| Groups | Blog | Home |
asp.net security : Could not establish trust relationship with remote server
I've got two web services both running on the same web server. Both web services are accesses via https and the same root level domain. I wrote the client application which post information to one of the web services and depending on which method was invoked calls the second web service for additional functionality. I received the following error when I first wrote the client application: The underlying connection was closed: Could not establish trust relationship with remote server To correct this I implemented the ICertificatePolicy interface and forced the method to always return true. I then set the ServicePointManager's CertificatePolicy property to an instance of the class which implements the interface. This resolved the problem from client perspective. However, when the web service calls into the other web service, I get the error as well. My resolution was to do the same from which in the primary web service. When I call the second web service (from the primary web service), I create an instance of the same class and set the ServicePointManager's property. This however does not solve the problem the same was that it does when the client application encounters this error. These web service are hosted within an ASP environment. I'm no expert here, so it there some way the environment could be setup that some security boundry is preventing the two web services from communicating correctly? Many thanks Al
ah... i spent weeks with this annoying message in the past!
i am sure you read all the standard causes of this issue already. 2 additional things to check for: 1. One odd and interesting cause of this for me that took forever to figure out, was that the user running the website had insufficient rights to access the registry, which apparently is needed to retrieve the trusted certificate, or something having to do with above process. to troubleshoot you could make the user running the website application that is throwing this exception ( aspnet or nt authority etc) admin, and if that fixes it, remove the admin right, than go to run>regedt32>edit>permissions, and add read rights for your iis user there. 2. another (non standard) problem that caused this for me in the past, was that the server running behind a firewall, and the IIS user did not attempt to go through the proxy server. the proxy settings can be applied in registry, but to quickly test if this is the case perform the following test: - create a console app that consumes the remote https service - open a website directly to that https service to ensure that you can access it - run the console app and see if it is successful. - what is happening here, is that you are running that app as you, and it is using the same proxy server you have setup in MSIE to make your browser hit the proxy. if you discovered that your app is working, hopefuly you have a skilled systems group [as we did] that will apply apropriate proxy settings to your internet user. this can be done in registry, or you can login as that user ( you may need to change local logon policy so he's allowed to logon ) and than change proxy settings in msie. this get's written to registry current_user node and will be available for the furture for that user. hope that helps. - Rafal [quoted text, click to view] AL wrote:
> Hi > > I've got two web services both running on the same web server. Both web > services are accesses via https and the same root level domain. > > I wrote the client application which post information to one of the web > services and depending on which method was invoked calls the second web > service for additional functionality. > > I received the following error when I first wrote the client application: > > The underlying connection was closed: Could not establish trust relationship > with remote server > > To correct this I implemented the ICertificatePolicy interface and forced > the method to always return true. I then set the ServicePointManager's > CertificatePolicy property to an instance of the class which implements the > interface. > > This resolved the problem from client perspective. > > However, when the web service calls into the other web service, I get the > error as well. My resolution was to do the same from which in the primary web > service. > > When I call the second web service (from the primary web service), I create > an instance of the same class and set the ServicePointManager's property. > This however does not solve the problem the same was that it does when the > client application encounters this error. > > These web service are hosted within an ASP environment. I'm no expert here, > so it there some way the environment could be setup that some security > boundry is preventing the two web services from communicating correctly? > > Many thanks > > Al
Hi
Thanks for the feedback In regard to point 1. The web service which make the call is impersonating and the only user allowed is a "service user". I assume I will need to grant this user rights in the registry. Can you provide me with detail on which registry keys I need to give rights to? Many thanks Al [quoted text, click to view] "sonic" wrote:
> ah... i spent weeks with this annoying message in the past! > i am sure you read all the standard causes of this issue already. > 2 additional things to check for: > 1. > One odd and interesting cause of this for me that took forever to > figure out, was that the user running the website had insufficient > rights to access the registry, which apparently is needed to retrieve > the trusted certificate, or something having to do with above process. > to troubleshoot you could make the user running the website application > that is throwing this exception ( aspnet or nt authority etc) admin, > and if that fixes it, remove the admin right, than go to > run>regedt32>edit>permissions, and add read rights for your iis user > there. > 2. > another (non standard) problem that caused this for me in the past, was > that the server running behind a firewall, and the IIS user did not > attempt to go through the proxy server. the proxy settings can be > applied in registry, but to quickly test if this is the case perform > the following test: > - create a console app that consumes the remote https service > - open a website directly to that https service to ensure that you > can access