From ASP.NET web site I'm calling web service (which requires certificate). When I testing it on localhost (debugging) it works, but on IIS 6 (windows server 2003) it does not works and throws an exception:
The request failed with HTTP status
403: Forbidden.
Here is the code, how I'm calling web service:
Service service = new Service();
service.ClientCertificates.Add(new X509Certificate("certificate path", "password"));
service.Credentials = System.Net.CredentialCache.DefaultNetworkCredentials;
ServicePointManager.ServerCertificateValidationCallback = new System.Net.Security.RemoteCertificateValidationCallback(ValidationCallBack);
Result res = service.GetResult();
private static bool ValidationCallBack(object sender, X509Certificate cert, X509Chain chain, System.Net.Security.SslPolicyErrors error)
{
return true;
}
What is the reason of this error and how can I avoid this?
I've tried web service call with winForms and it works fine on server. So I think it is IIS problem...
Thanks!
To resolve this you should look at this link
403 - Forbidden. You can receive this
generic 403 status code if the Web
site has no default document set, and
the site is not set to allow Directory
Browsing. For more information about
how to resolve this problem, click the
following article number to view the
article in the Microsoft Knowledge
Base: 320051 How to
configure the default document in
Internet Information Services
403.7 - Client certificate required. You have configured the server to
require a certificate for client
authentication, but you do not have a
valid client certificate
installed. 186812 PRB:
Error Message: 403.7 Forbidden: Client
Certificate Required
You should enable tracing on the server side for a better understanding os this issue. You will see a better exception message or something that will give you a clue.
Related
I am moving an application that communicates with a WCF service from .net 4.8 to net5 i ran the utility SvcUtil.exe (importing a WDSL File) which generated the Reference.cs file which created the classes and object from the WSDL file. In net5 it is now using the System.ServiceModel.ClientBase class to interact with the WCF Service, where as in net48 it was using 'System.Web.Services.Protocols.SoapHttpClientProtocol'. Code compiles but there remains two problems that I'm experiencing right now that i cannot seem to find the answer for using the new 'System.ServiceModel.ClientBase' implementation generated by the SvcUtil.exe tool.
When the connection is trying to be established i am always getting the following Exception:
{"Could not establish trust relationship for the SSL/TLS secure channel with authority 'xxx.xxx.xxx.xxx'."} InnerException => {"The SSL connection could not be established, see inner exception."} InnerException => {"The remote certificate is invalid according to the validation procedure: RemoteCertificateNameMismatch, RemoteCertificateChainErrors"}
Also the in the net48 version i store the cookie in the cookie container like So:
Cookie cookie = new Cookie(cookieParts[0], cookieParts[1],
serviceUri.LocalPath, serviceUri.Host);
cookie.Expires = DateTime.Now.AddHours(1);
_xieServiceRef.CookieContainer = new CookieContainer();
_xieServiceRef.CookieContainer.Add(serviceUri, cookie);
My problem is that for one in net48 to tell the service to ignore all cert errors we execute the following code
ServicePointManager.ServerCertificateValidationCallback +=
(sender, cert, chain, sslPolicyErrors) => { return true; }
From anywhere in the app and we bypass those errors. But in net5 you have to approach it differently and the only example is given using the HttpClient class and you create the HttpClient with a defined HttpClientHandler callback as in the example below this will ignore the CERT errors just as the code above for net48.
var EndPoint = "https://192.168.0.1/api";
var httpClientHandler = new HttpClientHandler();
httpClientHandler.ServerCertificateCustomValidationCallback = (message, cert, chain, sslPolicyErrors) =>
{
return true;
};
httpClient = new HttpClient(httpClientHandler) { BaseAddress = new Uri(EndPoint) };
In using the SvcUtil.exe generated code with the use of the ClientBase class as a means of interaction with the WCF Service, I cannot find methods or example similar to the above code to ignore the CERT errors. I also cannot find the Cookie Container for the ClientBase either. Do I need to skip using the generated code from SvcUtil.exe and switch to the HttpClient instead of the ClientBase. Or are there similar ways to store the generated cookie and ignore the CERT errors. We don't control the API we are calling and there is no REST version of the API and none coming soon so we are stuck working with what we have.
Any advice would be greatly appreciated and also thank you ahead of time
UPDATE
So i did some more research and digging and i have found that using the following code:
//Right Here we are creating the Service Object
XIEserviceClient _xieServiceRef = null;
_xieServiceRef = new XIEserviceClient();
_xieServiceRef.ChannelFactory.Credentials.ServiceCertificate.SslCertificateAuthentication = new X509ServiceCertificateAuthentication()
{
CertificateValidationMode = X509CertificateValidationMode.None,
RevocationMode = X509RevocationMode.NoCheck
};
_xieServiceRef.ChannelFactory.Credentials.UserName.UserName = CalderaConfiguration.SelectedOS4000ApiConnection.Username;
_xieServiceRef.ChannelFactory.Credentials.UserName.UserName = CalderaConfiguration.SelectedOS4000ApiConnection.Password;
We are now able to bypass the cert errors.
