X.509 certificates and httpwebrequest

We retrieve data from a company called XYZ through httpwebrequest.
The program is coded using VB.NET.
They have given a certificate to install.
This certificate is included with the request object. I use httpwebrequest to retrieve data. The certificate is added to the client certificates collection.

When this component is called from a Windows application, I can retrieve the data.
When this component is called from a web page, I get the following error:
The remote server returned an error 403 forbidden.
We have no special setting in machine.config for the section processmodel.
The aspnet process is running under the username aspnet.
If I deploy my component in COM+, it runs successfully.
We feel it is because of a permission issue for the user ASPNET.
I have used the winhttpcertcfg tool from Microsoft to give access to the private key for the user ASPNET.
The certificate is installed under the local machine account in the folder Personals(LOCAL_MACHINE\MY).
I have no success even after utilizing winhttpcertcfg. I feel that the httpwebrequest is somehow not passing the client certificate to the server. I do not want to put this component in COM+ or make any changes to the Processmodel section of machine.config files.
I have given permission to the key under C:\Document and Settings\Allusers\applicationdata\microsoft\Crypto\RSA\MachineKeys for the user ASPNET.
I have had no success even after doing all these steps.
I have tried using the LogOnuser API to change the security context but still I had problems.
In .NET Framework V1.1, to successfully run the LogOnuser API, we have to make the user ASPNET act as part of the operating system. This results in giving a high privilege account to the user ASPNET, which is against our security policy.

Environment: Windows 2000
.NET Framework Version 1.1
IIS 5.0
Programming language used is VB.NET

Give me some insights into the issue.

Have a look at this article:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/SecNetHT13.asp
Also see alternate posting to this group on client certificates in last few days.
- Mitch Gallant

"Deepak" <Dee***@discussions.microsoft.com> wrote in message news:833122FD-0BAB-4BB7-91C8-E30A9B80CDFF@microsoft.com...
> We retrieve data from a company called XYZ through httpwebrequest.
> The program is coded using VB.NET.
> They have given a certificate to install.
> This certificate is included with the request object. I use httpwebrequest to
> retrieve data. The certificate is added to the client certificates
> collection.
>
> When this component is called from a Windows application, I can retrieve the
> data.
> When this component is called from a web page, I get the following error:
> The remote server returned an error 403 forbidden.
> We have no special setting in machine.config for the section processmodel.
> The aspnet process is running under the username aspnet.
> If I deploy my component in COM+, it runs successfully.
> We feel it is because of a permission issue for the user ASPNET.
> I have used the winhttpcertcfg tool from Microsoft to give access to the private
> key for the user ASPNET.
> The certificate is installed under the local machine account in the folder
> Personals(LOCAL_MACHINE\MY).
> I have no success even after utilizing winhttpcertcfg. I feel that the
> httpwebrequest is somehow not passing the client certificate
> to the server. I do not want to put this component in COM+ or make any
> changes to the Processmodel section of machine.config files.
> I have given permission to the key under C:\Document and
> Settings\Allusers\applicationdata\microsoft\Crypto\RSA\MachineKeys for the
> user ASPNET.
> I have had no success even after doing all these steps.
> I have tried using the LogOnuser API to change the security context but still I
> had problems.
> In .NET Framework V1.1, to successfully run the LogOnuser API, we have to make
> the user ASPNET act as part of the operating system. This results in
> giving a high privilege account to the user ASPNET, which is against our
> security policy.
> Environment: Windows 2000
> .NET Framework Version 1.1
> IIS 5.0
> Programming language used is VB.NET
>
> Give me some insights into the issue.

Thanks for responding.
The article that you have mentioned in the response refers to the creation of a serviced component (Develop a component and put it in COM+). We do not want to put the component in COM+ or make any changes to the processmodel section of machine.config. I am looking for a solution which adheres to my constraints as explained above.

Hi Deepak,
If you refer to the other thread in this group started by Mitch Gallant 2 days ago, you'll see that he's seeing similar problems. He has not been successful with getting client certificate authentication to work on .NET 1.1 SP1 unless the private key has no strong protection and it is in the Current User MY store. Putting the key in the machine store doesn't seem to work. You guys might want to try to combine forces to try to solve this.

However, if you have success by deploying the HttpWebRequest in COM+ under a specific identity, I'd suggest you just take that and run with it. I'm not certain this will get any easier.

Joe K.
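
The thread leaves open whether the 403 comes from the calling account being unable to read the private key or from the request itself. The following diagnostic separates the two cases; it is an added example, not code from any poster in this thread. It assumes .NET Framework 2.0 or later (X509Store and X509Certificate2 do not exist in the 1.1 runtime the thread uses), and the subject name and URL are hypothetical placeholders.

```vbnet
Imports System
Imports System.Net
Imports System.Security.Cryptography
Imports System.Security.Cryptography.X509Certificates
Imports System.Security.Principal

Module ClientCertCheck
    ' Hypothetical placeholders (assumptions): use the real subject name and partner URL.
    Const SubjectName As String = "client.example.test"
    Const ServiceUrl As String = "https://partner.example.test/data"

    ' Returns the certificate only if the current identity can open its private key.
    Function LoadUsableCert(ByVal subject As String) As X509Certificate2
        Dim store As New X509Store(StoreName.My, StoreLocation.LocalMachine)
        store.Open(OpenFlags.ReadOnly)
        Try
            Dim found As X509Certificate2Collection = _
                store.Certificates.Find(X509FindType.FindBySubjectName, subject, False)
            If found.Count = 0 Then
                Throw New InvalidOperationException("Certificate not found in LOCAL_MACHINE\MY")
            End If
            Dim cert As X509Certificate2 = found(0)
            ' HasPrivateKey only says a key is associated, not that this account may read it.
            If Not cert.HasPrivateKey Then
                Throw New InvalidOperationException("Certificate has no associated private key")
            End If
            ' Reading PrivateKey opens the key container under the current identity;
            ' a missing ACL entry surfaces here as a CryptographicException.
            Dim key As AsymmetricAlgorithm = cert.PrivateKey
            Return cert
        Finally
            store.Close()
        End Try
    End Function

    Sub Main()
        Console.WriteLine("Running as: " & WindowsIdentity.GetCurrent().Name)
        Try
            Dim req As HttpWebRequest = CType(WebRequest.Create(ServiceUrl), HttpWebRequest)
            req.ClientCertificates.Add(LoadUsableCert(SubjectName))
            Using resp As HttpWebResponse = CType(req.GetResponse(), HttpWebResponse)
                Console.WriteLine("Server answered: " & CInt(resp.StatusCode))
            End Using
        Catch ex As CryptographicException
            Console.WriteLine("Private key not readable by this account: " & ex.Message)
        Catch ex As WebException
            Console.WriteLine("Key is readable, but the request failed: " & ex.Message)
        End Try
    End Sub
End Module
```

Run as a console program this tests the logged-on user; to test the worker process account, call LoadUsableCert from the web page's code path so that it executes under the same identity as the failing request.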