HTTP status 403: Forbidden exception using certificate to authenticate ASP.NET web service

Question

I posted days ago about access control to web service ( Access control to web service ). In short, I have an ASP.NET web service deployed on //service/webservice and I want my ASP.NET web application (app1) on the //web1 to access the web service with certificate authentication. I keep getting System.Net.WebException: The request failed with HTTP status 403: Forbidden exception. The following is my setup:

On certificate export;

• I exported a server certificate issued to //service from LocalMachine store and saved it as service.cer.
• I also exported a client certificate issued to //web1 from LocalMachine store and saved it as web1.cer

Setup on //service/webservice :

• On Directory Security, unchecked Anonymous Access and all Authentication Access (Integrated Windows Access, Digest Authentication and Basic Authentication).
• On Secure communications, checked Required secure channel(SSL), Require 128-bit encyption, Require client certificate, and Enable client certificate mapping. I then mapped web1.cer to an AD account MyDomain/user which has access right to //service/webservice
• For //service/webservice/WebService.asmx , set <authentication mode="Windows" /> on web.config

Setup on //web1/app1

• Set <authentication mode="Windows" /> and <identity impersonate="true" /> on web.config
• In VS2008, I added the web reference to //service/webservice/WebService.asmx and named it WService
• In //web1/app1/default.aspx.cs , I had this:

using System.Security.Cryptography.X509Certificates;
    using System.Net;
        WService.WebService ws = new WService.WebService();
        ServicePointManager.ServerCertificateValidationCallback = delegate(Object sender1, X509Certificate cert, X509Chain chain, System.Net.Security.SslPolicyErrors errors) { return true; };
//I was a bit confused here on which certificate I should use so I have tried both service.cer and web1.cer but still got the same error
        X509Certificate x509 = X509Certificate.CreateFromCertFile(@"C:\Certificates\service.cer"); 
        ws.ClientCertificates.Add(x509);
        ws.DoSomething();

• I ran WinHttpCertCfg.exe to grant access to both certificates in LocalMachine for ASPNET account

I went to https://service/webservice/WebService.asmx and was prompted to provide a client certificate and after that I was through. But if I went to https://web1/app1/default.aspx (which would call the web service) and I would get the HTTP status 403 exception.

What did I miss? I would assume the problem is because //web1/app1/default.aspx.cs failed to transmit the certificate across. If that's the problem, how do I do that? I built both the asmx and aspx on VS 2008 and ASP.NET 3.5.

Answer 1

Sounds like the SSL certificate is failing to authenticate for the web service client. A good check is if you go to the service from the client's machine and get an alert in the browser about an SSL certificate your service will not authenticate with the certificate (certificate is not trusted). It's not that the certificate doesn't work, it's just not trusted.

If the service is across machines you might have to setup a certificate authority (this might help http://www.petri.co.il/install_windows_server_2003_ca.htm ) and add it as a trusted publisher on the client machine. This might also help http://support.microsoft.com/kb/901183 .

Another option is to simple not validate the SSL, see: http://geekswithblogs.net/jwhitehorn/archive/2006/09/20/91657.aspx

Answer 2

确保将您的客户端证书请求为“客户端身份验证”的“计算机”模板证书，否则将无法使用。

Answer 3

When I had this problem it turns out the client certificate/key pair I was using was signed by an intermediate CA which was in the current user store instead of the local machine store. It all looked good if you examined the cert while logged in but the IIS worker process could not see the intermediate CA. Thus, the web service call was not supplying the certificate with the request. You can verify this by checking the server web log for a 403 7 5 response.

Answer 4

确保要模拟的用户有权访问所使用的证书存储。