ASP.NET / certificate


Jerome

Hi all,

I'm trying to access a virtual directory (the web server is IIS 6.0 on
Windows 2003 Server) which requires a client
certificate, using the HttpWebRequest class.
Simplified function code looks like this:

HttpWebRequest httpWebRequest = (HttpWebRequest)WebRequest.Create(url);
httpWebRequest.ClientCertificates.Add(X509Certificate.CreateFromCertFile(@"c:\dada.cer"));
httpWebRequest.Method = "POST";
httpWebRequest.ContentLength = requestData.Length;
Stream streamWriter = (httpWebRequest.GetRequestStream());
streamWriter.Write(requestData,0,requestData.Length);
streamWriter.Flush();
streamWriter.Close();
HttpWebResponse httpWebResponse = (HttpWebResponse)httpWebRequest.GetResponse();
StreamReader streamReader = new StreamReader(httpWebResponse.GetResponseStream());

When I tried this function in a .NET Windows Forms
application (C#) it works OK. But if I try to call the same
function inside a .NET ASP application (IIS 5.1 on Windows XP Pro) I get
the exception "The remote server returned an error: (403) Forbidden."
when I try to get the response
(line: HttpWebResponse httpWebResponse = (HttpWebResponse)httpWebRequest.GetResponse();)

How can I configure my environment to allow the ASP.NET application to access
my virtual directory?
Thanks,
Jerome
 
Joe Kaplan (MVP - ADSI)

This sounds like the standard problem of not being able to access the
private key for the certificate from the current process. This is probably
a result of it being installed in the user's certificate store. Have you
tried installing it in the machine store?

Joe K.
 

Jerome

Thanks for your answer

Yes, the client certificate is installed in the user's certificate store
(mmc -> Certificates (local computer) -> Personal -> Certificates).
Everything works fine when I use a .NET Windows Forms application.

Another idea?
 
Joe Kaplan (MVP - ADSI)

Right, did you try installing it in the machine store? Under ASP.NET, the
current user could be either the worker process account or an impersonated
account (if you are impersonating), but in neither of those cases would the
user profile be loaded.

Placing the key in the machine store should allow access to it.

Joe K.
 

Jerome

Hi,

I don't know how to install the key in the machine store...
Have you got any documentation about this?

Thanks
 
Joe Kaplan (MVP - ADSI)

I don't have documentation unfortunately. You should be able to do this by
opening the certificates MMC (start | run | mmc, then choose snap-ins and
add certificates for the local machine store) and importing the P12 file for
the certificate and private key into the personal store.

Perhaps if someone else has done this recently, they can provide more
details.

Joe K.
 

Jerome

Yes, I think everything is OK in the machine store.

But I have some questions about ASP.NET application access rights.

In the "HttpWebRequest.ClientCertificates Property" page
(http://msdn.microsoft.com/library/d...ttpwebrequestclassclientcertificatestopic.asp)
I can read the following remark:
"...The application must have the same access rights of the entity that
issued the certificate"

Can the problem be caused by the ASP.NET application's access rights?

 
Joe Kaplan (MVP - ADSI)

Depending on what the current security context is, you would need to make
sure that you do have access to the private key too. This might be a bit
hard to debug though. If you think an ACL issue might be the problem, using
filemon to discover what file is being accessed and then using object access
auditing in Windows is probably the best way to find out if you are being
denied access to the private key file.

Joe K.
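
A way to check both suggestions in this thread from code, as an added example that is not part of the original posts: it loads the certificate from the local machine personal store and confirms that the identity running the request can open the private key before the certificate is attached to the request. It assumes .NET Framework 4.6 or later and an RSA key; `ClientCertCheck`, its methods and the `thumbprint` parameter are hypothetical names.

```csharp
using System;
using System.Net;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Security.Principal;

static class ClientCertCheck   // hypothetical helper, not from the thread
{
    // Returns the certificate only if the current identity can open its private key.
    public static X509Certificate2 LoadUsableClientCert(string thumbprint)
    {
        // The machine store does not depend on a user profile being loaded.
        X509Store store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
        try
        {
            X509Certificate2Collection found =
                store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, false);
            if (found.Count == 0)
                throw new InvalidOperationException("Certificate not found in LocalMachine\\My.");
            X509Certificate2 cert = found[0];
            if (!cert.HasPrivateKey)
                throw new InvalidOperationException("No private key attached; import the P12, not the .cer.");
            try
            {
                // Acquiring the key opens the key container, so a missing
                // read ACL for this account surfaces here, not as a 403 later.
                using (RSA key = cert.GetRSAPrivateKey())
                {
                    if (key == null) throw new CryptographicException("Not an RSA key.");
                }
            }
            catch (CryptographicException ex)
            {
                // Name the account that needs read access to the key file.
                throw new InvalidOperationException("Identity '" +
                    WindowsIdentity.GetCurrent().Name + "' cannot use the private key: " + ex.Message, ex);
            }
            return cert;
        }
        finally { store.Close(); }
    }

    public static HttpWebRequest CreateRequest(string url, string thumbprint)
    {
        HttpWebRequest request = (HttpWebRequest)WebRequest.Create(url);
        request.ClientCertificates.Add(LoadUsableClientCert(thumbprint));
        request.Method = "POST";
        return request;
    }
}
```

Called from the ASP.NET page, the exception message reports the worker process or impersonated account that the private key's ACL has to allow.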