There are many versions of this question on stackoverflow. I have tried a lot of the solutions suggested there - but none of these work for me.
I have a VB ASP.NET application running on IIS on Windows Server 2008. It calls a webservice. The Server running the Web Service has a self signed certificate. I have imported the Cert into the Trust Store of the IIS machine. I can see the certificate in IE->Options->Content->Certificates->Trusted Root Certification Authorities.
When the webservice is called, an exception is thrown
The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.
The same IIS VB ASP.NET Application runs fine on another machine with a similar setup.
These are the different basic things I have checked
The URL used to call the webservice is the same as the CN on the Cert imported into the Trusted Root CA.
Time is synced between the calling machine and the webservice host
The Cert isn't expired.
The IIS machine has Proxy settings in IIS, but Webservice Host machine as added to list of exceptions where Proxy should not be used.
I wrote a small command line test program in VB.NET calling the same webservice which runs fine.
After importing the Cert into the Trusted CA store, I have done a iisreset.
Only thing I haven't tried yet is rebooting the IIS machine - this is production machine & I cannot reboot it for at least a couple of days.
What else can I try?
Internet Explorer certificate settings apply only to the current user. It's highly unlikely that the same user you're logged in as when operating IE is the same as the one being used to host the IIS application. You could add the certificate to the trusted certs for the appropriate service account, but a simpler approach would be to add it to the "Local Computer" trusted certs.
Run Microsoft Management Console (type "mmc" in run dialog) File > Add / Remove Snap-Ins > Certificates, chose "Computer account" for the certificates to manage. This way, any user or service account on the server will see the certificate as trusted.
Alternatively, depending on how you're accessing the web-service, you could add an exception within the application itself. I would recommend code that checks the thumbprint / hash of the certificate though, as opposed to allowing it to connect to any un-trusted certificate.
Related
I am facing the following issue.
1 - I have deployed WCF service with SSL enabled on remote IIS machine and trying to use it from my web client.The problem is my browser is not allowing this service to be called.Before using my web client i have to hit the service url from my browser directly and then allow the certificate.
2- Got suggestion from somewhere to export the certificate on the machine where WCF is deployed and include that certificate file in Trusted certificates group on my machine.After I did that I got same problem when tried to access web service from web client.So I hit the service url from browser and got the same page which needs me to trust the certificate with a different message that "You attempted to reach 111.121.196.226(ip address of the WCF machine), but instead you actually reached a server identifying itself as "WMSvc-domain" where "WMSvc-domain" is the value of "Issued To" field in the certificate.
I hope I have made myself clear.Waiting for suggestions.Thank you.
WMSvc-machinename is the IIS Windows Management Service which runs by default on 8172/tcp and is used for remotely managing iis. When installed the default is to create a self-signed certificate. That wouldn't trusted. It could be replaced with a "proper" CA signed cert through the Management Service icon in IIS Manager.
I am trying to connect to our sql server with the following connection string
<add name="siteDB" connectionString="Data Source=xxxxx\sql_2005;Initial Catalog=Intranet;User ID=username;Password=password" providerName="System.Data.SqlClient"/>
but I am getting this error
A connection was successfully established with the server, but then an error occurred during the pre-login handshake
this is only a problem when the Web app is compiled as .net 4, .net 2 seems to work fine
I have tried the following with no success
TrustServerCertificate=True
in the connection string.. no joy
also tried
TCP/IP protocols enabled
named pipes enabled
using a newly set up account with the correct permissions
any ideas?
thanks
nat
You can try this or
this (worked for me once):
1) Remove all SSL certificates and encryption options from IIS – both at the website level (for example from the “Default Web Site”) and at virtual directory level. Basically if you enabled encryption put all the settings back to their original non-encrypted settings.
2) Remove all SSL self-signed certificates from the server. These are the certificates that SelfSSL generated for you. Your server may have genuine certificates – don’t touch these as they may be used by other software and anyway should be harmless.
These certificates need to be removed from all certificates stores. To do this start MMC and (one at a time) add the Certificate Manager snap-in to “My user account”, “Service account” and “Computer account”. Locate every single copy of the self-signed certificates wherever they may be (Personal, Trusted Root Certificates Authorities, etc) and delete them.
3) Now, although you have deleted the actual certificates, SQL Server still continues to use encryption. This is because it has created a copy of the certificate in the registry. You need to locate these and delete them.
