The request was aborted: Could not create SSL/TLS secure channel
This error can occur if you are working on an application which will securely connect with another application using SSL/TLS certificate. The error “The request was aborted: Could not create SSL/TLS secure channel” look straight but can waste a good amount of time. Environment on which I was facing this issue was Windows 2016 Server, IIS10 and .Net application developed in .Net Framework 4.7. The other application was developed in JAVA so the .Net application was trying to access the java application securely. The strange thing which was happening with me that if I used the standard user in the application pool identity under IIS pools, everything worked perfectly and even with local system and NetworkService but the application was not working with default settings (ApplicationPoolIdentity). The application requirement was to use the ApplicationPoolIdentity.
There are plenty of posts available which claim the solution of this problem. There are multiple options involved to solve this issue which may or may not work for you. However, I followed under listed instructions to solve this problem and it worked perfectly well. I recommend to check this setting before wasting your time on other areas.
Solution!! Load User Profile
IIS doesn’t load the Windows user profile, but certain applications might take advantage of it anyway to store temporary data. SQL Express is an example of an application that does this. However, a user profile has to be created to store temporary data in either the profile directory or in the registry hive. The user profile for the Network Service account was created by the system and was always available. However, with the switch to unique Application Pool identities, no user profile is created by the system. Only the standard application pools (DefaultAppPool and Classic .NET AppPool) have user profiles on disk. No user profile is created if the Administrator creates a new application pool.
However, if you want, you can configure IIS application pools to load the user profile by setting the LoadUserProfile attribute to “true”. Actually my application was developed in a way that it wanted to have a user profile to store temporary data.
If you already have this option true you can check under listed security settings of your private:
Note: Before making the under listed changes Make sure that the certificate trust chain is complete and there is no certificate trust related error available.
Note: This didn’t worked for me and I don’t recommend to change the default security settings of private key.
- Purchase and Import the certificate into the “Local Computer” account. Best to use Certificates MMC. You need to check “Allow private key to be exported”. To change the security settings based upon the version of IIS and the Application Pool’s identity use one of the following.
- If the Website is running under ApplicationPoolIdentity. Open MMC => Add Certificates (Local computer) snap-in => Certificates (Local Computer) => Personal => Certificates => Right click the certificate of interest => All tasks => Manage private key => Add IIS AppPool\AppPoolName and grant it Full control. Replace “AppPoolName” with the name of your application pool (sometimes IIS_IUSRS)
- If the Website is running under NETWORK SERVICE. Using Certificates MMC, added “NETWORK SERVICE” to Full Trust on certificate in “Local Computer\Personal”.
- If the Website is running under “MyIISUser” local computer user account. Using Certificates MMC, added “MyIISUser” (a new local computer user account) to Full Trust on certificate in “Local Computer\Personal”.
Note: if you’re on a domain, your domain will be selected by default in the ‘from location box’. Make sure to change that to “Local Computer” to view the app pool identities.