I have a C# Web service which is running under IIS 7.5 on Windows Server 2008 R2 using the DefaultAppPool user as the application identity (IIS APPPOOL\DefaultAppPool). The Web service uses IBM Websphere MQ (7.0.1.2) to do it's stuff and uses the SSL certificates stored in a key.kdb setup via IBMs KeyMan utility.
Normally (for C# apps that are not running IIS) I need to label the personal certificate within the kdb so that it's name matches the user that is running the app i.e. the certificate would be labelled as ibmwebspheremqbs6mjb (see http://www-01.ibm.com/support/docview.wss?uid=swg21245474) and this allows the app to successfully access the SSL certificates within the key.kdb.
But..... when running as a Web service and naming the certificate ibmwebspheremqdefaultapppool the application cannot access the SSL certs. If I change the AppPool identity to be bs6mjb then everything works (I'm not allowed to run the app pool as bs6mjb).
I'd prefer not to setup a default certificate as mentioned in the link above, does anyone know what the certificate should be labelled as to work with DefaultAppPool?
For MQ clients the certificate label must have the user name who runs the client. In your case, for example ibmwebspheremqbs6mjb. If the certificate label is something else, the MQ client (actually GSKit libraries) will not find the certificate to connect to queue manager. I think that's what is happening when you have the label as ibmwebspheremqdefaultapppool.
This blog has interesting and useful details. You may want to check under what user IIS runs and create a certificate for that user and do the required SSL setup between client and MQ queue manager.
Related
I have an ASP.NET MVC web application that I deployed to Microsoft Azure as a Web App. In that application I have some Web API endpoints that would be only accessible if the user has the correct certificate with the allowed thumbprint. However, I have other endpoints as well (and of course the website) that would be accessible without a client certificate.
I know there is a possibility to set up the Azure Web App to require client certificate through a HTTPS connection. But if I make the mentioned REST API call
ARMClient PUT subscriptions/{Subscription Id}/resourcegroups/{Resource Group Name}/providers/Microsoft.Web/sites/{Website Name}?api-version=2015-04-01 #enableclientcert.json -verbose
that will cause that only those users can visit my site and use the Web API endpoints who has client certificates.
If I open my locally installed IIS Manager, I will have an option to Accept client certificates, not to require them, as you can see in this image:
My question is how can I set up my Azure Web App to accept (not require) client certificates? I searched over this site and many other forums, but I cannot find a way to set up Web Apps in this way.
Update:
My question is how can I set up my Azure Web App to accept (not require) client certificates?
It seems that it is not supported on azure now. I also find the support optional client certificates for TLS mutual auth feedback. And now it is underview by Azure team. You also can vote it up.
We also could remote to the Azure website using IIS Manager to set up it, you could get the detail steps from this blog.
**Prerequisites**
>On Window client OS - [IIS Manager for Remote Administration][3]
>On Windows Server – Make sure you have installed IIS Management Console.
Refer to step 6 in http://www.iis.net/learn/install/installing-iis-7/installing-iis-on-windows-vista-and-windows-7 - “IIS Management Console” is the required feature.
I Got a solution that contains a C# winform client and a server (Windows Service WCF service, IdentityServer4 and ElasticSearch). Certificate is required when running IdentityServer in production so this will be implemented on all of the services. It will probably only be a one way certificate(function certificate for services).
The production will run a bought certificate.
Is there any reason to buy an certificate for dev or will a dev certificate from a local Windows server be enouth to really test everything like as if it was in production?
A test certificate will work the same way as a bought certificate. Its however possible that you will need to override the check of the certificate on client and service to grant it even if the certificate is not installed in the required service. If you however are able to generate certificate specific for the computers that are running the software, then there will be no need to override the certificate check method.
I'm a not good at Web services and C#. I looked at other threads but I can't seem to find a solution. I think because I'm using SSIS I can't use WSE or WCF approaches.
I'm looking for a solution to exchange data between an application server and a secured web service. Overview:
There is a PFX file present which contains the client certificate and the private key.
The PFX is installed on the application server.
I can't approach the service endpoint through a browser e.g. internet explorer. Even with a certificate.
I received a SOAPUI project with already the bindings and methods defined (Can't insert the URL). I just needed to reference the PFX file in the settings. I compile a test for a method in the form of a SOAP message and I succesfully receive a response.
I need to generate the following SOAP header structure:
Picture
Now in C# how can I realize the same effect as in SOAPUI? At first I tried manually composing the soapmessage and posting it to the service, but I think this is not possible, because I can't seem to generate a security binary token. Now I'm thinking about generating proxy classes. Since I don''t have acces to the URL endpoint, I'll have to use offline versions of the WSDL + XSD's. Can the proxy class approach work with the web service security?
Basically you need to write custom script to consume web service in SSIS. First you need to install certificate on local machine. Then you will be able to consume it. SSIS provide support for web service, so you can use it. SOAPUI request is equivalent to web method.
