Client Certificate Authentication Fail

  • Question

  • User1286574292 posted

    Hi Everyone,

    I am consuming a SOAP web service developed in Java using ASP.NET. Here is the scenario:

    1. Initially, the server web service is set up without client authentication.
    2. In the ASP.NET website, add a Service Reference to the server web service. The proxy class is generated.
    3. Call the web service method without any issues.
    4. The server web service enables client certificate authentication.
    5. Using OpenSSL, generate the private key (client.key), then generate the Certificate Signing Request (CSR) with the client private key for signing.
    6. At the server end, generate the client certificate (client.crt) with the root CA (root.CA) by using Java KeyTool.
    7. At the client PC, generate the PFX file (client.p12) from the original "client.key" and the signed "client.crt" certificate by using OpenSSL.
    8. Install client.p12 into the personal certificate store in the MS IE browser and access the server web service; the browser prompts for the client certificate, and after selecting the certificate there is no issue at all accessing it.
    9. Install client.p12 into the local machine\personal store by using the MMC snap-in.
    10. Grant the "Network Service" account access to the client certificate; the "Network Service" account is configured to run the ASP.NET client application.
    11. Tried attaching the client certificate via the web.config setting, but it failed.
    12. Tried using code as follows:

      ' Load the client certificate from the PFX file and attach it to the generated proxy.
      Dim cert As X509Certificate2 = New X509Certificate2(File.ReadAllBytes(Request.MapPath("~/app_data/client.p12")), "xxxxxx")
      fsCardworksClient.ClientCredentials.ClientCertificate.Certificate = cert

    13. Both methods above return the following error:

      Could not establish secure channel for SSL/TLS with authority 'server.web.service:4000'.
      InnerException = {"The request was aborted: Could not create SSL/TLS secure channel."}

    I have been cracking my head over this issue for a few days, yet I can't find a good solution. Has anyone experienced the same situation?

    One more thing: when I use HttpWebRequest to connect to the web service, there is no error, as follows:

    ' Build the request by hand and attach the client certificate directly.
    Dim client As HttpWebRequest = DirectCast(WebRequest.Create("https://server.web.service:4000/maa/dev/cws/services/devworks"), HttpWebRequest)

    Dim cert As X509Certificate2 = New X509Certificate2(File.ReadAllBytes(Request.MapPath("~/app_data/client.p12")), "xxxxxx")
    client.ClientCertificates.Add(cert)

    ' Dispose the reader (and the response stream under it) once the body is read.
    Using reader As New StreamReader(client.GetResponse().GetResponseStream())
        Response.Write(reader.ReadToEnd())
    End Using

    Any idea why the proxy class generated from "Add Service Reference" doesn't work?

    Thanks.

    Edward

    Friday, January 13, 2017 4:46 AM

All replies

  • User1286574292 posted

    Finally, I managed to get it working after changing the following in the web.config:

    FROM:

    <bindings>
      <basicHttpBinding>
        <binding name="CardworksSoapBinding">
          <security mode="Transport">
            <message clientCredentialType="Certificate"/>
          </security>
        </binding>
        <binding name="CardworksSoapBinding1" />
      </basicHttpBinding>
    </bindings>

    TO:

    <bindings>
      <basicHttpBinding>
        <binding name="CardworksSoapBinding">
          <security mode="Transport">
            <transport clientCredentialType="Certificate"></transport>
          </security>
        </binding>
        <binding name="CardworksSoapBinding1" />
      </basicHttpBinding>
    </bindings>

    Not sure why; perhaps I am not so good with bindings. Hope this helps someone facing the same issue.

    Friday, January 13, 2017 7:10 AM
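
Added example, not part of the original thread: with security mode="Transport", WCF takes the client credential type from the <transport> element and does not use <message>, so the FROM binding never offers the certificate during the TLS handshake. The Python check below flags that pattern in a config file; the function name audit_bindings and the wrapper elements around the post's two bindings are assumptions made for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the FROM binding from the post, wrapped in the usual
# <configuration>/<system.serviceModel> parents so it parses stand-alone.
BEFORE = """<configuration><system.serviceModel><bindings><basicHttpBinding>
  <binding name="CardworksSoapBinding">
    <security mode="Transport">
      <message clientCredentialType="Certificate"/>
    </security>
  </binding>
  <binding name="CardworksSoapBinding1" />
</basicHttpBinding></bindings></system.serviceModel></configuration>"""

# Constructed sample: the same file with the TO change applied.
AFTER = BEFORE.replace(
    '<message clientCredentialType="Certificate"/>',
    '<transport clientCredentialType="Certificate"></transport>')


def audit_bindings(config_xml):
    """Return (binding name, problem) for each basicHttpBinding entry that uses
    mode="Transport" but requests the client certificate only on <message>."""
    findings = []
    root = ET.fromstring(config_xml)
    for group in root.iter("basicHttpBinding"):
        for binding in group.findall("binding"):
            security = binding.find("security")
            if security is None or security.get("mode") != "Transport":
                continue  # only the Transport-mode case from the post is checked
            transport = security.find("transport")
            message = security.find("message")
            # A missing <transport> element or attribute means the default, None.
            t_cred = "None" if transport is None else transport.get("clientCredentialType", "None")
            m_cred = None if message is None else message.get("clientCredentialType")
            if m_cred == "Certificate" and t_cred != "Certificate":
                findings.append((binding.get("name", "(unnamed)"),
                                 "clientCredentialType is on <message>, which "
                                 "mode=Transport does not use; move it to <transport>"))
    return findings


if __name__ == "__main__":
    for label, xml_text in (("FROM", BEFORE), ("TO", AFTER)):
        print(label, audit_bindings(xml_text) or "ok")
```
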