I am trying to consume a web service over the HTTPS protocol. I have a password-protected p12 file with a certificate. After importing this file I can view the service methods in a browser and I can add the service as a ServiceReference in a Visual Studio client application. The problem appears when invoking methods of this service. I tried almost everything and still get the error 'Could not establish secure channel for SSL/TLS with authority {server_name}'.
What can be wrong?
There are at least a few possible causes, but I would start by redefining the certificate validation callback:
    ServicePointManager.ServerCertificateValidationCallback = (a,b,c,d) => true;
Put this line in your client code before you access the service.
I am in the process of building a WCF client for a SOAP HTTPS webservice in .Net Core 2.1.
The service provider has supplied a .key and a .cert file which I have converted to a .p12 file using openssl. By adding this to a keystore I am able, through SoapUI, to successfully send a request to the webservice (no other authentication than the certificate is required).
To do the same operation in .Net Core I have added a Connected Service to my project through the WCF wizard in Visual Studio. This service is based on the supplied service contract (WSDL file). I have then installed the .p12 certificate locally on my PC and I am using the following code to make the request. "MyService" is the connected service.
    var binding = new BasicHttpsBinding();
    binding.Security.Mode = BasicHttpsSecurityMode.Transport;
    binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Certificate;
    binding.Security.Transport.ProxyCredentialType = HttpProxyCredentialType.None;

    var endpoint = new EndpointAddress("https://x.x.x.x:8300/MyService.asmx");
    var channelFactory = new ChannelFactory<MyService>(binding, endpoint);
    channelFactory.Credentials.Windows.AllowedImpersonationLevel = System.Security.Principal.TokenImpersonationLevel.Impersonation;
    channelFactory.Credentials.ServiceCertificate.SslCertificateAuthentication = new X509ServiceCertificateAuthentication()
    {
        CertificateValidationMode = X509CertificateValidationMode.None,
        RevocationMode = X509RevocationMode.NoCheck,
        TrustedStoreLocation = StoreLocation.LocalMachine
    };
    channelFactory.Credentials.ClientCertificate.SetCertificate(
        StoreLocation.CurrentUser,
        StoreName.My,
        X509FindType.FindByIssuerName,
        "xxxxxxxxxxxxxxxxxxxxxxxxxx");

    var service = channelFactory.CreateChannel();
    ExecuteResponse response = service.Execute(new ExecuteRequest());
When running this code I am getting the following error:
System.ServiceModel.Security.MessageSecurityException: 'The HTTP request is unauthorized with client authentication scheme 'Anonymous'. The authentication header received from the server was 'Negotiate'.'
The strange thing is that I am allowed to make the request if I use the HttpClientHandler which tells me that there must be a mismatch between the underlying structure of the two implementations.
Anyone who knows how I can fix this error?
The certificate might just be used to establish the trust relationship between the client-side and the server-side.
For making a successful call to the service, we should keep the binding type between the client-side and the server-side consistent. Therefore, I would like to know the automatically generated client-side configuration by Adding service reference, please post the System.servicemodel section located in the appconfig of the client project.
If the server authenticates the client-side with a certificate, the error typically indicates the trust relationship has not been established yet between the client-side and the server-side.
On the client-side, we should install the server certificate in the LocalCA. On the server-side, we should install the client certificate in the LocalCA certificate store.
Feel free to let me know if the problem still exists.
I have a p12 certificate for a WebService (I've tested the certificate with SoapUI and it works, and I can access the URL with a WebBrowser).
The problem is that I can't consume the WebService with my C# development. When I try to access the webservice, it returns the error message "Cannot create DNS identity probably due to the lack of CN parameter".
How can I override this? I've tried the CreateX509CertificateIdentity, but the error remains.
When you access your webservice at, for example, the http://localhost/webservice URL, then your CN=localhost. If you want to make the webservice available at multiple URLs then you need to specify all DNS addresses in the subject alternative name (SAN) in the extensions of your certificate. Of course the certificate has to be trusted by client and server.
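The CN and SAN matching described in the answer above, shown on constructed certificates. This is an added example, not code from the original posts; it assumes .NET 7 or later (for `MatchesHostname` and `X509SubjectAlternativeNameExtension`), uses .NET's general host name matching rather than WCF's own identity check, and the `*.example.test` names are made up.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class HostNameCheck
{
    // Constructed sample: a throwaway self-signed certificate with the given
    // CN and, optionally, DNS names in the subject alternative name extension.
    static X509Certificate2 Make(string cn, params string[] sanDnsNames)
    {
        using (RSA key = RSA.Create(2048))
        {
            var req = new CertificateRequest("CN=" + cn, key,
                HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
            if (sanDnsNames.Length > 0)
            {
                var san = new SubjectAlternativeNameBuilder();
                foreach (string name in sanDnsNames) san.AddDnsName(name);
                req.CertificateExtensions.Add(san.Build());
            }
            return req.CreateSelfSigned(DateTimeOffset.UtcNow.AddDays(-1),
                                        DateTimeOffset.UtcNow.AddDays(30));
        }
    }

    // Prints the names the certificate carries and whether each host matches.
    static void Describe(X509Certificate2 cert, params string[] hosts)
    {
        Console.WriteLine("CN  = " + cert.GetNameInfo(X509NameType.SimpleName, false));
        X509Extension raw = cert.Extensions["2.5.29.17"];   // subjectAltName OID
        if (raw != null)
        {
            var san = new X509SubjectAlternativeNameExtension(raw.RawData);
            Console.WriteLine("SAN = " + string.Join(", ", san.EnumerateDnsNames()));
        }
        foreach (string host in hosts)
            Console.WriteLine("  " + host + " matches: " + cert.MatchesHostname(host));
    }

    static void Main()
    {
        // No SAN: the CN is the only name the endpoint host can match.
        Describe(Make("localhost"), "localhost", "service.example.test");
        // Several URLs: every DNS address is listed in the SAN.
        Describe(Make("localhost", "localhost", "service.example.test"),
                 "localhost", "service.example.test", "other.example.test");
        // SAN without the CN's name: once DNS names are present the CN is not consulted.
        Describe(Make("localhost", "service.example.test"), "localhost", "service.example.test");
    }
}
```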
I have a WSDL file. I want to consume a webservice from this WSDL. I have added a service reference by using this WSDL and created a proxy. I have created the required parameters for invoking my service method. Actually the webservice is protected by basic authentication. But in the client proxy I found no option to provide the user name and password. How could I invoke the webservice?
I want to provide basic authentication credentials.
I am getting the following error when invoking service method without giving credentials.
System.Net.WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.
---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.
Please help me
Try this:
    client.ClientCredentials.UserName.UserName = "xxxxxx";
    client.ClientCredentials.UserName.Password = "xxxxx";
https://msdn.microsoft.com/en-us/LIbrary/ms733775.aspx
I have a service hosted over http/https on my local machine. When I consume the service over http it works perfectly. It also works when I make an https request via ajax. But it does not work when I try to consume it from the code-behind of the client app. It shows an error message as follows:
"The remote certificate is invalid according to the validation procedure"
Can somebody help me out?
This is because the certificate you use on your local IIS is a virtual one.
Probably, you will not get it in real time.
There are several hacks available to make it work locally.
NOTE: Never ever do this on production...
Add the following code segment (an event handler) before calling any method of the service.
    ServicePointManager.ServerCertificateValidationCallback += EasyCertCheck;

    bool EasyCertCheck(object sender, X509Certificate cert,
                       X509Chain chain, System.Net.Security.SslPolicyErrors error)
    {
        return true;
    }
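A narrower local-development callback than the accept-everything versions posted in the answers on this page: it tolerates a validation failure only for one pinned certificate on one host, and is compiled out of Release builds. This is an added example, not code from the original posts; `DevHost` and `DevThumbprint` are placeholders, and it assumes a .NET Framework client that calls `PinnedDevCert.Install()` once before the first service call.

```csharp
using System;
using System.Diagnostics;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

static class PinnedDevCert
{
    // Assumptions: placeholders for your own development host and for the
    // thumbprint of the certificate bound to it in local IIS.
    const string DevHost = "localhost";
    const string DevThumbprint = "<DEV-CERT-THUMBPRINT>";

    // Calls to this method are removed from builds without the DEBUG symbol.
    [Conditional("DEBUG")]
    public static void Install()
    {
        ServicePointManager.ServerCertificateValidationCallback = Validate;
    }

    // The callback's sender is either the host name or the WebRequest in flight.
    static string HostOf(object sender)
    {
        var request = sender as WebRequest;
        return request != null ? request.RequestUri.Host : sender as string;
    }

    public static bool Validate(object sender, X509Certificate cert,
                                X509Chain chain, SslPolicyErrors errors)
    {
        if (errors == SslPolicyErrors.None) return true;   // normal validation passed
        if (cert == null) return false;                     // nothing to pin against

        // Validation failed: tolerate it only for the one dev host presenting
        // the one certificate that was pinned. Everything else stays rejected.
        bool devHost = string.Equals(HostOf(sender), DevHost,
                                     StringComparison.OrdinalIgnoreCase);
        bool pinned = string.Equals(new X509Certificate2(cert).Thumbprint, DevThumbprint,
                                    StringComparison.OrdinalIgnoreCase);
        if (!(devHost && pinned))
            Console.Error.WriteLine("TLS rejected: " + cert.Subject + " (" + errors + ")");
        return devHost && pinned;
    }
}
```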
I posted days ago about access control to web service (Access control to web service). In short, I have an ASP.NET web service deployed on //service/webservice and I want my ASP.NET web application (app1) on the //web1 to access the web service with certificate authentication. I keep getting System.Net.WebException: The request failed with HTTP status 403: Forbidden exception. The following is my setup:
On certificate export;
I exported a server certificate issued to //service from LocalMachine store and saved it as service.cer.
I also exported a client certificate issued to //web1 from LocalMachine store and saved it as web1.cer
Setup on //service/webservice:
On Directory Security, unchecked Anonymous Access and all Authentication Access (Integrated Windows Access, Digest Authentication and Basic Authentication).
On Secure communications, checked Require secure channel (SSL), Require 128-bit encryption, Require client certificate, and Enable client certificate mapping. I then mapped web1.cer to an AD account MyDomain/user which has access right to //service/webservice
For //service/webservice/WebService.asmx, set <authentication mode="Windows" /> on web.config
Setup on //web1/app1
Set <authentication mode="Windows" /> and <identity impersonate="true" /> on web.config
In VS2008, I added the web reference to //service/webservice/WebService.asmx and named it WService
In //web1/app1/default.aspx.cs, I had this:
    using System.Security.Cryptography.X509Certificates;
    using System.Net;

    WService.WebService ws = new WService.WebService();
    ServicePointManager.ServerCertificateValidationCallback = delegate(Object sender1, X509Certificate cert, X509Chain chain, System.Net.Security.SslPolicyErrors errors) { return true; };
    //I was a bit confused here on which certificate I should use so I have tried both service.cer and web1.cer but still got the same error
    X509Certificate x509 = X509Certificate.CreateFromCertFile(@"C:\Certificates\service.cer");
    ws.ClientCertificates.Add(x509);
    ws.DoSomething();
I ran WinHttpCertCfg.exe to grant access to both certificates in LocalMachine for ASPNET account
I went to https://service/webservice/WebService.asmx and was prompted to provide a client certificate and after that I was through. But if I went to https://web1/app1/default.aspx (which would call the web service) and I would get the HTTP status 403 exception.
What did I miss? I would assume the problem is because //web1/app1/default.aspx.cs failed to transmit the certificate across. If that's the problem, how do I do that? I built both the asmx and aspx on VS 2008 and ASP.NET 3.5.
Make sure your client certificate was requested as a 'Computer' template certificate for 'Client Authentication' otherwise it will not work.
Sounds like the SSL certificate is failing to authenticate for the web service client. A good check is if you go to the service from the client’s machine and get an alert in the browser about an SSL certificate your service will not authenticate with the certificate (certificate is not trusted). It’s not that the certificate doesn’t work, it’s just not trusted.
If the service is across machines you might have to setup a certificate authority (this might help http://www.petri.co.il/install_windows_server_2003_ca.htm) and add it as a trusted publisher on the client machine. This might also help http://support.microsoft.com/kb/901183.
Another option is to simply not validate the SSL, see:
http://geekswithblogs.net/jwhitehorn/archive/2006/09/20/91657.aspx
When I had this problem it turns out the client certificate/key pair I was using was signed by an intermediate CA which was in the current user store instead of the local machine store. It all looked good if you examined the cert while logged in but the IIS worker process could not see the intermediate CA. Thus, the web service call was not supplying the certificate with the request. You can verify this by checking the server web log for a 403 7 5 response.
Make sure the users that are impersonating have access to the certificate store being used.
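A way to check for the situation described in the last answers, where an intermediate CA is visible to the logged-in user but not in the machine-wide stores. This is an added example, not code from the original posts; it assumes Windows, a client certificate installed in LocalMachine\My, and its thumbprint passed as the only argument.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;

static class ChainStoreCheck
{
    // True when a certificate with this thumbprint is present in the given store.
    static bool InStore(StoreName name, StoreLocation location, string thumbprint)
    {
        using (var store = new X509Store(name, location))
        {
            store.Open(OpenFlags.ReadOnly);
            return store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, false).Count > 0;
        }
    }

    // Lists each issuer above the client certificate; true only if all are machine-wide.
    public static bool Report(X509Certificate2 clientCert)
    {
        using (var chain = new X509Chain())
        {
            // Only locating the issuers matters here, so revocation is not consulted.
            chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
            chain.Build(clientCert);
            if (chain.ChainElements.Count < 2) { Console.WriteLine("no issuer located above the certificate"); return false; }
            bool ok = true;
            for (int i = 1; i < chain.ChainElements.Count; i++)
            {
                X509Certificate2 ca = chain.ChainElements[i].Certificate;
                StoreName name = ca.Subject == ca.Issuer ? StoreName.Root : StoreName.CertificateAuthority;
                bool machine = InStore(name, StoreLocation.LocalMachine, ca.Thumbprint);
                Console.WriteLine((machine ? "in LocalMachine      " : "NOT in LocalMachine  ") + name + "  " + ca.Subject);
                ok &= machine;
            }
            return ok;
        }
    }
    static int Main(string[] args)
    {
        // Assumption: args[0] is the thumbprint of the client certificate in LocalMachine\My.
        if (args.Length != 1) { Console.Error.WriteLine("usage: ChainStoreCheck <thumbprint>"); return 2; }
        using (var my = new X509Store(StoreName.My, StoreLocation.LocalMachine))
        {
            my.Open(OpenFlags.ReadOnly);
            var found = my.Certificates.Find(X509FindType.FindByThumbprint, args[0], false);
            if (found.Count == 0) { Console.Error.WriteLine("client certificate not found"); return 2; }
            return Report(found[0]) ? 0 : 1;
        }
    }
}
```

Run it as the interactive user who installed the certificate: an issuer reported as not in LocalMachine is one that account can resolve while a worker process under another identity may not.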