Microsoft KB Archive/318103

= PRB: ASP.NET Page Does Not Send Client Certificates to Web Services =

PSS ID Number: 318103

Article Last Modified on 3/31/2004

-

The information in this article applies to:


 * Microsoft Web Services (included with the .NET Framework) 1.0
 * Microsoft ASP.NET (included with the .NET Framework) 1.0

-



This article was previously published under Q318103



SYMPTOMS
Note: The following .NET Framework Class Library namespaces are referenced in this article:

 * System.Web.Services
 * System.Security.Cryptography.X509Certificates

When you try to pass a client certificate from an ASP.NET page to a Web service that requires Secure Sockets Layer (SSL) and client certificates, you receive the following error message:

403 Access Denied



CAUSE
A certificate is associated with the user ID of the user who installed the certificate (this is the certificate user); therefore, the certificate is available only when that user profile is loaded. If no one is logged on to the computer, or if a user other than the certificate owner is logged on, the certificate is not accessible.

If you access the Web service .asmx file directly from a browser, which presents the client certificate itself, you do not encounter this problem.

The following ASP.NET code fails when it calls SimpleService, a Web service that expects a client certificate:

    public void Submit_HelloWorldClick(Object sender, EventArgs E)
    {
        // Instantiate the proxy class for the Web service
        SimpleService service = new SimpleService();

        // Pass in credentials using NTLM
        service.Credentials = CredentialCache.DefaultCredentials;

        // Load the client certificate from a file
        X509Certificate x509 = X509Certificate.CreateFromCertFile(@"c:\user_der.cer");
        service.ClientCertificates.Add(x509);

        // Call the service
        Result.Text = service.HelloWorld();
    }



RESOLUTION
To resolve this issue, invoke the Web service from a Serviced Component, and use a Microsoft Windows service to automatically load the profile of the certificate user so that the Serviced Component can retrieve the client certificate and then communicate with the Web service over SSL.
 * 1) Create a Windows service program with only one function to run under the certificate user identity.
 * 2) Create a Serviced Component that runs under the identity of the certificate user.
 * 3) Move the authentication code from the ASP.NET application to the Serviced Component. Verify that the Serviced Component runs under the identity of the certificate user.
 * 4) Call the Serviced Component method from the ASP.NET Web application.
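The following C# is an added illustration of steps 2 through 4 and is not code from the original article. It shows a Serviced Component that carries the certificate-handling code moved out of the ASP.NET sample above, a method for checking the identity the component actually runs under, and the ASP.NET handler that calls it. The assembly, namespace, class and method names (CertClientComponents, CertClient, CertServiceCaller, RunningAs, CallHelloWorld, CertClientWeb, HelloWorldPage) are assumptions; the SimpleService proxy and the c:\user_der.cer path are the ones the article uses.

```csharp
using System;
using System.EnterpriseServices;
using System.Net;
using System.Security.Cryptography.X509Certificates;
using System.Security.Principal;

// Server-activated COM+ application: the component runs in its own dllhost.exe
// process, not inside the ASP.NET worker process. Its identity is configured
// in Component Services to be the certificate user. The application name is
// an assumed value.
[assembly: ApplicationName("CertClientComponents")]
[assembly: ApplicationActivation(ActivationOption.Server)]

namespace CertClient
{
    // Hypothetical Serviced Component holding the certificate code that step 3
    // moves out of the ASP.NET page.
    public class CertServiceCaller : ServicedComponent
    {
        // Same exported certificate file the article's sample loads.
        private const string CertPath = @"c:\user_der.cer";

        // Reports the Windows account this component executes as. Step 3 asks
        // you to verify that this is the certificate user, not the ASP.NET
        // worker process account.
        public string RunningAs()
        {
            return WindowsIdentity.GetCurrent().Name;
        }

        // Calls the SSL Web service with the client certificate. Because this
        // code runs under the certificate user's identity (with that profile
        // loaded by the Windows service from step 1), the certificate and its
        // private key are reachable for the SSL client authentication.
        public string CallHelloWorld()
        {
            SimpleService service = new SimpleService();   // proxy class from the article
            service.Credentials = CredentialCache.DefaultCredentials;

            X509Certificate x509 = X509Certificate.CreateFromCertFile(CertPath);
            service.ClientCertificates.Add(x509);

            return service.HelloWorld();
        }
    }
}

// ---- ASP.NET code-behind (step 4); lives in a separate file and assembly ----
namespace CertClientWeb
{
    public class HelloWorldPage : System.Web.UI.Page
    {
        protected System.Web.UI.WebControls.Label Result;

        public void Submit_HelloWorldClick(Object sender, EventArgs E)
        {
            // Creating the component activates it in the COM+ server process.
            // ServicedComponent is IDisposable, so release it when done.
            using (CertClient.CertServiceCaller caller = new CertClient.CertServiceCaller())
            {
                // Sanity check: expect the certificate user's account here.
                string identity = caller.RunningAs();

                Result.Text = caller.CallHelloWorld();
            }
        }
    }
}
```

To register the component, the assembly needs a strong name (AssemblyKeyFile attribute) and is installed with regsvcs.exe; after that, set the COM+ application's identity to the certificate user in Component Services. The Windows service from step 1 contains no certificate logic at all; its only job is to run as the certificate user so that user's profile, and with it the private key that belongs to the certificate, stays loaded while no one is logged on interactively. The RunningAs value is the quickest way to confirm that the certificate-handling code is no longer executing as the ASP.NET worker process account.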



STATUS
This behavior is by design.

