Microsoft KB Archive/817854

= FIX: ASP.NET Web application cannot deliver a client certificate to a security-enhanced Web site =

Article ID: 817854

Article Last Modified on 3/22/2007

-

APPLIES TO


 * Microsoft .NET Framework 1.0

-





SYMPTOMS
You try to call a Web service or another HTTP resource or HTTPS resource, and the Web service or the resource is security-enhanced by using a client certificate. If the client certificate is implemented by using the Microsoft .NET Framework, your code may work when you run it in a Microsoft Windows Forms application or in a console application. However, the same code does not work when you run it in the context of Microsoft ASP.NET.

For example, when you run the code in an ASP.NET Web application, you receive the following error message:

System.Net.WebException. The Underlying Connection Was Closed. Could Not Establish Trust Relationship with Remote Server.



CAUSE
This problem occurs because the System.Net classes look only in the certificate store of the current user. However, code that is running in the context of a non-interactive account, such as the ASPNET account or the Network Service account that ASP.NET uses, cannot access this certificate store.



RESOLUTION
Apply the following hotfix. After you apply this hotfix, the System.Net classes will also look in the certificate store of the local computer. If the certificate is installed, and the correct permissions have been granted in the certificate store of the local computer, the code will work as expected.

A supported hotfix is now available from Microsoft, but it is only intended to correct the problem that is described in this article. Only apply it to systems that are experiencing this specific problem. This hotfix may receive additional testing. Therefore, if you are not severely affected by this problem, we recommend that you wait for the next .NET Framework 1.0 service pack that contains this hotfix.

To resolve this problem immediately, contact Microsoft Product Support Services to obtain the hotfix. For a complete list of Microsoft Product Support Services telephone numbers and information about support costs, visit the following Microsoft Web site:

http://support.microsoft.com/contactus/?ws=support

Note In special cases, charges that are ordinarily incurred for support calls may be canceled if a Microsoft Support Professional determines that a specific update will resolve your problem. The usual support costs will apply to additional support questions and issues that do not qualify for the specific update in question.

The English version of this hotfix has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.   Date         Time   Version       Size       File name 02-Apr-2003 05:52  1.0.3705.418     20,480  Perfcounter.dll 02-Apr-2003 06:01  1.0.3705.418  1,175,552  System.dll 02-Apr-2003 05:04  1.0.3705.418    311,296  System.runtime.remoting.dll 02-Apr-2003 05:56  1.0.3705.418    503,808  System.web.services.dll



WORKAROUND
For information about how to work around this problem without applying the hotfix, visit the following Microsoft Web site:

http://msdn2.microsoft.com/en-us/library/aa302408.aspx



STATUS
Microsoft has confirmed that this is a bug in the Microsoft products that are listed in the &quot;Applies to&quot; section.



MORE INFORMATION
After this fix is installed, the client certificate must be installed in the Machine store. Use the MMC Certificate snap-in to add the certificate in the following location:

Certificates (Local Computer)\Personal\Certificates

Warning You can use the MMC Certificate snap-in to import the certificate directly to the Certificates (Local Computer) store. However, if you have already imported the certificate to the current user's store, do not use the drag-and-drop method in the MMC Certificate snap-in to move the certificate to the Local Computer store.

For example, earlier, you double-clicked the certificate (.cer) file and then followed the instructions in the wizard to import the certificate to the current user's store. If you now use the drag-and-drop method in the MMC Certificate snap-in to move the certificate to the Local Computer store, the private key is not copied during the move operation. The private key is required to complete the certificate authentication handshake with the server.

For additional information about this problem, click the following article number to view the article in the Microsoft Knowledge Base:

837350 ISA Server 2000 cannot access an imported SSL certificate

The WinHttpCertCfg utility can be used to put a certificate in the correct store and to add permissions for the ASP.NET user to access the certificate. For more information about the WinHttpCertCfg utility, visit the following Microsoft Developer Network (MSDN) Web site:

http://msdn2.microsoft.com/en-us/library/aa384088.aspx

To obtain the WinHttpCertCfg utility, visit the following Microsoft Web site:

http://www.microsoft.com/downloads/details.aspx?familyid=c42e27ac-3409-40e9-8667-c748e422833f&displaylang=en

After the certificate is in the certificate store, and after the correct user has been added and has been granted the correct permissions, you can use the following code to send the certificate as part of the request: WinHttp.WinHttpRequest req = new WinHttp.WinHttpRequestClass; req.Open(&quot;GET&quot;, <>, false); req.SetClientCertificate(&quot;LOCAL_MACHINE\\Root\\YourCert&quot;); //path of the certificate and the certificate name (for example, Path\certname) For example, for the ASP.NET user, the ASPNET user account must be added and must be granted the correct permissions.

Note This issue is also fixed in the .NET Framework 1.1 through the June 2003 ASP.NET hotfix package. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

821156 ASP.NET 1.1 June 2003 hotfix rollup package

Note You cannot obtain the 1.1 version of this hotfix individually. You must install the rollup.

Keywords: kbhotfixserver kbqfe kbpubtypekc kbqfe kbnetframe100presp3fix kbfix kbbug KB817854

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.