You try to call a Web service or another HTTP resource or
HTTPS resource, and the Web service or the resource is security-enhanced by
using a client certificate. If the client certificate is implemented by using
the Microsoft .NET Framework, your code may work when you run it in a Microsoft
Windows Forms application or in a console application. However, the same code
does not work when you run it in the context of Microsoft ASP.NET.
For example, when you run the code in an ASP.NET Web application, you
receive the following error message:
System.Net.WebException. The Underlying Connection Was Closed. Could Not Establish Trust Relationship with Remote Server.
This problem occurs because the
System.Net classes look only in the certificate store of the current user.
However, code that is running in the context of a non-interactive account, such
as the ASPNET account or the Network Service account that ASP.NET uses, cannot
access this certificate store.
Apply the following hotfix. After you apply this hotfix, the
System.Net classes will also look in the certificate store of the local
computer. If the certificate is installed, and the correct permissions have
been granted in the certificate store of the local computer, the code will work
as expected.
A supported hotfix is now available from Microsoft, but it is only intended to
correct the problem that is described in this article. Only apply it to systems
that are experiencing this specific problem. This hotfix may receive additional
testing. Therefore, if you are not severely affected by this problem, we
recommend that you wait for the next .NET Framework 1.0 service pack that
contains this hotfix.
To resolve this problem immediately, contact
Microsoft Product Support Services to obtain the hotfix. For a complete list of
Microsoft Product Support Services telephone numbers and information about
support costs, visit the following Microsoft Web site:
Note In special cases, charges that are ordinarily incurred for
support calls may be canceled if a Microsoft Support Professional determines
that a specific update will resolve your problem. The usual support costs will
apply to additional support questions and issues that do not qualify for the
specific update in question.
The English version of this hotfix has the file attributes (or later file
attributes) that are listed in the following table. The dates and times for
these files are listed in coordinated universal time (UTC). When you view the
file information, it is converted to local time. To find the difference between
UTC and local time, use the Time Zone tab in the Date and Time tool in Control
Panel.
Date         Time   Version            Size  File name
------------------------------------------------------------------------
02-Apr-2003  05:52  1.0.3705.418     20,480  Perfcounter.dll
02-Apr-2003  06:01  1.0.3705.418  1,175,552  System.dll
02-Apr-2003  05:04  1.0.3705.418    311,296  System.runtime.remoting.dll
02-Apr-2003  05:56  1.0.3705.418    503,808  System.web.services.dll
For information about how to work around this problem
without applying the hotfix, visit the following Microsoft Web site:
Microsoft has confirmed that this is a bug in the Microsoft
products that are listed in the "Applies to"
section.
After this fix is installed, the client certificate must be
installed in the Machine store. Use the MMC Certificate snap-in to add the
certificate in the following location:
Certificates (Local Computer)\Personal\Certificates
Warning You can use the MMC Certificate snap-in to import the certificate
directly to the Certificates (Local Computer) store. However, if you have
already imported the certificate to the current user's store, do not use the
drag-and-drop method in the MMC Certificate snap-in to move the certificate to
the Local Computer store.
For example, earlier, you double-clicked
the certificate (.cer) file and then followed the instructions in the wizard to
import the certificate to the current user's store. If you now use the
drag-and-drop method in the MMC Certificate snap-in to move the certificate to
the Local Computer store, the private key is not copied during the move
operation. The private key is required to complete the certificate
authentication handshake with the server.
For additional information about this problem, click the following article
number to view the article in the Microsoft Knowledge Base:
837350 ISA Server 2000 cannot access an imported SSL certificate
The WinHttpCertCfg utility can be used to put a certificate in the correct store
and to add permissions for the ASP.NET user to access the certificate. For more
information about the WinHttpCertCfg utility, visit the following Microsoft
Developer Network (MSDN) Web site:
To obtain the WinHttpCertCfg utility, visit the following
Microsoft Web site:
After the certificate is in the certificate store, and after the
correct user has been added and has been granted the correct permissions, you
can use the following code to send the certificate as part of the request:
WinHttp.WinHttpRequest req = new WinHttp.WinHttpRequestClass();
req.Open("GET", "https://YourURL", false);
// Certificate location, store, and certificate name, separated by backslashes
// (for example, Path\certname). "MY" is the system name of the Personal store,
// which is where the certificate was installed for the local computer.
req.SetClientCertificate("LOCAL_MACHINE\\MY\\YourCert");
For example, for the ASP.NET user, the ASPNET user account must be added
and must be granted the correct permissions.
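The private-key requirement from the warning above and the WinHttpCertCfg permission step can be checked together before the ASP.NET code runs. The following PowerShell is an added example, not part of the original article; it assumes an elevated Windows PowerShell 5.1 session, an RSA key held by a legacy CSP, winhttpcertcfg.exe on the PATH, and the placeholder subject text YourCert.

```powershell
# Added example, not from the original article.
# Assumptions: elevated Windows PowerShell 5.1, an RSA key held by a legacy CSP,
# winhttpcertcfg.exe on the PATH, and the placeholder values below.
$SubjectMatch = 'YourCert'   # placeholder: text from the certificate subject
$Account      = 'ASPNET'     # account the ASP.NET worker process runs as

function Test-MachineClientCert {
    param([string]$SubjectMatch, [string]$Account)

    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "*$SubjectMatch*" } |
        Select-Object -First 1
    if (-not $cert) { return 'NotInstalled' }

    # A certificate dragged over from the current user's store arrives without its key.
    if (-not $cert.HasPrivateKey) { return 'NoPrivateKey' }

    # Machine CSP keys are files under MachineKeys; the file ACL controls who may use the key.
    $rsa = $cert.PrivateKey
    if (-not $rsa -or -not $rsa.CspKeyContainerInfo) { return 'KeyNotInLegacyCsp' }
    $keyFile = Join-Path $env:ProgramData ('Microsoft\Crypto\RSA\MachineKeys\' +
        $rsa.CspKeyContainerInfo.UniqueKeyContainerName)

    $read  = [System.Security.AccessControl.FileSystemRights]::Read
    $allow = (Get-Acl -Path $keyFile).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -like "*\$Account" -and
        ($_.FileSystemRights -band $read) -eq $read
    }
    if ($allow) { return 'Ready' }
    return 'AccountCannotReadKey'
}

$state = Test-MachineClientCert -SubjectMatch $SubjectMatch -Account $Account
switch ($state) {
    'NotInstalled'         { 'Import the certificate together with its key into Certificates (Local Computer)\Personal.' }
    'NoPrivateKey'         { 'Certificate is present without a private key; re-import it with the key.' }
    'KeyNotInLegacyCsp'    { 'Key is not in a legacy CSP; this file-ACL check does not apply.' }
    'AccountCannotReadKey' { & winhttpcertcfg -g -c 'LOCAL_MACHINE\My' -s $SubjectMatch -a $Account }
    'Ready'                { & winhttpcertcfg -l -c 'LOCAL_MACHINE\My' -s $SubjectMatch }
}
```

The -g call grants the named account access to the private key only; the -l call lists the accounts that currently have access, which is worth reviewing so that no account other than the ASP.NET identity has been granted the key.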
Note This issue is also fixed in the .NET Framework 1.1 through the
June 2003 ASP.NET hotfix package. For additional
information, click the following article number to view the article in the
Microsoft Knowledge Base:
821156 ASP.NET 1.1 June 2003 hotfix rollup package
Note You cannot obtain the 1.1 version of this hotfix individually.
You must install the rollup.