it > - run the console app and see if it is successful. > - what is happening here, is that you are running that app as you, and > it is using the same proxy server you have setup in MSIE to make your > browser hit the proxy. > if you discovered that your app is working, hopefuly you have a skilled > systems group [as we did] that will apply apropriate proxy settings to > your internet user. this can be done in registry, or you can login as > that user ( you may need to change local logon policy so he's allowed > to logon ) and than change proxy settings in msie. this get's written > to registry current_user node and will be available for the furture for > that user. > > hope that helps. > - Rafal > > > AL wrote: > > Hi > > > > I've got two web services both running on the same web server. Both web > > services are accesses via https and the same root level domain. > > > > I wrote the client application which post information to one of the web > > services and depending on which method was invoked calls the second web > > service for additional functionality. > > > > I received the following error when I first wrote the client application: > > > > The underlying connection was closed: Could not establish trust relationship > > with remote server > > > > To correct this I implemented the ICertificatePolicy interface and forced > > the method to always return true. I then set the ServicePointManager's > > CertificatePolicy property to an instance of the class which implements the > > interface. > > > > This resolved the problem from client perspective. > > > > However, when the web service calls into the other web service, I get the > > error as well. My resolution was to do the same from which in the primary web > > service. > > > > When I call the second web service (from the primary web service), I create > > an instance of the same class and set the ServicePointManager's property. > > This however does not solve the problem the same was that it does when the > > client application encounters this error. > > > > These web service are hosted within an ASP environment. I'm no expert here, > > so it there some way the environment could be setup that some security > > boundry is preventing the two web services from communicating correctly? > > > > Many thanks > > > > Al >
hi,
to save your self some time, and if you are sure which user is running the web service, make that user an administrator and see if that fixes the problem. if it does, than you can cnofigure his rights regarding to specific registry nodes. i am not sure which node it was exactly right now, but im pretty sure it was read access . you can assign these rights by running regedt32 [quoted text, click to view] AL wrote:
> Hi > > Thanks for the feedback > > In regard to point 1. The web service which make the call is impersonating > and the only user allowed is a "service user". I assume I will need to grant > this user rights in the registry. Can you provide me with detail on which > registry keys I need to give rights to? > > Many thanks > > Al > > "sonic" wrote: > > > ah... i spent weeks with this annoying message in the past! > > i am sure you read all the standard causes of this issue already. > > 2 additional things to check for: > > 1. > > One odd and interesting cause of this for me that took forever to > > figure out, was that the user running the website had insufficient > > rights to access the registry, which apparently is needed to retrieve > > the trusted certificate, or something having to do with above process. > > to troubleshoot you could make the user running the website application > > that is throwing this exception ( aspnet or nt authority etc) admin, > > and if that fixes it, remove the admin right, than go to > > run>regedt32>edit>permissions, and add read rights for your iis user > > there. > > 2. > > another (non standard) problem that caused this for me in the past, was > > that the server running behind a firewall, and the IIS user did not > > attempt to go through the proxy server. the proxy settings can be > > applied in registry, but to quickly test if this is the case perform > > the following test: > > - create a console app that consumes the remote https service > > - open a website directly to that https service to ensure that you > > can access it > > - run the console app and see if it is successful. > > - what is happening here, is that you are running that app as you, and > > it is using the same proxy server you have setup in MSIE to make your > > browser hit the proxy. > > if you discovered that your app is working, hopefuly you have a skilled > > systems group [as we did] that will apply apropriate proxy settings to > > your internet user. this can be done in registry, or you can login as > > that user ( you may need to change local logon policy so he's allowed > > to logon ) and than change proxy settings in msie. this get's written > > to registry current_user node and will be available for the furture for > > that user. > > > > hope that helps. > > - Rafal > > > > > > AL wrote: > > > Hi > > > > > > I've got two web services both running on the same web server. Both web > > > services are accesses via https and the same root level domain. > > > > > > I wrote the client application which post information to one of the web > > > services and depending on which method was invoked calls the second web > > > service for additional functionality. > > > > > > I received the following error when I first wrote the client application: > > > > > > The underlying connection was closed: Could not establish trust relationship > > > with remote server > > > > > > To correct this I implemented the ICertificatePolicy interface and forced > > > the method to always return true. I then set the ServicePointManager's > > > CertificatePolicy property to an instance of the class which implements the > > > interface. > > > > > > This resolved the problem from client perspective. > > > > > > However, when the web service calls into the other web service, I get the > > > error as well. My resolution was to do the same from which in the primary web > > > service. > > > > > > When I call the second web service (from the primary web service), I create > > > an instance of the same class and set the ServicePointManager's property. > > > This however does not solve the problem the same was that it does when the > > > client application encounters this error. > > > > > > These web service are hosted within an ASP environment. I'm no expert here, > > > so it there some way the environment could be setup that some security > > > boundry is preventing the two web services from communicating correctly? > > > > > > Many thanks > > > > > > Al > > > >
