Calling https process from ASP Net_问答_开发者

开发者 https://www.devze.com 2022-12-12 05:21 出处：网络

I have an ASP NET web server application that calls another process running on the same box that creates a pdf file and returns it.The second process requires a secure connection via SSL.

I have an ASP NET web server application that calls another process running on the same box that creates a pdf file and returns it. The second process requires a secure connection via SSL.

The second process has issued my ASP NET application with a digital certificate but I still cannot authenticate, getting a 403 error.

The code is a little hard to show but here's a simplified method ...

    X509Certificate cert = X509Certificate.CreateFromCertFile("path\to\cert.cer");
    string URL = "https://urltoservice?params=value";
    HttpWebRequest req = HttpWebRequest.Create(URL) as HttpWebRequest;
    req.ClientCertificates.Add(cert);
    req.Credentials = CredentialCache.DefaultCredentials;
    req.PreAuthenticate = true;
    /// error happens here
    WebResponse resp = req.GetResponse();
    Stream in开发者_高级运维put = resp.GetResponseStream();

The error text is "The remote server returned an error: (403) Forbidden." Any pointers are welcome.

Finally fixed (wasted 6 hours on this *&%$@#&)

I needed to grant access to the private keys on the digi cert to the account that the calling ASP.NET application runs under. This account is NETWORK SERVICE by default although you may want to run under a more restricted account. Access is granted with the winhttpcertcfg tool, here's what got it working for me:

winhttpcertcfg -g -s "cert name" -c "LOCAL_MACHINE\MY" -a "NETWORK SERVICE" where "cert name" is the CN of the digi cert. More info at http://support.microsoft.com/kb/901183

Thanks to all who helped out with pointers on how to get this working :)

A 403 sounds like an authorization problem, not an authentication problem. It might be caused by the NTFS security settings on the files and folders accessed by your PDF service. Maybe it doesn't have permission to create the PDF file in the output folder?

Can you install the client certificate into your browser, and then access your PDF service through the browser? When you do that, do you still get a 403 or does it work?

Can you temporarily configure the PDF service to allow unencrypted HTTP connections? Does that make the problem go away?

From Windows Explorer, can you grant the "Network Service" account full control over the physical folder corresponding to the root of the PDF service site? Also grant it full control over any other directories it accesses. You should lock things down later after you've figured things out.

Or you can change the application pool to run under a different account - e.g. your own account.

Finally: if you're running IIS 7, you can turn on failed request tracing, which should give you a lot more info about why it failed.