.NET windows service fails to start when digitally signed


Ralf

Situation: .NET windows service

All worked fine until we digitally signed the service exe. After that,
starting the service often fails (A timeout was reached (30000 milliseconds)
while waiting for the ... service to connect.). I can reproduce this
behaviour with XP x64.

Looks like Windows tries to verify the signature and this takes too much
time. When I disconnect the computer from the internet, the service starts.

I am not the only one having this problem:

http://www.codeprof.com/dev-archive/209/12-44-2099945.shtm

http://www.msnewsgroups.net/group/microsoft.public.dotnet.languages.csharp/topic2033.aspx

Any solutions?

Thanks for your help
Ralf
 

Steven Cheng[MSFT]

Hi Ralf,

Regarding the issue you encountered, it is caused by the CLR's
certificate revocation list verification for digitally signed assemblies.

The CLR is taking a long time verifying the digital signature of the service
executable. If the machine doesn't have an internet connection, we can
probably disable CRL revocation checking. Otherwise, it will time out only
after 60 seconds. But this activity has to be approached from an
Administrator perspective and NOT programmatically. There is no per-process
or application setting. I know how to do it for the current user using the .NET
Framework SDK tool called setreg as below (you can execute it in the VS
2005 .NET command-line prompt):

setreg.exe 3 FALSE

for disabling CRL revocation checking.

This tool changes the registry settings for the current user account (under
HKCU\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust
Providers\Software Publishing\State). The registry key location is not
documented.

Another means you may try is to download the signature file manually and
install it in the system. This again should be done by a system
Administrator.

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead



==================================================

Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notifications.



Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at
http://msdn.microsoft.com/subscriptions/support/default.aspx.

==================================================


This posting is provided "AS IS" with no warranties, and confers no rights.

 

Ralf

Hi Steven,

thanks for your help.

> I know how to do it for the current user using the .NET
> Framework SDK tool called setreg as below (you can execute it in the VS
> 2005 .NET command-line prompt):
>
> setreg.exe 3 FALSE

Does that work if the service is running in the local system context?

> This tool changes the registry settings for the current user account
> (under
> HKCU\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust
> Providers\Software Publishing\State). The registry key location is not
> documented.

I am not really happy with that. Sounds like building a security hole in
the system.

> This again should be done by a system Administrator.

That's a problem. We are selling standard software and our customers expect
that they can install and run the software without error messages and
without the need to reconfigure their system.

Thanks
Ralf
 

Ralf

Hi Steven,

I tried your suggestions:

Does not work. I assume the reason is that this is a current user setting
but the service is running as local system.

> Another means you may try is to download the signature file manually and
> install it in the system.

Does not work either. I tried different locations in the system certificate
store (e.g. "trusted publishers" and "personal").

Another idea?

There must be a solution. We cannot be the only company using .NET services
and signing them, can we?

Best regards
Ralf
 

Steven Cheng[MSFT]

Thanks for your reply Ralf,

Sure, there must be someone else who has encountered the same problem. And the
suggestions I provided in my previous message just refer to some of the
solutions. Not sure of the exact reason why it does not work on your
side. As you mentioned the "Local System" case, have you tried applying it to
a service not running in the local system context to see whether it works?

I'll do some further research to see whether there is any other settings we
can use. I'll let you know if I get any update on this.

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead




--------------------
Subject: Re: .NET windows service fails to start when digitally signed
Date: Tue, 29 Jan 2008 11:43:26 +0100
 

Ralf

Hi Steven,

I found out that Microsoft has the same problem with Exchange 2007:
"Exchange 2007 managed code services do not start after you install an
update rollup for Exchange 2007"
http://support.microsoft.com/kb/944752/en-us

60000ms (HKLM\SYSTEM\CurrentControlSet\ServicesPipeTimeout).

I also tried a different approach: using the .NET Framework 3.5 and inserting
the following section in the app.config seems to work too, without changing
system timeout values:
<configuration>
<runtime>
<generatePublisherEvidence enabled="false"/>
</runtime>
</configuration>

So I decided to use the .NET-Framework 3.5......and got into the next
trouble.
I can't install the .NET-Framework on several XP machines. The setup shows
an error message (setup encountered a problem) and quits. Grrrrrrrrr. Is
there a working setup for the .NET-Framework 3.5 available?

Regards
Ralf
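As an added example (not code from the thread, from Ralf, or from Microsoft), the following Python script audits an app.config for the generatePublisherEvidence element Ralf used and rewrites the file to disable publisher evidence generation when the element is missing or still enabled. It assumes the usual app.config layout (a configuration root with an optional runtime child); the sample configs and the function names are constructed for this example.

```python
"""Audit and remediate the <generatePublisherEvidence> setting in a .NET
app.config. Added example, not code from the thread or from Microsoft; it
assumes the usual app.config layout (root <configuration>, optional <runtime>
child). Function names and sample configs are my own."""
import xml.etree.ElementTree as ET

# Constructed sample: a service config without any <runtime> section, which
# leaves the CLR default (publisher evidence generated, CRL lookup at start).
SAMPLE_CONFIG_MISSING = """<?xml version="1.0"?>
<configuration>
  <appSettings>
    <add key="LogLevel" value="Info"/>
  </appSettings>
</configuration>
"""

# Constructed sample: the element is present but explicitly left enabled.
SAMPLE_CONFIG_ENABLED = """<configuration>
  <runtime>
    <generatePublisherEvidence enabled="true"/>
  </runtime>
</configuration>
"""


def _root(config_xml):
    """Parse the config and insist on the <configuration> root."""
    root = ET.fromstring(config_xml)
    if root.tag != "configuration":
        raise ValueError("expected <configuration> root, got <%s>" % root.tag)
    return root


def publisher_evidence_disabled(config_xml):
    """True only if <runtime><generatePublisherEvidence enabled="false"/> is
    present. A missing element or any other value means the CLR default:
    Authenticode verification (with its CRL lookup) runs at service start."""
    elem = _root(config_xml).find("./runtime/generatePublisherEvidence")
    if elem is None:
        return False
    return elem.get("enabled", "true").strip().lower() == "false"


def disable_publisher_evidence(config_xml):
    """Return the config text with publisher evidence generation disabled,
    creating <runtime> and/or the element as needed and leaving every other
    section untouched. The XML declaration is not preserved by ElementTree."""
    root = _root(config_xml)
    runtime = root.find("runtime")
    if runtime is None:
        runtime = ET.SubElement(root, "runtime")
    elem = runtime.find("generatePublisherEvidence")
    if elem is None:
        elem = ET.SubElement(runtime, "generatePublisherEvidence")
    elem.set("enabled", "false")
    return ET.tostring(root, encoding="unicode")


def audit(config_xml):
    """One-line finding a deployment check could log for each service exe."""
    if publisher_evidence_disabled(config_xml):
        return "OK: publisher evidence disabled; no CRL lookup at CLR start"
    return "FINDING: CLR will build Publisher evidence at start (network-dependent)"


if __name__ == "__main__":
    for name, cfg in (("missing", SAMPLE_CONFIG_MISSING),
                      ("enabled", SAMPLE_CONFIG_ENABLED)):
        print(name, "->", audit(cfg))
        fixed = disable_publisher_evidence(cfg)
        print(fixed)
        print(name, "after fix ->", audit(fixed))
```

The element only stops the CLR from building Publisher evidence (the Authenticode check, including its CRL lookup) when the assembly loads; the Authenticode signature on the exe stays intact and is still checked by other parts of Windows. It is honoured from .NET Framework 2.0 SP1 (which the 3.5 installer carries) through 3.5, which matches Ralf's observation that it needs 3.5 on a machine that only had 2.0; from .NET 4 onward the CLR no longer generates Publisher evidence by default, so the setting is moot there.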
 

Steven Cheng[MSFT]

Hi Ralf,

Glad that you've found a workaround. As for .NET 3.5, you can download it
from the following site:

http://www.microsoft.com/downloads/details.aspx?familyid=333325FD-AE52-4E35-B531-508D977D32A6&displaylang=en

Also, since .NET 3.5 adds incremental features on top of .NET 2.0 and 3.0, I
suggest you install all of them in order.

http://forums.microsoft.com/MSDN/ShowPost.aspx?PostID=1560746&SiteID=1

Make sure that you don't have any previously installed beta components of VS
2008 (Orcas). For potential install problems, here are some existing
articles that describe some of the problems:

http://blogs.msdn.com/astebner/archive/2007/11/01/5826719.aspx

http://forums.microsoft.com/MSDN/ShowPost.aspx?PostID=1560746&SiteID=1

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead






--------------------
From: "Ralf" <[email protected]>
Subject: Re: .NET windows service fails to start when digitally signed
Date: Wed, 30 Jan 2008 12:33:16 +0100
 
