Esen

Reputation: 973

IIS is stripping my certificate when I make an HTTP request from an ASPX page

I have the following code to make a custom webservice call.

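    // Namespaces used: System.IO, System.Net, System.Net.Security,
    // System.Security.Cryptography.X509Certificates, System.Xml
    var url = "https://webserviceurl";
    XmlDocument doc = new XmlDocument();
    doc.LoadXml(reqString);
    HttpWebRequest request = (HttpWebRequest)WebRequest.Create(url);

    // A .cer file holds only the public certificate, not the private key.
    X509Certificate Cert = X509Certificate.CreateFromCertFile(Server.MapPath("./Cert/Mycert.cer"));
    // ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls;
    // This callback accepts any server certificate, so server validation is
    // disabled for every request made through ServicePointManager.
    ServicePointManager.ServerCertificateValidationCallback = new RemoteCertificateValidationCallback(
                                                                    delegate
                                                                    {
                                                                        return true;
                                                                    });
    // Attach the client certificate to the outgoing request.
    request.ClientCertificates.Add(Cert);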
    request.KeepAlive = false;
    request.ProtocolVersion = HttpVersion.Version10;
    request.ContentType = "text/xml;charset=\"utf-8\"";
    request.Accept = "text/xml";
    request.Method = "POST";

    // add our body to the request
    Stream stream = request.GetRequestStream();
    doc.Save(stream);
    stream.Close();

    var res = new AmericoWebRef.wsdl_UpdateOrderStatusResponseTypeWsdl_UpdateOrderStatusResponseElement();
    using (HttpWebResponse response = (HttpWebResponse)request.GetResponse())
    {
        Stream wStr = response.GetResponseStream();
        StreamReader reader = new StreamReader(wStr);
        string s = reader.ReadToEnd();
        wStr.Flush();
        wStr.Close();
    }

If I call this code from a webpage (.aspx), it works fine when the website is running on the Visual Studio development server on my local machine.

When I deploy this code to an IIS server, it fails. The web service server doesn't see the attached certificate in the request.

I tried calling this code from a sample console application, and it worked.

I verified that the cert location is correct and that the cert has read/write security permissions for Network Service and Everyone.

Does IIS strip my certificate from the request? Is there a setting that I can use to tell IIS not to do that, or is there a different way to make a custom HTTP request from a webpage?

Environment: Windows 2008 R2 IIS 7.5

Upvotes: 1

Views: 252

Answers (1)

Senthilkumar Elangovan

Reputation: 675

I had a similar situation.

Case 1: On my web server where IIS is sitting, I didn't have my cert installed in the cert store. I only had the cert placed in a folder location. In this case, no change was needed; it worked as expected on IIS.

Case 2: On another web server, I had my cert installed in the cert store as well as copied into a folder location. Even though my code was attaching the cert from the folder location, and the cert in the folder location was given the security permission of "Network service", it didn't work. I had to go to my cert store, then All Tasks, Manage Private Keys, and set the security permission there as well to make it work.

Make sure you either don't have the cert installed in the cert store, or set the permission on it in your cert store, no matter whether you take your cert from there or not. For some reason IIS does look there if the cert thumbprint matches and takes the permission from there.

Upvotes: 1
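The answer above ties the failure to private-key permissions on a store entry with the same thumbprint as the `.cer` file. The following diagnostic is an added example, not code from either poster: it reports which certificate stores hold a matching entry and whether the current identity can open its private key. The class and method names are hypothetical, and it assumes .NET Framework, where `X509Certificate2.PrivateKey` is available.

```csharp
// Added diagnostic: call it from a page in the site so it runs as the app pool identity.
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Security.Principal;

public static class ClientCertDiagnostics   // hypothetical helper name
{
    // cerPath: the public-only .cer file the page attaches to the request.
    public static string Describe(string cerPath)
    {
        var fromFile = new X509Certificate2(cerPath);
        var report = "Identity: " + WindowsIdentity.GetCurrent().Name + Environment.NewLine
                   + "Thumbprint: " + fromFile.Thumbprint + Environment.NewLine;
        foreach (StoreLocation location in new[] { StoreLocation.CurrentUser, StoreLocation.LocalMachine })
        {
            var store = new X509Store(StoreName.My, location);
            try
            {
                store.Open(OpenFlags.ReadOnly);
                var matches = store.Certificates.Find(
                    X509FindType.FindByThumbprint, fromFile.Thumbprint, false);
                if (matches.Count == 0)
                    report += location + "\\My: no matching certificate" + Environment.NewLine;
                foreach (X509Certificate2 cert in matches)
                    report += location + "\\My: " + KeyStatus(cert) + Environment.NewLine;
            }
            catch (CryptographicException ex)
            {
                report += location + "\\My: store not opened (" + ex.Message.Trim() + ")" + Environment.NewLine;
            }
            finally { store.Close(); }
        }
        return report;
    }
    static string KeyStatus(X509Certificate2 cert)
    {
        if (!cert.HasPrivateKey) return "found, no private key associated";
        try
        {
            // Reading the property makes the provider open the key container.
            return cert.PrivateKey != null ? "found, private key readable" : "found, key not usable";
        }
        catch (CryptographicException ex)
        {
            return "found, private key could not be opened by this identity (" + ex.Message.Trim() + ")";
        }
    }
}
```

Comparing the report from the IIS site with the one from a console application run under an interactive account shows whether the two identities see the same store entry and key access.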