MSDN Documentation: Call a Web service by using a client certificate for authentication.
Frequently, Web services must authenticate applications that call the Web services. The Web services must perform authentications of calling applications before the Web services can perform authorizations. One authentication technique is to require applications that call the Web service to present a client certificate.
When an ASP.NET Web application tries to call a Web service that uses
certificate authentication, you may receive an "access denied" error
message. When a console application or a Microsoft Windows Forms
application calls the same Web service, you do not receive an error
message.
This behavior occurs because the computer maintains two different
certificate stores: The local machine store: An ASP.NET Web
application looks in this store to locate client certificates. The
local user store: An interactive user application looks in this store
to locate client certificates. Typically, when an interactive user
application installs a client certificate, the client certificate is
installed in the local user store. Therefore, the client certificate
works for interactive user applications. However, the client
certificate does not work for ASP.NET Web applications.
To enable an ASP.NET Web application to use a client certificate, you
must install the client certificate in the local machine store. When
you install a client certificate in the local machine store, the
client certificate is only available for user accounts in the
Administrators group and for the user who installed the client
certificate. Therefore, you must grant access to the client
certificate for the user account that is used to run the ASP.NET Web
application.
Note You must have the Microsoft .NET Framework 1.1 Service Pack 1
(SP1) installed to use client certificates in the local machine store.
Additionally, when the ASP.NET Web application calls the Web service,
the application must export the client certificate from the
certificate store and then add the client certificate to the Web
service call.
Below are resources which would provide some starting point.
HOW TO: Write a Simple Web Service by Using Visual C# .NET
How to call a Web service by using a client certificate for authentication
Client certificate authentication with web services in .NET
Using authentication certificates to connect to web service
Accessing a web service and a HTTP interface using certificate authentication
Creating and Using C# Web service over HTTPS – SSL
I created a self hosted HTTPS WCF web service running on my Localhost machine. Now i make a request to this web service from a GWT based application hosted on some domain.
I use self-signed X.509certificate which is not approved yet. Whenever my GWT application make requests, It shows an error because of untrusted Certificate. Can i bypass this error from my GWT client code or suggest me an alternative solutions ?
Is there are any other protocol which supports WCF service that we can use for communication and will not trigger the security alert from browser?
Updated
Whole scenario:
You installed a exe in your system, which take cares of WCF web service and importing certificate to your local machine.
You open a GWT based website from your browser. Let's say some.com
some.com continuously polling a request to his/her local machine. Let's say on https://localhost:8098/{someendpoint}
But because of this HTTPS and untrusted certificate. It is not able to make request.
since you said
Let's start with local testing
How about installing your self signed certificate onto the machine on which you are testing the GWT ?
You should be able to double click the certificate and follow the prompts/wizard to install it.
This applies to development only (for production you'd need a proper certificate)
I have a web application set up on our intranet that uses windows authentication (successfully) that I am trying to link to a database running on a separate server.
The problem that I am having however, is that when I try to use a trusted connection to log in to the sql server, instead of passing the domain/username of the person using the website the application is passing NT AUTHORITY\ANONYMOUS LOGON.
I checked that the authentication was working by having the website display a greeting that does identify my username correctly when I log on to the site, so it isn't an anonymous access issue. I think it is an impersonation issue somehow despite the fact that set in the web.config file for the application.
Curiously, the web application works fine when I run it on either my dev machine or even locally through remote desktop on the production server. I'm not sure what's going on here.
Finally, I'm running iis 7.5, windows server 2008 r2 and sql server 2008
This is called Constrained Delegation. Basically what that means is that an impersonated context by default cannot be delegated to authenticate with a resource on the network. If constrained delegation would not be in place anyone could create a web site in the enterprise and expose some benign application. But underneath, once the user authenticated with the site, it could impersonate that user to do anything, like read his mail, sale stock on his behalf, give raises to site developer, *anything. This is why impersonated contexts are not trusted outside the machine that impersonated the user.
To allow an impersonated context to connect to a remote resource (like a file share, or a database server) the domain administrator has to explicitly set up Constrained Delegation, which allows the impersonated context to authenticate with one specific resource.
There are numerous articles describing the problem and the solution:
How To: Use Protocol Transition and Constrained Delegation in ASP.NET 2.0
Protocol Transition with Constrained Delegation Technical Supplement
How To: Connect to SQL Server Using Windows Authentication in ASP.NET 2.0
Configuring Servers for Delegation (IIS 6.0)
How to: Use Protocol Transition for Impersonating and Delegating the Original Caller in WCF
it is a known behavior called double-hop issue. See http://weblogs.asp.net/owscott/archive/2008/08/22/iis-windows-authentication-and-the-double-hop-issue.aspx
If your web application tries to access your database it does it with the account under which the IIS w3wp.exe process is running (networkservice by default).
If you want to change this, you will need to use impersonation.
This document explains it pretty good.
As the document also explains depending on your application, you might want to use trusted subsystem instead of impersonation.