tags:

views:

143

answers:

2
+1  Q: 

Calling https process from ASP Net

I have an ASP NET web server application that calls another process running on the same box that creates a pdf file and returns it. The second process requires a secure connection via SSL.

The second process has issued my ASP NET application with a digital certificate but I still cannot authenticate, getting a 403 error.

The code is a little hard to show but here's a simplified method ...

    X509Certificate cert = X509Certificate.CreateFromCertFile("path\to\cert.cer");
    string URL = "https://urltoservice?params=value";
    HttpWebRequest req = HttpWebRequest.Create(URL) as HttpWebRequest;
    req.ClientCertificates.Add(cert);
    req.Credentials = CredentialCache.DefaultCredentials;
    req.PreAuthenticate = true;
    /// error happens here
    WebResponse resp = req.GetResponse();
    Stream input = resp.GetResponseStream();

The error text is "The remote server returned an error: (403) Forbidden." Any pointers are welcome.

A: 

A 403 sounds like an authorization problem, not an authentication problem. It might be caused by the NTFS security settings on the files and folders accessed by your PDF service. Maybe it doesn't have permission to create the PDF file in the output folder?

Can you install the client certificate into your browser, and then access your PDF service through the browser? When you do that, do you still get a 403 or does it work?

Can you temporarily configure the PDF service to allow unencrypted HTTP connections? Does that make the problem go away?

From Windows Explorer, can you grant the "Network Service" account full control over the physical folder corresponding to the root of the PDF service site? Also grant it full control over any other directories it accesses. You should lock things down later after you've figured things out.

Or you can change the application pool to run under a different account - e.g. your own account.

Finally: if you're running IIS 7, you can turn on failed request tracing, which should give you a lot more info about why it failed.

Richard Beier  2009-11-25 04:42:38
403 can be both authorization and authentication: 403.7 - Client certificate required. 403.16 - Client certificate is untrusted or invalid. 403.17 - Client certificate has expired or is not yet valid.
Gonzalo  2009-11-25 16:02:29
Thanks for the leads. I've added network service with full rights to the pdf server directory and enabled tracing. Turning off https "fixes" the problem but is not suitable for a live site.More ...
David M  2009-11-25 20:35:50
Here's the steps I've followed.1. Our CA issued a client cert for the "reporting user"2. On my PC opened IE, entered the URL for the pdf report server, was prompted for a cert so chose the one from above.3. The pdf is displayed !So there are no problems with it working interactively.Turning back to the web server - I wrote the code as above, allowing it to programatically create an httprequest object but am stilling getting the 403 error.The tracing shows it is a 403.7 "Access is denied" error.I'll keep working on it and post any progress - in the meantime all help is appreciated.
David M  2009-11-25 20:36:39
+1  A: 

Finally fixed (wasted 6 hours on this *&%$@#&)

I needed to grant access to the private keys on the digi cert to the account that the calling ASP.NET application runs under. This account is NETWORK SERVICE by default although you may want to run under a more restricted account. Access is granted with the winhttpcertcfg tool, here's what got it working for me:

winhttpcertcfg -g -s "cert name" -c "LOCAL_MACHINE\MY" -a "NETWORK SERVICE" where "cert name" is the CN of the digi cert. More info at http://support.microsoft.com/kb/901183

Thanks to all who helped out with pointers on how to get this working :)

David M  2009-11-26 04:04:32

related questions

Is it better to create Model classes, or just stick with generic database utility class?
What are effective options for embedding video in an ASP.NET web site?
Visual Studio 2008 debugger already attached work-around
Tracking state using ASP.NET AJAX / ICallbackEventHandler
ASP.NET Display SVN Revision Number
ASP.NET URL Rewriting
How can I change the background of a masterpage from the code behind of a content page?
Easy way to AJAX WebControls
How do I define custom web.config sections with potential child elements and attributes for the properties?
ASP.NET MVC "CRUD" Database Sample
Are Multiple DataContext classes ever appropriate?
How to RedirectToAction in ASP.NET MVC without losing request data
Triple Quotes? How do I delimit a databound Javascript string parameter in ASP.NET?
ASP.NET built in user profile, Vs old stile user class/tables
What's a good book for learning ASP?
Bandwith throttling in IIS 6 by IP Address
ASP .Net Custom Client-Side Validation
How to get the value of built, encoded ViewState?
Decent, simple, GIS/mapping component for ASP.NET?
Checklist for IIS 6/ASP.NET Windows Authentication?
How to write to Web.Config in Medium Trust ?
ASP.NET, Visual Studio and Subversion - how to integrate?
Floating Point Number parsing: Is there a Catch All algorithm?
How do I sync the SVN revision number with my ASP.NET web site?
ASP.NET Site Maps