
.NET Forum / ASP.NET / Web Services / February 2005


Cannot access web server after enabling FIPS compliant cryptography

Jener Silva - 06 Feb 2005 19:14 GMT
I have a Windows 2003 Enterprise server hosting my web service and it has
the System cryptography set to run in FIPS compliant mode.
When I try to run my asp.net application, which resides on another 2003
server, I get an exception:

The underlying connection was closed: Could not establish secure channel for
SSL/TLS.

If we disable FIPS compliant cryptography, the application works fine.
Those servers are within the same network, there is no firewall between
them.

When I try to add a web reference to a new asp.net project, VS.NET 2003
shows the initial page in the wizard, but the button to add the reference is
disabled and a message shows up that says:

There was an error downloading 'https://servername/webservice.asmx'.

The underlying connection was closed: Could not establish secure channel for
SSL/TLS.

Can anyone tell me what's wrong?
Thanks.
[MSFT] - 07 Feb 2005 03:12 GMT
Can you browse an HTML page or ASP.NET web page on the Windows 2003 Server
after enabling FIPS compliant cryptography, for example, from your
application server?

Luke
Jener Silva - 07 Feb 2005 03:49 GMT
Yes!!!
If I launch IE and browse to https://myserver/myservice.asmx , I see the web
service page.

> Can you browse an HTML page or ASP.NET web page on the Windows 2003 Server
> after enabling FIPS compliant cryptography, for example, from your
> application server?
>
> Luke
[MSFT] - 07 Feb 2005 07:06 GMT
I suggest you test the web service with a Windows Forms app first. I suspect
the problem may be that the account your ASP.NET app uses cannot
access the client certificates or the certificate has been installed well.

Luke
Jener Silva - 07 Feb 2005 16:52 GMT
I created a WinForm application and added a web reference to the web
service.
To do that I had to disable FIPS compliant cryptography on the server.
The WinForm application behaves just like the ASP.NET application:  the
service can be called if the web server is not operating in FIPS mode.
When I enable FIPS compliant cryptography, I get the same exception:

The underlying connection was closed: Could not establish secure channel for
SSL/TLS.

> I suggest you test the web service with a Windows Forms app first. I suspect
> the problem may be that the account your ASP.NET app uses cannot
> access the client certificates or the certificate has been installed well.
>
> Luke
[MSFT] - 08 Feb 2005 06:15 GMT
I think Chris's suggestion should be helpful on this issue. You may
give it a try. The following is also an article about this issue:

PRB: "System.Net.WebException. The Underlying Connection Was Closed. Could
Not Establish Trust Relationship with Remote Server." Error Message When
You Upgrade the .NET Framework
http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q823177

Luke
Chris Botha - 07 Feb 2005 18:51 GMT
I'm not familiar with FIPS, but can tell you that if IE prompts you to
accept the certificate, for example if it is a test certificate, etc, then
you will have this problem. In this case write a class that implements the
ICertificatePolicy interface. Give it a shot in any case. For an example,
have a look at
http://weblogs.asp.net/jan/archive/2003/12/04/41154.aspx

> I have a Windows 2003 Enterprise server hosting my web service and it has
> the System cryptography set to run in FIPS compliant mode.
[quoted text clipped - 19 lines]
> Can anyone tell me what's wrong?
> Thanks.
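
This is an added example, not code from the thread or from the linked article: an ICertificatePolicy (the .NET 1.x hook the post above refers to) that logs the validation problem code and accepts a failing certificate only for one pinned host and thumbprint, instead of returning true for every certificate. The host name reuses the thread's `servername`; the thumbprint is a placeholder and the class names are hypothetical.

```csharp
using System;
using System.Diagnostics;
using System.Globalization;
using System.Net;
using System.Security.Cryptography.X509Certificates;

// Added example. PinnedHost and PinnedThumbprint are placeholders, not values from the thread.
public class PinnedCertificatePolicy : ICertificatePolicy
{
    private const string PinnedHost = "servername";
    private const string PinnedThumbprint = "<SHA1-THUMBPRINT-PLACEHOLDER>";

    public bool CheckValidationResult(ServicePoint srvPoint,
        X509Certificate certificate, WebRequest request, int certificateProblem)
    {
        if (certificateProblem == 0)
            return true; // normal chain validation succeeded
        // Record the problem code so the real failure is visible (needs TRACE defined).
        Trace.WriteLine(String.Format(CultureInfo.InvariantCulture,
            "Certificate problem 0x{0:X8} for {1}", certificateProblem, request.RequestUri));
        if (certificate == null)
            return false;
        // Accept a failing certificate only for the pinned host and thumbprint.
        bool hostOk = String.Compare(request.RequestUri.Host, PinnedHost,
            true, CultureInfo.InvariantCulture) == 0;
        bool certOk = String.Compare(certificate.GetCertHashString(), PinnedThumbprint,
            true, CultureInfo.InvariantCulture) == 0;
        return hostOk && certOk;
    }
}

public class Program
{
    public static void Main()
    {
        ServicePointManager.CertificatePolicy = new PinnedCertificatePolicy();
        try
        {
            WebRequest req = WebRequest.Create("https://servername/webservice.asmx");
            using (WebResponse resp = req.GetResponse())
                Console.WriteLine("Connected: " + resp.ResponseUri);
        }
        catch (WebException ex)
        {
            // ex.Status separates SecureChannelFailure (handshake) from TrustFailure (certificate).
            Console.WriteLine(ex.Status + ": " + ex.Message);
        }
    }
}
```

If the policy is never called and the status is SecureChannelFailure, the connection failed before certificate validation, so a certificate policy cannot change the outcome.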
Jener Silva - 10 Feb 2005 14:22 GMT
No, IE does not prompt me to accept the certificate.
There is nothing wrong with the certificate.
The web service works fine if I disable FIPS cryptography in the Local
Security Policy of the server.

> I'm not familiar with FIPS, but can tell you that if IE prompts you to
> accept the certificate, for example if it is a test certificate, etc, then
[quoted text clipped - 26 lines]
>> Can anyone tell me what's wrong?
>> Thanks.
Chris Botha - 10 Feb 2005 15:28 GMT
Sorry, as I said, I am not familiar with FIPS, but know that the
ICertificatePolicy works when regular certificates cause problems. Give it a
shot and see if it works.

> No, IE does not prompt me to accept the certificate.
> There is nothing wrong with the certificate.
[quoted text clipped - 31 lines]
>>> Can anyone tell me what's wrong?
>>> Thanks.
