Solved

Can't connect to internal web server via application

Posted on 2013-05-12
Last Modified: 2014-04-03
I have a connection for an external customer on an external web server to an internal web server via https (443) using web services. Both are recently created Windows 2008 R2 64bit servers using IIS7. I can't get the certificate to install correctly by installing it from the certificate error page. I thought I could install it using the server's certificate.
The external server is in a workgroup and the internal web server is in a domain.

However my knowledge of certificates is weak and I just can't get it to connect correctly.

see error:
System.Net.WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure............
Question by:pyrosdav
11 Comments
 
Expert Comment

by:Paul MacDonald
ID: 39161463
It's unclear to me what the connection path is here.  Also unclear is who issued the certificate, and to whom it was issued.

If I understand correctly the path is ...
     client -> https connection -> external server -> web service connection -> internal server
...and you're trying to make the connection secure by taking a certificate issued to the internal server, and installing it on the external server - is that right?

Expert Comment

by:Aaron Tomosky
ID: 39162203
When you install the cert, you have to add it to the ROOT store, not the default "put it wherever I think it should go".
 

Author Comment

by:pyrosdav
ID: 39162286
Currently  we are trying to get the connection directly from the external web server to the internal web server via 443 before we open up access to the customers on the outside world.

I am remoted in to the external web server and trying to hit the localhost webpage on the external server : https://localhost/carrierhub/Login/Login.aspx?ReturnUrl=%2fCarrierHub%2fStandardApps%2fUserProfile.aspx

This prompts a certificate warning and the option to continue (not recommended)

I continue logging in with the admin acct and can get to the webpage, but I get back an error message when the webpage is trying to pull the data from the internal web server.

I tried to click on the mismatch certificate error on that page to get rid of the first certificate warning and install it to Trusted Root Certification Authorities. It installed, but I continue to get prompted for the certificate warning.

The main page shows the original error I posted, but anywhere I try to click on the webpage I get "The remote certificate is invalid according to the validation procedure." The stack trace shows the 2 main exceptions:

AuthenticationException: The remote certificate is invalid according to the validation procedure.]................

[WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.].....................

Expert Comment

by:Aaron Tomosky
ID: 39162427
I'm not a cert expert by any means, but usually when I see that sort of thing, it's because the cert isn't chained up to a root authority. I'll let someone else get into it deeper, but I'm pretty sure you are on the right track.

Expert Comment

by:Coralon
ID: 39163448
Try putting the cert in the Machine store as a Trusted Person. You avoid the need for the chain of trust for that cert.

It's not the perfect solution, but it is a good test. If it is, then you need to put the entire chain in the machine store. You'll have the root cert, one (or more) possible intermediate chain cert(s), and then the cert itself. When you look at the certification path, all steps should show as Ok.

Coralon
 

Author Comment

by:pyrosdav
ID: 39173103
I have tried placing it everywhere. For some reason the website that I connect to says "https://server-5/CarrierHub-WebServices/WebServices.asmx" but the certificate comes over as "WMSvc-server-5". I have checked the certificate store in IIS7 on server-5 and I can't seem to find where this certificate is located on server-5. No matter what I do, I just can't get the site to not warn me.

This is causing some type of SSL trust error so the data will not transmit, and our firewall team will not open port 80 to simply solve this issue.


Expert Comment

by:Coralon
ID: 39173321
Ok, you need to attach that cert on server-5 to the correct website.  Put it in the trusted certs on that machine, and then go into IIS, and bind that cert to the site.

Coralon
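Before binding anything, it helps to see exactly which certificate server-5 hands out on 443 and why .NET refuses it (a name that does not match the URL, or a chain the machine cannot build). The script below is an added example, not code from the thread; it is run on the external server, and `server-5` as the target hostname is an assumption taken from the URL the author quoted.

```powershell
# Added example (not from the thread): show which certificate a server presents on
# port 443 and whether this machine would trust it. Run on the external web server.
# Assumption: the application calls https://server-5/..., so that is the name checked.
$target = 'server-5'
$port   = 443

$tcp = New-Object System.Net.Sockets.TcpClient($target, $port)
# The callback accepts any certificate only so the handshake completes; we do our
# own inspection below instead of letting .NET throw the "validation procedure" error.
$accept = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
$ssl.AuthenticateAsClient($target)
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
$ssl.Dispose(); $tcp.Close()

Write-Host "Subject     : $($cert.Subject)"
Write-Host "Issuer      : $($cert.Issuer)"
Write-Host "Thumbprint  : $($cert.Thumbprint)"
Write-Host "Valid until : $($cert.NotAfter)"

# Name check: the DNS name in the certificate (SAN or CN) must equal the host in the
# URL. A subject of "WMSvc-server-5" is the IIS Web Management Service certificate
# and will never match "server-5", whichever store it is imported into.
$dnsType = [System.Security.Cryptography.X509Certificates.X509NameType]::DnsName
$cn = $cert.GetNameInfo($dnsType, $false)
Write-Host "DNS name in cert: $cn  (matches '$target': $($cn -eq $target))"

# Chain check: builds the path from this machine's Root/CA stores, as .NET does.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # keep the test offline
$trusted = $chain.Build($cert)
Write-Host "Chain trusted: $trusted"
foreach ($s in $chain.ChainStatus) { Write-Host "  $($s.Status): $($s.StatusInformation)" }
```

If the name check fails, importing the certificate into Trusted Root will not help; the internal site needs a certificate issued for the name the application actually uses.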
 

Author Comment

by:pyrosdav
ID: 39175054
I see where to create self-signed certificates, but I am failing to see where in IIS7 to attach it to the correct website under the Default Web Site. There are a couple and I do not want to break the other sites that are not using https yet.


Accepted Solution

by:Coralon (earned 2000 total points)
ID: 39178032
You put the certificates in as local trusted certs.  That is not IIS itself.
Once you get into IIS, you will create a binding for your site using the SSL cert.  The key is that when a site is bound with SSL, you cannot use any other sites with it.  Your combination of IP address & port must be unique for SSL.

Example:
10.0.0.1   Site1 443
10.0.0.2   Site2 443
10.0.0.1   Site3 444
10.0.0.2   Site4 444

If you *only* have a Default website, then you can only have 1 SSL site for them, assuming that you have 1 IP Address, and you want it on 443.  You can either bind more IP addresses, or more TCP ports, but you will require separate websites, not merely subsites.

Coralon
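The binding step from the accepted answer, with the IP:port uniqueness rule enforced, as an added example (not code from the thread). It assumes IIS 7.5 on 2008 R2 with the WebAdministration module, a site named "Default Web Site", the address 10.0.0.1 from Coralon's table, and a certificate for CN=server-5 already in the machine's personal store.

```powershell
# Added example (not from the thread): give the internal site an HTTPS binding on a
# unique IP:port pair and attach a certificate issued for the name the caller uses.
# Assumptions: IIS 7.5 WebAdministration module, site "Default Web Site",
# internal address 10.0.0.1, certificate for CN=server-5 in Cert:\LocalMachine\My.
Import-Module WebAdministration

$siteName = 'Default Web Site'
$ip       = '10.0.0.1'
$port     = 443
$dnsName  = 'server-5'   # must equal the host in https://server-5/... used by the app

# Pick the longest-lived certificate in the machine's personal store for that name.
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "CN=$dnsName*" } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate for CN=$dnsName in LocalMachine\My" }

# Enforce the rule from the answer: one HTTPS site per IP:port pair.
# bindingInformation is "IP:port:hostheader"; an empty host header ends with ':'.
$clash = Get-WebBinding -Protocol https |
         Where-Object { $_.bindingInformation -eq "${ip}:${port}:" }
if ($clash) { throw "${ip}:${port} is already bound for HTTPS; use another IP or port" }

# 1. HTTPS binding on the site.  2. SSL certificate for that IP:port in HTTP.sys.
New-WebBinding -Name $siteName -Protocol https -IPAddress $ip -Port $port
$cert | New-Item "IIS:\SslBindings\$ip!$port" | Out-Null

# Show the result. The external server must trust the issuer of $cert (the cert
# itself in LocalMachine\Root if self-signed) and call the site as https://$dnsName/.
Get-WebBinding -Name $siteName -Protocol https
Get-Item "IIS:\SslBindings\$ip!$port"
```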
 

Author Closing Comment

by:pyrosdav
ID: 39976383
Due to lack of experience, we did finally get this working.
We setup new external IP addresses and internal IP addresses and restricted access over 443 between the external web server and internal web server.
They created a self-generated certificate and bound it to each internal IP on the internal web server. The largest issue was getting the vendor of the application to understand what we were trying to accomplish and change the config files on the IIS internal and external to communicate correctly. Once we completed that, it worked. Now customers will hit a new external IP and the web server queries the internal web\appl server database server which then queries the SQL server for the requested info. Secure on the outside with https; https communication between the external web and internal web servers is done.

Sorry it took so long to complete this, I had forgotten about the case. Thanks for your guidance.


Expert Comment

by:Coralon
ID: 39977157
You're welcome, and I'm glad you got it working :-)

Coralon