Gnot

Reputation: 141

HTTP status 403: Forbidden exception using certificate to authenticate ASP.NET web service

I posted days ago about access control to a web service (Access control to web service). In short, I have an ASP.NET web service deployed on //service/webservice and I want my ASP.NET web application (app1) on //web1 to access the web service with certificate authentication. I keep getting a System.Net.WebException: The request failed with HTTP status 403: Forbidden exception. The following is my setup:

On certificate export;

Setup on //service/webservice:

Setup on //web1/app1

    using System.Security.Cryptography.X509Certificates;
    using System.Net;

    WService.WebService ws = new WService.WebService();
    ServicePointManager.ServerCertificateValidationCallback = delegate(Object sender1, X509Certificate cert, X509Chain chain, System.Net.Security.SslPolicyErrors errors) { return true; };
    // I was a bit confused here on which certificate I should use so I have tried both service.cer and web1.cer but still got the same error
    X509Certificate x509 = X509Certificate.CreateFromCertFile(@"C:\Certificates\service.cer");
    ws.ClientCertificates.Add(x509);
    ws.DoSomething();

I went to https://service/webservice/WebService.asmx and was prompted to provide a client certificate, and after that I was through. But if I went to https://web1/app1/default.aspx (which would call the web service), I would get the HTTP status 403 exception.

What did I miss? I would assume the problem is because //web1/app1/default.aspx.cs failed to transmit the certificate across. If that's the problem, how do I do that? I built both the asmx and aspx on VS 2008 and ASP.NET 3.5.

Upvotes: 2

Views: 29713

Answers (4)

ccook

Reputation: 5959

Sounds like the SSL certificate is failing to authenticate for the web service client. A good check: if you go to the service from the client’s machine and get an alert in the browser about an SSL certificate, your service will not authenticate with the certificate (the certificate is not trusted). It’s not that the certificate doesn’t work, it’s just not trusted.

If the service is across machines you might have to set up a certificate authority (this might help: http://www.petri.co.il/install_windows_server_2003_ca.htm) and add it as a trusted publisher on the client machine. This might also help: http://support.microsoft.com/kb/901183.

Another option is to simply not validate the SSL, see: http://geekswithblogs.net/jwhitehorn/archive/2006/09/20/91657.aspx

Upvotes: 2

Hugh Jeffner

Reputation: 2946

When I had this problem it turned out the client certificate/key pair I was using was signed by an intermediate CA which was in the current user store instead of the local machine store. It all looked good if you examined the cert while logged in, but the IIS worker process could not see the intermediate CA. Thus, the web service call was not supplying the certificate with the request. You can verify this by checking the server web log for a 403 7 5 response.

Upvotes: 1

rick schott

Reputation: 20617

Make sure the users that are impersonating have access to the certificate store being used.

Upvotes: 0

Abiel

Reputation:

Make sure your client certificate was requested as a 'Computer' template certificate for 'Client Authentication', otherwise it will not work.

Upvotes: 2
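The checks the answers above describe can be run as one diagnostic on the calling machine (//web1), under the same identity as the application pool. This is an added example, not code from the question or any answer; the class name `ClientCertCheck` is hypothetical and the thumbprint of the client certificate is assumed to be passed as the first argument.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class ClientCertCheck // hypothetical name, added example
{
    const string ClientAuthOid = "1.3.6.1.5.5.7.3.2"; // EKU: Client Authentication

    // True if a certificate with this thumbprint is in the given LocalMachine store.
    static bool InMachineStore(StoreName name, string thumbprint)
    {
        X509Store store = new X509Store(name, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        try { return store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, false).Count > 0; }
        finally { store.Close(); }
    }

    static void Main(string[] args)
    {
        if (args.Length != 1) { Console.WriteLine("usage: ClientCertCheck <thumbprint>"); return; }
        X509Store my = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        my.Open(OpenFlags.ReadOnly);
        X509Certificate2Collection hits = my.Certificates.Find(X509FindType.FindByThumbprint, args[0], false);
        my.Close();
        if (hits.Count == 0) { Console.WriteLine("Certificate is not in LocalMachine\\My"); return; }
        X509Certificate2 cert = hits[0];

        // Without the private key the client cannot complete certificate authentication.
        Console.WriteLine("Has private key: " + cert.HasPrivateKey);

        // A certificate with no EKU extension is not restricted to specific purposes.
        bool hasEku = false, clientAuth = false;
        foreach (X509Extension ext in cert.Extensions)
        {
            X509EnhancedKeyUsageExtension eku = ext as X509EnhancedKeyUsageExtension;
            if (eku == null) continue;
            hasEku = true;
            foreach (Oid oid in eku.EnhancedKeyUsages)
                if (oid.Value == ClientAuthOid) clientAuth = true;
        }
        Console.WriteLine("Client Authentication allowed: " + (!hasEku || clientAuth));

        // Build the chain, then check that every issuer is visible machine-wide.
        X509Chain chain = new X509Chain();
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
        Console.WriteLine("Chain builds: " + chain.Build(cert));
        for (int i = 1; i < chain.ChainElements.Count; i++)
        {
            X509Certificate2 ca = chain.ChainElements[i].Certificate;
            bool machine = InMachineStore(StoreName.CertificateAuthority, ca.Thumbprint)
                        || InMachineStore(StoreName.Root, ca.Thumbprint);
            Console.WriteLine(ca.Subject + " in a LocalMachine store: " + machine);
        }
    }
}
```

An issuer reported as `False` when the tool is run from an interactive login was found only through that user's own store, which is the situation the IIS worker process cannot see.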
