Scenario:
A client calls WebService A on the LAN. WebService A is running under an App Pool with Identity "Network Service".
WebService A does some work, prepares to call WebService B.
WebService B requires a client cert (*.cer) and SSL.
WebService A is on a dedicated Windows 2003 server.
Everything works in the Dev environment as it should (but the developer with Administrator privileges is always logged on locally, no surprise!).
The certificates are stored on disk at C:\MyCertificates\
The certificate is being applied at runtime successfully in Dev with this snippet: myWebService.ClientCertificates.Add(X509Certificate.CreateFromCertFile(certPath));
Problem:
WebService A is calling WebService B, and the returned exception is:
The request failed with HTTP status 403: Forbidden
This really means that the certificate was not sent in the request to WebService B.
I am under the assumption that installing this cert into the browser is not a solution. The browser settings typically are per-user, and I need to give the certificate to the user whose credentials the web service is running under. (e.g. Network Service, System, or whatever is in the IIS AppPool settings).
Question: How can I grant access or association to my certificate living at the specified directory location to the Network Service or other non-user account?
This Microsoft knowledgebase article may be of use:
How to call a Web service by using a client certificate for authentication in an ASP.NET Web application (MS KB901183)
Your web service 'A' would effectively be the ASP.NET application calling the web service as described in the article.
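The usual resolution the KB article points at is to install the certificate together with its private key in the Local Computer store and grant the application pool identity access to that key, rather than loading a .cer file (which carries only the public part). The following is an added illustration in C#, not code from the question or the KB article; the thumbprint and the surrounding service class are assumed.

```csharp
// Added example: load the client certificate from LocalMachine\My, where the
// Network Service identity can reach it, and fail early if the private key
// is missing or not accessible to the current account.
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class ClientCertLoader
{
    // Hypothetical thumbprint of the certificate installed in LocalMachine\My.
    const string Thumbprint = "0000000000000000000000000000000000000000";

    public static X509Certificate2 LoadClientCertificate()
    {
        X509Store store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
        try
        {
            X509Certificate2Collection found = store.Certificates.Find(
                X509FindType.FindByThumbprint, Thumbprint, false);
            if (found.Count == 0)
                throw new InvalidOperationException(
                    "Client certificate not found in LocalMachine\\My.");

            X509Certificate2 cert = found[0];

            // A .cer import or a public-only entry has no private key, so TLS client
            // authentication cannot complete and the server sees no certificate at all.
            if (!cert.HasPrivateKey)
                throw new InvalidOperationException(
                    "Certificate has no private key; it cannot be used for client auth.");

            // The key may exist but be ACL'd so the app pool identity cannot open it
            // (the case the KB article fixes with winhttpcertcfg); reading it here
            // surfaces that as a clear error instead of a silent 403 from the server.
            try
            {
                AsymmetricAlgorithm key = cert.PrivateKey;
                if (key == null)
                    throw new InvalidOperationException("Private key is not readable.");
            }
            catch (CryptographicException ex)
            {
                throw new InvalidOperationException(
                    "App pool identity lacks access to the private key.", ex);
            }
            return cert;
        }
        finally
        {
            store.Close();
        }
    }
}
```

Usage in the calling web service would then be myWebService.ClientCertificates.Add(ClientCertLoader.LoadClientCertificate()).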
Related
I am using a web service in my .NET based application. The web services are called from a Control-M job which connects to our server where B2B services are hosted and files are fetched. Recently the link between the interface and the web service was broken. When I tried to hit the web service in our browser it gave an error that the SSL certificate had expired. But the website was working fine without any certificate error, and the only certificate bound on the server was not expired. We renewed the certificate and bound it again in IIS, but then we were not able to hit the web service and got the error "page not found". Can anyone tell the reason for it?
We are using WSO2 Identity Server for identity management for the APIs published on WSO2 API Manager. We have used the sample web application (InfoRecoverySample) for recovering account information as suggested in (https://docs.wso2.com/display/IS530/Configuring+Sample+Application+for+Identity+Management). This application has been hosted on a different Tomcat server instead of on the same server as WSO2 Identity Server. How do we specify the trustStore absolute resource path for trustStorePath in the configuration?
We have copied the wsocarbon.jks from the identity server and pasted it on the server where InfoRecoverySample is hosted, providing its absolute path, but in the browser we are unable to fetch the CAPTCHA image provided by WSO2 Identity Server.
Our company PC machines connect to an internal server where a web service hosted on it further connects to an external web service in Italy. The certificate provided to us by the company in Italy only has the client authentication purpose (thus not allowing us to import the certificate in IIS, right?). From a console application connecting directly to Italy's web service, the certificate works fine. However, the same logic fails when Italy's web service is requested through our web service.
Could this be because of the missing server authentication purpose in the certificate?
Thanks,
Justin
I have built a website and a WCF service. The website calls the WCF service (an application underneath the website) to get data. This connection is made using netTcpBinding (it should be netNamedPipes, but for some reason this refuses to work (only) on the deployment server, so I'm using TCP/IP).
In IIS (7.5) I have used IP Address and Domain Restrictions to deny all unspecified clients to the WCF service. I can see the change reflected in my web.config and I am unable to browse to the WCF service (403.6 Forbidden screen appears).
The problem is that the website is able to connect to the WCF service and get data even when I specify that NO IP address is allowed, i.e. no matter what I change, the website can still call the WCF service.
Why can the website access the WCF service?
Did you make those same IP restrictions on your website? Since your website is the one calling the WCF service, making those same IP restrictions there would make sense also.
I have created a WCF service with a SAML implementation. I am using federation binding for the same. From my client application I'm able to access the services hosted on my WCF web service easily when I'm running both the client and the host service on the same machine. I have used certificates for authentication (SAML implementation).
For your information, I have a custom module at the client side which acts as an identity provider. The host service just has some functions which are exposed using wsfederationbinding.
Now the problem is that when I'm running my WCF service host on a different system and the client application (consumer with identity provider) on a different system, I'm getting the following error message:
MessageSecurityException: The EncryptedKey clause was not wrapped with the required encryption token 'System.IdentityModel.Tokens.X509SecurityToken'.
Note: I feel there is some mismatch happening in terms of certificates between the client and the host service.
I have resolved the above problem; actually the root cause for the above error was a certificate mismatch.
I read on one of the SAML forums regarding the SAML certificate authentication procedure, which says:
The token is encrypted using the Public certificate at client side.
At the server side (web service host in my case) the received token is decrypted using the private key of the certificate.
So, in my case the certificates were different at the client side compared to the ones at the server side.
Resolution:
Just export the certificates from the server side (web service host in my case) and import the same at the client side.
Note: There exist 2 certificates, a client certificate and a server certificate, at both sides (client side and server side).
So in reality, when a client wants to access the host web service (dynamically), just like downloading apps, we need to create both certificates at the service side and deploy those certificates to the client upon activation of the client app. This way the certificates will be in sync.