Can't use HTTPS with ServerXMLHTTP object

Question

I am supporting a Classic ASP application that connects to a payment gateway via HTTPS. Up until recently there have been no issues. A few days ago the latest updates were installed on the server (Windows Server 2003) and caused the site to break. A code snippet is below.

Dim oHttp
Dim strResult
Set oHttp = CreateObject("MSXML2.ServerXMLHTTP")
oHttp.setOption(2) = 13056
oHttp.open "POST", SOAP_ENDPOINT, false
oHttp.setRequestHeader "Content-Type", "application/soap+xml; charset=utf-8"
oHttp.setRequestHeader "SOAPAction", SOAP_NS + "/" & SOAP_FUNCTION
oHttp.send SOAP_REQUEST

Below is a dump of the error object :-

Number: -2147012852 Description: A certificate is required to complete client authentication Message: A certificate is required to complete client authentication

At first I thought it was because the Payment Gateway's SSL certificate was not being authenticated or they needed a client certificate. I tested the URL in a browser on the server and it displayed correctly without errors and confirmed that the Payment Gateway server did not require a client certificate.

I am at a loss. All the research I have done has lead me nowhere. I even tried the following found on Stackoverflow :-

Getting XMLHTTP to work with HTTPS

xmlHttp, XML request,asp

The last one stated that a client certificate is required by XMLHTTP even though the server does not need it and pointed to a KB article on how to install one, but that is outdated and does not work.

Answer 1

Try adding oHttp.setOption 2, 13056

Answer 2

Just found the solution to this which has passed testing on:

• Windows 10 (IIS 10)
• Windows 2012 R2 (IIS 8.5)

It's a client problem. MSXML2.ServerXMLHTTP does indeed require you to use a client certificate when calling an endpoint secured with SSL (even if the endpoint doesn't require it), as the OP noted.

On the webserver, you need to:

1. Create a client certificate
2. Assign permissions to the certificate
3. Set the certificate on the ServerXMLHTTP object

In detail:

1. Create a client certificate

Use the following PowerShell command to create a new self-signed certificate:

New-SelfSignedCertificate -DnsName "ServerXMLHTTP", "ServerXMLHTTP" -CertStoreLocation "cert:\LocalMachine\My"

Note that the certificate created by this command will only be valid for 1 year.

2. Assign permissions to the certificate

Using MMC, view the certificate store for the computer account: How to: View Certificates with the MMC Snap-in

The certificate created above can be found in Certificates (Local Computer)\Personal\Certificates (the "Issued By" and "Issued To" columns display "ServerXMLHTTP").

Right click the ServerXMLHTTP certificate, select "All Tasks" -> "Manage Private Keys" and the permissions dialog will display.

Add the user that the ASP website app pool is running as. By default it will be running as "ApplicationPoolIdentity", but your setup may be using a specific user account. If the app pool is using ApplicationPoolIdentity, the username to add is "IIS AppPool\APP POOL NAME", e.g. IIS AppPool\DefaultAppPool

The user will be added with "Full Control" which can be deselected. Only "Read" permission seems to be required. Click "OK" to confirm the permissions.

3. Set the certificate on the ServerXMLHTTP object

In your ASP code, set the ServerXMLHTTP object to use the certificate created above. For example calling PayPal for an access token:

Dim strAuthToken: strAuthToken = "<Base64 encoded version of ClientId:Secret>"
Dim oHttp: Set oHttp = Server.CreateObject("MSXML2.ServerXMLHTTP")

With oHttp
    Call .Open("POST", "https://api.sandbox.paypal.com/v1/oauth2/token", False)
    Call .SetOption(3, "LOCAL_MACHINE\My\ServerXMLHTTP")
    Call .SetRequestHeader("Content-Type", "application/x-www-form-urlencoded")
    Call .SetRequestHeader("Authorization", "Basic " & strAuthToken)
    Call .Send("grant_type=client_credentials")
End With

Hopefully this is still of assistance.