Re: HELP! WSE Token Manager calling another webservice
Today is a good day since we found the cause of the problems!

It is very well described in the following article
http://blogs.msdn.com/kevinha/archive/2005/02/15/373254.aspx

The problem is that the client, who owns the private key of the
certificate, sends a request to the webservice, passing the
certificate. Then, the webservice wants to pass that certificate to
another webservice but the webservice does NOT have its private key.

Therefore the webservice cannot add the certificate to the request and
the authentication webservice will never receive a certificate. That is
why the second webservice will return an error 403 (Access denied).
More specifically it returns a 403.7, telling us that no client
certificate was supplied.

To solve this we had two options:

First option:
Install the client certificate in the Local Computer\Personal
certificate store on the server hosting the processing webservice. The
certificate must be installed there WITH its private key AND the ASPNET
account (on Windows XP) must be granted the permission to access that
certificate.
We grant the permission using the X509 Certificate Tool from the
WebService Enhancements 2 installation.

That scenario works but is not practical in real deployment scenarios.
However, doing so helped us to determine the real cause of the problem.

Our second option:
The WSE Token manager of the Processing webservice gets the certificate
from the client and then gets its content as a byte array. That byte
array is then passed to the authentication webservice as an extra input
parameter. The Authentication webservice uses the byte array to restore
a real certificate object (of course without the private key) and uses
that to authenticate the user.

The Processing webservice CAN use its own certificate to authenticate
itself to the Authentication webservice. If the authentication
webservice is then set to require a certificate it's more secure.


I hope this article will help you in your development efforts and save
you some of the time we invested in investigating our problem.

Sincerely,
Jeroen Bijleveld
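The two-hop flow from the post's second option, as an added example that is not code from the original post or from WSE. It assumes .NET 6 or later (CertificateRequest and the X509Certificate2 API), generates a self-signed certificate in-process as a stand-in for the client's real certificate, and uses a hypothetical thumbprint allow-list in place of whatever the Authentication webservice really consults; WSE itself is not involved. The point it makes concrete: Export(X509ContentType.Cert) yields only the DER-encoded public certificate, so the bytes the Processing service forwards can never carry the private key, the reconstructed object reports HasPrivateKey == false, and the proof of possession (the signature over the request) is verified only at the first hop. The Authentication service therefore identifies the user from public data and has to trust that the Processing service did that check, which is why the post's remark about the Processing service authenticating itself to the Authentication service with its own certificate matters.

```csharp
// Added example, not part of the original post. Assumes .NET 6+; the self-signed
// certificate and the thumbprint allow-list are stand-ins constructed for this demo.
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Text;

static class TwoHopCertificateFlow
{
    // Client side: owns the private key, signs the request and attaches the certificate.
    static (byte[] body, byte[] signature, byte[] certDer) ClientBuildRequest(X509Certificate2 clientCert, string payload)
    {
        byte[] body = Encoding.UTF8.GetBytes(payload);
        using RSA key = clientCert.GetRSAPrivateKey() ?? throw new InvalidOperationException("client cert has no private key");
        byte[] sig = key.SignData(body, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        // X509ContentType.Cert exports the DER certificate only: public key, no private key.
        byte[] der = clientCert.Export(X509ContentType.Cert);
        return (body, sig, der);
    }

    // Processing webservice: verifies proof of possession, then forwards the public bytes.
    static byte[] ProcessingServiceHandle(byte[] body, byte[] signature, byte[] certDer)
    {
        var cert = new X509Certificate2(certDer);
        using RSA pub = cert.GetRSAPublicKey() ?? throw new InvalidOperationException("not an RSA certificate");
        // This is the check WSE performs on a signed request: the signature proves the caller
        // holds the private key. The Processing service never sees that key and cannot re-sign.
        if (!pub.VerifyData(body, signature, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1))
            throw new CryptographicException("request signature does not verify against presented certificate");
        // The post's second option: pass the raw certificate bytes on as an extra parameter.
        return cert.RawData;
    }

    // Authentication webservice: rebuilds the certificate object and identifies the user.
    static string AuthenticationServiceHandle(byte[] certBytes, string[] allowedThumbprints)
    {
        var cert = new X509Certificate2(certBytes);
        // Restored from public bytes only; the private key never left the client.
        if (cert.HasPrivateKey) throw new InvalidOperationException("unexpected private key in forwarded bytes");
        DateTime now = DateTime.Now;  // NotBefore/NotAfter are reported in local time
        if (now < cert.NotBefore || now > cert.NotAfter)
            throw new UnauthorizedAccessException("certificate outside validity period");
        // Match on thumbprint, not on subject name, which anyone can put into a self-signed cert.
        foreach (string tp in allowedThumbprints)
            if (string.Equals(tp, cert.Thumbprint, StringComparison.OrdinalIgnoreCase))
                return cert.Subject;
        throw new UnauthorizedAccessException("certificate not registered: " + cert.Thumbprint);
    }

    // Hypothetical client certificate generated for the demo in place of a CA-issued one.
    static X509Certificate2 MakeSelfSignedClientCert(string subject)
    {
        using RSA rsa = RSA.Create(2048);
        var req = new CertificateRequest(subject, rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        return req.CreateSelfSigned(DateTimeOffset.Now.AddMinutes(-5), DateTimeOffset.Now.AddDays(1));
    }

    static void Main()
    {
        using X509Certificate2 clientCert = MakeSelfSignedClientCert("CN=example-client");
        string[] registered = { clientCert.Thumbprint };  // what the Authentication service knows

        var (body, sig, der) = ClientBuildRequest(clientCert, "<GetBalance account='42'/>");
        byte[] forwarded = ProcessingServiceHandle(body, sig, der);
        Console.WriteLine("Authenticated as: " + AuthenticationServiceHandle(forwarded, registered));

        // Tampered body: proof of possession fails at the Processing service, nothing is forwarded.
        byte[] tampered = Encoding.UTF8.GetBytes("<GetBalance account='43'/>");
        try { ProcessingServiceHandle(tampered, sig, der); }
        catch (CryptographicException e) { Console.WriteLine("Rejected: " + e.Message); }
    }
}
```

Because the forwarded bytes are public, anyone who can reach the Authentication webservice directly could present them; restricting that endpoint to callers that authenticate with the Processing service's own certificate (the post's closing note) is what closes that gap.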
