I have a web service that is protected by requiring the consuming third-party application to pass a client certificate. I have installed the certificate on the providing web service in production and on the client as well. This process is currently working fine for other clients with a similar setup. The current version is written in .NET 3.5 and works perfectly on my development machine under Cassini (and running standalone), but refuses to work on my production machine with the same code and certificate setup. I have confirmed that the provider web service accepts the certificate installed on the client through the browser, but when the cert is added to a web service call programmatically, I get a 403, access is denied. I output the fingerprint of the certificate added to the call before it makes the request to the protected web service, and it is indeed the correct certificate attached. My thinking is that somewhere along the line, it does not have access to the private key portion of the certificate.

Any ideas?

Note: I've given the IIS process access to the relevant ~/crypto directories.

This is C# and .NET 3.5

+2  A: 

I had this kind of problem a couple of weeks ago. The solution in my case was to use impersonation in order to gain appropriate access to the certificate store. By default, the IIS worker thread was running as a system user, and as such had no access to the appropriate store. Adding the certificate to a specific user store, and impersonating that user solved all the issues.

I shall continue to watch this question, though, as I am aware that impersonation is not a magic bullet fix, and that there will be issues arising from it in this scenario.

ZombieSheep
Your post got me headed in the right direction. Thanks ZombieSheep!
Chris Ballance
A: 
T.E.D.
If I could run this machine in production, then I'd definitely have a solution!
Chris Ballance
A: 

There's a distinct reason it did not work on my machine. When running within Visual Studio, it runs with my credentials, which were used to install the certificate, and thus it automatically has permission to access the private key store on the machine. However, when running outside of Cassini (in the IDE), the IIS process did not have permission to access the private key store.

Temporary solution: Run the app-domain as Local System. Bad for security, but it gets the application up and running (albeit band-aided) until I can work out a more permanent solution.

Chris Ballance
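A diagnostic in the spirit of the two answers, added here as an example and not code from the question or either answer: it loads the certificate by thumbprint, forces the CSP to open the private key under the identity the app pool is actually running as (so an ACL problem surfaces as a clear error before the request is sent), and only then attaches the certificate. The thumbprint and URL are assumed to be supplied by the caller.

```csharp
using System;
using System.Net;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Security.Principal;

// Hypothetical helper (example code, .NET 3.5 APIs only).
static class ClientCertCheck
{
    public static X509Certificate2 LoadUsableClientCert(string thumbprint)
    {
        // thumbprint: assumed caller-supplied value, e.g. the one logged before the call.
        X509Store store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
        try
        {
            X509Certificate2Collection found = store.Certificates.Find(
                X509FindType.FindByThumbprint, thumbprint, false);
            if (found.Count == 0)
                throw new InvalidOperationException("Certificate not found in LocalMachine\\My");

            X509Certificate2 cert = found[0];
            string who = WindowsIdentity.GetCurrent().Name; // identity the app pool runs as

            // HasPrivateKey only says a key is associated with the cert in the store;
            // it does not prove this identity may read the key file.
            if (!cert.HasPrivateKey)
                throw new InvalidOperationException("Certificate has no private key; import it as PFX with the key.");

            // Reading PrivateKey makes the CSP open the key container. Without read access
            // to the key file this throws CryptographicException even though the public
            // half (and therefore the fingerprint) looks perfectly fine.
            try
            {
                AsymmetricAlgorithm key = cert.PrivateKey;
                if (key == null) throw new InvalidOperationException("PrivateKey returned null");
            }
            catch (CryptographicException ex)
            {
                throw new InvalidOperationException("Identity '" + who + "' cannot open the private key; "
                    + "grant it read access to the key (certificates MMC: All Tasks > Manage Private Keys) "
                    + "instead of running the app pool as Local System.", ex);
            }
            return cert;
        }
        finally { store.Close(); }
    }

    public static HttpWebRequest BuildRequest(string url, X509Certificate2 cert)
    {
        HttpWebRequest req = (HttpWebRequest)WebRequest.Create(url); // url: assumed value
        req.ClientCertificates.Add(cert);
        return req;
    }
}
```

Run this once under the production app pool identity: if the exception fires, the 403 is a key ACL problem on the server running the client code, and granting that one identity read access to the key is the least-privilege alternative to Local System or impersonation.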