Select the product you need help with
- Internet Explorer
- Windows Phone
- More products
FIX: ASP.NET Web application cannot deliver a client certificate to a security-enhanced Web site
Article ID: 817854 - View products that this article applies to.
You try to call a Web service or another HTTP resource or HTTPS resource, and the Web service or the resource is security-enhanced by using a client certificate. If the client certificate is implemented by using the Microsoft .NET Framework, your code may work when you run it in a Microsoft Windows Forms application or in a console application. However, the same code does not work when you run it in the context of Microsoft ASP.NET.
For example, when you run the code in an ASP.NET Web application, you receive the following error message:
System.Net.WebException. The Underlying Connection Was Closed. Could Not Establish Trust Relationship with Remote Server.
This problem occurs because the System.Net classes look only in the certificate store of the current user. However, code that is running in the context of a non-interactive account, such as the ASPNET account or the Network Service account that ASP.NET uses, cannot access this certificate store.
Apply the following hotfix. After you apply this hotfix, the System.Net classes will also look in the certificate store of the local computer. If the certificate is installed, and the correct permissions have been granted in the certificate store of the local computer, the code will work as expected.
A supported hotfix is now available from Microsoft, but it is only intended to correct the problem that is described in this article. Only apply it to systems that are experiencing this specific problem. This hotfix may receive additional testing. Therefore, if you are not severely affected by this problem, we recommend that you wait for the next .NET Framework 1.0 service pack that contains this hotfix.
To resolve this problem immediately, contact Microsoft Product Support Services to obtain the hotfix. For a complete list of Microsoft Product Support Services telephone numbers and information about support costs, visit the following Microsoft Web site:
http://support.microsoft.com/contactus/?ws=supportNote In special cases, charges that are ordinarily incurred for support calls may be canceled if a Microsoft Support Professional determines that a specific update will resolve your problem. The usual support costs will apply to additional support questions and issues that do not qualify for the specific update in question.
The English version of this hotfix has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.
Date Time Version Size File name ------------------------------------------------------------------------ 02-Apr-2003 05:52 1.0.3705.418 20,480 Perfcounter.dll 02-Apr-2003 06:01 1.0.3705.418 1,175,552 System.dll 02-Apr-2003 05:04 1.0.3705.418 311,296 System.runtime.remoting.dll 02-Apr-2003 05:56 1.0.3705.418 503,808 System.web.services.dll
For information about how to work around this problem without applying the hotfix, visit the following Microsoft Web site:
Microsoft has confirmed that this is a bug in the Microsoft products that are listed in the "Applies to" section.
After this fix is installed, the client certificate must be installed in the Machine store. Use the MMC Certificate snap-in to add the certificate in the following location:
Certificates (Local Computer)\Personal\CertificatesThe WinHttpCertCfg utility can be used to put a certificate in the correct store and to add permissions for the ASP.NET user to access the certificate. For more information about the WinHttpCertCfg utility, visit the following Microsoft Developer Network (MSDN) Web site:
Warning You can use the MMC Certificate snap-in to import the certificate directly to the Certificates (Local Computer) store. However, if you have already imported the certificate to the current user's store, do not use the drag-and-drop method in the MMC Certificate snap-in to move the certificate to the Local Computer store.
For example, earlier, you double-clicked the certificate (.cer) file and then followed the instructions in the wizard to import the certificate to the current user's store. If you now use the drag-and-drop method in the MMC Certificate snap-in to move the certificate to the Local Computer store, the private key is not copied during the move operation. The private key is required to complete the certificate authentication handshake with the server.
For additional information about this problem, click the following article number to view the article in the Microsoft Knowledge Base:
(http://support.microsoft.com/kb/837350/ )ISA Server 2000 cannot access an imported SSL certificate
http://msdn2.microsoft.com/en-us/library/aa384088.aspxTo obtain the WinHttpCertCfg utility, visit the following Microsoft Web site:
http://www.microsoft.com/downloads/details.aspx?familyid=c42e27ac-3409-40e9-8667-c748e422833f&displaylang=enAfter the certificate is in the certificate store, and after the correct user has been added and has been granted the correct permissions, you can use the following code to send the certificate as part of the request:
For example, for the ASP.NET user, the ASPNET user account must be added and must be granted the correct permissions.
Note This issue is also fixed in the .NET Framework 1.1 through the June 2003 ASP.NET hotfix package. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
821156Note You cannot obtain the 1.1 version of this hotfix individually. You must install the rollup.
(http://support.microsoft.com/kb/821156/ )ASP.NET 1.1 June 2003 hotfix rollup package