Access denied to ASP.NET WebAPI on IIS

Question

I have to ASP.NET applications: one is a Web API and the other a MVC that makes requests to the first.

Everthing works in development (VS with IIS Express) but now I publish both applications to a production server and I can´t have access to the api using the MVC app.

I have CORS enabled on the API:

var cors = new EnableCorsAttribute("*", "*", "*");
config.EnableCors(cors);

On the MVC app, my api base url is set to https://localhost:44351/ and then in the IIS I have this bindings (WEB Api site):

I can make requests to the API with postman but when I run the my MVC app, I can´t make requests (and again, I could make them in development).

Thank you.

EDIT

Controller code example (MVC):

        try
        {
            var client = WebApiHttpClient.GetClient();

            var response = await client.PostAsync("Token", content);
            if (response.IsSuccessStatusCode)
            {
                TokenResponse tokenResponse =
                await response.Content.ReadAsAsync<TokenResponse>();

                WebApiHttpClient.storeToken(tokenResponse);
                return RedirectToAction("Index", "Home");
            }
            else
            {
                return Content("response.StatusCode);
            }
        }
        catch
        {
            return Content("Error");
        }

My HttpClient implementation:

    public const string WebApiBaseAddress = "https://localhost:44351/";

    public static HttpClient GetClient()
    {
        HttpClient client = new HttpClient();
        client.BaseAddress = new Uri(WebApiBaseAddress);
        client.DefaultRequestHeaders.Accept.Clear();
        client.DefaultRequestHeaders.Accept.Add(new
        MediaTypeWithQualityHeaderValue("application/json"));
        return client;
    }

EDIT 2

InnerException message:

the underlying connection was closed could not establish trust relationship for the ssl/tls

What do you mean by "can't make requests"? What kind of response do you get? — Viktors Telle, Dec 13 '16 at 19:14
Please add the Exception in the catch clause to see the actual error. — Viktors Telle, Dec 13 '16 at 19:23
And also you don't need to enable CORS because you are making request from the same domain. — Viktors Telle, Dec 13 '16 at 19:28
I would recommend once you've got to the bottom of this to remove the CORS configuration that you have applied :). It's a safety feature — Luke, Dec 13 '16 at 19:34
When you say it works with Postman, are you running Postman from your development machine? Or are you at the Production machine when you use Postman? — JuanR, Dec 13 '16 at 19:44
CORS was enabled so I can run an simple html page with ajax requests; I'm running Postman from development machine. I haven't tried to run it from my server.; InnerException message added to the question. — Cátia Azevedo, Dec 13 '16 at 19:47
There is an issue with SSL certificate. Please see this post: http://stackoverflow.com/questions/703272/could-not-establish-trust-relationship-for-ssl-tls-secure-channel-soap — Viktors Telle, Dec 13 '16 at 20:02
I'm using a self signed certificate for now. This is not really the production but an test to see if the 2 apps could work together in a production environment. That being said, what could be the problem? — Cátia Azevedo, Dec 13 '16 at 21:03
The problem is most likely related to server certificate validation. Please try add the following line (temporary) in Global.asax: System.Net.ServicePointManager.ServerCertificateValidationCallback = ((sender, cert, chain, errors) => cert.Subject.Contains("YourServerName")); Put your server name accordingly or just localhost. — Viktors Telle, Dec 13 '16 at 21:22
You could temporary add this line to ignore server certificate validation: ServicePointManager.ServerCertificateValidationCallback = ((sender, certificate, chain, sslPolicyErrors) => true); If it works then add a real SSL certificate in production and remove that line. — Viktors Telle, Dec 14 '16 at 06:34
Yap, that made it work. I'll try to get a valid SSL cert then! Thank you! — Cátia Azevedo, Dec 14 '16 at 09:24
Yes, it is. It's a temporary fix but it works for development. The author wrote an answer. I marked it as the right one. Thank you. — Cátia Azevedo, Dec 17 '16 at 12:04

score 2 · Accepted Answer · edited May 23 '17 at 11:45

Just to summarize the discussion in the comments. The problem was due to use of self-signed certificate in IIS for Web API application.

Temporary solution for this problem is to add this line of code in application startup class (Global.asax):

ServicePointManager.ServerCertificateValidationCallback = ((sender, certificate, chain, sslPolicyErrors) => true);

Of course you should not use that line of code in production. In production environment you should have a valid SSL certificate.

More information can be found in this post: Could not establish trust relationship for SSL/TLS secure channel -- SOAP

Access denied to ASP.NET WebAPI on IIS

1 Answers1