The agent which I am developing with the Edustructures ADK (2.3 for .NET, UK version) is connecting to a non-Edustructures ZIS that runs under IIS. I wish to enable the 'Require client certificates' option in IIS and have my agent present such a certificate.
I have set my agent to use the https transport, have set the authenticationLevel property to 2, and have configured the clientCertName property. In the agent's debug log, I can see that the correct certificate is being retrieved from my computer. But when the agent attempts to connect to the ZIS, a 'Forbidden' message is returned.
If I point a web browser at the ZIS and present the same client certificate which my agent is supposed to be using, then I can access the ZIS - so the ZIS must trust the certificate and its issuing CA. This makes me think that my agent is not actually sending my client certificate - is there an option which I've forgotten to enable? Can anyone provide any pointers here?
Thanks in advance,
Phil.
Phil,
To help us track this down, will you turn your logging all the way up and send us the logs that the ADK generates at the time that the agent is selecting certificates? Those logs should contain every certificate used and not used and indicate the reasons for not using them.
I think that will help us get closer to a solution.
Thanks!
-Jared
Hi Jared,
Thanks for responding.
Here's a (slightly anonymised) extract from my agent log when running with Adk.Debug=AdkDebugFlags.All :
2010-03-01 16:12:41,275 DEBUG [ADK] Using SIF 2.3
2010-03-01 16:12:41,280 INFO [ADK.Agent] Initializing agent...
2010-03-01 16:12:41,288 INFO [ADK.Agent] Agent initialized
2010-03-01 16:12:41,292 DEBUG [ADK.Agent] Setting HTTPS transport property from configuration file: clientCertName = C=GB,S=abc,L=def,O=ghi,OU=SIF,CN=agent.xyz
2010-03-01 16:12:41,546 DEBUG [ADK.Agent] Reading SIF_Request ID cache: C:\Users\phil.INTRA\Documents\Visual Studio 2008\Projects\IdentityPublisher\IdentityPublisher\bin\Debug\work\requests.adk
2010-03-01 16:12:41,549 DEBUG [ADK.Agent] Read 0 pending SIF_Request IDs from cache
2010-03-01 16:12:41,575 DEBUG [ADK.Agent$PhilTest2] Send SIF_Register
2010-03-01 16:12:41,576 DEBUG [ADK.Agent$PhilTest2] MsgId: C36EFBC568284D15BE1F559C9F12DCCA
2010-03-01 16:12:41,609 DEBUG [ADK.Agent.transport$https] Using Certificate store CurrentUser / My
2010-03-01 16:12:41,618 DEBUG [ADK.Agent.transport$https] Using this certificate for Client Authentication: CERTIFICATE: Format: X509 Name: agent.xyz Issuing CA: TERENA SSL CA Key Algorithm: 1.2.840.113549.1.1.5 Serial Number: 00AB6CD35E9679BAD145BA9C2283004F02 Key Alogrithm Parameters: 0500 Public Key: <hex>
2010-03-01 16:12:41,729 DEBUG [ADK.Agent$PhilTest2] Sending message (1307 bytes)
2010-03-01 16:12:41,730 DEBUG [ADK.Agent$PhilTest2] <SIF_Message Version="2.3" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://www.sifinfo.org/uk/infrastructure/2.x"> <SIF_Register> <SIF_Header> <SIF_MsgId>C36EFBC568284D15BE1F559C9F12DCCA</SIF_MsgId> <SIF_Timestamp>2010-03-01T16:12:41.5726382Z</SIF_Timestamp> <SIF_Security> <SIF_SecureChannel> <SIF_AuthenticationLevel>2</SIF_AuthenticationLevel> <SIF_EncryptionLevel>4</SIF_EncryptionLevel> </SIF_SecureChannel> </SIF_Security> <SIF_SourceId>IdentityPublisher</SIF_SourceId> </SIF_Header> <SIF_Name>IdentityPublisher</SIF_Name> <SIF_Version>2.3</SIF_Version> <SIF_Version>1.1</SIF_Version> <SIF_Version>1.5r1</SIF_Version> <SIF_Version>2.0</SIF_Version> <SIF_Version>2.0r1</SIF_Version> <SIF_Version>2.1</SIF_Version> <SIF_Version>2.2</SIF_Version> <SIF_MaxBufferSize>393216</SIF_MaxBufferSize> <SIF_Mode>Pull</SIF_Mode>
<snip> </SIF_Register></SIF_Message>
2010-03-01 16:12:41,876 WARN [ADK.Agent$PhilTest2] Error attempting to sleep:Zone is not connectedZone is not connected
2010-03-01 16:12:41,878 INFO [ADK.Agent] Shutting down agent...
2010-03-01 16:12:41,879 INFO [ADK.Agent$PhilTest2] Shutting down zone...
2010-03-01 16:12:41,880 INFO [ADK.Agent$PhilTest2] Shutting down Message Dispatcher
2010-03-01 16:12:41,880 INFO [ADK.Agent$PhilTest2] Shutting down Protocol Handler
2010-03-01 16:12:41,880 INFO [ADK.Agent$PhilTest2] Zone shutdown complete
2010-03-01 16:12:41,880 INFO [ADK.Agent] Shutting down Transports...
2010-03-01 16:12:41,881 DEBUG [ADK.Agent] Agent shutdown complete
I don't suppose it's relevant, but I notice that when the certificate is found there's a typo in the logs: "Key Alogrithm Parameters" should be "Key Algorithm Parameters"
I hope this helps,
Hi Phil,
We're not exactly sure what's going wrong here. It looks like the ADK is selecting the right certificate. Do you see any exceptions getting thrown when it calls Zone.Connect()?
For your information, the .NET ADK uses HTTPWebRequest and passes the client certificate to it when it goes to make the connection to the zone. It may be a good idea to contact your ZIS vendor to find out if there are other requirements for connecting over HTTPS at AuthenticationLevel 2. We know that this works with the SIFWorks ZIS so we're wondering if there is some other requirement from the ZIS you're connecting to.
Thanks for the heads up on the misspelling.
I've fixed the problem. I knew it wasn't a ZIS issue, as the 403 error was being presented by IIS rather than the ZIS - in other words, my agent's messages weren't getting as far as the ZIS.
It turned out that my client PC was missing an intermediate certificate. To add to the confusion, a certificate with the same name as the missing intermediate existed on my PC as a Trusted Root CA - but with only "Server Authentication" as an Intended Purpose. So if I examined my client certificate, it appeared to have a valid chain - but no client would present it because "Client Authentication" was not an acceptable Purpose. After adding the missing intermediate certificate, everything sprang into life immediately.
Sorry to have wasted your time with this! (But at least we found that misspelling!)
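The thread turns on two points: Jared's note that the .NET ADK simply hands the selected certificate to HttpWebRequest, and Phil's finding that a certificate can look fine in the store yet never be presented because its chain is incomplete or not valid for the Client Authentication purpose. The C# diagnostic below is an added example for this thread; it is not part of the Edustructures ADK or of Phil's agent. It looks the certificate up by subject in CurrentUser/My as the ADK log shows, builds the chain with the Client Authentication application policy so that a missing intermediate (PartialChain) or a CA trusted only for Server Authentication (NotValidForUsage) is reported instead of silently withholding the certificate, and only then attaches it to an HttpWebRequest. The class name, the subject distinguished name and the ZIS URL are placeholders of my own, and the assumption that SChannel applies a similar chain check before offering a client certificate is mine, not something the thread states.

```csharp
using System;
using System.Net;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Text;

// Added diagnostic for this thread; not part of the Edustructures ADK.
// Subject name and ZIS URL are placeholders, not values from the thread.
static class ClientCertCheck
{
    // Enhanced key usage OID for "Client Authentication" (id-kp-clientAuth).
    const string ClientAuthOid = "1.3.6.1.5.5.7.3.2";

    // Placeholders: substitute your own agent certificate subject and ZIS URL.
    const string ClientCertSubject = "CN=agent.example, OU=SIF, O=Example, C=GB";
    const string ZisUrl = "https://zis.example.invalid/";

    // Look the certificate up the way the ADK's clientCertName property does:
    // by subject distinguished name in the CurrentUser/My store.
    static X509Certificate2 FindClientCert(string subject)
    {
        X509Store store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            X509Certificate2Collection matches = store.Certificates.Find(
                X509FindType.FindBySubjectDistinguishedName, subject, false);
            return matches.Count > 0 ? matches[0] : null;
        }
        finally
        {
            store.Close();
        }
    }

    // Build the chain with the Client Authentication application policy (assumed
    // here to be close to what SChannel checks before offering the certificate).
    // A missing intermediate shows up as PartialChain; a CA that is only trusted
    // for Server Authentication shows up as NotValidForUsage.
    static bool IsUsableForClientAuth(X509Certificate2 cert, out string detail)
    {
        X509Chain chain = new X509Chain();
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck; // keep the check offline
        chain.ChainPolicy.ApplicationPolicy.Add(new Oid(ClientAuthOid));

        bool ok = chain.Build(cert);
        StringBuilder sb = new StringBuilder();
        foreach (X509ChainElement element in chain.ChainElements)
            sb.Append("  chain element: ").Append(element.Certificate.Subject).AppendLine();
        foreach (X509ChainStatus status in chain.ChainStatus)
            sb.Append("  status: ").Append(status.Status).Append(" - ")
              .Append(status.StatusInformation.Trim()).AppendLine();
        detail = sb.ToString();
        return ok;
    }

    // Attach the certificate the same way the ADK does: HttpWebRequest.ClientCertificates.
    static HttpWebRequest BuildRequest(X509Certificate2 cert)
    {
        HttpWebRequest request = (HttpWebRequest)WebRequest.Create(ZisUrl);
        request.Method = "GET";
        request.ClientCertificates.Add(cert);
        return request;
    }

    static void Main()
    {
        X509Certificate2 cert = FindClientCert(ClientCertSubject);
        if (cert == null)
        {
            Console.WriteLine("No certificate with subject '" + ClientCertSubject + "' in CurrentUser/My.");
            return;
        }
        if (!cert.HasPrivateKey)
        {
            Console.WriteLine("Certificate found but its private key is not available; it cannot be presented.");
            return;
        }

        string detail;
        bool usable = IsUsableForClientAuth(cert, out detail);
        Console.WriteLine(usable
            ? "Chain builds for Client Authentication; the certificate can be presented:"
            : "Chain does NOT build for Client Authentication; fix the chain before connecting:");
        Console.Write(detail);
        if (!usable) return;

        // A 403 here comes from IIS's "Require client certificates" setting, not from the
        // ZIS, because a request without an accepted certificate never reaches the application.
        try
        {
            using (HttpWebResponse response = (HttpWebResponse)BuildRequest(cert).GetResponse())
                Console.WriteLine("Server answered " + (int)response.StatusCode + " " + response.StatusDescription);
        }
        catch (WebException ex)
        {
            HttpWebResponse response = ex.Response as HttpWebResponse;
            Console.WriteLine(response != null
                ? "Server answered " + (int)response.StatusCode + " " + response.StatusDescription
                : "Connection failed: " + ex.Status);
        }
    }
}
```

Run it on the agent's machine under the same user account the agent runs as, since CurrentUser/My and the private key ACLs are per user. The chain element list shows which intermediate was found and from where, which is the quickest way to spot the situation Phil describes: an entry with the right name sitting in Trusted Root CAs but restricted to Server Authentication, so the Client Authentication chain fails even though the certificate viewer shows a complete path.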
Thanks Phil,
We're glad you were able to track this down!