Hi
The administrators on the ASP (application service provider) managed to fix the problem. It related to the DNS entries for the secure site being registered externally only. Once the internal entries were made the problem was resolved. Thanks for the pointers :) Al [quoted text, click to view] "sonic" wrote:
> hi, > to save your self some time, and if you are sure which user is running > the web service, make that user an administrator and see if that fixes > the problem. > if it does, than you can cnofigure his rights regarding to specific > registry nodes. i am not sure which node it was exactly right now, but > im pretty sure it was read access . > you can assign these rights by running regedt32 > > AL wrote: > > Hi > > > > Thanks for the feedback > > > > In regard to point 1. The web service which make the call is impersonating > > and the only user allowed is a "service user". I assume I will need to grant > > this user rights in the registry. Can you provide me with detail on which > > registry keys I need to give rights to? > > > > Many thanks > > > > Al > > > > "sonic" wrote: > > > > > ah... i spent weeks with this annoying message in the past! > > > i am sure you read all the standard causes of this issue already. > > > 2 additional things to check for: > > > 1. > > > One odd and interesting cause of this for me that took forever to > > > figure out, was that the user running the website had insufficient > > > rights to access the registry, which apparently is needed to retrieve > > > the trusted certificate, or something having to do with above process. > > > to troubleshoot you could make the user running the website application > > > that is throwing this exception ( aspnet or nt authority etc) admin, > > > and if that fixes it, remove the admin right, than go to > > > run>regedt32>edit>permissions, and add read rights for your iis user > > > there. > > > 2. > > > another (non standard) problem that caused this for me in the past, was > > > that the server running behind a firewall, and the IIS user did not > > > attempt to go through the proxy server. the proxy settings can be > > > applied in registry, but to quickly test if this is the case perform > > > the following test: > > > - create a console app that consumes the remote https service > > > - open a website directly to that https service to ensure that you > > > can access it > > > - run the console app and see if it is successful. > > > - what is happening here, is that you are running that app as you, and > > > it is using the same proxy server you have setup in MSIE to make your > > > browser hit the proxy. > > > if you discovered that your app is working, hopefuly you have a skilled > > > systems group [as we did] that will apply apropriate proxy settings to > > > your internet user. this can be done in registry, or you can login as > > > that user ( you may need to change local logon policy so he's allowed > > > to logon ) and than change proxy settings in msie. this get's written > > > to registry current_user node and will be available for the furture for > > > that user. > > > > > > hope that helps. > > > - Rafal > > > > > > > > > AL wrote: > > > > Hi > > > > > > > > I've got two web services both running on the same web server. Both web > > > > services are accesses via https and the same root level domain. > > > > > > > > I wrote the client application which post information to one of the web > > > > services and depending on which method was invoked calls the second web > > > > service for additional functionality. > > > > > > > > I received the following error when I first wrote the client application: > > > > > > > > The underlying connection was closed: Could not establish trust relationship > > > > with remote server > > > > > > > > To correct this I implemented the ICertificatePolicy interface and forced > > > > the method to always return true. I then set the ServicePointManager's > > > > CertificatePolicy property to an instance of the class which implements the > > > > interface. > > > > > > > > This resolved the problem from client perspective. > > > > > > > > However, when the web service calls into the other web service, I get the > > > > error as well. My resolution was to do the same from which in the primary web > > > > service. > > > > > > > > When I call the second web service (from the primary web service), I create > > > > an instance of the same class and set the ServicePointManager's property. > > > > This however does not solve the problem the same was that it does when the > > > > client application encounters this error. > > > > > > > > These web service are hosted within an ASP environment. I'm no expert here, > > > > so it there some way the environment could be setup that some security > > > > boundry is preventing the two web services from communicating correctly? > > > > > > > > Many thanks > > > > > > > > Al > > > > > > >
[quoted text, click to view]
> The administrators on the ASP (application service provider) managed to fix > the problem. > > It related to the DNS entries for the secure site being registered > externally only. Once the internal entries were made the problem was resolved. argh.. i assumed you tried going directly to the service url in a browser and that worked. that is always good to check first.
Don't see what you're looking for? Try a search.
|
July 2003
August 2003
September 2003
October 2003
November 2003
December 2003
January 2004
February 2004
March 2004
April 2004
May 2004
June 2004
July 2004
August 2004
September 2004
October 2004
November 2004
December 2004
January 2005
February 2005
March 2005
April 2005
May 2005
June 2005
July 2005
August 2005
September 2005
October 2005
November 2005
December 2005
January 2006
February 2006
March 2006
April 2006
May 2006
June 2006
July 2006
August 2006
September 2006
October 2006
November 2006
December 2006
January 2007
February 2007
March 2007
April 2007
May 2007
June 2007
July 2007
August 2007
September 2007
October 2007
November 2007
December 2007
January 2008
February 2008
March 2008
April 2008
May 2008
June 2008
| home · blog · groups | Questions? Comments? Contact the dn |