I have a WCF service running under IIS configured to use SSL, with a valid certificate already installed and running.
Visiting the website with
https://my_website/anypage.aspx
I can access the page.
Visiting the url
https://my_website/mywcfservice.svc
I can see the webservice page:
"You have created a service. To test this service, you will need to create a client and use it to call the service(...) ". Note that I'm receiving anyway the warning page saying "There is a problem with this website's security certificate" where I click "Continue to this website".
in server side, the web.config is configured with:
<security mode="Transport">
<transport clientCredentialType="None" />
</security>
...
...
In client side, I'm not using proxy or config file. I'm connecting using code only, like:
this.Channel = new ChannelFactory<T>(binding, new EndpointAddress(serviceUri));
((WSHttpBinding)this.Channel.Endpoint.Binding).Security.Mode = SecurityMode.Transport;
((WSHttpBinding)this.Channel.Endpoint.Binding).Security.Transport.ClientCredentialType = HttpClientCredentialType.None;
this.Channel.CreateChannel();
I have strong rules to connect from client by code so I can't use other way. the channel is well opened but when I'm calling any method I receive error "the remote certificate is invalid according to the validation procedure."
Without https was working ok.
In client side I have a many certificates in "Trusted Root Certification Authorities\Certificates". All of them are also trusted in server side.
Where could be the issue, in client or server side ??
Maybe I need to specify one very precise certificate to use in client side ??
any help appreciate, thanks.
Note that I'm receiving anyway the warning page saying "There is a problem with this website's security certificate" where I click "Continue to this website".
Your client machine does not trust the SSL certificate that you are using on the server. The WCF error you receive is the equivalent to the message that you are getting when you try to hit the service in your browser.
In client side I have a many certificates in "Trusted Root Certification Authorities\Certificates". All of them are also trusted in server side.
You need to configure your client machine to properly trust your SSL certificate. Once you can access the service in your browser with no errors, your client code should work.
Related
I created a message flow having rest request node to connect to an API. API security enabled received the following error:
BIP3165S: An error occurred whilst performing an SSL socket operation.
Operation: connect. Error Text: javax.net.ssl.SSLHandshakeException:
com.ibm.jsse2.util.j: PKIX path building failed:
com.ibm.security.cert.IBMCertPathBuilderException: unable to find
valid certification path to requested target.
How do I solve this issue in my message flow?
I disabled SSL but still received the same error.
What is the SSL client and server endpoints? Assuming this connection is:
WAS (server) <------SSL------> API (Client)
In one-way SSL, the solution is to add the root or intermediate certificate (from the WAS server's chain) to the client's trust store.
"PKIX path building failed" usually indicates that the SSL client was unable to authenticate the SSL server (remote host). To authenticate the server, the client needs to have the server's root or intermediate certificate in its trust store.
If this is happening with traditional WebSphere as the client, we can try to add the signer certificate with retrieve from port.
If mutual authentication is enabled, the issue can be with the server being unable to authenticate the client.
Either way, an SSL exception should not occur with SSL disabled. Maybe the server wasn't re-started after disabling SSL? Maybe SSL wasn't disabled correctly (on both endpoints)? Maybe the API was still trying to use HTTPS with SSL disabled?
Good afternoon,
I'm getting the following error trying to use a BizTalk send port to talk to a web service:
"System.InvalidOperationException: Cannot find the X.509 certificate using the following search criteria: StoreName 'My', StoreLocation 'CurrentUser', FindType 'FindByThumbprint'
The send port is configured as type 'WCF-WShttp', 'Transport' security mode, 'Certificate' credential type.
I have a self signed certificate that has the same thumbprint value as shown in the bizTalk configuration dialog. I've checked the file shows the correct thumbprint and it is not expired.
I've tried installing it in the all the following stores:
"Current User": Personal, Trusted Publishers, Trusted People, Trusted CA's
"Local Computer": Personal, Trusted Publishers, Trusted People, Trusted CA's.
When I go to the wcf send port configuration in the BizTalk management console it allows me to browse available certs. Our cert appears and lets me select it.
I made sure the service account for biztalk is added to the cert permissions.
Any suggestions?
Thanks!
The client certificate needs to be installed in BizTalk host user account certificate "Personal Store", also make sure any root certificate (if any) is in trusted store and then set it on adapter configuration.
Following these procedures should work. https://msdn.microsoft.com/en-us/library/gg634534(v=bts.70).aspx. Probably the most important thing to note is that you must be logged on to the server with the actual account that is running the adapter handler's host instance service. And for a self-signed certificate I think you just need to add it to the Trusted Root CAs for that account too.
Did you copy the thumbprint directly from the mmc to your BizTalk Send Port.
First try to copy it to notepad++ and check if you see any special characters.
If that's the case remove the special characters and then copy that thumbprint to your BizTalk Send Port.
I have installed a renewed SSL certificate on my web server running IIS7.
After installation, I applied website binding to port 443.
My application uses client certificates too, so I have changed the SSL setting to Require 'client certificate'.
Both client and SSL server certificates are valid but still I am not able to access my application. The error I get is:
403 - Forbidden: Access is denied.
I have enabled client certificate mapping in IIS role settings also but still not getting rid of this 403 error.
