I have an ASP.NET website that is contacting a webservice. Everything works fine connecting via http but when I try https:// it can't connect. I don't seem to get any error from the website and the webservice logs show nothing, meaning nothing has connected to it.
I can connect to my https:// webservice from a site like soapclient.com and request information, so the webservice and ports are working.
Is there anything special I should be doing in order to connect to a https:// webservice over a normal http:// one in .NET? All I am doing at the moment is changing the URL it is connecting to to my secure one instead.
I am using
ASP.NET 2, IIS7
Thanks in advance.
EDIT: Just found the actual error message: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel - Which in my eyes tells me I haven't added my self signed certificate to the installed certs on the server ... but I have ...
You need to add your self-signed certificate under Trusted Root Certificate Authorities in the Local Computer store of the server running the ASP.NET website.
Export the certificate from the webservice server as a .cer file, and copy it to the server running the ASP.NET website. Then, on that server:
Double-click the .cer file and Install Certificate
In the wizard, choose the store as the Local Computer folder under Trusted Root Certificate Authorities.
You might have to restart IIS, or the server
There are some good instructions towards the bottom of this page, under "Installing the self-signed certificate on client computers": http://webhelp.esri.com/arcgisserver/9.3/dotNET/index.htm#setting_up_ssl.htm
It looks like your client encounters a certificate validation error, because your server certificate is self-signed.
Try including the following line (C#) in your web site code, before calling the web service. This will tell .NET to ignore all certificate validation errors:
ServicePointManager.ServerCertificateValidationCallback = (sender, certificate, chain, sslPolicyErrors) => { return true; };
This should obviously not be used in a production environment :)
Related
I have an asp.net web app deployed on IIS7. I call the webapp AOps and When I try accessing the web app over https it just crashes saying "Security sertificate required to access this resource is invalid" (first image).
When I try over http the download works fine.
When I access the default IIS app over both http and https it works fine - except that it complains that the address is mismatched.
I have added a .pfx certificate in the certificate store with the same host name as my host, so the certificate should be fine. Any idea where to start reviewing my configuration?
I am used to apache and tomcat but IIS is a different animal. I looked in the IIS log but it's pretty much a black box. Any help would be greatly appreciated.
The certificate error is generated by your browser not the server. There are 3 things the browser cares about.
The name on the certificate needs to match the url you are using. So in your case, the browser wants a certificate issued to "localhost"
The certificate has to be issued by a trusted certificate authority (not self-signed)
The certificate cannot be expired
To solve 1, use a host entry in /etc/hosts. To solve 2, you need to add the certificate to trusted CA store on your local machine. And 3 is pretty obvious.
I'm using BizTalk server 2010.
I'm using the client certificate where I have imported that in IIS as well as Trusted root certificate store. Im using httpsTransport with customBinding. When I try to browse in BizTalk server with https, I'm able to browse, but in the client side, they are not able to browse and they get
403 - Forbidden: Access is denied.
You do not have permission to view this directory or page using the credentials that you supplied."
Is there anything that needs to be set in BizTalk or the settings should be done at the client end?
Is it related to anti virus that is blocking?
It sounds as though you are requiring Client Certificate Authentication when a client attempts to query the web resource, but no certificate is being presented. This is not an anti-virus issue.
You already have the certificate (and Root Authority) on your server which is why you can retrieve the resource successfully from the BizTalk Server.
To resolve this issue on your clients, install the certificate on each client that needs to connect (plus the Root Authority certificate if this is one you have created yourself) - the Client Certificate needs to be placed into the Personal Certificate Store for the user that is attempting to request the resource. Then when you connect from your client, the correct certificate will be presented to the server and Client Certificate Authentication will be performed, resolving your '403 - Access Denied' error.
If you have a large number of clients and you don't want to go through this trouble, simple disable Client Certificate Auth in IIS; your traffic will still be secured through SSL/TLS.
I am facing the following issue.
1 - I have deployed WCF service with SSL enabled on remote IIS machine and trying to use it from my web client.The problem is my browser is not allowing this service to be called.Before using my web client i have to hit the service url from my browser directly and then allow the certificate.
2- Got suggestion from somewhere to export the certificate on the machine where WCF is deployed and include that certificate file in Trusted certificates group on my machine.After I did that I got same problem when tried to access web service from web client.So I hit the service url from browser and got the same page which needs me to trust the certificate with a different message that "You attempted to reach 111.121.196.226(ip address of the WCF machine), but instead you actually reached a server identifying itself as "WMSvc-domain" where "WMSvc-domain" is the value of "Issued To" field in the certificate.
I hope I have made myself clear.Waiting for suggestions.Thank you.
WMSvc-machinename is the IIS Windows Management Service which runs by default on 8172/tcp and is used for remotely managing iis. When installed the default is to create a self-signed certificate. That wouldn't trusted. It could be replaced with a "proper" CA signed cert through the Management Service icon in IIS Manager.
There are many versions of this question on stackoverflow. I have tried a lot of the solutions suggested there - but none of these work for me.
I have a VB ASP.NET application running on IIS on Windows Server 2008. It calls a webservice. The Server running the Web Service has a self signed certificate. I have imported the Cert into the Trust Store of the IIS machine. I can see the certificate in IE->Options->Content->Certificates->Trusted Root Certification Authorities.
When the webservice is called, an exception is thrown
The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.
The same IIS VB ASP.NET Application runs fine on another machine with a similar setup.
These are the different basic things I have checked
The URL used to call the webservice is the same as the CN on the Cert imported into the Trusted Root CA.
Time is synced between the calling machine and the webservice host
The Cert isn't expired.
The IIS machine has Proxy settings in IIS, but Webservice Host machine as added to list of exceptions where Proxy should not be used.
I wrote a small command line test program in VB.NET calling the same webservice which runs fine.
After importing the Cert into the Trusted CA store, I have done a iisreset.
Only thing I haven't tried yet is rebooting the IIS machine - this is production machine & I cannot reboot it for at least a couple of days.
What else can I try?
Internet Explorer certificate settings apply only to the current user. It's highly unlikely that the same user you're logged in as when operating IE is the same as the one being used to host the IIS application. You could add the certificate to the trusted certs for the appropriate service account, but a simpler approach would be to add it to the "Local Computer" trusted certs.
Run Microsoft Management Console (type "mmc" in run dialog) File > Add / Remove Snap-Ins > Certificates, chose "Computer account" for the certificates to manage. This way, any user or service account on the server will see the certificate as trusted.
Alternatively, depending on how you're accessing the web-service, you could add an exception within the application itself. I would recommend code that checks the thumbprint / hash of the certificate though, as opposed to allowing it to connect to any un-trusted certificate.
I hosted an ASP.NET Web API project in my Windows 7(IIS7) developer machine on HTTPS(443) and SSL Required ticked with Require Option true.
For testing I give its host header value : www.certtest.com, and the same I add in host file of local machine.
Also we have a W2k3 machine where we've configured the CA and obtain test certificates from it.
We import same certificate in IIS7.0 for client authentication.
When we try access site, the first time it asks me for certificate and after that certificate get installed with root certificate in my local store but i see 403.7 Forbidden error immediately.
Also, I tried with self signed certificate.
Same problem with that too.
Do we require a valid trial certificate for client authentication by Thwate type CA to accomplish this?
Yes this is a case where we don't have valid certificates, for testing you can set SSL Settings as Accept and see if things work fine for you.
However you will need valid certificates for the same.