PRB: "System.Net.WebException. The Underlying Connection Was Closed. Could Not Establish Trust Relationship with Remote Server." Error Message When You Upgrade the .NET Framework (823177)



The information in this article applies to:

  • Microsoft ASP.NET (included with the .NET Framework) 1.0
  • Microsoft Common Language Runtime (included with the .NET Framework 1.1)
  • Microsoft Common Language Runtime (included with the .NET Framework) 1.0
  • Microsoft ASP.NET (included with the .NET Framework 1.1)
  • Microsoft Web Services (included with the .NET Framework) 1.0

SYMPTOMS

When you install the Microsoft .NET Framework version 1.0 Service Pack 2 or you upgrade to the .NET Framework version 1.1 from the .NET Framework version 1.0, your Web service clients may receive the following error message on a call to a Web service. This error message occurs when you use Secure Socket Layer (SSL).

System.Net.WebException. The underlying connection was closed. Could not establish trust relationship with remote server.

The error message may appear after you install or after you upgrade even though the code works as you expect.

CAUSE

Beginning with the .NET Framework version 1.0 Service Pack 2 and with the .NET Framework version 1.1 and later, the host name that is used on the HTTP request must match the server name to which the SSL certificate is issued. Earlier SSL certificates may no longer be accepted under certain circumstances. Also, the Certificate Revocation List (CRL) is now examined to make sure that the certificate has not been revoked.

Other scenarios exist also. For example, some networks use a different name-resolution scheme for internal versus external clients. If the certificate is issued to the server's public name (such as www.adatum.com), but the internal Domain Name System (DNS) server gives intranet applications a different name for the same server (such as www.internal.corporate.adatum.com), requests for this Web service over SSL may fail. This change is made to enhance the security of Web services that use SSL.

Note The example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious. No association with any real company, organization, product, domain name, e-mail address, logo, person, places, or events is intended or must be inferred.

RESOLUTION

You can resolve this problem by using either of the following methods:
  • You can change the name-resolution scheme so that DNS provides the same name for a server. The same name for the server must be used whether the server is referred to from inside the company or from outside the company.

    For example, assume that a certificate has been issued to the URL www.adatum.com. Any Web service application that is referenced from outside the organization is called by using the external DNS resolution scheme (www.adatum.com). When an intranet Web service application is called, the internal DNS translates the name of the site as www.internal.corporate.adatum.com. Therefore, any request for the Web service over SSL may fail unless you change the name-resolution scheme.
  • The host name that is used when you add a Web reference to a Web service in the Web service client must be the same name as the name that the certificate is issued to.

WORKAROUND

To work around this problem, you can implement ICertificatePolicy. Then you must assign an instance of your ICertificatePolicy implementation to ServicePointManager.CertificatePolicy before the Web service method call is made.

The following sample code implements ICertificatePolicy so that every server certificate is accepted under SSL, regardless of the name mismatch, revocation status, or other validation problem that the framework reports:

Microsoft Visual Basic .NET

Import the following two namespaces, and then implement the class:
Imports System.Net
Imports System.Security.Cryptography.X509Certificates
Public Class MyPolicy
  Implements ICertificatePolicy

  Public Function CheckValidationResult(ByVal srvPoint As ServicePoint, _
                ByVal cert As X509Certificate, ByVal request As WebRequest, _
                ByVal certificateProblem As Integer) _
            As Boolean Implements ICertificatePolicy.CheckValidationResult
    'Return True to force the certificate to be accepted.
    Return True
  End Function
End Class
Microsoft Visual C# .NET

Import the following two namespaces, and then implement the class:
using System.Net;
using System.Security.Cryptography.X509Certificates;

public class MyPolicy : ICertificatePolicy {
    public bool CheckValidationResult(
          ServicePoint srvPoint
        , X509Certificate certificate
        , WebRequest request
        , int certificateProblem) {

        //Return True to force the certificate to be accepted.
        return true;

    } // end CheckValidationResult
} // class MyPolicy
Include the following statement in the client code (in either Visual Basic .NET or Visual C# .NET, as appropriate). The statement must be executed before you make the Web service method call from the client code:

Visual Basic .NET
System.Net.ServicePointManager.CertificatePolicy = New MyPolicy()
Visual C# .NET
System.Net.ServicePointManager.CertificatePolicy = new MyPolicy();
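The sample policy above accepts every certificate, which also silences the revocation and chain checks that the article says the framework now performs. The following added example (it is not part of this article or of the .NET Framework) shows a narrower ICertificatePolicy for the exact scenario in the "Cause" section: the request goes to the internal name (www.internal.corporate.adatum.com) but the certificate is issued to the public name (www.adatum.com). It overrides only the CERT_E_CN_NO_MATCH result (Windows error code 0x800B010F, the "subject name does not match" problem), only for the expected host, and only when the certificate's SHA-1 hash equals a thumbprint you pin in advance. The class name PinnedHostPolicy, the Install method and the all-zero thumbprint are placeholders chosen for this example.

```csharp
using System;
using System.Net;
using System.Security.Cryptography.X509Certificates;

// Added example, not from KB 823177: accept the one expected name mismatch
// for one expected host and one pinned certificate; reject everything else.
public class PinnedHostPolicy : ICertificatePolicy
{
    // CERT_E_CN_NO_MATCH (0x800B010F): the certificate's subject name does not
    // match the host name used on the request. Any other non-zero value
    // (untrusted root, expired, revoked, ...) is still rejected below.
    private const int CertECnNoMatch = unchecked((int)0x800B010F);

    private readonly string expectedHost;       // host name the client actually uses
    private readonly string expectedSubject;    // name the certificate was issued to
    private readonly string expectedThumbprint; // SHA-1 hash of that exact certificate

    public PinnedHostPolicy(string expectedHost, string expectedSubject, string expectedThumbprint)
    {
        this.expectedHost = expectedHost;
        this.expectedSubject = expectedSubject;
        this.expectedThumbprint = expectedThumbprint.Replace(" ", "").ToUpper();
    }

    public bool CheckValidationResult(ServicePoint srvPoint, X509Certificate cert,
                                      WebRequest request, int certificateProblem)
    {
        // 0 means the framework found no problem; keep its verdict.
        if (certificateProblem == 0)
            return true;

        // Only the known name mismatch may be overridden.
        if (certificateProblem != CertECnNoMatch)
            return false;

        // The request must be going to the internal name we expect...
        if (srvPoint == null || srvPoint.Address == null ||
            string.Compare(srvPoint.Address.Host, expectedHost, true) != 0)
            return false;

        // ...and the certificate must be the one issued for the public name.
        if (cert == null)
            return false;
        string subject = cert.GetName();               // e.g. "CN=www.adatum.com, O=..."
        string thumbprint = cert.GetCertHashString();  // SHA-1 hash as upper-case hex

        bool subjectMatches = subject.ToUpper().IndexOf("CN=" + expectedSubject.ToUpper()) >= 0;
        bool pinned = thumbprint.ToUpper() == expectedThumbprint;
        return subjectMatches && pinned;
    }

    // Call once, before any Web service proxy call is made, so that the policy
    // applies to every ServicePoint created afterwards in this process.
    public static void Install()
    {
        ServicePointManager.CertificatePolicy = new PinnedHostPolicy(
            "www.internal.corporate.adatum.com",
            "www.adatum.com",
            "0000000000000000000000000000000000000000"); // placeholder: replace with the real thumbprint
    }
}
```

The thumbprint comparison is the real control here: the subject check alone would accept any certificate whose subject contains "CN=www.adatum.com", so the policy also requires the exact certificate that was pinned. When that certificate is renewed, the pinned value must be updated or the call starts failing again with the error in the "Symptoms" section, which is the safer failure mode. ICertificatePolicy is the .NET Framework 1.x API that this article uses; later versions of the framework expose the same decision through ServicePointManager.ServerCertificateValidationCallback instead.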

STATUS

This behavior is by design.

MORE INFORMATION

Steps to Reproduce the Problem

  1. Create a server certificate. Assign the server certificate to a computer that is named TestComputer. When you create the server certificate, make sure that TestComputer is not the name that is typed in the Common name field.
  2. Add the certificate of the issuing certification authority to the list of Trusted Root Certificate Authorities if the certificate is self-issued (not issued by a trusted certification authority).

    Note It is not sufficient to add the site to the Trusted Sites zone on the Security tab in Microsoft Internet Explorer.
  3. To add the certificate for the certification authority, follow these steps:
    1. Start Internet Explorer. On the Tools menu, click Internet Options.
    2. Click the Content tab, and then click Certificates.
    3. Click the Trusted Root Certification Authorities tab.
    4. Click Import, and then click Next.
    5. To move to the certificate file of the certification authority, click Browse, and then click Next.
    6. Click Place all certificates in the following store, and then click Browse.
    7. Click Trusted Root Certification Authorities, click OK, click Next, and then click Finish.

      A message appears that indicates that the import is successful.
    8. Click Close, and then click OK.
  4. Create a Microsoft ASP.NET Web service application that is named WebService1. Uncomment the HelloWorld WebMethod in WebService1.
  5. Enable SSL for the WebService1 application.
  6. Create an ASP.NET Web application that is named WebApplication1. Name the BUTTON control Button1.
  7. Add the Web reference to WebService1 in WebApplication1.
  8. In the OnClick event of Button1, call the HelloWorld WebMethod of WebService1.
  9. In WebApplication1, click Button1.

    You can see Button1 in the browser, and you receive the error message that is mentioned in the "Symptoms" section.

REFERENCES

For additional information about ASP.NET security enhancements and SSL, visit the following Microsoft Developer Network (MSDN) Web site:

For additional information about configuring ASP.NET and IIS to use SSL, visit the following Microsoft Developer Network (MSDN) Web site:

For additional information about how to add and how to remove Web references, visit the following Microsoft Developer Network (MSDN) Web site:

Modification Type: Minor
Last Reviewed: 7/8/2005
Keywords: kbprb kberrmsg kbWebServices kbDev kbCertServices kbSecurity KB823177 kbAudDeveloper kbAudITPRO