
Common Problems while Consuming Web Services over SSL in .NET

11 Jul 2009, CPOL
Common problems and solutions while consuming SSL enabled web services in .NET

Introduction

Security is a general concern with web services because SOAP request and response messages are exchanged between the web service and the client in plain text. Although WSE 2.0/3.0 and WCF make it possible to encrypt the sensitive information in the message, using SSL (HTTPS) for the communication is the commonly accepted practice.

This article discusses the problems that generally come up when an SSL-enabled service with a self-signed (test) certificate is consumed by a .NET application.

Background

To implement SSL on your web service, you need to get a certificate issued by a Certificate Authority (CA) and install it on your web server (IIS). Mostly this certificate is used only in production environments. In development and test environments, a self-signed certificate (test certificate) is used instead. You can generate a test certificate with the MakeCert.exe tool (included in the .NET Framework SDK) or with the IIS 6.0 Resource Kit Tools.

Problem #1

When you try to access an SSL-enabled web service from your C# code, you will get the following error:

"The underlying connection was closed: Could not establish trust relationship with remote server."

This happens with a test (self-signed) certificate, and also with a certificate issued by a CA when the host name you connect to does not match the name the certificate was issued for, for example when you access the service through an external IP address.

Root Cause of Problem #1

How many times have you observed the following windows in your browsers when browsing an HTTPS web page or a web service?

[Screenshots: the certificate warning pages displayed by Internet Explorer 8, Firefox 3.0.10 and Google Chrome]

All three browsers (Internet Explorer 8, Firefox 3.0.11 and Chrome) ask the user to choose between closing the window and adding an exception, because they could not verify that the certificate was issued by a valid CA.

Solution to Problem #1

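When you access the web service from your C# code, you have to do the same thing you did in the browser: trust the certificate. There is no message window in which to accept it when you access the service programmatically, so you simulate the window's answer in code and tell the framework to trust the certificate.

Here is the code that simulates the message window.

Add the following code just before invoking a web service method. The callback is a setting for the whole application domain, and as written it accepts every certificate from every server, so keep it to the development and test environments with self-signed certificates that this article is about: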

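// Requires: using System.Net; using System.Net.Security;
//           using System.Security.Cryptography.X509Certificates;
// Accepts every server certificate, whatever validation errors were found.
ServicePointManager.ServerCertificateValidationCallback
    = delegate(Object obj, X509Certificate certificate, X509Chain chain,
               SslPolicyErrors errors)
    { return true; };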
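
An added example, not part of the original article: a narrower callback for the same problem, which accepts the server only when validation already succeeded or when the certificate's thumbprint matches the one test certificate you expect. The class name, the `PinnedThumbprint` field and the `SelfSigned` helper are hypothetical, and `CertificateRequest` assumes .NET Framework 4.7.2 or later.

```csharp
using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class TestCertificateTrust
{
    // Hypothetical setting: SHA-1 thumbprint (hex) of the one test certificate to accept.
    public static string PinnedThumbprint;

    public static bool Validate(object sender, X509Certificate certificate,
                                X509Chain chain, SslPolicyErrors errors)
    {
        // Chain and host name already verified: no exception needed.
        if (errors == SslPolicyErrors.None) return true;
        if (certificate == null || string.IsNullOrEmpty(PinnedThumbprint)) return false;
        // Otherwise accept only the expected self-signed certificate.
        return string.Equals(certificate.GetCertHashString(), PinnedThumbprint,
                             StringComparison.OrdinalIgnoreCase);
    }

    // Constructed sample input: a throwaway self-signed certificate.
    static X509Certificate2 SelfSigned(string subject)
    {
        using (RSA rsa = RSA.Create(2048))
        {
            var request = new CertificateRequest(subject, rsa,
                HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
            return request.CreateSelfSigned(DateTimeOffset.UtcNow,
                                            DateTimeOffset.UtcNow.AddDays(1));
        }
    }

    static void Main()
    {
        X509Certificate2 expected = SelfSigned("CN=test-service");
        X509Certificate2 impostor = SelfSigned("CN=test-service"); // same name, other key
        PinnedThumbprint = expected.Thumbprint;

        SslPolicyErrors untrusted = SslPolicyErrors.RemoteCertificateChainErrors;
        Console.WriteLine("pinned certificate accepted: {0}",
                          Validate(null, expected, null, untrusted));
        Console.WriteLine("impostor accepted: {0}",
                          Validate(null, impostor, null, untrusted));
        // Register once, before invoking the web service proxy.
        ServicePointManager.ServerCertificateValidationCallback = Validate;
    }
}
```

In a real test setup, read the thumbprint from configuration rather than generating a certificate in `Main`; the generated pair here only exercises the callback offline.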

Problem #2

Sometimes even after implementing Solution #1, you might get the following error:

Server was unable to process request. ---> Unable to generate a temporary
class (result=1).
error CS2001: Source file 'C:\WINDOWS\TEMP\zezde3bz.0.cs' could not be found
error CS2008: No inputs specified

Root Cause of Problem #2  

Two different settings can cause this problem:

  1. The ASPNET and IUSR users on your system do not have read/write access to 'C:\WINDOWS\TEMP\'.
  2. Your workstation is in a different network domain and its WORKGROUP is different. Trust me on this!! In corporate environments where we work in multiple domains (clients and our employers), it is very much possible that you are logging into the system with your employer's domain login credentials while your IP address is in your client's domain.

Solution to Problem #2

Needless to say, the solution is straightforward:

  1. The permission problem can be caused by an improper .NET Framework installation. You can re-install the framework, or you can just add permissions for the ASPNET and IUSR users on 'C:\WINDOWS\TEMP\'.
  2. In the second case, what worked for me is either to use a local login with the workstation not in any workgroup, or to put the workstation in the same workgroup as its network domain.

History

  • 11th July, 2009: Initial post

License

This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


About the Author

Kishore Nandagiri
Web Developer, Bank of America
India

Comments and Discussions

 
Question: I think this is by pass technic to HTTPS. | ravirajput85@gmail.com2-Jul-14 0:23
Question: Thanks nice article | sunny_mittal28-May-14 12:51
Question: Missing { in ServerCertificateValidationCallback code | chu2862120-Apr-12 6:31
Question: A good article! | Nguyen Thanh Luc11-Oct-11 18:21
Question: Very helpful. | daviessolutions5-Aug-11 7:23
General: [My vote of 1] nothing new | Md. Marufuzzaman11-Jul-09 7:31
General: Re: [My vote of 1] nothing new | Kishore Nandagiri11-Jul-09 19:44
General: Re: [My vote of 1] nothing new | Sathishkumar_P23-Aug-11 1:00
This is completely new to me and useful my vote 4. (Don't discourage other mate!)

Last Updated 11 Jul 2009
Article Copyright 2009 by Kishore Nandagiri