-
Jerome #1
ASP.NET / certificate
Hi all
I'm trying to access a virtual directory (the web server is IIS 6.0 on
Windows 2003 Server) which requires a client
certificate, using the HttpWebRequest class.
Simplified function code looks like this:
HttpWebRequest httpWebRequest = (HttpWebRequest)WebRequest.Create(url);
httpWebRequest.ClientCertificates.Add(X509Certificate.CreateFromCertFile(@"c:\dada.cer"));
httpWebRequest.Method = "POST";
httpWebRequest.ContentLength = requestData.Length;
Stream streamWriter = httpWebRequest.GetRequestStream();
streamWriter.Write(requestData, 0, requestData.Length);
streamWriter.Flush();
streamWriter.Close();
HttpWebResponse httpWebResponse = (HttpWebResponse)httpWebRequest.GetResponse();
StreamReader streamReader = new StreamReader(httpWebResponse.GetResponseStream());
When I tried this function in a .NET Windows form
application (C#) it works OK. But if I try to call the same
function inside a .NET ASP application (IIS 5.1 on Windows XP Pro) I get the
exception "The remote server returned an error: (403) Forbidden." when I try
to get the response
(line: HttpWebResponse httpWebResponse = (HttpWebResponse)httpWebRequest.GetResponse();)
How can I configure my environment to allow the ASP.NET application to access
my virtual directory?
Thanks,
Jerome
Jerome Guest
-
Joe Kaplan (MVP - ADSI) #2
Re: ASP.NET / certificate
This sounds like the standard problem of not being able to access the
private key for the certificate from the current process. This is probably
a result of it being installed in the user's certificate store. Have you
tried installing it in the machine store?
Joe K.
Joe Kaplan (MVP - ADSI) Guest
-
Jerome #3
Re: ASP.NET / certificate
Thanks for your answer
Yes, the client certificate is installed in the user's certificate store
(mmc -> Certificates (local computer) -> Personal -> Certificates)
Everything works fine when I use a .NET Windows form application
Another idea?
Jerome Guest
-
Joe Kaplan (MVP - ADSI) #4
Re: ASP.NET / certificate
Right, did you try installing it in the machine store? Under ASP.NET, the
current user could be either the worker process account or an impersonated
account (if you are impersonating), but in neither of those cases would the
user profile be loaded.
Placing the key in the machine store should allow access to it.
Joe K.
Joe Kaplan (MVP - ADSI) Guest
-
Jerome #5
Re: ASP.NET / certificate
Hi,
I don't know how to install the key in the machine store...
Have you got documentation about this?
Thanks
Jerome Guest
-
Joe Kaplan (MVP - ADSI) #6
Re: ASP.NET / certificate
I don't have documentation unfortunately. You should be able to do this by
opening the certificates MMC (start | run | mmc, then choose snap-ins and
add certificates for the local machine store) and importing the P12 file for
the certificate and private key into the personal store.
Perhaps if someone else has done this recently, they can provide more
details.
Joe K.
Joe Kaplan (MVP - ADSI) Guest
-
Jerome #7
Re: ASP.NET / certificate
Yes, I think everything is OK in the machine store.
But I'm asking myself some questions about ASP.NET application access rights.
In the "HttpWebRequest.ClientCertificates Property" page
(http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpref/html/frlrfsystemnethttpwebrequestclassclientcertificatestopic.asp)
I can read the following remark:
"...The application must have the same access rights of the entity that
issued the certificate"
Can the problem be caused by ASP.NET application access rights?
Jerome Guest
-
Joe Kaplan (MVP - ADSI) #8
Re: ASP.NET / certificate
Depending on what the current security context is, you would need to make
sure that you do have access to the private key too. This might be a bit
hard to debug though. If you think an ACL issue might be the problem, using
filemon to discover what file is being accessed and then using object access
auditing in Windows is probably the best way to find out if you are being
denied access to the private key file.
Joe K.
Joe Kaplan (MVP - ADSI) Guest
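
Added example (not part of the thread and not code from either poster): a C# check for the two failure modes discussed in posts #4 and #8, a certificate whose private key is not in the machine store, and a key-file ACL that denies the identity ASP.NET runs as. It assumes .NET Framework 4.6 or later and an RSA key; `ClientCertCheck`, `LoadUsableClientCert` and the thumbprint argument are hypothetical names.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Security.Principal;

static class ClientCertCheck
{
    // Hypothetical helper: returns the client certificate from the machine
    // "Personal" (My) store only if the current identity can use its private key.
    public static X509Certificate2 LoadUsableClientCert(string thumbprint)
    {
        // Under ASP.NET this is the worker process account or the impersonated user.
        string who = WindowsIdentity.GetCurrent().Name;

        X509Store store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            X509Certificate2Collection found = store.Certificates.Find(
                X509FindType.FindByThumbprint, thumbprint, false);
            if (found.Count == 0)
                throw new InvalidOperationException(
                    "Not found in LocalMachine\\My (running as " + who + ").");

            X509Certificate2 cert = found[0];
            if (!cert.HasPrivateKey)
                throw new InvalidOperationException(
                    "Certificate has no associated private key; import the P12, not the .cer.");
            try
            {
                // Signing forces the key container to be opened, so a key-file ACL
                // that denies this identity surfaces here instead of as a 403 later.
                using (RSA rsa = cert.GetRSAPrivateKey())
                {
                    if (rsa == null) throw new CryptographicException("Key is not RSA.");
                    rsa.SignData(new byte[] { 0 }, HashAlgorithmName.SHA256,
                                 RSASignaturePadding.Pkcs1);
                }
            }
            catch (CryptographicException ex)
            {
                throw new InvalidOperationException(
                    "Private key not usable by " + who + ": " + ex.Message, ex);
            }
            return cert;
        }
        finally { store.Close(); }
    }
}
```

The returned certificate can be passed to `httpWebRequest.ClientCertificates.Add(...)` in place of `X509Certificate.CreateFromCertFile`, which loads only the public certificate from the `.cer` file.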




