Re: getting 403: forbidden when attempt to access SSL secured webservice


From: JerryK (jerryk_at_nospam.com)
Date: 03/11/05


Date: Thu, 10 Mar 2005 18:17:20 -0800

Trevor,

Thanks for the reply.

I added the code that adds the certificates to the clientCertificate
collection and that seems to work for the WinForm version. It did not,
however, affect the ASP.Net version.

I did as you suggested and added the certificates using the MMC. When I
launched the snap-in it came up with a dialog that says this snap-in will
always manage certificates for: My user account, Service Account, or
Computer account. I added the snap-in 3 times, once for My User Account,
Computer Account, and Service Account. For the Service Account it asked me
the service name, and I selected the Machine Debugger Account.

I do not have a single certificate but rather three certificates that are
designed to be in 3 different stores. At least that is what the guy who
gave them to me said. We have a root certificate, that resides in the
Trusted Root Certificate Authority. Then there is an intermediate
certificate that resides in the Intermediate Certificate Authorities.
Finally there is a Personal Certificate that resides in the Personal
Certificate Authority. The Personal Certificate's path points to the
Intermediate Certificate, which in turn points to the Root Certificate.

I placed each of these certificates in the appropriate stores for the User,
Service, and Computer accounts. However, I am still generating the 403:
Forbidden error from the asp.net page. I thought this might be an account
issue, but I do have impersonation enabled and am using the administrator
account, which works with the WinForms version.

Any thoughts?

jerrry

"Trevor Pinkney" <tpinkney@cyence.com> wrote in message
news:4367632460479641665970@news.microsoft.com...
> You need to export the certificate (without private key) from IE into a
> .cer file.
>
> Then you need to open MMC, add the certificates Snap-In and import the
> certificate into the trusted root authorities. (also known as the machine
> store)
>
> Finally, you need to attach the certificate to the request
>
> serviceProxy.ClientCertificates.Add(System.Security.Cryptography.X509Certificates.X509Certificate.CreateFromCertFile("c:\\yourCert.cer"));
>
> -Trevor
>
>
> Hello JerryK,
>
>> BTW, the error is also generated on a VB.net winform app.
>>
>> "JerryK" <jerryk@nospam.com> wrote in message
>> news:OMLCgkRIFHA.2984@TK2MSFTNGP15.phx.gbl...
>>
>>> Hi,
>>>
>>> I have an ASP.net page, written in VB.net. In that code I want to
>>> access a validator web service that is secured via SSL. I have
>>> installed the certificate, via a .pfx file, on the system. I can
>>> browse to the service and appear to be getting through. However, from
>>> my server page I cannot access the web service. The call to the
>>> service generates the exception "Request failed with HTTP status 403:
>>> Forbidden".
>>>
>>> I had previously received this error when I attempted to access the
>>> service via IE. But specifying the appropriate Client Certificate
>>> when asked seemed to fix the problem. I read that I need to do
>>> something similar in code so I implemented the ICertificatePolicy
>>> class's member CheckValidationResult() returning true. The code I
>>> use to do this is:
>>>
>>> Public Class NetPolicy
>>>     Implements ICertificatePolicy
>>>
>>>     Public Function CheckValidationResult (....) As Boolean
>>>         Return True
>>>     End Function
>>> End Class
>>>
>>> The code that calls the webservice ValidateWS() is:
>>>
>>> Function Validate(id As Integer) As Boolean
>>>     Dim result As Boolean
>>>
>>>     System.Net.ServicePointManager.CertificatePolicy = New NetPolicy
>>>     result = WebServer.ValidateWS(id) ' this is where the exception is generated
>>>     Return result
>>> End Function
>>>
>>> Any thoughts or pointers?
>>>
>>> Thanks,
>>>
>>> Jerry
>>>
>
>
>
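
A diagnostic for the store layout discussed in this thread, added here as an example and not part of the original posts: run under the same account as the code that calls the web service, it lists the Personal-store certificates that account can see, whether each has a private key the account can open, and whether the chain builds to a trusted root. It assumes Windows PowerShell with .NET 4.6 or later; the function name `Get-ClientCertReport` and its subject filter are hypothetical.

```powershell
# Added example (not from the thread). Run it as the account that calls the service.
function Get-ClientCertReport {
    param([string]$SubjectFilter = '*')   # hypothetical filter; '*' lists every certificate

    $account = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    foreach ($location in 'CurrentUser', 'LocalMachine') {
        # 'My' is the Personal store shown in the MMC certificates snap-in
        $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', $location)
        $store.Open('ReadOnly')
        try {
            foreach ($cert in $store.Certificates) {
                if ($cert.Subject -notlike $SubjectFilter) { continue }

                # HasPrivateKey only says a key is linked; opening it tests this account's access.
                $keyReadable = $false
                if ($cert.HasPrivateKey) {
                    try {
                        $key = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
                        $keyReadable = ($null -ne $key)
                    } catch { $keyReadable = $false }
                }

                # Build personal -> intermediate -> root; revocation is skipped (assumption: offline check).
                $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
                $chain.ChainPolicy.RevocationMode = 'NoCheck'
                $chainOk = $chain.Build($cert)

                [pscustomobject]@{
                    Account       = $account
                    Store         = "$location\My"
                    Subject       = $cert.Subject
                    HasPrivateKey = $cert.HasPrivateKey
                    KeyReadable   = $keyReadable
                    ChainBuilds   = $chainOk
                    ChainPath     = ($chain.ChainElements | ForEach-Object { $_.Certificate.Subject }) -join ' <- '
                    ChainStatus   = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
                }
            }
        } finally { $store.Close() }
    }
}

Get-ClientCertReport | Format-List
```

Compare the output for the interactive account with the output for the identity the web application runs as.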


