#1
I'm trying to capture a client cert in my ASP.NET application, and use that cert as the client cert for a call to a secure web service. I've used the following code, but am getting a 403 error on the invocation of the service. All the service is supposed to do is return the subject of the passed cert (I'll do more with it later).
-----------------------------------------------------------------------------------------------------------------------------------------
using System;
using System.Net;
using System.Security.Cryptography.X509Certificates;
using System.Web;

protected void Page_Load(object sender, EventArgs e)
{
    // Capture the client certificate IIS received for this request
    HttpClientCertificate cs = Request.ClientCertificate;
    string svcres;
    try
    {
        // Create an X509Certificate from the raw certificate bytes
        X509Certificate x509 = new X509Certificate(cs.Certificate);

        // Instantiate the service proxy
        TestCertService.Service ts = new TestCertService.Service();

        // Add the captured cert as the proxy's client certificate
        ts.ClientCertificates.Add(x509);

        // Invoke the service
        svcres = ts.CertSubject();
        Response.Write("<br><br><br>Cert from Service<br>");
        Response.Write("-------------------------------------------------------<br>");
        // HTML-encode the subject before echoing it into the page
        Response.Write("Subject = " + HttpUtility.HtmlEncode(svcres) + "<br>");
    }
    catch (WebException we)
    {
        Response.Write("WebError Invoking Service = Message:" + HttpUtility.HtmlEncode(we.Message) + "<br>");
    }
    catch (Exception ex)
    {
        Response.Write("Error Invoking Service = Message:" + HttpUtility.HtmlEncode(ex.Message) + "<br>");
    }
}
-------------------------------------------------------------------------------------------------------------------------------------------------
Is this approach sound? Is this a security issue? Any help would be appreciated.
#2
It doesn't work that way. SSL client certificate authentication involves the client with the client certificate signing part of the request with the private key for the certificate in question in order to assert ownership of the private key for the certificate. You won't have that private key on the server side of the request, so you can't "forward" or "delegate" the user's client certificate authentication to another service. If you want to do delegation, you probably need to look at an authentication protocol that supports delegation like Kerberos.

Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"hepsubah" <d... (AT) dastanley (DOT) com> wrote in message news:1188333518.117323.265320 (AT) g4g2000hsf (DOT) googlegroups.com...
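Joe's point, shown as an added demonstration that is not part of the original thread and not the questioner's C#: a Go program, since Go's standard library can run both ends of a mutual-TLS handshake on loopback with no extra dependencies. It stands up a service that requires a client certificate, connects once as a user "alice" holding her private key, then builds a client identity from nothing but the DER bytes of her certificate, which is all an ASP.NET page gets from Request.ClientCertificate.Certificate, and connects again. The names "alice" and "service", the throwaway self-signed certificates and the loopback addresses are assumptions of this example. The second connection is refused because the client cannot produce the CertificateVerify signature, so the service never sees a valid client certificate; that is the kind of refusal IIS reports as a 403 when a required client certificate is not presented.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"time"
)

// must aborts on setup errors so that only TLS handshake outcomes are returned.
func must(err error) {
	if err != nil {
		panic(err)
	}
}

// selfSigned makes a throwaway P-256 key and self-signed certificate for cn (an
// assumption of this demo): the tls.Certificate its owner presents (cert + key)
// and the parsed certificate that peers put in their trust pool.
func selfSigned(cn string, eku x509.ExtKeyUsage) (tls.Certificate, *x509.Certificate) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{eku},
		BasicConstraintsValid: true,
		IsCA:                  true,
		IPAddresses:           []net.IP{net.IPv4(127, 0, 0, 1)},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, cert
}

// startService listens on loopback. Each connection must present a client cert
// trusted via clientCA and prove possession of its key in the handshake; it is
// then answered with the cert's subject CN (the question's CertSubject()).
func startService(id tls.Certificate, clientCA *x509.Certificate) (addr string, stop func()) {
	pool := x509.NewCertPool()
	pool.AddCert(clientCA)
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{id}, ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: pool})
	must(err)
	go func() {
		for {
			conn, err := ln.Accept()
			if err != nil {
				return // listener closed by stop()
			}
			go func() {
				defer conn.Close()
				tc := conn.(*tls.Conn)
				if tc.Handshake() == nil { // fails when CertificateVerify is missing or wrong
					fmt.Fprint(tc, tc.ConnectionState().PeerCertificates[0].Subject.CommonName)
				}
			}()
		}
	}()
	return ln.Addr().String(), func() { ln.Close() }
}

// call connects to addr presenting id and returns the service's reply; the error
// carries the handshake failure or the service's alert when id is refused.
func call(addr string, id tls.Certificate, serverCA *x509.Certificate) (string, error) {
	pool := x509.NewCertPool()
	pool.AddCert(serverCA)
	conn, err := tls.Dial("tcp", addr, &tls.Config{RootCAs: pool, Certificates: []tls.Certificate{id}})
	if err != nil {
		return "", err
	}
	defer conn.Close()
	conn.SetDeadline(time.Now().Add(5 * time.Second))
	out, err := io.ReadAll(conn)
	return string(out), err
}

// Demonstrate stands up the service and the user "alice", lets alice authenticate
// with her key (accepted is the CN the service echoed back), then replays her
// public certificate alone, as new X509Certificate(cs.Certificate) does;
// replayErr is the failure that replay produces.
func Demonstrate() (accepted string, replayErr error) {
	server, serverCert := selfSigned("service", x509.ExtKeyUsageServerAuth)
	alice, aliceCert := selfSigned("alice", x509.ExtKeyUsageClientAuth)
	addr, stop := startService(server, aliceCert)
	defer stop()
	accepted, err := call(addr, alice, serverCert)
	must(err)
	// aliceCert.Raw is exactly what the front end captured: the DER of the public
	// certificate. A client identity built from it alone has no private key.
	forwarded := tls.Certificate{Certificate: [][]byte{aliceCert.Raw}} // PrivateKey == nil
	_, replayErr = call(addr, forwarded, serverCert)
	return accepted, replayErr
}

func main() {
	accepted, replayErr := Demonstrate()
	fmt.Printf("with alice's key the service answered %q\n", accepted)
	fmt.Printf("replaying her certificate without the key: %v\n", replayErr)
}
```

Run it with `go run` and the first line reports "alice", the second the replay failure. Go's client skips a tls.Certificate it cannot sign with and sends an empty Certificate message instead, so the refusal arrives as the service's bad_certificate alert; the exact error text varies between Go versions, which is why the only thing worth checking is that the replay fails at all. The same thing happens in .NET: an X509Certificate built from the bytes IIS handed you has no private key, so HttpWebRequest has nothing to sign the handshake with and the downstream server sees no client certificate.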