Scenario:

  • A client calls WebService A on the LAN. WebService A is running under an App Pool with Identity "Network Service".
  • WebService A does some work, prepares to call WebService B.
  • WebService B requires a client cert (*.cer) and SSL.
  • WebService A is on a dedicated Windows 2003 server.
  • Everything works in the Dev environment as it should (but the developer with Administrator privileges is always logged on locally; no surprise!).
  • The certificates are stored on disk at C:\MyCertificates\
  • The certificate is being applied at runtime successfully in Dev with this snippet: myWebService.ClientCertificates.Add(X509Certificate.CreateFromCertFile(certPath));

Problem: WebService A is calling WebService B, and the returned exception is:

The request failed with HTTP status 403: Forbidden

This really means that the certificate was not sent in the request to WebService B.

I am under the assumption that installing this cert into the browser is not a solution. The browser settings typically are per-user, and I need to give the certificate to the user whose credentials the web service is running under. (e.g. Network Service, System, or whatever is in the IIS AppPool settings).

Question: How can I grant access or association to my certificate living at the specified directory location to the Network Service or other non-user account?

+1  A: 

This Microsoft knowledgebase article may be of use:

How to call a Web service by using a client certificate for authentication in an ASP.NET Web application (MS KB901183)

Your web service 'A' would effectively be the ASP.NET application calling the web service as described in the article.

Kev
That was the missing piece of the puzzle. Thanks Kev!
p.campbell
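The approach the accepted answer points to, as an added illustration that is not code from the question, the answer or the KB article: instead of loading a .cer file from a path that only the logged-on developer can use, put the certificate together with its private key in the Local Computer store, grant the app-pool account read access to that private key, and load it from the store at runtime. A .cer file carries only the public certificate; the private key must live in a store the process identity (here Network Service) can read, which is why the Dev box works only while the developer is logged on. The class name, the thumbprint parameter and the proxy type are hypothetical.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Web.Services.Protocols;

// Hypothetical helper for WebService A. Prerequisites (done once on the server):
//  1. Import the .pfx (certificate + private key) into Local Computer \ Personal.
//  2. Grant the app-pool identity access to the private key, e.g.
//     winhttpcertcfg.exe -g -c LOCAL_MACHINE\My -s "<cert subject>" -a NetworkService
public static class ClientCertLoader
{
    // Finds the client certificate by thumbprint (constructed placeholder value in the caller)
    // and verifies that the current process identity can actually reach its private key.
    public static X509Certificate2 LoadFromMachineStore(string thumbprint)
    {
        X509Store store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
        try
        {
            X509Certificate2Collection found = store.Certificates.Find(
                X509FindType.FindByThumbprint, thumbprint, false);
            if (found.Count == 0)
                throw new InvalidOperationException(
                    "Client certificate not found in LocalMachine\\My: " + thumbprint);

            X509Certificate2 cert = found[0];
            if (!cert.HasPrivateKey)
                throw new InvalidOperationException(
                    "Certificate has no private key; a public .cer alone cannot authenticate a client.");

            // Touching the key performs the ACL check under the app-pool account.
            // A CryptographicException here means the account was never granted the key,
            // which at the SSL layer shows up as the cert silently not being sent (HTTP 403).
            try { AsymmetricAlgorithm key = cert.PrivateKey; }
            catch (CryptographicException ex)
            {
                throw new InvalidOperationException(
                    "Process identity cannot read the private key; grant it to the app-pool account.", ex);
            }
            return cert;
        }
        finally { store.Close(); }
    }

    // Attaches the certificate to the generated proxy for WebService B (any SoapHttpClientProtocol proxy).
    public static void Attach(SoapHttpClientProtocol webServiceBProxy, string thumbprint)
    {
        webServiceBProxy.ClientCertificates.Add(LoadFromMachineStore(thumbprint));
    }
}
```

Calling Attach(myWebService, thumbprint) in place of the CreateFromCertFile line gives a clear exception at startup when the store or key ACL is wrong, instead of an opaque 403 from WebService B.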