views: 6154

answers: 3

I posted days ago about access control to web service (http://stackoverflow.com/questions/390853/access-control-to-web-service). In short, I have an ASP.NET web service deployed on //service/webservice and I want my ASP.NET web application (app1) on the //web1 to access the web service with certificate authentication. I keep getting System.Net.WebException: The request failed with HTTP status 403: Forbidden exception. The following is my setup:

On certificate export:

  • I exported a server certificate issued to //service from LocalMachine store and saved it as service.cer.
  • I also exported a client certificate issued to //web1 from LocalMachine store and saved it as web1.cer.

Setup on //service/webservice:

  • On Directory Security, unchecked Anonymous Access and all Authentication Access (Integrated Windows Access, Digest Authentication and Basic Authentication).
  • On Secure communications, checked Require secure channel (SSL), Require 128-bit encryption, Require client certificate, and Enable client certificate mapping. I then mapped web1.cer to an AD account MyDomain/user which has access rights to //service/webservice.
  • For //service/webservice/WebService.asmx, set <authentication mode="Windows" /> on web.config

Setup on //web1/app1:

  • Set <authentication mode="Windows" /> and <identity impersonate="true" /> on web.config
  • In VS2008, I added the web reference to //service/webservice/WebService.asmx and named it WService
  • In //web1/app1/default.aspx.cs, I had this:
    using System.Net;
    using System.Security.Cryptography.X509Certificates;

    protected void Page_Load(object sender, EventArgs e)
    {
        WService.WebService ws = new WService.WebService();
        // Accepts every server certificate, i.e. turns off server certificate validation for this process.
        ServicePointManager.ServerCertificateValidationCallback =
            delegate(Object sender1, X509Certificate cert, X509Chain chain, System.Net.Security.SslPolicyErrors errors) { return true; };
        // I was a bit confused here on which certificate I should use, so I have tried both service.cer and web1.cer but still got the same error.
        // Note: a .cer file holds only the public certificate, so the object loaded here has no private key to sign the TLS client handshake with.
        X509Certificate x509 = X509Certificate.CreateFromCertFile(@"C:\Certificates\service.cer");
        ws.ClientCertificates.Add(x509);
        ws.DoSomething();
    }
  • I ran WinHttpCertCfg.exe to grant access to both certificates in LocalMachine for ASPNET account

I went to https://service/webservice/WebService.asmx, was prompted to provide a client certificate, and after that I was through. But if I went to https://web1/app1/default.aspx (which would call the web service), I got the HTTP status 403 exception.

What did I miss? I would assume the problem is because //web1/app1/default.aspx.cs failed to transmit the certificate across. If that's the problem, how do I do that? I built both the asmx and aspx on VS 2008 and ASP.NET 3.5.
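As an added example (not the poster's code), this is how the client certificate would be loaded with its private key from the LocalMachine store and attached to the WService proxy named in the question, with a server-validation callback that fails on any chain or name error instead of returning true. The ClientCertHelper class and the thumbprint value are assumptions introduced here.

```csharp
using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

public static class ClientCertHelper
{
    // Hypothetical placeholder: thumbprint of the client certificate issued to web1.
    private const string ClientThumbprint = "0000000000000000000000000000000000000000";

    // Loads the client certificate from LocalMachine\Personal. A .cer exported without
    // its private key cannot do TLS client authentication; the store copy must hold the
    // key, and the worker process account (ASPNET) needs read access to it (WinHttpCertCfg).
    public static X509Certificate2 LoadClientCertificate(string thumbprint)
    {
        X509Store store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
        try
        {
            X509Certificate2Collection found = store.Certificates.Find(
                X509FindType.FindByThumbprint, thumbprint, true);
            if (found.Count == 0)
                throw new InvalidOperationException("Client certificate not found or not valid.");
            if (!found[0].HasPrivateKey)
                throw new InvalidOperationException("No private key; import the .pfx, not the .cer.");
            return found[0];
        }
        finally
        {
            store.Close();
        }
    }

    // Server certificate check: any chain or name error fails the call, unlike the
    // "return true" callback in the question, which switches off server authentication.
    public static bool ValidateServerCertificate(object sender, X509Certificate cert, X509Chain chain, SslPolicyErrors errors)
    {
        return errors == SslPolicyErrors.None;
    }

    // Builds the proxy generated in the question (WService.WebService) with the client certificate attached.
    public static WService.WebService CreateProxy()
    {
        ServicePointManager.ServerCertificateValidationCallback = ValidateServerCertificate;
        WService.WebService ws = new WService.WebService();
        ws.ClientCertificates.Add(LoadClientCertificate(ClientThumbprint));
        return ws;
    }
}
```

If the service's issuing CA is not in the client machine's Trusted Root store, the callback rejects the connection with SslPolicyErrors.RemoteCertificateChainErrors, which points at the trust problem rather than hiding it.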

A: 

Sounds like the SSL certificate is failing to authenticate for the web service client. A good check: if you go to the service from the client’s machine and get an alert in the browser about the SSL certificate, your service will not authenticate with the certificate (the certificate is not trusted). It’s not that the certificate doesn’t work, it’s just not trusted.

If the service is across machines you might have to set up a certificate authority (this might help: http://www.petri.co.il/install_windows_server_2003_ca.htm) and add it as a trusted publisher on the client machine. This might also help: http://support.microsoft.com/kb/901183.

Another option is to simply not validate the SSL, see: http://geekswithblogs.net/jwhitehorn/archive/2006/09/20/91657.aspx

ccook
A: 

Make sure your client certificate was requested as a 'Computer' template certificate for 'Client Authentication' otherwise it will not work.

A: 

Hope this helps.

http://support.microsoft.com/kb/901183

Lex Li