HttpClient and Client-Certificate - WebSEAL - Debugging

    Question

  • Hi everybody,

    I am working on a Windows Store App that is supposed to do an authentication against a WebSEAL. The idea is very simple:

    1. Retrieve the client-certificate,
    2. attach that client-certificate to an HTTP-Request,
    3. perform a GET against the server (WebSEAL), and
    4. reuse the session cookies if the GET is successful.

    Here is my implementation so far:

    using System;
    using System.Collections.Generic;
    using System.Threading.Tasks;
    using Windows.Security.Cryptography.Certificates;
    using Windows.Web.Http;
    using Windows.Web.Http.Filters;

    // Method of MainPage (see the stack trace below); the WebSEAL URL is passed in
    // by the caller because the original snippet elides it.
    private async Task WebSealTest(Uri uri)
    {
        // retrieve the certificate, the first is the proper one
        IReadOnlyList<Certificate> certificates = await CertificateStores.FindAllAsync();
        var certificate = certificates[0];
        // set up the filter and attach certificate
        HttpBaseProtocolFilter filter = new HttpBaseProtocolFilter();
        filter.UseProxy = true;
        filter.ClientCertificate = certificate;
        // ignore the listed server-certificate validation failures
        filter.IgnorableServerCertificateErrors.Add(ChainValidationResult.Untrusted);
        filter.IgnorableServerCertificateErrors.Add(ChainValidationResult.Expired);
        filter.IgnorableServerCertificateErrors.Add(ChainValidationResult.IncompleteChain);
        filter.IgnorableServerCertificateErrors.Add(ChainValidationResult.WrongUsage);
        filter.IgnorableServerCertificateErrors.Add(ChainValidationResult.InvalidName);
        filter.IgnorableServerCertificateErrors.Add(ChainValidationResult.RevocationInformationMissing);
        filter.IgnorableServerCertificateErrors.Add(ChainValidationResult.RevocationFailure);
        filter.AllowAutoRedirect = true;
        filter.AllowUI = true;
        // create a client (Windows.Web.Http, not System.Net.Http)
        var httpClient = new Windows.Web.Http.HttpClient(filter);
        // send request
        try
        {
            HttpResponseMessage response = await httpClient.GetAsync(uri);
            // on success the session cookies are available via filter.CookieManager
        }
        catch (Exception exception)
        {
            // swallowed for now; exception.HResult carries the underlying error code
        }
    }

    Unfortunately this yields an exception:

    WinRT information: An error occurred in the secure channel support
     
    https://… exception The text associated with this error code could not be found.
     
    An error occurred in the secure channel support
     
       at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
       at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
       at System.Runtime.CompilerServices.TaskAwaiter`1.GetResult()
       at VolkswagnWebSealTest.MainPage.<WebSealTest>d__6.MoveNext()
    'VolkswagnWebSealTest.exe' (CLR v4.0.30319: Immersive Application Domain): Loaded 'C:\WINDOWS\assembly\GAC_MSIL\Microsoft.VisualStudio.Debugger.Runtime\12.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualStudio.Debugger.Runtime.DLL'.

    As you can see the exception output is not very helpful.

    I have two questions:
    1. Is this the right way to do a client-certificate-authentication against a WebSEAL (or some other similar server), and
    2. how can I debug this properly?

    I would like to get some details while debugging about "An error occurred in the secure channel support", which is kinda vague...

    Best wishes!

    Tristan

    Wednesday, May 21, 2014 6:11 AM

All replies

  • Hi,

    Your code appears to be correct - you are correctly creating the HttpBaseProtocolFilter (BPF), and attaching the client certificate with it and then using the BPF with the HttpClient.

    Do you see a HResult property in the thrown exception (or check for inner exceptions in the thrown exception and check for the HResult of any/each such Inner Exception) and report them?

    One possible reason for not sending the client certificate in the request is if your target Web Server only returns back a list of "trusted" issuers when negotiating the secure channel. If this list does not include the issuer of your client certificate or if it is too large, then the client certificate will not be sent. Here's an explanation to what I am referring to: http://support.microsoft.com/kb/933430/en-us

    Thanks,

    Prashant


    Windows Store Developer Solutions, follow us on Twitter: @WSDevSol|| Want more solutions? See our blog

    Wednesday, May 21, 2014 11:15 PM
    Moderator
  • Hi and thanks for your help!

    Indeed, I get an HResult. It is -2147012839.

    There is no inner exception and it seems like there is no human readable string in the runtime that matches the error code.

    I will have a look at your article. Thanks!

    Any ideas, how this could be debugged?

    Monday, May 26, 2014 5:22 AM
  • That error maps to a server certificate revocation problem:

    C:\>err -2147012839
    # anonymous HRESULT: Severity: FAILURE (1), Facility 0x7, Code 0x2f19
    # for decimal 12057 / hex 0x2f19
      ERROR_WINHTTP_SECURE_CERT_REV_FAILED                           winhttp.h
      ERROR_INTERNET_SEC_CERT_REV_FAILED                             wininet.h
    # 2 matches found for "-2147012839"

    But as per your code above, you are already bypassing revocation errors, so we need to collect WinINet traces to understand why the error happens. Can you collect a WinINet trace and share it via OneDrive?

    The steps are as follows.

    From an elevated command prompt, type:

    1. netsh trace start scenario=InternetClient_dbg capture=yes correlation=no
    2. <repro>
    3. netsh trace stop

    When you start/stop the trace the location of the ETL file will be echoed back to you. Please zip and share that file using your favorite file sharing mechanism.

    Thanks.


    Tuesday, May 27, 2014 5:03 PM
    Moderator
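    A way to act on both the HResult question from the first reply and the err decoding above, as an added example that is not code from the thread: it walks the exception chain thrown by GetAsync, splits each HRESULT into the severity, facility and code fields that err prints, and maps it through Windows.Web.WebError.GetStatus. The helper class and method names are assumptions.

```csharp
using System;
using System.Diagnostics;
using System.Threading.Tasks;
using Windows.Web;
using Windows.Web.Http;

// Assumed helper names; not part of the original post.
static class SecureChannelDiagnostics
{
    // Splits a COM/WinRT HRESULT into the fields the err tool prints.
    // For -2147012839 (0x80072F19): severity 1, facility 0x7 (Win32),
    // code 0x2F19 = 12057 = ERROR_WINHTTP_SECURE_CERT_REV_FAILED.
    public static string Describe(int hresult)
    {
        uint hr = unchecked((uint)hresult);
        uint severity = hr >> 31;
        uint facility = (hr >> 16) & 0x7FF;
        uint code = hr & 0xFFFF;
        // WebError.GetStatus turns the raw HRESULT into a readable WebErrorStatus.
        WebErrorStatus status = WebError.GetStatus(hresult);
        return string.Format(
            "HRESULT 0x{0:X8} (severity {1}, facility 0x{2:X}, code 0x{3:X} = {4}) -> WebErrorStatus.{5}",
            hr, severity, facility, code, code, status);
    }

    // Sends the GET and, on failure, reports the HResult of the exception
    // and of every inner exception before rethrowing.
    public static async Task<HttpResponseMessage> GetWithDiagnosticsAsync(HttpClient client, Uri uri)
    {
        try
        {
            return await client.GetAsync(uri);
        }
        catch (Exception ex)
        {
            for (Exception e = ex; e != null; e = e.InnerException)
            {
                Debug.WriteLine("{0}: {1}", e.GetType().Name, e.Message);
                Debug.WriteLine("  " + Describe(e.HResult));
            }
            throw;
        }
    }
}
```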
  • This looks very promising! Thanks again!

    I have managed to generate the ETL file. Unfortunately, I am employed by a company that has very high security standards. Thus, I cannot provide you with the ETL file. Sorry for that.

    I am new to reading ETL files. Would it be possible to give me a hint where to look at what in that file? That would be very appreciated. 

    Monday, June 2, 2014 7:42 AM
  • Totally understand that you cannot provide the trace file over the forums...The InternetClient_dbg scenario captures more information than a typical InternetClient scenario and requires private symbols, but there is public information captured too. You can open the ETL trace using Microsoft Network Monitor ( http://www.microsoft.com/en-us/download/details.aspx?id=4865 ) and then use a "Display Filter" such as: "protocol.WinINet_MicrosoftWindowsWinINet" to show only WinInet level information. Based on what you see there, you can apply other filters as necessary.

    If you cannot figure out the issue yourself, I would suggest you open a dedicated support case, if you can share the trace with a dedicated support engineer.

    Steps to open a case:

    1. Visit: http://aka.ms/storesupport and login to the site using your Developer account (Microsoft Account).
    2. Under “App Development”, choose the “Building Apps” link.
    3. When the support option opens, choose the appropriate Problem Type & Category ("Technical Support for Windows Store and Windows Phone App Development", "Networking") and then choose “Email with Microsoft” or “Request a call” channel. The call needs to happen during normal Business hours.


    Monday, June 2, 2014 8:30 PM
    Moderator
  • Thanks again!

    Sorry for being silent for a while. I did some deeper investigations with my colleagues. There are now two guesses...

    1. There is a problem with the certificate. The certificate itself comes from a smartcard. The private key - which is extremely important for the SSL-authentication-challenge - never leaves the card. It might be possible that accessing the private key does not really work.

    2. When the HTTP-Request is performed, the wrong certificate is used although specified otherwise.

    What do you think? Do you have an idea how to debug that?

    Friday, June 20, 2014 11:17 AM
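    An added example (not code from the thread) aimed at both guesses: instead of taking certificates[0], it queries the store by issuer name and logs, for each candidate, whether a private key is present, whether the key is hardware-protected (as on a smart card), and whether the certificate carries the Client Authentication EKU, then selects only a usable one. The expectedIssuer parameter and the helper names are assumptions; reading the user's smart-card certificate from the store requires the sharedUserCertificates capability in the app manifest.

```csharp
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.Linq;
using System.Threading.Tasks;
using Windows.Security.Cryptography.Certificates;

// Assumed helper names; not part of the original post.
static class ClientCertificateSelection
{
    // OID of the Client Authentication enhanced key usage.
    const string ClientAuthEku = "1.3.6.1.5.5.7.3.2";

    // Logs the handshake-relevant properties of every certificate matching the
    // issuer (guess 2: wrong certificate picked) and returns the first one that
    // actually has a private key and the client-auth EKU (guess 1: key unusable).
    // Requires the sharedUserCertificates capability for user-store certificates.
    public static async Task<Certificate> PickClientCertificateAsync(string expectedIssuer)
    {
        var query = new CertificateQuery { IssuerName = expectedIssuer };
        IReadOnlyList<Certificate> candidates = await CertificateStores.FindAllAsync(query);

        Certificate chosen = null;
        foreach (Certificate c in candidates)
        {
            bool clientAuth = c.EnhancedKeyUsages.Contains(ClientAuthEku);
            Debug.WriteLine(
                "Subject={0} Issuer={1} HasPrivateKey={2} StronglyProtected={3} ClientAuthEKU={4} Valid={5:d}..{6:d}",
                c.Subject, c.Issuer, c.HasPrivateKey, c.IsStronglyProtected, clientAuth, c.ValidFrom, c.ValidTo);

            bool inValidity = c.ValidFrom <= DateTimeOffset.Now && DateTimeOffset.Now <= c.ValidTo;
            if (chosen == null && clientAuth && c.HasPrivateKey && inValidity)
            {
                chosen = c;
            }
        }
        // null means nothing usable was found; do not silently fall back to certificates[0]
        return chosen;
    }
}
```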
  • Can you emulate the same behavior from Internet Explorer? That is one way you can isolate the issue...The access to the Private Key should be given to your application package, but as long as you have the "Shared User Certificate" capability enabled, it should do the necessary permission checks for you.

    Thursday, July 3, 2014 6:56 PM
    Moderator