Now I'm just trying to I'm to figure out the whole cookie/authentication error, I now get the following Exception:
"The content type text/html of the response message does not match the content type of the binding (text/xml; charset=utf-8)
This i believe, according to Fiddler, appears to be an authentication issue because it appears that a login page is being returned from the service i believe this is the cookie issue I'm still looking into....
There are a few things to consider :
Do you have DNS and line-of-sight to the server?
Are you using the correct name from the certificate?
Is the certificate still valid?
Is a badly configured load balancer messing things up?
Does the new server machine have the clock set correctly (i.e. so that the UTC time is correct [ignore local time, it is largely irrelevent]) - this certainly matters for WCF, so may impact regular SOAP?
Is there a certificate trust chain issue? if you browse from the server to the soap service, can you get SSL?
Related to the above - has the certificate been installed to the correct location? (you may need a copy in Trusted Root Certification Authorities)
is the server's machine-level proxy set correctly? (which different to the user's proxy);see proxycfg for XP / 2003 (not sure about Vista etc)
I am facing an issue with consuming my locally hosted Web API from my web site. The API works perfectly via Swagger.
The exceptions I got:
"The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel."
"The remote certificate is invalid according to the validation procedure."
Code:
I am on Windows 10 with .Net Fx 4.8
PS: I do not want to bypass the validation using the following code:
ServicePointManager.ServerCertificateValidationCallback += (sender, cert, chain, sslPolicyErrors) => true;
I am guessing some sort of configuration change is what I need to do.
Edit 1:
Here's my Postman output:
Help Please :)
That it can be a Windows Update problem.
That update caused the problem: https://support.microsoft.com/en-us/help/4489899/windows-10-update-kb4489899
To fix it you need to do some steps:
Uninstall all chain certificates "Root Certification Authorities
Reliable" (Some certificates can't be excluded, ignore them)
Reinstall the chain certificates from here
I had the problem with some clients and that solve the problem.
I don't know if it will fix your especific problem, but I hope so.
I'm using HttpClient from System.Net.Http on nuget to make a request from a module (assembly) written in c#. This needs to work with a legacy application in Windows XP so we're using .Net Framework 4.0.
I can successfully send a https request to our server from my Windows 10 machine; however, when I test it from Windows XP in a VM, I get a fault. I can request websites like https://google.com but our https site causes a fault. On top of all this, the res.StackTrace is null! The Message I get from obj.Exception.InnerException is An error ocurred while sending the request. I can however get to our site in a browser in the VM without trouble. So why can't I get a StackTrace? Could this be some kind of ssl trust issue (our site has an ssl certificate from godaddy)?
var client = new HttpClient();
client.BaseAddress = new Uri(SERVER_BASE_URL); // https://...
// Works when BaseAddress="https://google.com" but not our https site
return client.GetAsync("/").ContinueWith(res =>
{
if (res.IsFaulted)
// res.StackTrace is empty >:(
MessageBox.Show("Faulted");
else
MessageBox.Show("Success");
});
I had a problem trying to reach HTTPS web reference service in c# .Net project.
I got this message when i trying to send request to web service.
The underlying connection was closed: Could not establish trust
relationship for the SSL/TLS secure channel
Then i found solution check the answer.
I put this code to my web service class constructor.
ServicePointManager.ServerCertificateValidationCallback +=
(mender, certificate, chain, sslPolicyErrors) => true;
It solves the problem.
I am having an issue with my WCF application when connecting a client from Windows 8.1. I've been going crazy over this the last couple of days, and cannot get to the bottom of it. Here is the scenario:
My WCF service is fairly straight forward. It uses a basicHttpBinding, with TransportCredentialOnly security mode, and digest client credential type. (The web.config file is here: http://pastebin.com/LsWmcfTs). It does it this way as I need the windows identity on the server side.
My client is a console application, the failure happens when it attempts to invoke the 'Ping' method in my service (which simply returns the text 'Pong') The code used to connect to the service is below:
var basicBinding = new BasicHttpBinding(BasicHttpSecurityMode.TransportCredentialOnly);
basicBinding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Digest;
var client = new TestExecutionEngineClient(basicBinding, new EndpointAddress(uri));
client.Open();
client.Ping();
This has been working for over a year on all connecting clients All except for Windows 8.1 that is, where it never has worked.
When it hits client.Ping(); I get the exception below:
Exception:
The HTTP request is unauthorized with client authentication scheme 'Digest'. The authentication header received from the server was 'Digest qop="auth",algorithm=MD5-sess,nonce="+Upgraded+v1c1d404aaeb7edbba8daf132fea97aa12243033a0f40acf01376892331a408411c85513f482eab750b18498cb2d420b2fb99998b5b8b071a2",charset=utf-8,realm="Digest"'.
Inner Exception:
The remote server returned an error: (401) Unauthorized.
Base Exception:
No credentials are available in the security package
From what i can tell, it looks like server side is requesting digest (correctly) and the client is authenticating in digest, but it won't accept it.....
Any and all help would be greatly appreciated.
Thanks
The problem is that Microsoft have enhanced the security in the LSAS in 8.1 / 2012 R2. BasicHttpBinding is no longer supported for sending the users identity information over the network. You must use WSHttpBinding instead.
This solved my problem