Client certificate not found using HttpWebRequest in ASP.NET

Posted on 2005-03-15
Medium Priority
Last Modified: 2008-01-09
In my ASP page I'm using the following code:

  Imports System.IO
  Imports System.Net
  Imports System.Security.Cryptography.X509Certificates

  Dim webRequest As HttpWebRequest
  webRequest = CType(WebRequest.Create(url), HttpWebRequest)
  webRequest.Method = "POST"
  webRequest.ContentType = "text/xml"
  webRequest.AllowAutoRedirect = False
  webRequest.KeepAlive = False
  webRequest.ContentLength = data.Length

  ' CreateFromCertFile loads only the public part of the certificate; at handshake
  ' time SChannel looks up the matching private key in the store of the account
  ' the process runs as.
  Dim publicCert As X509Certificate = X509Certificate.CreateFromCertFile(fullPath)

  ' The certificate must be attached to the request, or no client
  ' authentication is attempted at all.
  webRequest.ClientCertificates.Add(publicCert)

  ' GetRequestStream opens the connection and performs the SSL/TLS handshake.
  Dim str As Stream = webRequest.GetRequestStream()

On the last line the following error is generated:

[Win32Exception (0x80004005): The message received was unexpected or badly formatted]

[WebException: The underlying connection was closed: Could not establish secure channel for SSL/TLS.]
   System.Net.HttpWebRequest.CheckFinalStatus() +673

After turning on logging to the event queue (HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\EventLogging = 7), the following message is logged:

The remote server has requested SSL client authentication, but no suitable client certificate could be found. An anonymous connection will be attempted. This SSL connection request may succeed or fail, depending on the server's policy settings.

The fullPath references (I checked it) the correct public *.DER certificate. I added the private key (*.pfx) to the Local Computer Personal Certificate Store using:

I'm using IIS 5 on windows 2000 and the .NET Framework 1.1 and I do NOT want to use a serviced component as described in:

The ASP page (IIS) seems to be running aspnet_wp.exe as local user ASPNET.

Also I downloaded Microsoft WSE 2.0 SP3 and used the X509 Certificate Tool to set full access permissions for user ASPNET on the private key file and changed the directory permissions on C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA and MachineKeys subdirectory to allow full access to the ASPNET user.

Still the error message remains the same...

Does anybody know how to use a client certificate from ASP.NET without using a serviced component?

Thanks in advance,

Martijn Beelen
Question by:martijnbeelen
LVL 38

Expert Comment

by:Rich Rumble
ID: 13545049
So when they get the cert, is the connection then moving to port 443 (aka HTTPS)?
I'm no ASP developer... you might try a different forum here at EE.
You can leave a note in Community Support to have the question moved: http://www.experts-exchange.com/Community_Support/

Author Comment

ID: 13553215

The connection moves to https on port 4443, because the connection is double-sided SSL. I verified that the problem is not with the server certificate and a single-sided SSL connection works. Only when using a client certificate to authenticate the (ASP) client, IIS reports it cannot find a private key and tries to start an anonymous connection, which fails (since the server won't accept it).

I'll leave a note in the Community Support to move the question to the ASP forum.


LVL 38

Expert Comment

by:Rich Rumble
ID: 13554699
Sorry I couldn't be of more help; I hope someone there will be able to help you better.


Author Comment

ID: 13609968
I found the solution:

It is necessary to install the private key in the personal certificate store of the ASPNET user. Problem: the ASPNET user has no login.

Do this:
- Change the password of the local ASPNET user, update the machine.config as described in:
- Change the local security policy to not deny the login of the ASPNET user (Administrative tools - Local security Policy)
- Login as ASPNET local user
- Add the certificate using the mmc as described in:
- Logout and login as administrator again
- Change back the local security setting (deny login)

And now it works!


Martijn Beelen
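The fix above comes down to one thing: the private key has to be reachable from the certificate store of the account the worker process runs as. The following check, added here and not part of the original post, opens the personal store of the current identity, reports which certificates actually have a loadable private key, and attaches a usable one to an HttpWebRequest. It assumes .NET 2.0 or later (X509Store and X509Certificate2 do not exist in the 1.1 framework used in the question); the subject fragment and URL are placeholders. Run it under the same account as the application (e.g. ASPNET) to reproduce what SChannel will see.

```vbnet
Imports System
Imports System.Net
Imports System.Security.Cryptography
Imports System.Security.Cryptography.X509Certificates

Module ClientCertCheck
    ' Returns the first certificate in the personal store of the given location whose
    ' subject contains subjectFragment AND whose private key the current account can
    ' open. Returns Nothing when no such certificate exists (the situation in the question).
    Function FindUsableClientCert(location As StoreLocation, subjectFragment As String) As X509Certificate2
        Dim store As New X509Store(StoreName.My, location)
        store.Open(OpenFlags.ReadOnly)
        Try
            For Each cert As X509Certificate2 In store.Certificates
                If cert.Subject.IndexOf(subjectFragment, StringComparison.OrdinalIgnoreCase) < 0 Then Continue For
                If Not cert.HasPrivateKey Then
                    Console.WriteLine("{0}: public part only, no private key in this store", cert.Thumbprint)
                    Continue For
                End If
                Try
                    ' Reading PrivateKey forces CAPI to open the key container; it throws
                    ' when the account lacks permission on the key file, which is the
                    ' case the question's MachineKeys ACL changes were trying to address.
                    Dim key As AsymmetricAlgorithm = cert.PrivateKey
                    Console.WriteLine("{0}: private key accessible ({1})", cert.Thumbprint, key.KeyExchangeAlgorithm)
                    Return cert
                Catch ex As CryptographicException
                    Console.WriteLine("{0}: private key present but not readable: {1}", cert.Thumbprint, ex.Message)
                End Try
            Next
        Finally
            store.Close()
        End Try
        Return Nothing
    End Function

    Sub Main()
        ' Placeholder subject fragment; replace with part of the real client cert subject.
        Dim cert As X509Certificate2 = FindUsableClientCert(StoreLocation.CurrentUser, "EXAMPLE-CLIENT")
        If cert Is Nothing Then
            Console.WriteLine("No usable client certificate for identity {0}", Environment.UserName)
            Return
        End If
        ' Placeholder endpoint; the handshake happens inside GetRequestStream.
        Dim req As HttpWebRequest = CType(WebRequest.Create("https://example.invalid:4443/"), HttpWebRequest)
        req.Method = "POST"
        req.ClientCertificates.Add(cert)
        Using s = req.GetRequestStream()
        End Using
    End Sub
End Module
```

If the check prints "public part only" under the application account but the key is visible under your own login, the key was imported into the wrong store, which is exactly what the login-as-ASPNET procedure above corrects.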
LVL 38

Expert Comment

by:Rich Rumble
ID: 13611515
You can have the question closed and points refunded if you go to the community support tab of EE, leave a question there and they will get to it asap.
Glad to hear you found the solution! http://www.experts-exchange.com/Community_Support/

Author Comment

ID: 13612435
Thanks Rich,

I asked a question for refund of the points and I'm glad to have finally found a solution too ;-)

LVL 38

Expert Comment

by:Rich Rumble
ID: 13618103
No objections.

Accepted Solution

modulo earned 0 total points
ID: 13619520
PAQ-ing the question and refunding 500 points

Thanks richrumble !


Community Support Moderator
Experts Exchange
