.Net client and SSL mutual authentication : 403 Forbidden, client certificate not sent

Mfenetre

Hello all,

I'm trying to build a .Net client connecting to a Web service and I
want to use SSL with mutual authentication. The web service is designed
to require a client certificate.

I use .Net Framework v1.1.4322, IIS 6.0, Windows 2003 Srv and Visual
Studio.

So far I've been able to set SSL with just server authentication and I
can't succeed in writing a C# client using a client certificate.

I've a client certificate installed in the Personal Store of the
Administrator and I'm trying to use it with this piece of code:

using System;
using Microsoft.Web.Services2.Security.X509; // WSE 2.0 X509 store classes

//opening the current user store (Personal / MY)
X509CertificateStore store =
    X509CertificateStore.CurrentUserStore(X509CertificateStore.MyStore);
store.OpenRead();

//looking for the right certificate by its subject key identifier
X509CertificateCollection col =
    (X509CertificateCollection)store.FindCertificateByKeyIdentifier(
        Convert.FromBase64String("dUvy6QHZTkuzfwQFqh2ZvYE6gdE="));
if (col == null || col.Count == 0)
    throw new ApplicationException("client certificate not found in the store");
X509Certificate cert = col[0];

//my proxy to the web service
CreditCardWebServiceMutAuth.CreditCardWebServiceMutAuth ws =
    new CreditCardWebServiceMutAuth.CreditCardWebServiceMutAuth();

//adding the client certificate to the proxy so it is offered during the SSL handshake
ws.ClientCertificates.Add(cert);

[some personal code]

//getting the result
string resultString =
    ws.analyzeCreditCard(creditCardNumberString, typeString, ownerString, expirationDateString);

And here it fails, I get a 403 error: Forbidden. It seems that the
client certificate is not sent/used by the .Net client.

What I am sure of:
# the certificate is in the current user store, Personal Store (I've tried
with Local Machine store, but no success)
# I've the private key and I've granted access to this private key to
anyone
# I can access my web service as long as I don't require a client
certificate

Can you help me? Do you have any clue?

Thanks in advance,
Regards,

Alexis.
Dominick Baier [DevelopMentor]

Hello Mfenetre,

Have you tried to access the WS with the browser and supply the same client
cert - does that work?
Peter Jakab

Hi,
Did you try debugging your code?

At the
cert = col[0];

line is there anything in the col[0] ?

Is your client an asp .Net web application?

If so, is its application pool running as network service identity?

Was the access grant with winhttpcertcfg successful? (the command you
mentioned works only when the cert is installed in the local_machine store!)

If your client is an asp.net code, are you sure, that impersonation is not
set?


These are the ideas I have at the moment.

You could also try loading the cert from file instead of loading from store
with WSE 2.0.

You should try with a console or a windows app first, if that works you
could get 1 step forth...

Regards

Peter
Joe Kaplan (MVP - ADSI)

Try using Filemon and Regmon (sysinternals) to figure out what access is
being denied when the access to the private key occurs. Hopefully that will
work.

These things can be a huge pain to debug, but if you go with the machine
store and do the cert config thing you showed, you should be able to get
this to work.

Also, make sure the private key is not password protected as IIS obviously
can't deal with that.

Joe K.
Dominick Baier [DevelopMentor]

Hello Mfenetre,

So your client is running as Network Service? This means that the cert has
to be in the Local Machine/MY store - is that the case?
Mfenetre

Hello all,

Thanks for all your answers, so let me answer all of these questions:

> Try using Filemon and Regmon (sysinternals)
Ok I don't know these tools but I'll do that

> Also, make sure the private key is not password protected as IIS obviously can't deal with that.
No password

> So your client is running as network service?
Yes, I'm sure, I'm printing the identity on screen just to be sure

> this means that the cert has to be in the Local Machine/MY store - is that the case?
Yes that's the case.

> is there anything in the col[0] ?
Yes, I did debugging and I checked that the right certificate was found

> Was the access grant with winhttpcertcfg successful?
Yes, I granted access to the private key for the user "Network Service"

> If your client is an asp.net code, are you sure, that impersonation is not set?
I tried impersonation with the user "Administrator", just to use the
Current User Store instead of Local Machine Store but no luck...

> You could also try loading the cert from file instead of loading from store with WSE 2.0.
I did it but no luck too...

> You should try with a console or a windows app first, if that works you could get 1 step forth...
Good idea. I'll try that. So far I know it works with a browser.

Anyway, thank you Joe, Dominick and Peter for all your answers.

regards,
Alexis.
Peter Jakab

One more thing:
You should check if there is a problem with the cert switching logging on
for schannel:

http://support.microsoft.com/?id=260729

and one more question:

With IE, did you get any notifications about the server certificate that you
had to bypass manually (for example site is not trusted, the cert and site
URLs don't match, or cert is expired)?
In this case you can do this trick in a development environment:
http://weblogs.asp.net/jan/archive/2003/12/04/41154.aspx

Best regards

Peter

Mfenetre

Well, I've switched logging on and apparently there is something strange.
When I try to do a single connection, I see many events in 'Event
Viewer':

"Creating an SSL client credential." -> 2 times: why 2 times?
"The remote server has requested SSL client authentication, but no
suitable client certificate could be found." -> well ok, apparently no
client certificate is provided.

But what is strange is that I see this:

An SSL client handshake completed successfully. The negotiated
cryptographic parameters are as follows.

Protocol: SSL 3.0
Cipher: RC4
Cipher strength: 128
MAC: MD5
Exchange: RSA
Exchange strength: 1024

How is this possible? A successful client handshake? Then why do I
have a 403: Forbidden error?
Joe Kaplan (MVP - ADSI)

Is it possible that the server doesn't trust the client certificate you are
trying to use?

Typically what happens during client certificate authentication is that the
server sends down to the client a list of the CAs it trusts (depending on
what trusted roots are configured on the server). Then the client looks
through this list and checks to see if the certificate matches that list.
If it does not, it will not be used.

Based on the first error, that might be the problem.

One other thing--impersonating the administrator does not load the
administrator's profile automatically, so the process would not necessarily
have access to the admin's personal certificate store.

Joe K.
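A diagnostic that walks the failure modes raised in this thread (certificate not in LocalMachine\MY, private key not readable by the process identity, certificate not chaining to a trusted CA), written as an added example rather than code from any of the posts. It uses the .NET 2.0+ System.Security.Cryptography.X509Certificates API instead of the WSE X509CertificateStore class of the original question; the class name, the thumbprint value and the reason strings are assumptions.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Security.Principal;

static class ClientCertDiagnostics
{
    // Placeholder: substitute the thumbprint of the client certificate.
    public const string Thumbprint = "0000000000000000000000000000000000000000";

    // Returns the certificate if it is usable for SSL client authentication; otherwise
    // returns null and a reason matching one of the failure modes discussed in the thread.
    public static X509Certificate2 FindUsableClientCert(string thumbprint, out string reason)
    {
        // Network Service has no loaded user profile, so an ASP.NET client cannot use
        // CurrentUser\My; the certificate has to live in LocalMachine\My.
        X509Store store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        X509Certificate2Collection found =
            store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, false);
        store.Close();
        if (found.Count == 0) { reason = "not found in LocalMachine\\My"; return null; }
        X509Certificate2 cert = found[0];
        if (!cert.HasPrivateKey) { reason = "no private key associated"; return null; }
        try
        {
            if (cert.PrivateKey == null) { reason = "private key not loadable"; return null; }
        }
        catch (CryptographicException e) // the key ACL (winhttpcertcfg) excludes this identity
        {
            // This is the case schannel logs as "no suitable client certificate could be found".
            reason = "private key not readable by " + WindowsIdentity.GetCurrent().Name + ": " + e.Message;
            return null;
        }
        // The server only accepts certificates under a CA it trusts; a certificate that does
        // not even chain on the client side is not offered during the handshake.
        X509Chain chain = new X509Chain();
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
        if (!chain.Build(cert))
        {
            reason = "chain does not build: " + (chain.ChainStatus.Length > 0
                ? chain.ChainStatus[0].StatusInformation.Trim() : "unknown status");
            return null;
        }
        reason = "usable, issued by " + cert.Issuer;
        return cert;
    }
}
```

Run FindUsableClientCert under the identity that will make the call (Network Service for the application pool), and when it returns a certificate, attach it with ws.ClientCertificates.Add(cert) as in the original code.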
Mfenetre

Hello all,

So finally I've been able to solve my problem.

I had checked that the root certification authorities were installed on
client and server side, that the client (I mean the ASPNET or "Network
Service" process) had the right to use the private key of the client
certificate, and that the client certificate was in the LOCAL_MACHINE\MY
store, but I still had the 403: Forbidden error.

And finally the solution turned out to be the installation of the .Net
Framework SP1, which apparently I had not installed. And then, magic,
the error disappears, without changing a single line of code or
configuration...

How disappointing and not satisfying this solution can be... But, well,
it works now.

Thank you all again for your efforts,

Regards,
Alexis.
Joe Kaplan (MVP - ADSI)

There were some changes to how SSL client certificates work in SP1 of 1.1.
As I recall, they changed the behavior to allow access to the machine store
as well as MY store, but I can't remember for sure.

Sorry we didn't mention this before. I honestly didn't know people ran with
the service pack these days. It has been out for a long time and fixes a
bunch of important stuff...

Joe K.