Client Certificate and Code Access Security

[Jürgen Laude]

Hi,

I am implementing a IIS deployed client (Windows Forms) that accesses a web
service on the same server. I want to use client certificates for
authentication.
My problem is, when I call the web service with CAS "Internet" permissions,
I'm receiving a SecurityException in a thread that seems to create the
connection. The user selects the certificate with a OpenFileDialog configured
for working with "Internet" permissions. I can verify the loading of the
certificate and assigning it to the web service proxy works without problems.
Running the same with "Full Trust" works perfect, but my customers require
"Internet" permissions only.
What do I need to do to work arround that? If not, why is using a client
certificate that the user manually selects a security risk (it is no problem
for Internet Explorer to do that)?

Thank you in advance,

Jürgen

 

[Dilip Krishnan]

Hello Jürgen,
Basically yr having a client application that your trying to run as a
downloaded interenet application. Such applications are security sandboxed
as "internet" applications. Which have restricted permissions as far as loading
things from the hard disk etc. Assuming yr using ssl a client cert cannot
get access to your certificate in your local stores. Giving just appropriate
permissions should solve this problem

HTH
Regards,
Dilip Krishnan
MCAD, MCSD.net
dkrishnan at geniant dot com
http://www.geniant.com

 

[Jürgen Laude]

Hello Dilip,

Changing permissions on the client side is not an option for my customers.
Why am I able to use client side certificates in the internet zone with my
default internet explorer settings for web pages, but not from a .NET
application for web services? Browsing the asmx page works with the client
certificate, because IE is pulling it from the store. I understand that a
..NET app should not be allowed to access a users certificate store without
his knowledge, but the client is receiving the certificate from a user
selected file, so it is users intention to provide it to the application for
his authentication.

Thanks,
Jürgen

 

[Dilip Krishnan]

Hello Jürgen,

Yes IE can access it because its a program running on yr local machine
(read trusted). But since yr .net client is running under "Internet" permissions,
it doesnt have permissions to do the same function as IE. Think of it as
a java applet (read "Internet" permissioned app) running on yr browser, it
will not have access to delete a file on your hard drive would it?

HTH
Regards,
Dilip Krishnan
MCAD, MCSD.net
dkrishnan at geniant dot com
http://www.geniant.com

 

[Jürgen Laude]

Hello Dilip,

I can open any file for read access under "Internet" permissions if I use
the OpenFileDialog and ask the user to select one for me. This way I would be
able to read and use whatever the user allows me to. Why is that less
dangerous then using a client certificate from a file (exported from the
local certificate store)?
Reading the documentation about the WebService.htc I am supposed to be able
to use client certificates if I call the web service from DHTML without
changing settings on my IE.
Is there a way to share the already established SSL connection from IE with
my .NET client?

Thanks,
Jürgen