Repost: WebService Client Certificate Problem

Koan B

Hi,

I'm attempting to connect to a 3rd party web service (for which they
have supplied client certificates), but with no success.

As far as I can tell, the code below should work; however, I always
get back an HTTP 403 (Forbidden) error. (I've also tried
loading the certificate from the certificate store with exactly the
same result.)

I'm using a WSDL file as the basis for the interface to a web service
and using the following code (based on MSDN documentation):

/////////////////////////////////////////////////////////////////////
service = new RequestService();

// certificate is the path to a DER encoded x509 certificate
X509Certificate x509 = X509Certificate.CreateFromCertFile(certificate);
service.ClientCertificates.Add(x509);

// Create a request object
RequestType request = new RequestType();
// Build request

// MakeRequest method of the service
ReplyType reply = service.MakeRequest(request);
/////////////////////////////////////////////////////////////////////

Cheers,

Koan
 
[MSFT]

Hi Koan,

Is the client application an ASP.NET app or a Win form app? Additionally,
if you add the following code, will it help?

service.Credentials = CredentialCache.DefaultCredentials;



Luke
 
Koan B

(e-mail address removed) ([MSFT]) wrote in
Hi Koan,

Is the client application an ASP.NET app or a Win form app?
Additionally, if you add the following code, will it help?

service.Credentials = CredentialCache.DefaultCredentials;

Hi Luke,

First of all, thanks for your prompt reply! Let me take this
opportunity to apologise for whingeing about Microsoft not responding
to my previous post in this newsgroup on this topic; the fault was
mine, for using the wrong posting address. I am more than happy to
admit when I've screwed up. ;-)

Anyway, the client is a WinForm app.

I've tried adding default credentials with the same (Forbidden)
result. I've also tried using the credentials available on a Basic
Authentication connection. Again, with the same result.

Cheers,
Koan
 
[MSFT]

Hi Koan,

Is the web service an ASP.NET web service (*.asmx)? If so, can you access
it in IE? Is there any proxy/firewall between the client and web service
server?

Luke
 
Koan B

(e-mail address removed) ([MSFT]) wrote in
Hi Koan,

Is the web service an ASP.NET web service (*.asmx)? If so, can
you access it in IE? Is there any proxy/firewall between the
client and web service server?

The webservice is actually an IBM WebSphere service.

It is accessible (sort of) from IE. The browser brings up the dialog
requesting me to choose the client certificate (only there's no
certificates to choose from). Using the certificates snap-in I can
see the certificates are there for the current user and using IE also
shows more than one certificate available.

We are not using a proxy or firewall as far as I know. Having spoken
to a guy at the webserver end, he's seen errors logged saying that
the client certificates were not sent during the connection attempt.
This fits with what I've seen in a packet sniffer.

Cheers,
Koan
 
Adarsh Khare [ MS ]

How did you install the certificate? The certificate needs to have a private key
if you want to use it for client authentication (e.g. installing from a .cer file
would not install the private key; you need to have a .pfx file).

--
adarshk [MSFT]
===========================
This posting is provided as-is. It provides no guarantees and confers no
rights


Koan B said:
(e-mail address removed) ([MSFT]) wrote in
Hi Koan,

Is the web service an ASP.NET web service (*.asmx)? If so, can
you access it in IE? Is there any proxy/firewall between the
client and web service server?

The webservice is actually an IBM WebSphere service.

It is accessible (sort of) from IE. The browser brings up the dialog
requesting me to choose the client certificate (only there's no
certificates to choose from). Using the certificates snap-in I can
see the certificates are there for the current user and using IE also
shows more than one certificate available.

We are not using a proxy or firewall as far as I know. Having spoken
to a guy at the webserver end, he's seen errors logged saying that
the client certificates were not sent during the connection attempt.
This fits with what I've seen in a packet sniffer.

Cheers,
Koan
 
Koan B

How did you install the certificate? The certificate needs to have
a private key if you want to use it for client authentication (e.g.
installing from a .cer file would not install the private key; you
need to have a .pfx file).

The certificate was installed from a .pfx file with the private key.
Checking the certificate in the store, it can be seen that the
private key is there.

Cheers,
Koan
 
[MSFT]

Is the current user running the app the same user who installed the
certificate? There are some known issues when there are two different users
here.

Luke
 
Koan B

(e-mail address removed) ([MSFT]) wrote in
Is the current user running the app the same user who
installed the certificate? There are some known issues when
there are two different users here.

A short answer...yes.

Microsoft (in dialogue with one of my colleagues) have mentioned the
fact that the certificate does not have an "Enhanced Key Usage" set
for Client Authentication. The certificate has been set to "Enable
all purposes" which includes Client Authentication, however I don't
know whether this "Enhanced Key Usage" setting is also vital. Does
anyone know anything about this?

Cheers,
Koan
 
[MSFT]

Hi Koan,

Based on my experience, "Enhanced Key Usage" wouldn't cause such a problem.
If you configure the client certificate in the Local_Machine store so all users can
access it, will this help?

Luke
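
The two certificate properties discussed in this thread (whether the private key is present, and whether Enhanced Key Usage permits Client Authentication) can be checked from code. The C# program below is an added example, not code from any poster in the thread; it assumes .NET 2.0 or later for X509Certificate2, and the optional file-path argument is hypothetical.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class ClientCertCheck
{
    // OID of the "Client Authentication" enhanced key usage.
    const string ClientAuthOid = "1.3.6.1.5.5.7.3.2";

    // True when the certificate carries no EKU extension (unrestricted)
    // or when its EKU extension lists Client Authentication.
    // Only the extension inside the certificate itself is examined.
    static bool AllowsClientAuth(X509Certificate2 cert)
    {
        bool sawEku = false;
        foreach (X509Extension ext in cert.Extensions)
        {
            X509EnhancedKeyUsageExtension eku = ext as X509EnhancedKeyUsageExtension;
            if (eku == null) continue;
            sawEku = true;
            foreach (Oid oid in eku.EnhancedKeyUsages)
                if (oid.Value == ClientAuthOid) return true;
        }
        return !sawEku;
    }

    static void Describe(string source, X509Certificate2 cert)
    {
        Console.WriteLine("{0}: {1}", source, cert.Subject);
        Console.WriteLine("  thumbprint:      {0}", cert.Thumbprint);
        // Without the private key the client cannot complete certificate authentication.
        Console.WriteLine("  has private key: {0}", cert.HasPrivateKey);
        Console.WriteLine("  client auth EKU: {0}", AllowsClientAuth(cert));
        Console.WriteLine("  expires:         {0}", cert.NotAfter);
    }

    static void Main(string[] args)
    {
        // Optional argument: path to a certificate file (hypothetical, e.g. client.cer).
        // A DER .cer file holds only the public certificate, so HasPrivateKey is False.
        if (args.Length > 0) Describe(args[0], new X509Certificate2(args[0]));

        foreach (StoreLocation loc in new[] { StoreLocation.CurrentUser, StoreLocation.LocalMachine })
        {
            X509Store store = new X509Store(StoreName.My, loc);
            store.Open(OpenFlags.ReadOnly);
            try { foreach (X509Certificate2 c in store.Certificates) Describe(loc + "\\My", c); }
            finally { store.Close(); }
        }
    }
}
```

Run it under the same account as the client application so that the CurrentUser store it lists is the one the application sees.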
 
Koan B

(e-mail address removed) ([MSFT]) wrote in
Hi Koan,

Based on my experience, "Enhanced Key Usage" wouldn't cause such
a problem. If you configure the client certificate in the Local_Machine
store so all users can access it, will this help?

I installed the certificate into Current_User and Local_Machine
stores with the same result.

I am running the app under the same account that I installed the
certificate.

Cheers,
Koan
 
[MSFT]

Hi Koan,

Is the connection between server and client based on SSL? Additionally, from
your previous post:

It is accessible (sort of) from IE. The browser brings up the dialog
requesting me to choose the client certificate (only there's no
certificates to choose from).

It seems IE also can't find the certificate. It should be some problem with
your certificate store. Have you tried this on other clients? You may also
consult the owner of the web service to see if they know more information
about this.

Luke
 
Koan B

(e-mail address removed) ([MSFT]) wrote in
Hi Koan,

Is the connection between server and client based on SSL?
Additionally, from your previous post:

It is accessible (sort of) from IE. The browser brings up the
dialog requesting me to choose the client certificate (only
there's no certificates to choose from).

It seems IE also can't find the certificate. It should be some
problem with your certificate store. Have you tried this on other
clients? You may also consult the owner of the web service to
see if they know more information about this.

Can I ask you to bear with me a little longer; we're testing some
suggestions which Microsoft have suggested through a separate
channel.

Cheers,
Koan
 
[MSFT]

No problem. I will keep monitoring this thread for days. If you make
some progress, please post here. It may benefit more people who may have the
same issues.

Thanks,

Luke
 
