Install client certificate for IIS App Pool account

iisSecurityssl-certificateweb servicesx509certificate

Scenario:

A client calls WebService A on the LAN. WebService A is running under an App Pool with Identity "Network Service".
WebService A does some work, prepares to call WebService B.
WebService B requires a client cert (*.cer) and SSL.
WebService A is on a dedicated Windows 2003 server.
Everything works in the Dev environment as it should (but the developer with Administrator privileges is always logged on locally (no surprise!).
The certificates are stored on disk at C:\MyCertificates\
The certificate is being applied at runtime successfully in Dev with this snippet: myWebService.ClientCertificates.Add(new X509Certificate.CreateFromCertFile(certPath));

Problem:
WebService A is calling WebService B, and the returned exception is:

The request failed with HTTP status
403: Forbidden

This really means that the certificate was not sent in the request to WebService B.

I am under the assumption that installing this cert into the browser is not a solution. The browser settings typically are per-user, and I need to give the certificate to the user whose credentials the web service is running under. (e.g. Network Service, System, or whatever is in the IIS AppPool settings).

Question: How can I grant access or association to my certificate living at the specified directory location to the Network Service or other non-user account?

Best Answer

This Microsoft knowledgebase article may be of use:

How to call a Web service by using a client certificate for authentication in an ASP.NET Web application (MS KB901183)

Your web service 'A' would effectively be the ASP.NET application calling the web service as described in the article.

Related Solutions

C# – Passing a client certificate only works on the machine

I had this kind of problem a couple of weeks ago. The solution in my case was to use impersonation in order to gain appropriate access to the certificate store. By default, the IIS worker thread was running as a system user, and as such had no access to the appropriate store. Adding the certificate to a specific user store, and impersonating that user solved all the issues.

I shall continue to watch this question, though, as I am aware that impersonation is not a magic bullet fix, and that there will be issues arising from it in this scenario.

C# – Using client certificate not in certificate store

What type of file is PathToCertificate? If it's just a .cer file, it will not contain the private key for the certificate and trying to use that certificate for SSL/TLS will fail.

However, if you have a PKCS7 or PKCS12 file that includes the public and private key for the certificate, your code will work (you might need to use the overload that takes a password if the private key has one).

To test this, I went to http://www.mono-project.com/UsingClientCertificatesWithXSP and created my client.p12 file following those instructions. I also created a simple HTTPS server using HttpListener for testing.

Then I compiled the following program into 'client.exe' and run like:

 client.exe https://<MYSSLSERVER>/ client.p12 password

where client.p12 is the PKCS12 file generated before and 'password' is the password I set for the private key of the certificate.

using System;
using System.IO;
using System.Net;
using System.Security.Cryptography.X509Certificates;
using System.Text;

public class HttpWebRequestClientCertificateTest : ICertificatePolicy {

    public bool CheckValidationResult (ServicePoint sp, X509Certificate certificate,
            WebRequest request, int error)
    {
            return true; // server certificate's CA is not known to windows.
    }

    static void Main (string[] args)
    {
            string host = "https://localhost:1234/";
            if (args.Length > 0)
                    host = args[0];

            X509Certificate2 certificate = null;
            if (args.Length > 1) {
                    string password = null;
                    if (args.Length > 2)
                            password = args [2];
                    certificate = new X509Certificate2 (args[1], password);
            }

            ServicePointManager.CertificatePolicy = new HttpWebRequestClientCertificateTest ();

            HttpWebRequest req = (HttpWebRequest) WebRequest.Create (host);
            if (certificate != null)
                    req.ClientCertificates.Add (certificate);

            WebResponse resp = req.GetResponse ();
            Stream stream = resp.GetResponseStream ();
            StreamReader sr = new StreamReader (stream, Encoding.UTF8);
            Console.WriteLine (sr.ReadToEnd ());
    }
}

Let me know if you want me to upload the server code and the certificates used on both sides of the test.

Related Topic