Re: ASPNET To Web Service using SSL w/Client Certs

From: Cowboy (Gregory A. Beamer) (NoSpamMgbworld_at_comcast.netNoSpamM)
Date: 04/27/04


Date: Tue, 27 Apr 2004 09:55:01 -0500

First, a couple of URLs
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpguide/html/cpconsecuringaspnetwebservices.asp
the above link is also in the help file (has code samples)

This one is mobile dev, but the concepts still apply:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/SecNetHT13.asp

Now that we have theory out of the way, here is a good sample code
(scroll down to "Web Services Security with C#")
http://docs.msdnaa.net/ark_new3.0/cd3/content/Type_Sample%20Applications.htm

NOTE: You can speed this talking process up with Remoting (web services that
do not use ASMX, are not tied to HTTP and can use any port -- okay, rather
simplistic explanation, but it works). Perf is not everything, however, so
assess your needs before changing, as Remoting is a bit more involved in the
current .NET architecture.

-- 
Gregory A. Beamer
MVP; MCP: +I, SE, SD, DBA
**********************************************************************
Think Outside the Box!
**********************************************************************
"Tim Burris" <tburris@colletonprep.org> wrote in message
news:0D2289C3-334A-4ED4-B4A0-09FBA2F0238E@microsoft.com...
> At the top here i will put a quick description of my problem followed by
> the long description. This way you won't get bored reading! :)
>
> short version:
> what is the best/recommended way for ASPNET apps to call web services that
> REQUIRE Client Certificates via SSL?
>
> long version:
> our company has new requirements, all servers must REQUIRE SSL and
> Server/client certificates.
> i have setup a test Win2003 server to issue certs so i have a full test
> environment on my machine.  I have gen'd the server cert and applied it to
> my IIS secure site.  I have issued 2 client certs, one for web browser one
> advanced and issued a "localmachine" cert. all this is done using
> http://myserver/certsvr tool. one to a separate machine which has installed
> my test server's root authority chain and the client cert. if i hit a
> webpage or webservice using that machine and user i am prompted for my
> Certificate, i choose the one i gen'd and it works great. i can see webpages
> and get webservice data.
> The other Cert that I gen'd is installed in the localmachine section of my
> 2003 server in the hope that my ASPNet code could use that client
> certificate to call the webservice that resides on the same machine.  I added
> a reference to microsoft.web.services and used the x509 certificate objects
> from that dll to get the local machine store and find my certificate. that
> works great.  I put the certificate in my webservice object's
> clientcertificate collection and call the webservice but i still get a 403
> access forbidden error.  I use the certificate plugin in MMC to see that the
> cert installed in Local machine DOES have a private key associated with it.
> I THINK that the problem is that somehow my ASPNET account cannot access the
> private key to properly send my cert to the webservice.  i've, reluctantly,
> given ASPNET full access to the \app data\Microsoft\Crypto\RSA folder.
> Ideas? suggestions?
> this is extremely urgent as NONE of our 20+ servers can run any of our
> .NET applications now that they have made these SSL certificate changes
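
A diagnostic for the situation described in the quoted question, added here as an example and not part of the thread or of any code the posters used: it reports which account the code runs as, checks whether that account can actually use the private key of a LocalMachine certificate, and only then presents the certificate on an HTTPS call. It uses the current `System.Security.Cryptography.X509Certificates` and `HttpClient` classes rather than the `microsoft.web.services` objects mentioned in the question; the thumbprint and service URL are placeholders.

```csharp
// Added example (not from the thread). Thumbprint and URL below are placeholders.
using System;
using System.Net.Http;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Security.Principal;

static class ClientCertCheck
{
    // Look up a certificate in LocalMachine\My by thumbprint (no chain validation here).
    static X509Certificate2 Find(string thumbprint)
    {
        using (var store = new X509Store(StoreName.My, StoreLocation.LocalMachine))
        {
            store.Open(OpenFlags.ReadOnly);
            var hits = store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, false);
            return hits.Count > 0 ? hits[0] : null;
        }
    }

    // True only if the current process identity can really sign with the private key.
    // HasPrivateKey alone only says a key is linked, not that this account may read it.
    static bool CanUsePrivateKey(X509Certificate2 cert, out string reason)
    {
        if (!cert.HasPrivateKey) { reason = "no private key linked to certificate"; return false; }
        try
        {
            using (RSA rsa = cert.GetRSAPrivateKey())
            {
                if (rsa == null) { reason = "private key is not RSA"; return false; }
                rsa.SignData(new byte[] { 1 }, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
            }
            reason = "ok"; return true;
        }
        catch (CryptographicException ex) { reason = ex.Message; return false; }
    }

    static void Main()
    {
        Console.WriteLine("Running as: " + WindowsIdentity.GetCurrent().Name);
        var cert = Find("<CLIENT-CERT-THUMBPRINT>");           // placeholder
        if (cert == null) { Console.WriteLine("certificate not found"); return; }
        string reason;
        if (!CanUsePrivateKey(cert, out reason)) { Console.WriteLine("key unusable: " + reason); return; }
        var handler = new HttpClientHandler { ClientCertificateOptions = ClientCertificateOption.Manual };
        handler.ClientCertificates.Add(cert);                  // offered during the TLS handshake
        using (var client = new HttpClient(handler))           // placeholder URL
            Console.WriteLine((int)client.GetAsync("https://myserver.example/service.asmx").Result.StatusCode);
    }
}
```

Run it under the same identity as the web application, since the result depends on that account's rights to the key and not on the certificate itself.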

