I'll hit this from both ways, my boss won't feed me until I get this working.  ;)

DL99:
code is failing on      Dim myRes As WebResponse = myReq.GetResponse()
"The underlying connection was closed: An unexpected error occurred on a receive.
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

Exception Details: System.Net.WebException: The underlying connection was closed: An unexpected error occurred on a receive."

Jack:
Access is Denied.  
It's failing on objXmlHttp.send  I also tried specifying the cert in certname as well - same result.

-----

I think that both of these are the same type of failure.  Is there a way to see what cert the code thinks it's trying to use?  One of the things I was concerned about was the IUSR_machineName acct having access to the certificate (since I installed it as admin) - is this a "real" concern?

-Steve

Expert Comment by davidlars99 (LVL 13), ID: 13424847
If you think that it's an admin account issue then create a file named "web.config" in the same directory where the ".aspx" file is and put this code inside it. Note that you have to impersonate the particular Windows account the certificate was installed with by putting the username and password in the attributes of the <identity> element:

<configuration>
  <system.web>
    <authentication mode="Windows" />
    <identity impersonate="true" userName="username" password="password" />
  </system.web>
</configuration>

Expert Comment by davidlars99 (LVL 13), ID: 13424899
I found some great info on the ASP issue; there are two resolutions for the above-mentioned problem and I'm sure if you follow the instructions you'll get it to work, but please just do me a favor and try the ASP.NET way as well, I'm just curious about it.

thanks


http://support.microsoft.com/default.aspx?scid=kb;EN-US;q302080

Expert Comment by fruhj (LVL 12), ID: 13425392
Hey BMH, I think you're getting closer.

Check this article to see if your certificate is installed right http://support.microsoft.com/kb/301429/EN-US/

Also make sure you have the latest MSXML installed, they've fixed a few bugs related to this.

Also as a side note, when you do your testing, make sure you are hitting the real server.

I used MSXML to retrieve a page from my own server for caching once, it worked fine on my workstation, and failed on the server.
As it turned out, on the workstation, I had debugging enabled, which caused all tasks to run one after the other so my script waited for the result. On the production server where debugging was off, it tried to fetch the page concurrently and the exact same script failed - Can't tell you how much time I spent troubleshooting that one...

Author Comment by BigMonkeyHead (LVL 1), ID: 13425883
OK, now I'm really hosing things up!!  Followed these Microsoft links (I had seen them before, but didn't know if that was the right path).  I tried to reset the IWAM_machineName password, now I can't access large parts of my site.

I was following the instructions at http://support.microsoft.com/kb/269367 and I'm getting the 80110414 error when trying to run synciwam....HELP!!

Expert Comment by davidlars99 (LVL 13), ID: 13426073
FOUND THE SOLUTION!!!!

I created an https site and I was unable to access it with either MSXML or .NET; all I had to do was enable anonymous access to that directory where the https protocol was registered.

Author Comment by BigMonkeyHead (LVL 1), ID: 13426128
OK...I fixed my 7:02 freakout.  Had to reset the IUSR password too.

Enable anonymous access eh?  So if I've got my script at /webroot/myscript.asp, I should enable anon access to /webroot via IIS?

Expert Comment by davidlars99 (LVL 13), ID: 13426133
So you need to call those people and tell them to enable anonymous access to that directory or grant access to your IP address; I just did both and they worked.

Expert Comment by davidlars99 (LVL 13), ID: 13426168
Without enabling anonymous access to the SSL-protected directory it is impossible to do things like that.

Expert Comment by davidlars99 (LVL 13), ID: 13426182
> OK...I fixed my 7:02 freakout.  Had to reset the IUSR password too.

So I was wrong then...?  :)

Author Comment by BigMonkeyHead (LVL 1), ID: 13426268
dl99 (3:31 PST):  Including those items in the web.config had no effect.  username should be userName, but otherwise, I did it just as you showed.

fruhj:  My 45 min of insanity earlier tonight was while I was trying to get the IWAM and IUSR passwords sync'ed up across the system.  I needed to reset the IWAM password in order to install the cert while logged in as IWAM.  Unfortunately, I'm operating remotely tonight and IWAM is not allowed remote login permissions...I'll mess with that some more, or just log in on site, so I can install the cert as IWAM w/ admin permissions.

dl99 (7:43 PST and subs): I've got another script in the same directory that hits a different remote server under SSL.  So I know that things work on my end to enable this - I've got a Thawte cert - I believe that's what allows it to tick.  However, I'm not sure that having the target server grant anon access will make it work.  Otherwise, I wouldn't be able to hit their server from the browser on my server, right?

Expert Comment by fruhj (LVL 12), ID: 13426308
BMH, DL99:

Assuming the company who owns the remote server was willing to enable anon access, then no client certificate would be needed for authentication, since they would have just opened up the site to everyone.

BMH is going through all this because the company requires him to have a client certificate.

DL99: I'm not sure you're getting the distinction between a Server SSL certificate and a Client Access certificate (found in IE under Tools -> Internet Options -> Content tab -> Certificates -> Personal). The test you said you performed would have nothing to do with the scenario BMH has described.

Expert Comment by davidlars99 (LVL 13), ID: 13426324
> DL99: I'm not sure you're getting the distinction between a Server SSL certificate..........

I think I also said the following:
> Without enabling anonymous access to the SSL-protected directory it is impossible to do things like that

Then let's just consider that you cannot access SSL with MSXML or HttpWebRequest because both use anonymous access and that's the end of it!!!


Expert Comment by davidlars99 (LVL 13), ID: 13426351
This article doesn't exactly tell you that MSXML uses anonymous access, but it's easy to guess by reading the entire thing:

http://support.microsoft.com/default.aspx?scid=kb;EN-US;q315909

Expert Comment by davidlars99 (LVL 13), ID: 13426405
and again I might be wrong about the whole thing but that's how the problem suggests itself, but anyway I have a good solution which I'm not gonna reveal until tomorrow morning, right now I really need a nice goodnight sleeeeeee..........p.....

Author Comment by BigMonkeyHead (LVL 1), ID: 13426725
My existing functional code that uses SSL successfully uses the Microsoft.XmlHttp object.  I'm leaning towards the IWAM install solution...

i appreciate everyone's help here, i think we're real close!!

Expert Comment by davidlars99 (LVL 13), ID: 13431496
I got the .NET code working:

        Dim cert As System.Security.Cryptography.X509Certificates.X509Certificate
        cert = System.Security.Cryptography.X509Certificates.X509Certificate.CreateFromCertFile("c:\clientcert.cer")

        Dim myReq As HttpWebRequest = CType(WebRequest.Create("https://URL/"), HttpWebRequest)
        myReq.ClientCertificates.Add(cert)
        myReq.ContentType = "application/x-www-form-urlencoded"
        myReq.Method = "GET"

        Dim myRes As WebResponse = myReq.GetResponse()
        Dim respStream As System.IO.Stream = myRes.GetResponseStream()
        Dim reader As System.IO.StreamReader = New System.IO.StreamReader(respStream, System.Text.Encoding.ASCII)
        Dim strResponse As String = reader.ReadToEnd
        myRes.Close()
        Response.Write(strResponse.ToString)

Expert Comment by fruhj (LVL 12), ID: 13431622
David,
  Thanks for the .net post.  What was the final verdict on the Anonymous access? Were you able to get around it?

Expert Comment by davidlars99 (LVL 13), ID: 13431859
yes,  myReq.ClientCertificates.Add(cert) gets around the problem easily... is that what you asked...?  :)

Author Comment by BigMonkeyHead (LVL 1), ID: 13436037
DL99:  I don't have a .cer file - the original cert was provided in a .p12 format - I think it's buried in a system config somewhere (like a DB? or Local Certificate Store?), and not necessarily in a separate file.  I did, however, find an article http://msdn.microsoft.com/library/default.asp?url=/library/en-us/winhttp/http/winhttpcertcfg_exe__a_certificate_configuration_tool.asp that gives details on a cert config tool - looks promising, though it only refers to .pfx files....

I'd have tried your method if I could, but for now it looks like I have to log in as IUSR/IWAM and install, or attempt the config tool.

Any other ideas?

Author Comment by BigMonkeyHead (LVL 1), ID: 13436115
oh, and that link came from this one, which directly speaks of ASP.NET's inability to do just that.  http://support.microsoft.com/default.aspx?scid=kb;en-us;817854

Expert Comment by davidlars99 (LVL 13), ID: 13436422
hahaaa.... ASP.NET has better ways to deal with this kind of issues...  :)

Expert Comment by davidlars99 (LVL 13), ID: 13439357
By the way, you can do the same thing in ASP.NET too; you just have to reference "msxml4.dll" in your project:

Dim xmlhttp As MSXML2.ServerXMLHTTP40Class = New MSXML2.ServerXMLHTTP40Class
xmlhttp.setOption(MSXML2.SERVERXMLHTTP_OPTION.SXH_OPTION_SELECT_CLIENT_SSL_CERT, "CertName_or_just_zero")
xmlhttp.open("GET", "https://ssl_site/", False)
xmlhttp.setRequestHeader("Content-Type", "application/x-www-form-urlencoded")
xmlhttp.send()
Response.Write(xmlhttp.responseText)

Expert Comment by davidlars99 (LVL 13), ID: 13439401
BigMonkeyHead, when you said about ASP.NET's inability you're not quite right on that one; ASP.NET cannot do this under the ASPNET user, which is the default user, but you can do this by impersonating one of the admin accounts as I showed you before.

Author Comment by BigMonkeyHead (LVL 1), ID: 13502155
Sorry I've been away from this one - my boss is willing to wait a bit on it, but I'm sure I'll be back in a week or so.

I did log on the IUSR acct while physically at the server, but was not allowed to install the cert.  I couldn't log in as IWAM at all.  Maybe there's a permission I can tweak that will allow me to do this, but I'm not sure what it is.

David, I'll try the ASP.NET method soon and see what happens.  

Admin - I'd like to leave this open for a couple weeks if possible.  I'll be hitting this situation again at that time, and hit it till we find a solution!

Thanks for all your help so far.

Expert Comment by fruhj (LVL 12), ID: 13596925
BMH - any update?

Expert Comment by davidlars99 (LVL 13), ID: 13701015
BMH, how did this end up..?

Author Comment by BigMonkeyHead (LVL 1), ID: 14344254
Sorry guys, no update yet.  I did get hold of a code example from the vendor.  The example uses a COM object from nSoftware.com...unfortunately it runs about $400, but it does allow easier control of the HTTP request when a digital cert is present.

Here's the gist of the code:

    'declare the IPWorks HTTPS1 control
    'withEvents is needed as this how the control
    'sends back information
    Private WithEvents https1 As HTTPS

    https1.SSLCertStoreType = sstPFXFile
    'next, identify the store
    https1.SSLCertStore = "C:\_foo\ns_export.TestCert.p12"
    'put in the password
    https1.SSLCertStorePassword = "myPassword"
    'there are 3 keys in the file (discovered using the "CertMgr" control)
    'by experimenting and trying all 3 keys I discovered which one to use
    '(figuring out this part took forever!)
    https1.SSLCertSubject = "Key1""Key2""Key3"

    'szData will be built by events
    szData = ""

    https1.Get "https://www.targetURL.com?" & Replace(szRequestString, " ", "%20")

and the results are in szData

Expert Comment by davidlars99 (LVL 13), ID: 14362843
this is .NET, and you can view the source code of that COM object in .NET Reflector, check it out http://www.aisto.com/roeder/dotnet/

Author Comment by BigMonkeyHead (LVL 1), ID: 14687412
Problem solved!!!
Here are the steps:
Log in as admin, install certificate
Download Windows Resource Kits, use winhttpcertcfg.exe to grant access to the private key to the IWAM_machinename and Network Service accounts
> winhttpcertcfg.exe -g -a IWAM_machinename -c LOCAL_MACHINE\My -s "TransUnion Net Access Client Production"
> winhttpcertcfg.exe -g -a "Network Service" -c LOCAL_MACHINE\My -s "TransUnion Net Access Client Production"

This script works using the WinHttp object:
<%
' WinHttp.WinHttpRequest exposes SetClientCertificate; MSXML2.XMLHTTP does not
Set http = Server.CreateObject("WinHttp.WinHttpRequest.5.1")
http.open "GET", "https://www.targetCompany.com:9999/?ping", false
http.setRequestHeader "Content-Type", "application/x-www-form-urlencoded"
' Store and subject of the cert whose private key was granted with winhttpcertcfg above
http.setClientCertificate "LOCAL_MACHINE\My\[certificate name]"
http.send

response.write "response: " & http.responseText
%>

Thanks to all for their help!!

-Steve
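An added check, not code from the thread or any of its posters: this PowerShell script locates the client certificate in LOCAL_MACHINE\My, reports whether the IIS worker identity can read its private key (the permission winhttpcertcfg -g grants), and exercises the ping URL with that certificate. The certificate subject and the URL come from the thread; the NETWORK SERVICE account, the function names and the key-file folders are assumptions.

```powershell
# Added example; assumed: function names, NETWORK SERVICE as worker identity, CAPI/CNG key folders.
param(
    [string]$SubjectMatch = 'TransUnion Net Access Client Production',  # subject from the thread
    [string]$Identity     = 'NT AUTHORITY\NETWORK SERVICE',            # assumed worker identity
    [string]$PingUrl      = 'https://www.targetCompany.com:9999/?ping' # ping URL from the thread
)

function Get-ClientCert {
    # Newest certificate in the machine store whose subject matches and which has a private key
    param([string]$Subject)
    $certs = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "*$Subject*" -and $_.HasPrivateKey }
    if (-not $certs) { throw "No certificate with a private key matches '$Subject' in LOCAL_MACHINE\My" }
    return ($certs | Sort-Object NotAfter -Descending | Select-Object -First 1)
}

function Get-PrivateKeyPath {
    # The private key is a file on disk; its ACL decides which account may use the certificate.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    if ($Cert.PrivateKey -and $Cert.PrivateKey.CspKeyContainerInfo) {
        # Legacy CAPI (CSP) key, the kind a .p12 import on Windows 2003 produces
        $name = $Cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
        return Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" $name
    }
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
    if ($rsa -and $rsa.Key) {
        # CNG key on newer Windows; assumed folder for machine-scope CNG keys
        return Join-Path "$env:ProgramData\Microsoft\Crypto\Keys" $rsa.Key.UniqueName
    }
    throw "Cannot locate the private key file for thumbprint $($Cert.Thumbprint)"
}

function Test-KeyReadAccess {
    # True when $Account has an Allow rule (explicit or inherited) covering Read on the key file
    param([string]$KeyPath, [string]$Account)
    $read = [System.Security.AccessControl.FileSystemRights]::Read
    $rule = (Get-Acl -Path $KeyPath).Access | Where-Object {
        $_.IdentityReference.Value -eq $Account -and
        $_.AccessControlType -eq 'Allow' -and
        (($_.FileSystemRights -band $read) -eq $read)
    }
    return [bool]$rule
}

function Invoke-PingWithCert {
    # Presents the client certificate; a missing or unusable key typically surfaces as the
    # "underlying connection was closed" / access denied errors quoted in the thread.
    param([string]$Url, [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    try {
        $resp = Invoke-WebRequest -Uri $Url -Certificate $Cert -UseBasicParsing
        return $resp.StatusCode
    } catch [System.Net.WebException] {
        Write-Warning "Request failed: $($_.Exception.Message)"
        return $null
    }
}

$cert    = Get-ClientCert -Subject $SubjectMatch
$keyPath = Get-PrivateKeyPath -Cert $cert
Write-Host "Using $($cert.Subject) (thumbprint $($cert.Thumbprint)); key file: $keyPath"
if (-not (Test-KeyReadAccess -KeyPath $keyPath -Account $Identity)) {
    Write-Warning "$Identity cannot read the private key; grant Read with winhttpcertcfg -g -a '$Identity'"
}
# This request runs as the interactive user, so it proves the certificate works, not the worker's ACL.
Invoke-PingWithCert -Url $PingUrl -Cert $cert
```

Run it elevated on the web server; the ACL check is the part that matters for the worker process, since the browser test in the thread only ever ran under the logged-on administrator.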

Expert Comment by davidlars99 (LVL 13), ID: 14688304
wow..! it's great to know that you have finally solved it.. :)

one thing that I want to ask you, do not delete this question, just ask MODS to accept your last comment as an answer and ask for a refund.

Author Comment by BigMonkeyHead (LVL 1), ID: 14688397
mods - could you please accept my comment on 8/16 @ 3:06 PDT as the answer and refund the points?

Accepted Solution by PAQ_Man (earned 0 total points), ID: 14719227
Question Closed, 500 points refunded.
PAQ_Man
Community Support Moderator
