NetworkService - Could not establish secure channel for SSL/TLS

Guest

hi,

we've got a windows service calling an SSL- and client-certificate-secured
webservice.

running the windows service as administrator works; the webservice-call
succeeds.

switching the logon to the (preferred) 'Network Service' user causes a
"Could not establish secure channel for SSL/TLS" error.

---
at System.Web.Services.Protocols.WebClientProtocol.GetWebResponse(WebRequest request)
at System.Web.Services.Protocols.HttpWebClientProtocol.GetWebResponse(WebRequest request)
at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters)
---

both users can access the X509Store and load the client certificate.

is this a rights problem? (Win2003 SP1, IIS6, .NET 2.0, windows service and
web service on the same machine)



thanks for your help,
stefan
 
Steven Cheng[MSFT]

Hello stefan,

Welcome to the MSDN newsgroup.

From your description, I understand you have a .NET-based windows service
which accesses a remote webservice that is protected by SSL/TLS and
requires client certificate authentication. The windows service can
currently call the webservice when running under the local admin account, but
fails when running under the Network Service account, correct?

Based on my understanding of this, the problem is still likely a permission
issue specific to the client machine's authentication certificate. For
SSL/TLS client authentication, the client side is required to provide the
full certificate info. So your windows service will need to have sufficient
permission to access the client certificate's private key. I think the
Network Service account doesn't have permission to access the private key
of that particular certificate on your problem server. If this is the case,
you can consider using the "winhttpcertcfg.exe" tool to grant the Network
Service account sufficient permission to access that client certificate's
private key.

#WinHttpCertCfg.exe, a Certificate Configuration Tool
http://msdn.microsoft.com/library/en-us/winhttp/http/winhttpcertcfg_exe__a_c
ertificate_configuration_tool.asp?frame=true

Hope this helps.

Regards,

Steven Cheng
Microsoft Online Community Support


==================================================

When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.

==================================================


This posting is provided "AS IS" with no warranties, and confers no rights.



Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)
 
Guest

hello steven,

thanks for your post! yes, your understanding is absolutely correct.

we've tried the winhttpcertcfg.exe tool (granted, listed, removed the right),
but the problem remains.

how can we make sure that it is a private key access problem? (any special
error codes?)

are there any other possibilities?

thanks,
stefan
 
Steven Cheng[MSFT]

Thanks for your response stefan,

I'm not sure of the exact steps you used to grant private key access to the
Network Service account; I used the following command to grant the private
key access right to a certain account or group:

winhttpcertcfg.exe -g -a accountName -c LOCAL_MACHINE\MY -s certSubjectName

Also, for testing, you can consider using the following .NET 2.0 code to
read out the certificate's private key:

===================
using System;
using System.Security.Cryptography.X509Certificates;

class KeyReadTest
{
    static void Run()
    {
        // Open the machine store the certificate was installed into (LOCAL_MACHINE\MY)
        X509Store store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);

        // Look the client certificate up by its subject name
        X509Certificate2Collection certs = store.Certificates.Find(
            X509FindType.FindBySubjectName, "Certificate Subject Name", false);

        if (certs.Count > 0)
        {
            // Exporting the private key only works if the current account
            // is allowed to open the certificate's key container
            Console.WriteLine(certs[0].PrivateKey.ToXmlString(true));
        }

        store.Close();
    }
}
=================

when the running security context doesn't have sufficient permission to
access the target certificate's private key, the

PrivateKey.ToXmlString(true)

method call won't be able to return the XML-format private key value.

Hope this helps.

Regards,

Steven Cheng
Microsoft Online Community Support


 
Steven Cheng[MSFT]

Hello Stefan,

How are you doing, and have you made any further progress on this? Does my
last reply make sense to you? If there is still anything we can
help with, please don't hesitate to post here.

Regards,

Steven Cheng
Microsoft Online Community Support


 
Guest

hello steven,

thanks again for your help.

although the private key right had been granted to NetworkService
(winhttpcertcfg -l), we got the error "Keyset does not exist" when accessing
the PrivateKey property.

-----
at System.Security.Cryptography.Utils.CreateProvHandle(CspParameters parameters, Boolean randomKeyContainer)
at System.Security.Cryptography.Utils.GetKeyPairHelper(CspAlgorithmType keyType, CspParameters parameters, Boolean randomKeyContainer, Int32 dwKeySize, SafeProvHandle& safeProvHandle, SafeKeyHandle& safeKeyHandle)
at System.Security.Cryptography.RSACryptoServiceProvider.GetKeyPair()
at System.Security.Cryptography.RSACryptoServiceProvider..ctor(Int32 dwKeySize, CspParameters parameters, Boolean useDefaultKeySize)
at System.Security.Cryptography.X509Certificates.X509Certificate2.get_PrivateKey()
-----

we asked the system admin to reinstall the certificate (LOCAL_MACHINE\MY),
called winhttpcertcfg again and ... it worked!

thanks!

stefan
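The private-key check Steven suggested and the "Keyset does not exist" failure Stefan hit can be told apart in one diagnostic. The following console program is an added example, not code from the thread; it assumes a .NET 2.0 console project, takes the certificate subject name as its first argument (a placeholder subject is used otherwise), and reports, for each matching certificate in LOCAL_MACHINE\MY, whether the store has a key linked to it at all and whether the account the program runs under can actually open that key container. Run it once as the admin and once as Network Service (e.g. from the service itself) and compare.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Added example (not from the newsgroup thread): distinguishes "no key linked to
// the certificate" from "key linked but not readable by this account".
class KeyAccessCheck
{
    static int Main(string[] args)
    {
        string subject = args.Length > 0 ? args[0] : "Certificate Subject Name"; // placeholder
        X509Store store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
        try
        {
            X509Certificate2Collection certs = store.Certificates.Find(
                X509FindType.FindBySubjectName, subject, false);
            if (certs.Count == 0)
            {
                Console.WriteLine("No certificate with subject '{0}' in LocalMachine\\My.", subject);
                return 2;
            }
            foreach (X509Certificate2 cert in certs)
            {
                // HasPrivateKey only says the store entry points at a key container;
                // it does not prove the current account may open that container.
                Console.WriteLine("{0}  HasPrivateKey={1}", cert.Thumbprint, cert.HasPrivateKey);
                try
                {
                    RSACryptoServiceProvider rsa = cert.PrivateKey as RSACryptoServiceProvider;
                    if (rsa == null) { Console.WriteLine("  key is not an RSA CSP key"); continue; }
                    CspKeyContainerInfo info = rsa.CspKeyContainerInfo;
                    // UniqueKeyContainerName is the key file name under the CSP's MachineKeys
                    // directory; its ACL is what winhttpcertcfg -g edits.
                    Console.WriteLine("  key container opened OK: '{0}' (file {1}, machine store={2})",
                        info.KeyContainerName, info.UniqueKeyContainerName, info.MachineKeyStore);
                }
                catch (CryptographicException ex)
                {
                    // NTE_BAD_KEYSET (0x80090016, "Keyset does not exist") with HasPrivateKey
                    // true means the container is linked but not readable by this account
                    // (missing key-file ACL) or the certificate/key link is stale.
                    Console.WriteLine("  private key NOT accessible: {0} (HRESULT 0x{1:X8})",
                        ex.Message, Marshal.GetHRForException(ex));
                }
            }
            return 0;
        }
        finally { store.Close(); }
    }
}
```

If the output shows HasPrivateKey=true but the container cannot be opened under Network Service, the fix is on the key file's ACL (or, as in this thread, a reinstall of the certificate so the store entry and key container line up again); if HasPrivateKey is false, no ACL change will help because the store has no key linked to that certificate.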
 
Steven Cheng[MSFT]

That's great Stefan,

Thanks for the follow-up and for letting me know that you've got it resolved. If you
meet any new problem or if there is anything else we can help with in the
future, please feel free to post here.

Have a good day!

Regards,

Steven Cheng
Microsoft MSDN Online Support Lead


 
