NetworkService - Could not establish secure channel for SSL/TLS

we've got a windows service calling an ssl- and client-certificate-secured webservice. running the windows service as administrator works; the webservice call succeeds. switching the logon to the (preferred) 'network service' user causes a "Could not establish secure channel for SSL/TLS" error.

---
at System.Web.Services.Protocols.WebClientProtocol.GetWebResponse(WebRequest request)
at System.Web.Services.Protocols.HttpWebClientProtocol.GetWebResponse(WebRequest request)
at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters)
---

both users can access the X509Store and load the client certificate. is this a rights problem? (Win2003SP1, IIS6, .NET 2.0, win/web-service on same machine)

thanks for your help,
stefan

Hello stefan,
Welcome to the MSDN newsgroup.

From your description, I understand you have a .net based windows service which will access a remote webservice that is protected by SSL/TLS and requires client certificate authentication. The windows service can currently call the webservice when running under the local admin account, but fails when running under the network service account, correct?

Based on my understanding of this, the problem is still likely a permission issue specific to the client machine's authentication certificate. SSL/TLS client authentication requires the client side to provide the full certificate info, so your windows service will need sufficient permission to access the client certificate's private key. I think the Network Service account doesn't have permission to access the private key of that certificate on your problem server. If this is the case, you can consider using the "winhttpcertcfg.exe" tool to grant the network service account sufficient permission to access that client certificate's private key.

#WinHttpCertCfg.exe, a Certificate Configuration Tool
http://msdn.microsoft.com/library/en-us/winhttp/http/winhttpcertcfg_exe__a_certificate_configuration_tool.asp?frame=true

Hope this helps.

Regards,

Steven Cheng
Microsoft Online Community Support

==================================================
When responding to posts, please "Reply to Group" via your newsreader so that others may learn and benefit from your issue.
==================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
Get Secure! www.microsoft.com/security

hello steven,
thanks for your post! yes, your understanding is absolutely correct. we've tried the winhttpcertcfg.exe tool (granted, listed, removed the right), but the problem remains. how can we ensure that it is a private key access problem? (any special error codes?) are there any other possibilities?

thanks,
stefan
Thanks for your response stefan,
I'm not sure of the exact steps you used to grant private key access to the Network Service account. I used the following command to grant private key access rights to a certain account or group:

winhttpcertcfg.exe -g -a accountName -c LOCAL_MACHINE\MY -s certSubjectName

Also, for testing, you can consider using the following .net 2.0 code to read out the certificate's private key:

===================
using System;
using System.Security.Cryptography.X509Certificates;

class KeyReadTest
{
    static void Run()
    {
        // Open the machine store the service loads its client certificate from.
        X509Store store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        X509Certificate2Collection certs = store.Certificates.Find(
            X509FindType.FindBySubjectName, "Certificate Subject Name", false);
        if (certs.Count > 0)
        {
            // Exporting the key as XML forces the key container to be opened;
            // this is the step that fails for an account without key access.
            Console.WriteLine(certs[0].PrivateKey.ToXmlString(true));
        }
        store.Close();
    }

    static void Main() { Run(); }
}
=================

When the running security context doesn't have sufficient permission to access the target certificate's private key, the PrivateKey.ToXmlString(true) method call won't be able to return the xml format private key value.

Hope this helps.

Regards,

Steven Cheng
Microsoft Online Community Support

Hello Stefan,
How are you doing, and have you made any further progress on this? Or does my last reply also make some sense to you? If there is still anything we can help with, please don't hesitate to post here.

Regards,

Steven Cheng
Microsoft Online Community Support

hello steven,
thanks again for your help. although the private key right had been granted to networkservice (winhttpcertcfg -l), we got the error "Keyset does not exist" when accessing the PrivateKey property.

-----
at System.Security.Cryptography.Utils.CreateProvHandle(CspParameters parameters, Boolean randomKeyContainer)
at System.Security.Cryptography.Utils.GetKeyPairHelper(CspAlgorithmType keyType, CspParameters parameters, Boolean randomKeyContainer, Int32 dwKeySize, SafeProvHandle& safeProvHandle, SafeKeyHandle& safeKeyHandle)
at System.Security.Cryptography.RSACryptoServiceProvider.GetKeyPair()
at System.Security.Cryptography.RSACryptoServiceProvider..ctor(Int32 dwKeySize, CspParameters parameters, Boolean useDefaultKeySize)
at System.Security.Cryptography.X509Certificates.X509Certificate2.get_PrivateKey()
-----

we asked the system admin to reinstall the certificate (LOCAL_MACHINE\MY), called winhttpcertcfg again and ... it worked!

thanks!
stefan

That's great Stefan,
Thanks for the follow-up and for letting me know that you've got it resolved. If you meet any new problem or if there is anything else we can help with in the future, please feel free to post here.

Have a good day!

Regards,

Steven Cheng
Microsoft MSDN Online Support Lead
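Steven's test snippet only shows whether the key can be read; the following added diagnostic (not code from the thread) separates the cases behind Stefan's "Keyset does not exist" error: certificate absent from the store, certificate without a key reference, and a key container the calling identity cannot open. It also reports the container's unique file name, which is the object whose ACL winhttpcertcfg -g edits, so an admin can check it directly. It assumes an RSA certificate in LOCAL_MACHINE\MY; the subject name is a placeholder.

```csharp
// Added diagnostic (not from the thread); assumes an RSA client cert in LocalMachine\My.
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Security.Principal;

static class KeyAccessCheck
{
    static string CheckPrivateKeyAccess(string subjectName)
    {
        X509Store store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
        try
        {
            X509Certificate2Collection certs = store.Certificates.Find(
                X509FindType.FindBySubjectName, subjectName, false);
            if (certs.Count == 0) return "certificate not found in LocalMachine\\My";
            X509Certificate2 cert = certs[0];
            // HasPrivateKey only says the certificate references a key container;
            // it does not prove the calling identity may open it.
            if (!cert.HasPrivateKey) return "certificate carries no private key reference";
            try
            {
                // Reading PrivateKey opens the CSP key container; with insufficient
                // rights this throws. "Keyset does not exist" (NTE_BAD_KEYSET) means the
                // container is missing or unreadable for this identity.
                RSACryptoServiceProvider rsa = cert.PrivateKey as RSACryptoServiceProvider;
                if (rsa == null) return "private key opened, but it is not an RSA CSP key";
                CspKeyContainerInfo info = rsa.CspKeyContainerInfo;
                // UniqueKeyContainerName is the file under ...\Microsoft\Crypto\RSA\MachineKeys
                // whose ACL must grant the service account read access (what winhttpcertcfg -g edits).
                return "OK: key container " + info.UniqueKeyContainerName
                     + " (machine key set: " + info.MachineKeyStore + ")";
            }
            catch (CryptographicException ex)
            {
                return "private key NOT accessible: " + ex.Message;
            }
        }
        finally { store.Close(); }
    }

    static void Main()
    {
        // Shows which identity the check ran under, e.g. NT AUTHORITY\NETWORK SERVICE.
        Console.WriteLine("Running as " + WindowsIdentity.GetCurrent().Name);
        Console.WriteLine(CheckPrivateKeyAccess("Certificate Subject Name"));  // placeholder subject
    }
}
```

Run it once as the administrator and once under the service account (for example via the service itself or a scheduled task) and compare the two verdicts; a container name that differs or an NTE_BAD_KEYSET under one identity only points at the key file rather than the certificate store.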