1

For the last 5 months+ we were able to do XMLHTTP requests from our web server to the Concur API via server.Createobject("MSXML2.ServerXMLHTTP") no problem, but now we are getting this error message:

msxml3.dll error '80072f0c'

A certificate is required to complete client authentication

Can you think of a security change the server receiving these requests might have made to not allow these API requests to work anymore via ServerXMLHTTP? Or anything we could do on sending server side to make it work? We can still hit other API's from our sending server no problem.

From my local computer, I am able to do a Postman request to this same API that is generating the "certificate is required" message and Postman processes it no problem.

Our TLS certificate supports both client and server authentication according to its "Enhanced Key Usage". The error occurs on our Windows 2008R2 server where the certificate is stored and on a sandbox Windows 2012 server with no client certificate. Here's the vbscript snippet:

EndPoint = "https://us.api.concursolutions.com/oauth2/v0/otp"
Payload = "client_id=" & consumerKey & "&client_secret=" & consumerSecret & "&channel_handle=" & Email & "&channel_type=email"
Payload = Payload & "&link=" & link & "&name=" & name & "&company=" & company
Dim xmlhttp
Set xmlhttp = Createobject("MSXML2.ServerXMLHTTP.6.0")
'Get error message with or without the next 3 lines
XMLhttp.setOption(2) = 13056
strCert = "Friendly Name"
XMLhttp.setOption(3)= "LOCAL_MACHINE\My\" & strCert
XMLhttp.Open "POST",EndPoint,false    
XMLhttp.setRequestHeader "User-Agent","HTTP/1.1"
XMLhttp.setRequestHeader "Content-Type", "application/x-www-form-urlencoded; charset=utf-8"
XMLhttp.setRequestHeader "Accept", "application/json"
XMLhttp.setRequestHeader "Host", "us.api.concursolutions.com"
XMLhttp.setRequestHeader "Connection", "close"
XMLhttp.setRequestHeader "Content-Length", "437"
XMLhttp.send Payload
KBr
  • 139
  • 2
  • 11
  • Without details of the API, it would be rather hard for us to know. Is it Paypal? If so, see this question & comments in to the answer. https://stackoverflow.com/questions/18719807/msxml3-dll-error-80072f0c-a-certificate-is-required-to-complete-client-authent – Dijkgraaf Jun 11 '17 at 20:28
  • Similar to this http://microsoft.public.xml.narkive.com/Y6hHVF79/msxml-posting-soap-message-with-client-certificate Which recommends looking to see if the IIS User has access to the certificate. – Dijkgraaf Jun 12 '17 at 09:15
  • Thanks for pointing me to that article. I did manage to get a different error when I changed setOption(3) to show our domain name instead of our friendly name (it was in the registry in the right place already). That new error is msxml6.dll error '80072f9a' System error: -2147012710. – KBr Jun 12 '17 at 19:21
  • The exact thing that this questions asked about https://stackoverflow.com/questions/22402615/paypal-classic-asp-msxml-error-on-windows-server-2008 Does have one answer, but not accepted or upvoted. But I see you already found that one – Dijkgraaf Jun 12 '17 at 21:39
  • Thanks for your help. After they made some configuration changes on the Concur side late today it did work with just the code for SetOption(2)=13056 included and SetOption(3) commented out. They apparently did not intend to require a client certificate to begin with and they apparently were changing API gateway providers over the weekend. – KBr Jun 12 '17 at 23:25

0 Answers0