I guess client certificate is not able to handshake with server certificate. Please help!
In certificate Store verified all server certificate and client cert with its authority hierarchy are available.
also cross check below settings
Application Authentication: Anonymous
Application SSL Setting: Require SSL/ Accept
ApplicationHost.config: enabled OnetoOneMapping under iisClientCertificateMappingAuthentication also added base64 certificate mapped with service accounts
Also based on my past experience we need to ensure we have SChannel registry setting as mentioned in below post.
https://support.microsoft.com/en-us/kb/2464556
Simplest workaround just discovered this today. In IIS for your application, Go to Edit Bindings and change your port number. 443 to 4431 or 44301. Any variation you want. In your client computer, type in the new URL using new port number and you will establish a fresh connection to application. Make sure you SSL Settings for IIS Application is set to "Accept" instead of "Require". This means you can click "Cancel" when the pop up asks you to select a certificate you can simply hit "Cancel" and still hit the site. No 403 Error.
Do not spend hours trying to mess with your certificate store, just simply change the port on IIS Server and you'll be fine.
I have a wcf application (standalone service self hosted). This is NOT hosted in IIS and hosting it in IIS is not an option.
The service exposes a WCF service. I know that the service contract works because it works with HTTP as transport.
Now, I need to move to https. The intent is to secure the transport only. Client authentication is not required as we assume that anybody connecting to service is within the network.
After making changes to app.config to access httpsTransport in and updating the URLs across board, i started working on associating cert with port. The explanation is in http://msdn.microsoft.com/en-us/library/ms733791.aspx I followed instructions under section "To bind an SSL certificate to a port number". This worked nicely within the local machine. Note that root certificate and development certificate is generated using makecert.exe
When i host the same service in Windows server 2003, all hell breaks loose. The clients do not even get to see the endpoint (note that it's not firewalled as http works). I have followed the steps outlined in the document mentioned above (using httpcfg.exe). This does not work. OpenSSL mentions that server did not provide a certificate.
What can be the problem?
Did your server start correctly on 2003?
Did you configure your client to look for the server's certificate like following snippet? Pleaes check you didn't mistype the name of the certficate.
<endpoint binding="netTcpBinding" bindingConfiguration="DirectConnection"
behaviorConfiguration="Behavior"
contract="AContract"
name="ServiceContract" >
<identity>
<dns value="ServerCertificate.Com" />
</identity>
Turned out that using self signed certificates could not be used on windows 2003 server (this particular instance). I am guessing it's being treated as untrusted cert. Once we got the official certs, things just worked with no changes.
I am testing a web service with an external partner using 2 way SSL under IIS 7.5. I am requiring SSL, requiring a client cert, and using one to one mapping to authenticate to a domain account. I have configured everything and it works fine on our network (I am able to provide a client cert, get authenticated and invoke the service from browser and test harness).
From outside of our network (in most cases, see below), I am getting a 403.7 error. I have gone through the machine level certificate store and made sure the certificates and CAs are trusted.
Here's the weird thing. I obtained a Type I cert to test from home (and got 403.7 like our intended partner is). So I setup Fiddler to debug SSL and send my certificate, and this works for some reason. I setup a test harness to pass the exact same certificate, and got 403.7. I test in my browser (IE 9), don't get a prompt for a client cert, and get 403.7.
Any help appreciated.
Bill
Last time I checked, IIS was using re-negotiation (by default) to get the client certificate: there is a first handshake where the server doesn't request a client certificate, followed by another handshake (encrypted this time) where the server requests the certificate (via a TLS CertificateRequest message). This will prevent you from seeing anything from Wireshark, unless you configure it to use the server's private key and decipher the traffic (note that this only works with some cipher suites).
One way to see the client-certificate negotiation is to configure IIS to use initial client certificate negotiation, using netsh and clientcertnegotiation=true (which is about initial negotiation). At least the CertificateRequest and the certificate will be sent in clear during the handshake, so you should be able to see this with Wireshark.
If the client isn't sending a certificate to the server as a response to the CertificateRequest, you'll still see an empty Certificate message from the client.
If you don't export the private key with the certificate to use with Fiddler or whichever other client, there is no chance that it will be able to use the certificate. It may at best try to send the certificate, but the handshake will fail (since the CertificateVerify message needs to be signed by the client's private key).
I guess you may encounter a problem whereby:
not presenting a certificate is accepted by the server (it's effectively optional),
presenting an invalid certificate makes it fail and causes this 403.7 status code (many servers and SSL/TLS stacks would implement this as a fatal error, but TLS specification doesn't say that unsupported_certificate, certificate_revoked, certificate_expired, certificate_unknown should be fatal, so this is at the server's discretion).
Are you using the same physical machine to test both the in-network and external-network connections? If not, are you sure that the external-network client has the private key accessible?
I have not configured Fiddler client authentication before. Does it read the client certificate and key from the standard certificate stores? Does it read directly from a PKCS12?
One other thing that may be helpful is inspecting the TLS handshake in WireShark. Specifically, check out the Server's "Certificate Request" message, as the data here clues the client (IE9) which client certificates it should display in the prompt. Compare this for the internal and external connections.