NetworkService - Could not establish secure channel for SSL/TLS

  • Thread starter Thread starter Guest
  • Start date Start date
G

Guest

hi,

we've got a windows service calling a ssl- and clientcertificate secured
webservice.

running the windows service as administrator works; the webservice-call
succeeds.

switching the logon to the (preferred) 'network service'-user causes a
"Could not establish secure channel for SSL/TLS" error.

---
at System.Web.Services.Protocols.WebClientProtocol.GetWebResponse(WebRequest
request)
at
System.Web.Services.Protocols.HttpWebClientProtocol.GetWebResponse(WebRequest
request)
at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String
methodName, Object[] parameters)
---

both users can access the X509Store and load the clientcertificate.

is this a rights-problem? (Win2003SP1, IIS6, .NET 2.0, win/web-service on
same machine)



thanks for your help,
stefan
 
Hello stefan,

Welcome to the MSDN newsgroup.

From your description, I understand you have a .net based windows service
which will access a remote webservice that is protected by SSL/TLS and
require client certificate authentication. The windows service can
currently call the webservice when running under local admin account, but
failed when running under the network service account, correct?

Based on my understanding on this, the problem is still likely a permission
issue specific to the client machine's authentication certificate. As for
SSL/TLS client authentication, it'll require the client-side provide the
full certificate info. So your windows service will need to have sufficient
permission to access the client certificate's private key. I think the
Network Service account doesn't have permission to acccess the private key
of that certain certificate on your problem server. If this is the case,
you can consider using the "winhttpcertcfg.exe" tool to grant the network
servcie account the sufficient permission to access that client-certi's
private key.

#WinHttpCertCfg.exe, a Certificate Configuration Tool
http://msdn.microsoft.com/library/en-us/winhttp/http/winhttpcertcfg_exe__a_c
ertificate_configuration_tool.asp?frame=true

Hope this helps.

Regards,

Steven Cheng
Microsoft Online Community Support


==================================================

When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.

==================================================


This posting is provided "AS IS" with no warranties, and confers no rights.



Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)
 
hello steven,

thanks for your post! yes, your understanding is absolutely correct.

we've tried the winhttpcertcfg.exe - tool (granted, listed, removed right),
but the problem remains.

how can we ensure that it is a private key access problem? (any special
error-codes?)

are there any other possibilities?

thanks,
stefan
 
Thanks for your response stefan,

I'm not sure on the exact steps you grant private key access to the Network
Service account, I used the following command to grant private key access
right to a certain account or group:

winhttpcertcfg.exe -g-a accountName -c LOCAL_MACHINE\MY -s certSubjectName

Also, for testing, you can consider using the following .net 2.0 code to
read out the certificate's private key:

===================
static void Run()
{
X509Store store = new
X509Store(StoreName.My,StoreLocation.LocalMachine);
store.Open(OpenFlags.ReadOnly);

X509Certificate2Collection certs =
store.Certificates.Find(X509FindType.FindBySubjectName, "Certificate
Subject Name", false);

if (certs.Count > 0)
{

Console.WriteLine(certs[0].PrivateKey.ToXmlString(true));
}

store.Close();
}
=================

when the running security context doesn't have sufficient permission to
access the target certificate's private key, the

PrivateKey.ToXmlString(true)

method call won't be able to return the xml format private key value.

Hope this helps.

Regards,

Steven Cheng
Microsoft Online Community Support


==================================================

When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.

==================================================


This posting is provided "AS IS" with no warranties, and confers no rights.



Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)
 
Hello Stefan,

How are you doing and have you got any further progress on this? Or does my
last reply also make some sense to you? If there is still anything we can
help, please don't hesitate to post here.

Regards,

Steven Cheng
Microsoft Online Community Support


==================================================

When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.

==================================================


This posting is provided "AS IS" with no warranties, and confers no rights.



Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)
 
hello steven,

thanks again for your help.

although the private key right had been granted to networkservice
(winhttpcertcfg -l) we got the error "Keyset does not exist" when accessing
the PrivateKey-property.

-----
at System.Security.Cryptography.Utils.CreateProvHandle(CspParameters
parameters, Boolean randomKeyContainer)
at System.Security.Cryptography.Utils.GetKeyPairHelper(CspAlgorithmType
keyType, CspParameters parameters, Boolean randomKeyContainer, Int32
dwKeySize, SafeProvHandle& safeProvHandle, SafeKeyHandle& safeKeyHandle)
at System.Security.Cryptography.RSACryptoServiceProvider.GetKeyPair()
at System.Security.Cryptography.RSACryptoServiceProvider..ctor(Int32
dwKeySize, CspParameters parameters, Boolean useDefaultKeySize)
at
System.Security.Cryptography.X509Certificates.X509Certificate2.get_PrivateKey()
-----

we asked the system admin to reinstall the certificate (LOCAL_MACHINE\MY),
called winhttpcertcfg again and ... it worked!

thanks!

stefan
 
That's great Stefan,

Thanks for the followup and let me know that you've got it resolved. If you
meet any new problem or if there is anything else we can help in the
future, please feel free to post here.

Have a good day!

Regards,

Steven Cheng
Microsoft MSDN Online Support Lead


==================================================

When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.

==================================================


This posting is provided "AS IS" with no warranties, and confers no rights.



Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)
 
Back
Top