Solved

Client certificate not found using HttpWebRequest in ASP.NET

Posted on 2005-03-15
Last Modified: 2008-01-09
In my ASP page I'm using the following code:

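  ' Namespaces needed at the top of the code file:
  Imports System.IO
  Imports System.Net
  Imports System.Security.Cryptography.X509Certificates

  ' url, data and fullPath are set earlier in the page
  Dim webRequest As HttpWebRequest
  webRequest = CType(System.Net.WebRequest.Create(url), HttpWebRequest)
  webRequest.Method = "POST"
  webRequest.ContentType = "text/xml"
  webRequest.AllowAutoRedirect = False
  webRequest.KeepAlive = False
  webRequest.ContentLength = data.Length

  ' Load the public certificate from the *.DER file
  Dim publicCert As X509Certificate = X509Certificate.CreateFromCertFile(fullPath)

  ' Offer it as the client certificate for the SSL/TLS handshake
  webRequest.ClientCertificates.Add(publicCert)

  Dim str As Stream = webRequest.GetRequestStream()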

On the last line the following error is generated:

[Win32Exception (0x80004005): The message received was unexpected or badly formatted]

[WebException: The underlying connection was closed: Could not establish secure channel for SSL/TLS.]
   System.Net.HttpWebRequest.CheckFinalStatus() +673

After turning on logging to the event queue (HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\EventLogging = 7), the following message is logged:

The remote server has requested SSL client authentication, but no suitable client certificate could be found. An anonymous connection will be attempted. This SSL connection request may succeed or fail, depending on the server's policy settings.

The fullPath references (I checked it) the correct public *.DER certificate. I added the private key (*.pfx) to the Local Computer Personal Certificate Store using:
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q310178

I'm using IIS 5 on Windows 2000 and the .NET Framework 1.1 and I do NOT want to use a serviced component as described in:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/SecNetHT13.asp

The ASP page (IIS) seems to be running aspnet_wp.exe as local user ASPNET.

Also I downloaded Microsoft WSE 2.0 SP3 and used the X509 Certificate Tool to set full access permissions for user ASPNET on the private key file and changed the directory permissions on C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA and MachineKeys subdirectory to allow full access to the ASPNET user.

Still the error message remains the same...

Does anybody know how to use a client certificate from ASP.NET without using a serviced component?

Thanks in advance,


Martijn Beelen
Question by:martijnbeelen
9 Comments
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 13545049
So when they get the cert, is the connection then moving to port 443? (aka httpS) ?
http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/techref/en-us/Default.asp?url=/Resources/Documentation/windowsserv/2003/all/techref/en-us/w2k3tr_schan_tools.asp
I'm no ASP developer.. might try a different forum here at EE:
http://www.experts-exchange.com/Web/Web_Languages/ASP/
You can leave a note in community support to have the question moved http://www.experts-exchange.com/Community_Support/
-rich
0
 

Author Comment

by:martijnbeelen
ID: 13553215
Rich,

The connection moves to https on port 4443, because the connection is double-sided SSL. I verified that the problem is not with the server certificate and a single-sided SSL connection works. Only when using a client certificate to authenticate the (ASP) client, IIS reports it cannot find a private key and tries to start an anonymous connection, which fails (since the server won't accept it).

I'll leave a note in the Community Support to move the question to the ASP forum.

Thanks,

Martijn
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 13554699
Sorry I couldn't be of more help, I hope someone there will be able to help you better.
-rich
0
 

Author Comment

by:martijnbeelen
ID: 13609968
I found the solution:

It is necessary to install the private key in the personal certificate store of the ASPNET user. Problem: the ASPNET user has no login.

Do this:
- Change the password of the local ASPNET user, update the machine.config as described in:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/SecNetHT01.asp
- Change the local security policy to not deny the login of the ASPNET user (Administrative tools - Local security Policy)
- Login as ASPNET local user
- Add the certificate using the mmc as described in:
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q310178
- Logout and login as administrator again
- Change back the local security setting (deny login)

And now it works!

Greetings,

Martijn Beelen
0
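A diagnostic for the situation described in this thread, as an added example that is not part of the original posts: it reports, for the identity the code runs under, which personal store holds the certificate and whether its private key can be opened. It assumes .NET Framework 2.0 or later (X509Store and X509Certificate2 are not in the 1.1 framework used in the question); the module and function names are illustrative.

```vb
Imports System
Imports System.Security.Cryptography
Imports System.Security.Cryptography.X509Certificates
Imports System.Security.Principal
Imports System.Text

Module ClientCertCheck
    ' Reports where the certificate at certPath is installed and whether the
    ' current identity can open its private key there.
    Function Describe(ByVal certPath As String) As String
        Dim pub As New X509Certificate2(certPath)   ' public part only (*.DER / *.cer)
        Dim report As New StringBuilder()
        report.AppendLine("Identity: " & WindowsIdentity.GetCurrent().Name)
        For Each location As StoreLocation In New StoreLocation() {StoreLocation.CurrentUser, StoreLocation.LocalMachine}
            Dim store As New X509Store(StoreName.My, location)
            store.Open(OpenFlags.ReadOnly)
            Try
                Dim hits As X509Certificate2Collection = _
                    store.Certificates.Find(X509FindType.FindByThumbprint, pub.Thumbprint, False)
                If hits.Count = 0 Then
                    report.AppendLine(location.ToString() & "\My: certificate not installed")
                End If
                For Each cert As X509Certificate2 In hits
                    report.AppendLine(location.ToString() & "\My: " & KeyState(cert))
                Next
            Finally
                store.Close()
            End Try
        Next
        Return report.ToString()
    End Function

    Function KeyState(ByVal cert As X509Certificate2) As String
        If Not cert.HasPrivateKey Then Return "installed, no private key associated"
        Try
            ' Opening the key fails when this identity cannot read the key container.
            Dim key As AsymmetricAlgorithm = cert.PrivateKey
            If key Is Nothing Then Return "private key not available"
            Return "private key present and readable"
        Catch ex As CryptographicException
            Return "private key present but not readable: " & ex.Message
        End Try
    End Function

    Sub Main(ByVal args As String())
        Console.Write(Describe(args(0)))   ' args(0): path to the public certificate file
    End Sub
End Module
```

Calling Describe from a page in the web application, rather than from a console session, makes the report reflect the worker process identity (ASPNET in this thread) instead of the logged-in administrator.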
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 13611515
You can have the question closed and points refunded if you go to the community support tab of EE, leave a question there and they will get to it asap.
Glad to hear you found the solution! http://www.experts-exchange.com/Community_Support/
-rich
0
 

Author Comment

by:martijnbeelen
ID: 13612435
Thanks Rich,

I asked a question for refund of the points and I'm glad to have finally found a solution too ;-)

Martijn
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 13618103
No objections.
-rich
0
 

Accepted Solution

by:
modulo earned 0 total points
ID: 13619520
PAQ-ing the question and refunding 500 points

Thanks richrumble !

modulo

Community Support Moderator
Experts Exchange
0
