This is a mirror of official site: http://jasper-net.blogspot.com/

HTTPS Messaging with Client Side Certificate fails with IIS error 403

Wednesday, October 27, 2010
Symptoms
We have a Win2k3/Win2k8 server and are trying to send HTTPS messages to it. The server requires client-side certificates. The IIS log shows error 403.7 (Client Side Certs Reqd). If dead-lettering is enabled on the messages, they end up in the dead-letter queue with HTTP error 403.

Cause
If a Win2k8 server shows this problem, the cause is that the Network Service account under which MSMQ runs does not have access to the private key in the MSMQ certificate store. Here is the error logged in the System log on the Win2k8 server.

Log Name:      System
Source:        Schannel
Date:          8/18/2010 3:15:10 PM
Event ID:      36870
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      ComputerName

Description:
A fatal error occurred when attempting to access the SSL client credential private key. The error code returned from the cryptographic module is 0x8009030d.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System>
   <Provider Name="Schannel" />
   <EventID Qualifiers="49152">36870</EventID>
   <Level>2</Level>
   <Task>0</Task>
   <Keywords>0x80000000000000</Keywords>
   <TimeCreated SystemTime="2010-08-18T19:15:10.000Z" />
   <EventRecordID>34419</EventRecordID>
   <Channel>System</Channel>
   <Computer>Computer Name</Computer>
   <Security />
 </System>
 <EventData>
   <Data>client</Data>
   <Data>8009030d</Data>
 </EventData>
</Event>

Resolution
On Windows Server 2008 you need to run the following command at a command prompt. It grants the Network Service account access to the private keys of the certificates in the MSMQ store.

 certutil.exe -service -service -repairstore MSMQ\My "" D:PAI(A;;GAGR;;;BA)(A;;GAGR;;;SY)(A;;GAGR;;;NS) MSMQ\My
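As an added illustration (not code from the original post), the following Python checks an exported Event XML record for the Schannel 36870 private-key failure shown above and decodes the SDDL descriptor from the certutil command, so you can verify which accounts the fix actually grants access to. The sample event is constructed from the record above, and the alias tables cover only the SIDs and rights that appear in it.

```python
"""Added example (not from the original post): detect the Schannel 36870
private-key failure in Event XML and decode the SDDL the certutil fix applies."""
import re
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Constructed sample: the record from the post, trimmed to the relevant fields.
SAMPLE_EVENT = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><Provider Name="Schannel" /><EventID Qualifiers="49152">36870</EventID>
 <Level>2</Level><Channel>System</Channel></System>
 <EventData><Data>client</Data><Data>8009030d</Data></EventData></Event>"""

# Well-known SDDL abbreviations; only those used in the post's descriptor.
SID_ALIASES = {"BA": "BUILTIN\\Administrators", "SY": "NT AUTHORITY\\SYSTEM",
               "NS": "NT AUTHORITY\\NETWORK SERVICE"}
RIGHT_ALIASES = {"GA": "GENERIC_ALL", "GR": "GENERIC_READ",
                 "GW": "GENERIC_WRITE", "GX": "GENERIC_EXECUTE"}
# ACE layout: (type;flags;rights;object_guid;inherit_object_guid;account_sid)
ACE_RE = re.compile(r"\((A|D);([^;]*);([^;]*);[^;]*;[^;]*;([^)]+)\)")

def schannel_key_failure(event_xml):
    """Return (side, hresult) for a Schannel event 36870, else None.
    side is 'client' or 'server'; 0x8009030D is SEC_E_UNKNOWN_CREDENTIALS."""
    root = ET.fromstring(event_xml)
    provider = root.find("e:System/e:Provider", NS).get("Name")
    event_id = int(root.findtext("e:System/e:EventID", namespaces=NS))
    if provider != "Schannel" or event_id != 36870:
        return None
    data = [d.text for d in root.findall("e:EventData/e:Data", NS)]
    return data[0], int(data[1], 16)

def decode_sddl_dacl(sddl):
    """Decode a DACL-only SDDL string into [(allow|deny, principal, rights)]."""
    if not sddl.startswith("D:"):
        raise ValueError("expected a DACL ('D:...') descriptor")
    aces = []
    for kind, _flags, rights, sid in ACE_RE.findall(sddl):
        # Rights are two-letter codes run together, e.g. 'GAGR' -> GA, GR.
        codes = [rights[i:i + 2] for i in range(0, len(rights), 2)]
        aces.append(("allow" if kind == "A" else "deny",
                     SID_ALIASES.get(sid, sid),
                     [RIGHT_ALIASES.get(c, c) for c in codes]))
    return aces

# The descriptor from the certutil command in the Resolution section.
FIX_SDDL = "D:PAI(A;;GAGR;;;BA)(A;;GAGR;;;SY)(A;;GAGR;;;NS)"
if __name__ == "__main__":
    print(schannel_key_failure(SAMPLE_EVENT))
    for ace in decode_sddl_dacl(FIX_SDDL):
        print(ace)
```

The decoded output makes the scope of the fix explicit: only Administrators, SYSTEM and NETWORK SERVICE are granted rights on the key, which is what lets MSMQ present the client certificate.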

Read more: MSMQ Information and Troubleshooting Blog

Posted via email from .NET Info
