Care, Share and Grow! : Windows Server 2008

Required permissions when calling a Web service using client certificate for authentication in an ASP.NET Web application

Saurabh Singh — Fri, 03 Jul 2009 04:08:04 GMT

A Web service requiring Client certificate authentication is a common scenario.

You may have a client application which needs to send the Client certificate as part of the web request for accessing the web service.

This client application may be a Windows/Console application or another Web application.

Often you will get into issues wherein you are able to send Client certificate as part of the web request from a windows/console app but not from another web app. The primary reason for this could often be around Web app not being able to send the client cert to the target Web service.

This can happen for multiple reasons, in particular account under which Web app is running doesn't have enough permissions to access the Client cert in its local certificate store.

Refer to this excellent kb for this for more details.

In this post I want to highlight ways in which you can grant access to the Web application account to access the Client certificate in its local machine store.

When we have to send client cert as part of the web service call from a web app we need to ensure that the client cert is installed in the Local Computer -> Personal Store on the local box (where Web app is running). By default you will see the client cert installed in the Local User Store for the user who requested and installed the cert on the machine. You need to ensure first that the client cert is installed on the Local Computer Store instead of the Local User Store and then follow any of the methods below to grant access to the private key for the account (under which your web app is running).

Method 1:

The above article kb gives an example of granting access using the Microsoft Windows HTTP Services Certificate Configuration Tool

> WinHttpCertCfg.exe -g -c LOCAL_MACHINE\MY -s " IssuedToName " -a " AccountName "

for e.g.

> WinHttpCertCfg.exe -g -c LOCAL_MACHINE\MY -s " IssuedToName " -a "Network Service"

There are other ways in which you can achieve the same result. This feature is in fact built in on Windows Server 2008 within the Certificate mmc console.

Method 2:

Using the WSE X509 Certificate tool (This tool has features that can be used to check certificate properties).

You need to download Web Services enhancements (WSE) 2.0+ SP3 for Microsoft.Net and in the install wizard ensure you select Tools as shown below:

Once installed go ahead and launch the tool. It has a clean UI. You have the option to check certificates in the Local Computer/Current user for the available stores like Personal/Trusted/Intermediate Root CA etc. If you click on View Private Key File Properties (shown below) you can directly modify the permission for private key associated with the certificate. Basically this is just a file under C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys on Win2k3 server and C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys on Win2k8 server.

You may want to go ahead and give the Service account under which the web app is running Full permission on this file (modify the permissions from the Security tab).

Method 3:

If you are running the web app on Windows Server 2008/Vista there is a far simpler way built in the Certificate mmc.

Right click on the certificate and go to All Tasks -> Manage Private Keys and then give Full permission for the associated account.

Till next time..

Cheers!

Considering hosting Web based services on IIS 7.0?

Saurabh Singh — Tue, 10 Mar 2009 19:35:54 GMT

If you are contemplating to move over (upgrade) to IIS 7.0 from your existing Web hosting on either IIS 5.0 or 6.0 this is a very useful Technical White Paper link. It talks about various aspects of improvements in IIS 7.0 dealing with Management, Performance, Extensibility, Security and Deployment.

Migrating a Large, High-Volume Web Site to Internet Information Services 7.0

Cheers!

New features in SETSPN.EXE on Windows Server 2008

Saurabh Singh — Fri, 09 Jan 2009 03:05:00 GMT

The version of Setspn.exe that came with Microsoft Windows Server 2000/2003 Support Tools did not have features to detect duplicate SPNs. The new version of Setspn.exe that comes bundled with Windows Server 2008 utilities has some really cool features. For someone dealing with the dreaded Kerberos authentication failure issues on a daily basis like me it's a sigh of relief.

If you try the following command on the Windows Server 2008 you will see the various new options (or switches) available.

Notice the modifiers/switches:

-F = perform the duplicate checking on forestwide level

-S = add arbitrary SPN after verifying no duplicates exist

-Q = query for existence of SPN

-X = search for duplicate SPNs

Searching for duplicate SPNs using Setspn.exe:

D:\>setspn -X http/www.test.com
Processing entry 0
http/www.test.com is registered on these accounts:
    CN=mstest,CN=Users,DC=<some-DC-primary>,DC=<some-DC-secondary>
    CN=<IIS-servername>,OU=Domain Controllers,DC=<some-DC-primary>,DC=<some-DC-secondary> 

found 1 group of duplicate SPNs.

Searching for the existence of an SPN in the domain:

D:\>setspn -Q http/www.test.com
CN=<IIS-servername>,OU=Domain Controllers,DC=<some-DC-primary>,DC=<some-DC-secondary>
    http/www.test.com
    ldap/2334590-45566-113f....
    HOST/<IIS-servername>
    HOST/<IIS-servername.<some-DC-primary>.<some-DC-secondary>
    .......
    .......
CN=mstest,CN=Users,DC=<some-DC-primary>,DC=<some-DC-secondary>
    http/www.test.com 

Existing SPN found!

Adding an arbitrary SPN after verifying no duplicates exist in the domain:

D:\>setspn -S http/www.test.com <IIS-servername>
CN=mstest,CN=Users,.<some-DC-primary>.<some-DC-secondary>
    http/www.test.com 

Duplicate SPN found, aborting operation!

Adding an arbitrary SPN after verifying no duplicates exist in the forest:

D:\>setspn -F -S http/www.test.com <IIS-servername>
Operation will be performed forestwide, it might take a while.
CN=mstest,CN=Users,DC=<some-DC-primary>,DC=<some-DC-secondary>
    http/www.test.com
CN=mstest1,CN=Users,DC=<some-DC-primary>,DC=<some-DC-secondary>
    http/www.test.com 

Duplicate SPN found, aborting operation!

So what does this mean? It means you no longer have to depend upon boggling commands using LDIFDE or your own custom scripts to find out the duplicate SPNs. This is a good news indeed!

*Prior to this using Windows Server 2000/2003 Support Tools we could use commands using LDIFDE to find duplicate SPNs as below:

Syntax:

ldifde -f <filename> -d "<dc=domain-netbiosname,dc=primary-domain>" -l serviceprincipalname -r "(serviceprincipalname=<serviceprincipalname-to-check-for-duplicates>)" -p subtree

For example, if the domain name is test.abcd.com and the site URL is http//test.abcd.com command should be as shown below:

ldifde –f C:\log.txt -d "dc=test, dc=abcd, dc=com"-l serviceprincipalname –r "(serviceprinicpalname=http/test.abcd.com)" -p subtree

With the newer version of Setspn hopefully the dependency on the above command should reduce drastically.

Till next time,

Cheers!