Microsoft Knowledge Base Article
This article's contents are Microsoft copyrighted material. © 2005-2007 Microsoft Corporation. All rights reserved.
PRB: "System.Net.WebException. The Underlying Connection Was Closed. Could Not Establish Trust Relationship with Remote Server." Error Message When You Upgrade the .NET Framework

SYMPTOMS
When you install the Microsoft .NET Framework version 1.0 Service Pack 2 or you upgrade to the .NET Framework version 1.1 from the .NET Framework version 1.0, your Web service clients may receive the following error message on a call to a Web service. This error message occurs when you use Secure Sockets Layer (SSL):

System.Net.WebException. The underlying connection was closed. Could not establish trust relationship with remote server.

The error message may appear after you install or after you upgrade even though the code works as you expect.
CAUSE
Beginning with the .NET Framework version 1.0 Service Pack 2 and with the .NET Framework version 1.1 and later, the name that is used on the HTTP request must match the name of the server that the SSL certificate is issued to. Earlier SSL certificates may no longer be accepted under certain circumstances. Also, the Certificate Revocation List (CRL) is now examined to make sure that the certificate has not been revoked.

Other scenarios exist also. For example, some networks use a different name-resolution scheme for internal versus external clients. Where the certificate is issued to a server with a public URL (such as www.adatum.com) but, for intranet applications, the internal Domain Name System (DNS) server provides a different name for the same server (such as www.internal.corporate.adatum.com), requests for this Web service over SSL may fail. This change is made to enhance the security of Web services that use SSL.

Note The example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious. No association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred.

RESOLUTION
You can resolve this problem by using either of the following methods:
- Change the name-resolution scheme so that DNS provides the same name for a server. The same name for the server must be used whether the server is referred to from inside the company or from outside the company.
  For example, assume that a certificate has been issued to the URL www.adatum.com. Any Web service application that is referred to from outside the organization is called by using the external DNS resolution scheme (www.adatum.com). When an intranet Web service application is called, the internal DNS translates the name of the site as www.internal.corporate.adatum.com. Therefore, any request for the Web service over SSL may fail unless you change the name-resolution scheme.
- Make the host name that is used when you add a Web reference to a Web service in the Web service client the same name as the name that the certificate is issued to.
WORKAROUND
To work around this problem, you can implement ICertificatePolicy. Then you must assign your ICertificatePolicy to ServicePointManager.CertificatePolicy before the Web service method call is made. The following code sample is implemented in the client application. The code forces the client application to accept every certificate that the server provides. This method weakens the security of the application because the authentication of the server is bypassed. To safely work around this problem, make sure that the certificate of the server contains the expected name before you allow the connection to continue.

The following sample code implements ICertificatePolicy and then accepts every request under SSL.

Microsoft Visual Basic .NET
Import the following two namespaces, and then implement the class:

Imports System.Net
Imports System.Security.Cryptography.X509Certificates

Public Class MyPolicy
    Implements ICertificatePolicy

    Public Function CheckValidationResult(ByVal srvPoint As ServicePoint, _
        ByVal cert As X509Certificate, ByVal request As WebRequest, _
        ByVal certificateProblem As Integer) _
        As Boolean Implements ICertificatePolicy.CheckValidationResult
        ' Return True to force the certificate to be accepted, whatever
        ' problem certificateProblem reports (no server authentication is done).
        Return True
    End Function
End Class

Microsoft Visual C# .NET
Import the following two namespaces, and then implement the class:

using System.Net;
using System.Security.Cryptography.X509Certificates;

public class MyPolicy : ICertificatePolicy {
    public bool CheckValidationResult(
        ServicePoint srvPoint
        , X509Certificate certificate
        , WebRequest request
        , int certificateProblem) {
        // Return true to force the certificate to be accepted, whatever
        // problem certificateProblem reports (no server authentication is done).
        return true;
    } // end CheckValidationResult
} // class MyPolicy

Include the following code in the client code. Before you make the Web service method call from the client code, the following statement (in either Visual Basic .NET or Visual C# .NET, as appropriate) must be executed:

Visual Basic .NET
System.Net.ServicePointManager.CertificatePolicy = New MyPolicy()

Visual C# .NET
System.Net.ServicePointManager.CertificatePolicy = new MyPolicy();
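A safer variant of the policy above, added here as an example (not the article's code): it accepts the certificate only when the sole reported problem is the host-name mismatch, the request targets the known internal alias, and the certificate's common name is the public name it was issued to. The class, its Install helper, the CN parser, and the two host names are assumptions taken from the article's fictitious scenario; the numeric status is the Windows CERT_E_CN_NO_MATCH value that the framework passes as certificateProblem for that mismatch.

```csharp
using System.Net;
using System.Security.Cryptography.X509Certificates;
// Added example, not the KB article's code: tolerate only the internal/external DNS
// name mismatch described above, for one known server, instead of every certificate.
public class ExpectedNamePolicy : ICertificatePolicy
{
    // Windows status CERT_E_CN_NO_MATCH: host name does not match the certificate CN.
    private const int CertCnNoMatch = unchecked((int)0x800B010F);
    private readonly string expectedCertificateName; // name the certificate is issued to
    private readonly string internalHostName;        // alias the internal DNS returns

    public ExpectedNamePolicy(string expectedCertificateName, string internalHostName)
    {
        this.expectedCertificateName = expectedCertificateName;
        this.internalHostName = internalHostName;
    }

    public bool CheckValidationResult(ServicePoint srvPoint, X509Certificate certificate,
                                      WebRequest request, int certificateProblem)
    {
        if (certificateProblem == 0)
            return true;                  // chain, revocation and name all checked out
        if (certificateProblem != CertCnNoMatch || certificate == null || request == null)
            return false;                 // expired, untrusted root, revoked, ...: reject
        // Tolerate the mismatch only for the known internal alias of the server...
        if (string.Compare(request.RequestUri.Host, internalHostName, true) != 0)
            return false;
        // ...and only when the certificate really carries the expected public name.
        string cn = ExtractCommonName(certificate.GetName());
        return cn != null && string.Compare(cn, expectedCertificateName, true) == 0;
    }

    // Pulls the CN attribute out of a distinguished name such as
    // "CN=www.adatum.com, O=A. Datum Corporation, C=US" (simple split on commas).
    internal static string ExtractCommonName(string distinguishedName)
    {
        if (distinguishedName == null) return null;
        foreach (string part in distinguishedName.Split(','))
            if (part.Trim().StartsWith("CN=")) return part.Trim().Substring(3).Trim();
        return null;
    }

    // Install before the first SSL Web service call (names are the article's fictitious ones).
    public static void Install()
    {
        ServicePointManager.CertificatePolicy =
            new ExpectedNamePolicy("www.adatum.com", "www.internal.corporate.adatum.com");
    }
}
```

Every other problem code (expired certificate, untrusted issuer, revoked certificate) is still rejected, so the client keeps authenticating the server; the relaxation is limited to the one alias and one certificate name the administrator knows about.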
STATUS
This behavior is by design.

MORE INFORMATION
Steps to Reproduce the Problem
1. Create a server certificate. Assign the server certificate to a computer that is named TestComputer. When you create the server certificate, make sure that TestComputer is not the name that is typed in the Common name field.
2. Add the certificate of the issuing certification authority to the list of Trusted Root Certification Authorities if the certificate is self-issued (not issued by a trusted certification authority).
   Note It is not sufficient to add the site to the Trusted Sites zone on the Security tab in Microsoft Internet Explorer.
   To add the certificate for the certification authority, follow these steps:
   a. Start Internet Explorer. On the Tools menu, click Internet Options.
   b. Click the Content tab, and then click Certificates.
   c. Click the Trusted Root Certification Authorities tab.
   d. Click Import, and then click Next.
   e. To move to the certificate file of the certification authority, click Browse, and then click Next.
   f. Click Place all certificates in the following store, and then click Browse.
   g. Click Trusted Root Certification Authorities, click OK, click Next, and then click Finish. A message appears that indicates that the import is successful.
   h. Click Close, and then click OK.
3. Create a Microsoft ASP.NET Web service application that is named WebService1. Uncomment the HelloWorld WebMethod in WebService1.
4. Enable SSL for the WebService1 application.
5. Create an ASP.NET Web application that is named WebApplication1. Name the BUTTON control Button1.
6. Add the Web reference to WebService1 in WebApplication1.
7. In the OnClick event of Button1, call the HelloWorld WebMethod of WebService1.
8. In WebApplication1, click Button1.
You can see Button1 in the browser, and you receive the error message that is mentioned in the "Symptoms" section.
For additional information about ASP.NET security enhancements and SSL, visit the following Microsoft Developer Network (MSDN) Web site:

For additional information about configuring ASP.NET and IIS to use SSL, visit the following Microsoft Developer Network (MSDN) Web site:

For additional information about how to add and how to remove Web references, visit the following Microsoft Developer Network (MSDN) Web site:

Article ID: 823177 - Last Review: March 22, 2007 - Revision: 4.5

APPLIES TO
- Microsoft ASP.NET 1.0
- Microsoft Common Language Runtime (included with the .NET Framework 1.1)
- Microsoft Common Language Runtime (included with the .NET Framework) 1.0
- Microsoft ASP.NET 1.1
- Microsoft Web Services (included with the .NET Framework) 1.0