I have a MVC 4.0 application with a web service as reference. The web service is installed on third party remote server will SSL. Also the web service requires client certificate authentication. I installed the certificate that issued by the 3rd party to our test server on Personal store, Trusted Root Certificate Authorities and Third-Party Root Certificate Authorities. Same to my local computer. The application is able to access the remote server and get response on my local development server, but always failed on our test server. Our test server is win 2003 and IIS 6.0. The error I got is "Client Certificate Required". It looks like the remote server either reject or cannot take the certificate we pass.
Here is my code:
var svc = new webservcie();
svc.ClientCertificates.Add(X509Certificate.CreateFromCertFile("c:\clientcert.cer"));
svc.Credentials = new NetworkCredential(username, password);
svc.url = "https://www.thirdparty.com/WMServices";
svc.givemedata()
I have tried many ways to fix this issue, but cannot. I think the issue is that our test server is not able to access the client certification. I read an article about grant Networkservice access to the certificate, but not sure if it is right or not.
Could someone please help me out? Thanks!
I found more detail error from server application event log:
Failed auto update retrieval of third-party root list sequence number from: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt with error: This network connection does not exist.
Thanks!
Related
I'm running a Windows 2012 R2 environment that hosts a website in IIS. The website currently requires a client certificate (which is validated) to access the website.
The client certificate is checked to ensure that it is valid and has not been revoked, not for identification by the operating system. If the user presents a valid certificate, the information on the certificate is used to authenticate and identify the user in the application code (the actual authentication is Forms Authentication). There is no mapping of the client certificate to an individual user (e.g. the client certificates does not map to an active directory account).
The site currently utilizes an additional piece of software to pass the client certificate to an external OCSP to verify the certificate status.
My goal is to remove that additional piece of software and be left with an IIS only (or Windows Server only) solution, but the documentation has me confused. I'm not sure if I need to install the OCSP role on the IIS server or our AD server, or if there is a way in IIS to configure a URL to check the certificate.
If the client certificate is pointing to an OCSP server in its extension, IIS will automatically validate it. You might check the CAPI2\Operational event log to see what happens during the validation.
For testing purposes I would like to enable the 'Incoming Client Certificates' option in my Azure App Service (running a WCF webservice), and see if my Client application can still connect to the webservice. Since I am still in a testing phase, my app service still has the .azurewebsites.net domain name.
However, I can't seem to figure out how to get a proper client certificate that the server will accept (without switching to a custom domain name, which I know will work).
Currently, I see 2 possible routes to a solution:
Somehow get my hands on .cer that is signed by a CA trusted by the App Service server.
Generate a self-signed .pfx and .cer with my own self-signed CA. Import the pfx on the App Service and install the .cer on the client.
Both directions have not yielded any success so far. Does anyone have any experience with this?
Per my understanding, the client certificate is used by client systems to make authenticated requests to a remote server. In this case, your webservice is the remote server in a C/S mode. As you point out, "validating this certificate is the responsibility of the web app. So this means that any certificate will be valid as long as you don't validate anything". It does not effect on whether you have a custom domain or not in your web app service.
If you want to use client cert authentication with Azure app, you can refer to How To Configure TLS Mutual Authentication for Web App.
If the server has requested client certificate in its server hello and the client cert has signing capability, then it is expected to send the CertificateVerify message to the server. It contains signed hash of all messages from Client Hello till that point which are buffered on the server side. The server TLS layer will decrypt this using the client public key (which is in the Client certificate received earlier) and compare with its calculated hash. It will call back to application layer if this fails.
The application needs to handle it at that point and return its own error or continue with the session. https://www.rfc-editor.org/rfc/rfc5246#section-7.4.8
One example of this with Wolfssl library is https://github.com/wolfSSL/wolfssl/blob/14ef517b6113033c5fc7506a9da100e5e341bfd4/wrapper/CSharp/wolfSSL-Example-IOCallbacks/wolfSSL-Example-IOCallbacks.cs#L145
I am having problems correctly installing the OAuth certificate required for Xero partner integration on IIS 7.5 on Windows Server 2008 R2. There used to be guidance from Xero on this at http://developer.xero.com/documentation/advanced-docs/using-partner-applications-with-iis/ but the page just 404s now.
I've installed the certificate to the Trusted Root Certifications Store as per the prior Xero advice, and my code can retrieve the certificate (using its serial number); but when I try to access the private key, I get a CryptographicException: Keyset does not exist error, which other SO posts suggest is a permissions error (my application runs under a dedicated service account), but all those posts assume the certificate is installed in the personal certificate store - the TRC store does not give me the option of granting permissions to the service accounts or any other account.
I think that page used to give information about installing an Entrust client certificate as partner applications in the past needed to use one.
You don't need to use a client certificate these days and partners should instead direct their traffic to "https://api.xero.com" instead of "https://api-partner.network.xero.com".
You also don't need to install your oAuth certificate as that certificate is used only for signing your requests.
I'm trying to add a .pfx certificate to Websphere8 server to establish a connection to an IIS server.
I tried to add the certificate to the deaultkeystore as a personal certificate and added the same as a signing certificate to the defaulttrustkeystore.
When ever I send a request through my application I'm getting a 401 unauthorized error.
I checked the communication b/w servers using Wireshark but there is no FINISHED message from either client or server.
So I wan't to know exact procedure to install a certificate on websphere server to get authenticated and thereby send the XML as a part of HTTPS Post request.
I contacted the web service provider, he said me that other users, or people who already implemented the client for this service, convert the pfx to .cer and send it along with the request. I also want to know how that is possible. I'm coding using Java 6.
Thanks for the help.
I'm contacting a web service using a certificate stored in Machine and in user space "myUser".
When I contact the web service impersonating "myUser" from a win application all works well.
But when I contact this using Sharepoint context (I have only 1 frontend) I have only sometimes the following error:
Could not establish trust relationship
for the SSL/TLS secure channel with
authority 'server.host:4443'
I verified that the web service is invoked using user "myUser" as expected but in Sharepoint context sometimes this method crashes.
I don't know what can be the problem. It seems related to Sharepoint/ASP.NET security context but all seems to be ok. Any suggestion?
I think that the only sometimes is the important point here.
Since it works most of the time it is actually setup and configured ok.
The machine that you are sending the certificate to must be able to validate the certificate. My guess is that something is going wrong sometimes. Things that could cause this are:
a network problem, firewall ...
AD server down (I am assuming a self issued certificate)
AD server too busy
Check the event logs of your AD and Sharepoint server.
Have you granted access to the certificate for the asp.net worker process under which SharePoint is running?
In Windows 2008, you need to open the certificates mmc (Start -> Run -> MMC -> File -> Add/Remove SnapIn -> Certificates. Be sure to select "Computer Account" when prompted for how certificates will be managed. Locate the certificate, right-click on it, select "All Tasks". There should be an option in there that allows you to manage permissions to the certificate. You will need to grant read access to the account under which the application pool for SharePoint is running.
Note: if you are running Windows Server 2003, you will need to use winhttpcertcfg.exe to configure certificate permissions.
Try this:
System.Net.ServicePointManager.ServerCertificateValidationCallback = ((sender, certificate, chain, sslPolicyErrors) => true);
Before you make any calls.