Digital Certificates in ASP

Windows 2003 Server, IIS 6.0, classic ASP

I was provided a digital certificate by an external company to install on my server for authentication/access permissions into their server.  To test the connection, they've provided a ping service which must be accessed over a non-standard port:
https://www.targetCompany.com:9999?ping

If I hit this from a browser on my server, it prompts me to select my cert, I hit OK, and all is well.  I get the page returned by the ping function.

However, if I hit my ASP script via my website, it hangs till it times out.

http://www.myWebSite.com/foo.asp

*****  foo.asp  *****
<%
Set objXmlHTTP = Server.CreateObject("MSXML2.XMLHTTP")
objXmlHTTP.open "GET", "https://www.targetCompany.com:9999/?ping", false
objXmlHttp.setRequestHeader "Content-Type", "application/x-www-form-urlencoded"
objXmlHttp.send

response.write "response: " & objXmlHttp.responseText
%>

To install the certificate (filetype is .p12), I logged into the server with admin privileges, and clicked through.

I have no stinkin' idea what's failing.  IUSR_[machineName] permissions?

500 points - I need this one pretty bad.

-Steve
BigMonkeyHeadAsked:
TRACEYMARYCommented:
Did you install the certificate on the server as an SSL ....
on iis you go to default web site and click on directory security and secure communications

then you can run any page
https://

0
davidlars99Commented:
XmlHttp is unreliable when used from within an ASP server-side context. If you attempt to use XmlHttp from within an ASP page for server-to-server communication, you'll experience unpredictable results that might vary from an incredibly long completion time to random errors to an inability to connect to SSL sites. It seems that MSXML was released without a careful and complete testing cycle. Microsoft admits that XmlHttpRequest was designed and tested only to be used from a client machine. You should try it using some client-side script, i.e. JavaScript or VBScript, and see if it works. I hate to say this, but I don't think you will be able to get this thing to work in ASP. I wish you lots of luck though... :)
0
BigMonkeyHeadAuthor Commented:
TM:  I don't believe SSL is the issue - I've got a Thawte cert that the site already uses for SSL extensively.  This cert was issued by the company I'm trying to connect to... As such, I can install it on as many machines as I want.  I had tried the same procedure I outlined above with non-SSL, but since SSL will be required in production, I figured it would be better to focus on getting that working first.

DL99:  I wrote a quick and dirty JavaScript using XmlHttpRequest, didn't see anything promising, though I'm not well-versed in JS.  I have seen a working example in Java, but since NONE of the site (that I inherited, mind you) is written in Java, I've really never considered trying to implement it.  I'm not ready for a re-write, so a Java solution would have to be able to talk to the rest of the ASP code.

Can Java and ASP co-exist happily?  Or what about an ASP.NET solution, maybe that would play nicer?  Performance considerations?
0
davidlars99Commented:
Forget about JavaScript, it will give you nothing but a headache with XmlHttp. I've got an example of it right here

http://www.frozendev.com/temp/xmlhttp.html


In .NET it's a little different, but more reliable, and you need to import the following DLL:  "System.Net"

Dim myReq As HttpWebRequest = CType(WebRequest.Create("http://www.google.com/"), HttpWebRequest)
myReq.ContentType = "application/x-www-form-urlencoded"
myReq.Method = "GET"
Dim myRes As WebResponse = myReq.GetResponse()
Dim respStream As System.IO.Stream = myRes.GetResponseStream()
Dim reader As System.IO.StreamReader = New System.IO.StreamReader(respStream, System.Text.Encoding.ASCII)
Dim strResponse As String = reader.ReadToEnd
Response.Write(strResponse.ToString)
0
davidlars99Commented:
If you use the "POST" method then you need to configure IIS like so

http://www.somacon.com/blog/page26.php
0
davidlars99Commented:
Sorry, I forgot to tell you that you have to close the response object after everything is done

myRes.Close()
0
BigMonkeyHeadAuthor Commented:
OK, so I'm a complete .NET noob.  I put your code into a .aspx file, and I put Imports System.Net as the first line.  Apparently this is wrong.

Server Error in '/' Application.
The resource cannot be found.

What do I need to do to get the application configured?  Where do I import System.Net?  Big apologies for not understanding this...:)
0
davidlars99Commented:
No apologies BigMonkeyHead, we're all here to learn, so take your time and review...  :) By the way, you can put a <script> block anywhere in the page to write stuff out, but directives must be at the top of everything


<%@ Import Namespace="System.Net" %>
<%@ Page Language="vb" Debug="true" %>
<HTML>
<HEAD>
<Script Language="vb" Runat="server">
Sub Page_Load()
      Dim myReq As HttpWebRequest = CType(WebRequest.Create("http://www.google.com/"), HttpWebRequest)
      myReq.ContentType = "application/x-www-form-urlencoded"
      myReq.Method = "GET"
      Dim myRes As WebResponse = myReq.GetResponse()
      Dim respStream As System.IO.Stream = myRes.GetResponseStream()
      Dim reader As System.IO.StreamReader = New System.IO.StreamReader(respStream, System.Text.Encoding.ASCII)
      Dim strResponse As String = reader.ReadToEnd()
      reader.Close()
      myRes.Close()   'release the connection back to the pool
      Response.Write(strResponse)
End Sub
</Script>
<TITLE></TITLE>
</HEAD>
<BODY>
<form id="form1" runat="server">
<p> &nbsp; </p>
</form>
</BODY>
</HTML>


When you're done, go to the IIS window, click the folder in which this *.aspx file will be located and click "Create"; IIS needs to create an application in order to compile it properly
0
davidlars99Commented:
Maybe you just need to create an application directory in IIS; try the last step first and if it doesn't work then try the whole thing
0
fruhjCommented:
BMH,

I think this discussion is getting off track,

You were given a client certificate by targetcompany.

The client cert got registered/used by IE, but you haven't specified any code to use it in your connection you initiate from ASP.

try this:

*****  foo.asp  *****
<%
Const SXH_OPTION_SELECT_CLIENT_SSL_CERT = 3
Const certname = "" 'certname when left blank pulls your first client certificate

'I changed this:
Set objXmlHTTP = Server.CreateObject("Msxml2.ServerXMLHTTP.4.0")

'I added this (VBScript: no parentheses when calling a method with two arguments as a statement):
objXmlHTTP.setOption SXH_OPTION_SELECT_CLIENT_SSL_CERT, certname


objXmlHTTP.open "GET", "https://www.targetCompany.com:9999/?ping", false
objXmlHTTP.setRequestHeader "Content-Type", "application/x-www-form-urlencoded"
objXmlHTTP.send

response.write "response: " & objXmlHTTP.responseText
%>

Note that I changed the object you were using to the server version of the file.
Also note that how you call that object depends on what version you install (the Msxml2.ServerXMLHTTP.4.0 might be different for your install)

Lastly you might need to upgrade your MSXML to the latest version - when you do, it will install a help file and add it to your start menu, which is where I'm getting my info from.

Hope this is the answer you need!

- Jack
0
BigMonkeyHeadAuthor Commented:
Thanks for the help guys!  I'll hit this from both ways, my boss won't feed me until I get this working.  ;)

DL99:
code is failing on      Dim myRes As WebResponse = myReq.GetResponse()
"The underlying connection was closed: An unexpected error occurred on a receive.
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

Exception Details: System.Net.WebException: The underlying connection was closed: An unexpected error occurred on a receive."

Jack:
Access is Denied.  
It's failing on objXmlHttp.send  I also tried specifying the cert in certname as well - same result.

-----

I think that both of these are the same type of failure.  Is there a way to see what cert the code thinks it's trying to use?  One of the things I was concerned about was the IUSR_machineName acct having access to the certificate (since I installed it as admin) - is this a "real" concern?

-Steve
0
davidlars99Commented:
If you think that it's an admin account issue then create a file named "web.config" in the same directory where the ".aspx" file is and put this code inside it. Note that you have to impersonate the particular Windows account which the certificate was installed with by putting its username and password in the attributes of the <identity> element

<configuration>
  <system.web>
    <authentication mode="Windows" />
    <identity impersonate="true" userName="username" password="password" />
  </system.web>
</configuration>
0
davidlars99Commented:
I found some great info on the ASP issue; there are two resolutions for the above mentioned problem and I'm sure if you follow the instructions you'll get it to work, but please just do me a favor and try the ASP.NET way as well, I'm just curious about it

thanks


http://support.microsoft.com/default.aspx?scid=kb;EN-US;q302080
0
fruhjCommented:
Hey BMH, I think you're getting closer.

Check this article to see if your certificate is installed right http://support.microsoft.com/kb/301429/EN-US/

Also make sure you have the latest MSXML installed, they've fixed a few bugs related to this.

Also as a side note, when you do your testing, make sure you are hitting the real server.

I used MSXML to retrieve a page from my own server for caching once, it worked fine on my workstation, and failed on the server.
As it turned out, on the workstation, I had debugging enabled, which caused all tasks to run one after the other so my script waited for the result. On the production server where debugging was off, it tried to fetch the page concurrently and the exact same script failed - Can't tell you how much time I spent troubleshooting that one...
0
BigMonkeyHeadAuthor Commented:
OK, now I'm really hosing things up!!  Followed the Microsoft links (I had seen them before, but didn't know if that was the right path).  I tried to reset the IWAM_machineName password, and now I can't access large parts of my site.

I was following the instructions at http://support.microsoft.com/kb/269367 and I'm getting the 80110414 error when trying to run synciwam....HELP!!
0
davidlars99Commented:
FOUND THE SOLUTION!!!!

I created an https site and I was unable to access it with either MSXML or .NET; all I had to do was enable anonymous access to that directory where the https protocol was registered
0
BigMonkeyHeadAuthor Commented:
OK... I fixed my 7:02 freakout.  Had to reset the IUSR password too.

Enable anonymous access, eh?  So if I've got my script at /webroot/myscript.asp, I should enable anon access to /webroot via IIS?
0
davidlars99Commented:
So you need to call those people and tell them to enable anonymous access to that directory or grant access to your IP address; I just did both and they worked
0
davidlars99Commented:
Without enabling anonymous access to the SSL-protected directory it is impossible to do things like that
0
davidlars99Commented:
>  ok...i fixed by 7:02 freakout.  had to reset the IUSR password too.

So I was wrong then...?  :)
0
BigMonkeyHeadAuthor Commented:
dl99 (3:31 PST):  including those items in the web.config had no effect.  username should be userName, but otherwise, I did it just as you showed.

fruhj:  my 45 min of insanity earlier tonight was while I was trying to get the IWAM and IUSR passwords synced up across the system.  I needed to reset the IWAM password in order to install the cert while logged in as IWAM.  Unfortunately, I'm operating remotely tonight and IWAM is not allowed remote login permissions... I'll mess with that some more, or just log in on site, so I can install the cert as IWAM w/ admin permissions.

dl99 (7:43 PST and subs): I've got another script in the same directory that hits a different remote server under SSL, so I know that things work on my end to enable this.  I've got a Thawte cert; I believe that's what allows it to tick.  However, I'm not sure that having the target server grant anon access will make it work.  Otherwise, I wouldn't be able to hit their server from the browser on my server, right?
0
fruhjCommented:
BMH, DL99:

  Assuming the company who owns the remote server was willing to enable anon access, then no client certificate would be needed for authentication, since they would have just opened up the site to everyone.

  BMH is going through all this because the company requires him to have a client certificate.

  DL99: I'm not sure you're getting the distinction between a Server SSL certificate and a Client Access certificate (found in IE under Tools -> Internet Options -> Content tab -> Certificates -> Personal). The test you said you performed would have nothing to do with the scenario BMH has described.
   
0
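The distinction fruhj draws above is visible in the certificate itself: a server certificate carries the Server Authentication EKU (1.3.6.1.5.5.7.3.1), a client certificate the Client Authentication EKU (1.3.6.1.5.5.7.3.2), and only a certificate whose private key is on the machine can be presented by code running there. The PowerShell below is an added example written for this page (not code from the thread or from any participant); it walks Cert:\LocalMachine\My and reports both properties for each certificate. The store path is the only assumption.

```powershell
# Added example; not code from the thread. Assumes Windows PowerShell 5.1 with
# read access to the machine certificate store (Cert:\LocalMachine\My by default).

$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth

function Get-CertificateUsageReport {
    param([string]$StorePath = 'Cert:\LocalMachine\My')

    foreach ($cert in Get-ChildItem -Path $StorePath) {
        $eku = $cert.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        }
        # A certificate with no EKU extension is valid for any purpose.
        $oids = if ($eku) { @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) } else { @() }

        [pscustomobject]@{
            Subject       = $cert.Subject
            Issuer        = $cert.Issuer
            Thumbprint    = $cert.Thumbprint
            NotAfter      = $cert.NotAfter
            HasPrivateKey = $cert.HasPrivateKey     # without this the cert cannot be used for client auth here
            ServerAuth    = (-not $eku) -or ($oids -contains $ServerAuthOid)
            ClientAuth    = (-not $eku) -or ($oids -contains $ClientAuthOid)
        }
    }
}

# Candidates that code on this server could actually present to a remote site:
# client-auth capable AND private key present in the machine store.
Get-CertificateUsageReport |
    Where-Object { $_.ClientAuth -and $_.HasPrivateKey } |
    Format-Table Subject, Issuer, NotAfter, ServerAuth, ClientAuth -AutoSize
```

A site's own Thawte-issued server certificate will normally show ServerAuth only, while the certificate the vendor handed out in the .p12 should show ClientAuth and HasPrivateKey; if the second one is missing from this list, the web application has nothing it can present regardless of which HTTP object it uses.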
davidlars99Commented:
> DL99: I'm not sure you're getting the distinction between a Server SSL certificate..........

I think I also said the following
> without enabling anonimous access to the SSL protected directory it is impossible to do things like that

Then let's just consider that you cannot access SSL with MSXML or HttpWebRequest because both use anonymous access, and that's the end of it!!!

0
davidlars99Commented:
This article doesn't exactly tell you that MSXML uses anonymous access, but it's easy to guess by reading the entire thing

http://support.microsoft.com/default.aspx?scid=kb;EN-US;q315909
0
davidlars99Commented:
and again I might be wrong about the whole thing but that's how the problem suggests itself, but anyway I have a good solution which I'm not gonna reveal until tomorrow morning, right now I really need a nice goodnight sleeeeeee..........p.....
0
BigMonkeyHeadAuthor Commented:
My existing functional code that uses SSL successfully uses the Microsoft.XmlHttp object.  I'm leaning towards the IWAM install solution...

I appreciate everyone's help here, I think we're real close!!
0
davidlars99Commented:
I got .NET code working

        Dim cert As System.Security.Cryptography.X509Certificates.X509Certificate
        cert = System.Security.Cryptography.X509Certificates.X509Certificate.CreateFromCertFile("c:\clientcert.cer")

        Dim myReq As HttpWebRequest = CType(WebRequest.Create("https://URL/"), HttpWebRequest)
        myReq.ClientCertificates.Add(cert)
        myReq.ContentType = "application/x-www-form-urlencoded"
        myReq.Method = "GET"

        Dim myRes As WebResponse = myReq.GetResponse()
        Dim respStream As System.IO.Stream = myRes.GetResponseStream()
        Dim reader As System.IO.StreamReader = New System.IO.StreamReader(respStream, System.Text.Encoding.ASCII)
        Dim strResponse As String = reader.ReadToEnd
        myRes.Close()
        Response.Write(strResponse.ToString)
0
fruhjCommented:
David,
  Thanks for the .net post.  What was the final verdict on the Anonymous access? Were you able to get around it?
0
davidlars99Commented:
yes,  myReq.ClientCertificates.Add(cert) gets around the problem easily... is that what you asked...?  :)
0
BigMonkeyHeadAuthor Commented:
DL99:  I don't have a .cer file - the original cert was provided in a .p12 format - I think it's buried in a system config somewhere (like a DB? or Local Certificate Store?), and not necessarily in a separate file.  I did, however, find an article http://msdn.microsoft.com/library/default.asp?url=/library/en-us/winhttp/http/winhttpcertcfg_exe__a_certificate_configuration_tool.asp that gives details on a cert config tool - looks promising, though it only refers to .pfx files....

I'd have tried your method if I could, but for now it looks like I have to log in as IUSR/IWAM and install, or attempt the config tool.

Any other ideas?
0
BigMonkeyHeadAuthor Commented:
oh, and that link came from this one, which directly speaks of ASP.NET's inability to do just that.  http://support.microsoft.com/default.aspx?scid=kb;en-us;817854
0
davidlars99Commented:
hahaaa.... ASP.NET has better ways to deal with this kind of issues...  :)
0
davidlars99Commented:
By the way you can do the same thing in ASP.NET too, you just have to reference "msxml4.dll" in your project

Dim xmlhttp As MSXML2.ServerXMLHTTP40Class = New MSXML2.ServerXMLHTTP40Class
xmlhttp.setOption(MSXML2.SERVERXMLHTTP_OPTION.SXH_OPTION_SELECT_CLIENT_SSL_CERT, "CertName_or_just_zero")
xmlhttp.open("GET", "https://ssl_site/", False)
xmlhttp.setRequestHeader("Content-Type", "application/x-www-form-urlencoded")
xmlhttp.send()
Response.Write(xmlhttp.responseText)
0
davidlars99Commented:
BigMonkeyHead, when you said about ASP.NET's inability you're not quite right on that one; ASP.NET cannot do this under the ASPNET user, which is the default user, but you can do this by impersonating one of the admin accounts as I showed you before
0
BigMonkeyHeadAuthor Commented:
Sorry I've been away from this one - my boss is willing to wait a bit on it, but I'm sure I'll be back in a week or so.

I did log on the IUSR acct while physically at the server, but was not allowed to install the cert.  I couldn't log in as IWAM at all.  Maybe there's a permission I can tweak that will allow me to do this, but I'm not sure what it is.

David, I'll try the ASP.NET method soon and see what happens.  

Admin - I'd like to leave this open for a couple weeks if possible.  I'll be hitting this situation again at that time, and hit it till we find a solution!

Thanks for all your help so far.
0
fruhjCommented:
BMH - any update?
0
davidlars99Commented:
BMH, how did this end up..?
0
BigMonkeyHeadAuthor Commented:
sorry guys, no update yet.  I did get a hold of a code example from the vendor.  The example uses a COM object from nSoftware.com...unfortunately it runs about $400, but it does allow easier control of the http request when a digital cert is present.

here's the gist of the code:

    'declare the IPWorks HTTPS1 control
    'withEvents is needed as this how the control
    'sends back information
    Private WithEvents https1 As HTTPS

    https1.SSLCertStoreType = sstPFXFile
    'next, identify the store
    https1.SSLCertStore = "C:\_foo\ns_export.TestCert.p12"
    'put in the password
    https1.SSLCertStorePassword = "myPassword"
    'there are 3 keys in the file (discovered using the "CertMgr" control)
    'by experimenting and trying all 3 keys I discovered which one to use
    '(figuring out this part took forever!)
    https1.SSLCertSubject = "Key1""Key2""Key3"

    'szData will be built by events
    szData = ""

    https1.Get "https://www.targetURL.com?" & Replace(szRequestString, " ", "%20")

and the results are in szData
0
davidlars99Commented:
this is .NET, and you can view the source code of that COM object in .NET Reflector, check it out http://www.aisto.com/roeder/dotnet/
0
BigMonkeyHeadAuthor Commented:
Problem solved!!!
Here are the steps:
Log in as admin, install certificate
Download Windows Resource Kits, use winhttpcertcfg.exe to grant access to the private key to the IWAM_machinename and Network Service accounts
> winhttpcertcfg.exe -g -a IWAM_machinename -c LOCAL_MACHINE\My -s "TransUnion Net Access Client Production"
> winhttpcertcfg.exe -g -a "Network Service" -c LOCAL_MACHINE\My -s "TransUnion Net Access Client Production"

This script works using the WinHttp object:
<%
Set http = Server.CreateObject("WinHttp.WinHttpRequest.5.1")
http.open "GET", "https://www.targetCompany.com:9999/?ping", false
http.setRequestHeader "Content-Type", "application/x-www-form-urlencoded"
'store\container\subject; the web identity must have read access to this cert's private key
http.setClientCertificate "LOCAL_MACHINE\My\[certificate name]"
http.send

response.write "response: " & http.responseText
%>

Thanks to all for their help!!

-Steve
0
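The two winhttpcertcfg lines in the answer above are the real fix: importing a .p12 as an administrator leaves the private key container readable only by Administrators and SYSTEM, so the web identity can see the certificate in LOCAL_MACHINE\My but cannot use the key, which is consistent with the "Access is Denied" seen earlier on send. On IIS 6 in worker process isolation mode that identity is the application pool account (Network Service by default); IWAM_machinename only matters in IIS 5 isolation mode, which is why the thread grants both. The PowerShell below is an added example written for this page (not code from the thread or any participant) that does the same thing without the Resource Kit: it locates the key file, grants one account Read on it and then repeats the request through the same WinHttp.WinHttpRequest.5.1 object the final ASP script uses. It assumes Windows PowerShell 5.1 on .NET Framework 4.6 or later, an elevated session on the IIS host, the certificate already imported with its private key, and placeholder values for $Account, $Subject and $Url. Read on that file is what lets the account sign as the client identity, so grant it to the specific worker identity only, never to Everyone or IUSR.

```powershell
# Added example; not code from the thread. Assumes Windows PowerShell 5.1 on
# .NET Framework 4.6+, run elevated on the IIS host, with the vendor's client
# certificate (and private key) already imported into LocalMachine\My.
# $Account, $Subject and $Url are placeholders: adjust them for the real system.

$Account = 'NT AUTHORITY\NETWORK SERVICE'          # identity the web application runs as
$Subject = 'Example Client Cert'                   # substring of the client certificate subject
$Url     = 'https://www.targetCompany.com:9999/?ping'

function Get-ClientCertificate {
    param([string]$SubjectText)
    $cert = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "*$SubjectText*" -and $_.HasPrivateKey } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) { throw "No certificate with a private key matching '$SubjectText' in LocalMachine\My" }
    $cert
}

function Get-PrivateKeyFile {
    # Returns the on-disk key container whose ACL decides who may use the key.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
    if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        $name = $rsa.CspKeyContainerInfo.UniqueKeyContainerName   # legacy CAPI key, what a .p12 import yields
    } elseif ($rsa -is [System.Security.Cryptography.RSACng]) {
        $name = $rsa.Key.UniqueName                                # CNG key
    } else {
        throw "Unsupported or non-RSA private key for $($Cert.Thumbprint)"
    }
    foreach ($dir in 'Microsoft\Crypto\RSA\MachineKeys', 'Microsoft\Crypto\Keys') {
        $candidate = Join-Path $env:ProgramData (Join-Path $dir $name)
        if (Test-Path -LiteralPath $candidate) { return $candidate }
    }
    throw "Key container '$name' not found under $env:ProgramData\Microsoft\Crypto"
}

function Grant-PrivateKeyRead {
    # Equivalent of 'winhttpcertcfg -g -a <account>'. Read on this file is
    # enough to sign with the key, i.e. to act as this client identity.
    param([string]$KeyFile, [string]$Account)
    $acl = Get-Acl -LiteralPath $KeyFile
    $existing = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $Account -and $_.AccessControlType -eq 'Allow' -and
        (($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::Read) -ne 0)
    }
    if ($existing) { Write-Host "$Account can already read $KeyFile"; return }
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Account, 'Read', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $KeyFile -AclObject $acl
}

function Invoke-ClientCertRequest {
    param([string]$Url, [string]$SubjectText)
    $http = New-Object -ComObject 'WinHttp.WinHttpRequest.5.1'
    $http.Open('GET', $Url, $false)
    # Same store\container\subject form as the thread's final ASP script; WinHTTP
    # takes the first certificate in LOCAL_MACHINE\My whose subject contains the text.
    $http.SetClientCertificate("LOCAL_MACHINE\My\$SubjectText")
    # SslErrorIgnoreFlags (Option 4) is deliberately left at its default of 0: the
    # server certificate must still validate before the client key is ever used.
    $http.Send()
    [pscustomobject]@{ Status = $http.Status; Body = $http.ResponseText }
}

$cert    = Get-ClientCertificate -SubjectText $Subject
$keyFile = Get-PrivateKeyFile -Cert $cert
Grant-PrivateKeyRead -KeyFile $keyFile -Account $Account
(Get-Acl -LiteralPath $keyFile).Access | Format-Table IdentityReference, FileSystemRights -AutoSize
Invoke-ClientCertRequest -Url $Url -SubjectText $Subject
```

Run it once as an administrator; afterwards the ACL listing should show the worker identity with Read alongside Administrators and SYSTEM, and the request should return the vendor's ping page instead of a hang or "Access is Denied". If the ACL already shows the account but the request still fails, the problem is no longer key access and the MSXML/WinHTTP version or the subject string passed to SetClientCertificate is the next thing to check.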
davidlars99Commented:
wow..! it's great to know that you have finally solved it.. :)

one thing that I want to ask you, do not delete this question, just ask MODS to accept your last comment as an answer and ask for a refund.
0
BigMonkeyHeadAuthor Commented:
mods - could you please accept my comment on 8/16 @ 3:06 PDT as the answer and refund the points?
0
PAQ_ManCommented:
Question Closed, 500 points refunded.
PAQ_Man
Community Support Moderator
0
