I have an ASP NET web server application that calls another process running on the same box that creates a pdf file and returns it. The second process requires a secure connection via SSL.

The second process has issued my ASP NET application with a digital certificate but I still cannot authenticate, getting a 403 error.

The code is a little hard to show but here's a simplified method ...

    using System.IO;
    using System.Net;
    using System.Security.Cryptography.X509Certificates;

    // Verbatim string: a plain "path\to\cert.cer" does not compile (\c is not a valid escape).
    X509Certificate cert = X509Certificate.CreateFromCertFile(@"path\to\cert.cer");
    string URL = "https://urltoservice?params=value";
    HttpWebRequest req = (HttpWebRequest)WebRequest.Create(URL);
    req.ClientCertificates.Add(cert);                     // offered to the server during the TLS handshake
    req.Credentials = CredentialCache.DefaultCredentials; // identity of the ASP.NET worker process
    req.PreAuthenticate = true;
    // error happens here
    WebResponse resp = req.GetResponse();
    Stream input = resp.GetResponseStream();

The error text is "The remote server returned an error: (403) Forbidden." Any pointers are welcome.

A: 

A 403 sounds like an authorization problem, not an authentication problem. It might be caused by the NTFS security settings on the files and folders accessed by your PDF service. Maybe it doesn't have permission to create the PDF file in the output folder?

Can you install the client certificate into your browser, and then access your PDF service through the browser? When you do that, do you still get a 403 or does it work?

Can you temporarily configure the PDF service to allow unencrypted HTTP connections? Does that make the problem go away?

From Windows Explorer, can you grant the "Network Service" account full control over the physical folder corresponding to the root of the PDF service site? Also grant it full control over any other directories it accesses. You should lock things down later after you've figured things out.

Or you can change the application pool to run under a different account - e.g. your own account.

Finally: if you're running IIS 7, you can turn on failed request tracing, which should give you a lot more info about why it failed.

Richard Beier
403 can be both authorization and authentication: 403.7 - Client certificate required. 403.16 - Client certificate is untrusted or invalid. 403.17 - Client certificate has expired or is not yet valid.
Gonzalo
Thanks for the leads. I've added network service with full rights to the pdf server directory and enabled tracing. Turning off https "fixes" the problem but is not suitable for a live site.
David M
Here's the steps I've followed.

1. Our CA issued a client cert for the "reporting user".
2. On my PC opened IE, entered the URL for the pdf report server, was prompted for a cert so chose the one from above.
3. The pdf is displayed!

So there are no problems with it working interactively. Turning back to the web server - I wrote the code as above, allowing it to programmatically create an httprequest object but am still getting the 403 error. The tracing shows it is a 403.7 "Access is denied" error. I'll keep working on it and post any progress - in the meantime all help is appreciated.
David M
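Added example, not code from any of the posters: a PowerShell script (Windows PowerShell 5.1 assumed, because it relies on Invoke-WebRequest raising a System.Net.WebException) that repeats the request the question's C# makes, but takes the certificate from the machine store instead of a .cer file (a .cer holds only the public certificate, and TLS client authentication needs the private key) and reads the IIS sub-status out of the error body, so a 403.7, 403.16 or 403.17 can be told apart without failed request tracing. The URL and certificate subject are placeholders.

```powershell
# Added example (not from the original post). Assumed values: $Url and $Subject.
param(
    [string]$Url     = "https://urltoservice?params=value",  # assumed, taken from the question
    [string]$Subject = "CN=reporting user"                   # assumed certificate subject
)

# 1. Pick the client certificate from LocalMachine\My and insist on a private key:
#    without one the handshake cannot prove possession and IIS sees no client cert at all.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq $Subject -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1

if (-not $cert) {
    throw "No certificate with subject '$Subject' and a private key in LocalMachine\My"
}
"Using {0} (thumbprint {1}, valid until {2:u})" -f $cert.Subject, $cert.Thumbprint, $cert.NotAfter

# 2. Make the same request the ASP.NET code makes, from a shell where the response
#    body (where IIS's detailed error page names the 403.x sub-status) is easy to read.
try {
    $resp = Invoke-WebRequest -Uri $Url -Certificate $cert -UseBasicParsing
    "HTTP {0}: {1} bytes returned" -f $resp.StatusCode, $resp.RawContentLength
}
catch [System.Net.WebException] {
    $http = $_.Exception.Response
    if (-not $http) { throw }      # no response at all: DNS/TLS failure, not an IIS 403
    $body = (New-Object System.IO.StreamReader($http.GetResponseStream())).ReadToEnd()
    "HTTP {0} {1}" -f [int]$http.StatusCode, $http.StatusDescription

    # The sub-statuses Gonzalo lists above, as IIS prints them in the error page.
    if ($body -match '403\.(7|16|17)') {
        switch ($Matches[1]) {
            '7'  { 'Sub-status 403.7: the server never received a client certificate.' }
            '16' { 'Sub-status 403.16: the client certificate is untrusted or invalid.' }
            '17' { 'Sub-status 403.17: the client certificate is expired or not yet valid.' }
        }
    }
}
```

The script runs with the interactive user's own access to the private key. If it returns the PDF for you but the ASP.NET request still gets 403.7, the difference is the identity the request runs under: the worker process could not open the key, so the handshake sent no certificate, which is exactly the case the accepted answer's winhttpcertcfg grant fixes.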
+1  A: 

Finally fixed (wasted 6 hours on this *&%$@#&)

I needed to grant access to the private keys on the digi cert to the account that the calling ASP.NET application runs under. This account is NETWORK SERVICE by default although you may want to run under a more restricted account. Access is granted with the winhttpcertcfg tool, here's what got it working for me:

    winhttpcertcfg -g -s "cert name" -c "LOCAL_MACHINE\MY" -a "NETWORK SERVICE"

where "cert name" is the CN of the digi cert. More info at http://support.microsoft.com/kb/901183

Thanks to all who helped out with pointers on how to get this working :)

David M
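Added example, not from the answer above: the same grant that winhttpcertcfg performs, done with built-in PowerShell and icacls so you can first see which account already has access to the key file and then add the app pool identity with read access only. Assumed values are the certificate subject, the account name, and the key-file locations (CAPI keys under Microsoft\Crypto\RSA\MachineKeys, CNG keys under Microsoft\Crypto\Keys); run it elevated on the web server.

```powershell
# Added example (not from the original post). Equivalent of:
#   winhttpcertcfg -g -s "cert name" -c "LOCAL_MACHINE\MY" -a "NETWORK SERVICE"
param(
    [string]$Subject = "CN=reporting user",            # assumed; the cert's CN
    [string]$Account = "NT AUTHORITY\NETWORK SERVICE"  # assumed; use the real app pool identity
)

$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq $Subject -and $_.HasPrivateKey } |
    Select-Object -First 1
if (-not $cert) { throw "No certificate '$Subject' with a private key in LocalMachine\My" }

# Locate the file that holds the private key. Legacy CAPI (CSP) keys expose their
# container name via CspKeyContainerInfo; CNG keys expose a UniqueName on the CngKey.
# Both directory names below are assumptions for a standard machine store.
$csp = $cert.PrivateKey   # RSACryptoServiceProvider for CAPI keys, $null for CNG keys
if ($csp -and $csp.CspKeyContainerInfo) {
    $name    = $csp.CspKeyContainerInfo.UniqueKeyContainerName
    $keyFile = Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$name"
} else {
    $rsa     = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
    $name    = $rsa.Key.UniqueName   # assumes an RSA CNG key
    $keyFile = Join-Path $env:ProgramData "Microsoft\Crypto\Keys\$name"
}
if (-not (Test-Path $keyFile)) { throw "Private key file not found: $keyFile" }

"Key file: $keyFile"
"ACL before the grant:"
(Get-Acl $keyFile).Access |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize

# Read is enough: the TLS handshake only needs to use the key, never to change it.
# Do not grant Full Control here, even temporarily.
icacls $keyFile /grant "$($Account):(R)" | Out-Null

"ACL entry for $Account after the grant:"
(Get-Acl $keyFile).Access | Where-Object { $_.IdentityReference.Value -eq $Account }
```

The same read-only grant can be made interactively from the Certificates MMC snap-in (certlm.msc, right-click the certificate, All Tasks, Manage Private Keys). Whichever route you take, the ACL on the key file is the thing to check whenever a service account gets 403.7 while the same certificate works in a browser under your own login.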