These are located in:
HKEY_LOCAL_MACHINE\SOFTWARE\wow6432node\Microsoft\Microsoft SQL
Server\MSSQL.x\MSSQLServer\SuperSocketNetLib
AND/OR
HKEY_LOCAL_MACHINE\SOFTWARE\wow6432node\Microsoft\Microsoft SQL
Server\MSSQL.x\Client\SuperSocketNetLib
4) Restart the server and this should have fixed the initial error and you will find that SQL agent is running and things are back to normal.
As found here.
I am trying to use SSL and certificates with a web service (IIS 7, Windows 2008, .NET framework 3.5 SP1). I followed the basic instructions (http://learn.iis.net/page.aspx/144/how-to-set-up-ssl-on-iis-7/) and was able to get the site running soon. However, I can only connect to it from a client if the client has the web server's certificate in its Trusted Root Certification Authorities/Certificates store. If I don't add the certificate on the client site, I get the error "Could not establish trust relationship for the SSL/TLS secure channel with authority" on trying to connect to the service from client.
That's the correct behavior if you're just using self-signed test certificates. In a public/production environment, your server's certificate would be issued by a common CA like GoDaddy or VeriSign, which you have to pay to obtain.
Most (client) machines already have a large list of updated CA in their trusted root such as GoDaddy, and so a server certificate signed by them for your site will validate as a valid certificate on most* machines (without you needing to provide your cert as a trusted root).
*Most, meaning that there are browsers & operating systems which may be missing (or need updates) on common certificate authorities in their trusted root store.
Where did you get this certificate? If it's not a child of one of the certificates in the root authority already I sure hope you didn't pay money for it. If you're generating them yourself this isn't surprising because nobody trusts your CA server.
I have an ASP.NET website that is contacting a webservice. Everything works fine connecting via http but when I try https:// it can't connect. I don't seem to get any error from the website and the webservice logs show nothing, meaning nothing has connected to it.
I can connect to my https:// webservice from a site like soapclient.com and request information, so the webservice and ports are working.
Is there anything special I should be doing in order to connect to a https:// webservice over a normal http:// one in .NET? All I am doing at the moment is changing the URL it is connecting to to my secure one instead.
I am using
ASP.NET 2, IIS7
Thanks in advance.
EDIT: Just found the actual error message: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel - Which in my eyes tells me I haven't added my self signed certificate to the installed certs on the server ... but I have ...
You need to add your self-signed certificate under Trusted Root Certificate Authorities in the Local Computer store of the server running the ASP.NET website.
Export the certificate from the webservice server as a .cer file, and copy it to the server running the ASP.NET website. Then, on that server:
Double-click the .cer file and Install Certificate
In the wizard, choose the store as the Local Computer folder under Trusted Root Certificate Authorities.
You might have to restart IIS, or the server
There are some good instructions towards the bottom of this page, under "Installing the self-signed certificate on client computers": http://webhelp.esri.com/arcgisserver/9.3/dotNET/index.htm#setting_up_ssl.htm
It looks like your client encounters a certificate validation error, because your server certificate is self-signed.
Try including the following line (C#) in your web site code, before calling the web service. This will tell .NET to ignore all certificate validation errors:
ServicePointManager.ServerCertificateValidationCallback = (sender, certificate, chain, sslPolicyErrors) => { return true; };
This should obviously not be used in a production environment :)
Here's the desired setup:
Service with wsHttpBinding is on IIS 6 on Machine 1 behind the firewall.
Client is front end website on IIS 6 on Machine 2 on a DMZ.
We are currently able to authenticate the client using Windows authentication, but with impersonation
<identity impersonate="true" userName="OurCompany\Me" password="Blahblahblah" />
since the website would use the "ASPNET" as username, which is not in the domain.
We now want to move away from this method, because of safety issue; we don't want to expose this kind of info on the DMZ.
Is there any way to get authenticated properly without using
the impersonate on the client
config?
If we changed so that we use
certificate authentication, would it
affect service operations that
require impersonations (needed
impersonations for file access on
the network for example)?
thanks.
This has been resolved now, and I think it'd be constructive to share the solutions.
In terms of my original question - whether it's able to do impersonation without setting it explicitly in the config or in the front end code. As mentioned by the above, the App Pool method does work, but only when both the client and server are on the same domain.
Since the web site client being situated in the DMZ has no access of the local network at all, meaning we are unable to impersonate any network user (this is a flaw in my original question, saying the impersonation works - it was actually not working).
So the only way to go was using certificate. Since this is internal communications, I have generated a test certificate on each of the server / client sides with the makecert. Using peer trust certificate authentications, I am able to get the communication working between the client and the server. This will ensure that no Windows / network user account information is presented in the DMZ zone.