 

Certificate problem with a new machine - credentials supplied to package not recognized

I am installing a Windows service on a new machine. The service does various operations over SslStream over TCP, which uses the certificate in question.

The service has been operating fine with the same code and the same certificate on 2 other Windows 2003 machines. But this new machine is Windows 2003 too, with a 64-bit processor.

I am running into this problem when I am trying to run the service with a 'Service Account' identity. It works fine with my own credentials. (Again, it works fine on the other 2 machines with this service account.)

I do not have 'strong protection' enabled while importing the certificate.

Here is the stack trace.

System.ComponentModel.Win32Exception: The credentials supplied to the package were not recognized
   at System.Net.SSPIWrapper.AcquireCredentialsHandle(SSPIInterface SecModule, String package, CredentialUse intent, SecureCredential scc)
   at System.Net.Security.SecureChannel.AcquireCredentialsHandle(CredentialUse credUsage, SecureCredential& secureCredential)
   at System.Net.Security.SecureChannel.AcquireClientCredentials(Byte[]& thumbPrint)
   at System.Net.Security.SecureChannel.GenerateToken(Byte[] input, Int32 offset, Int32 count, Byte[]& output)
   at System.Net.Security.SecureChannel.NextMessage(Byte[] incoming, Int32 offset, Int32 count)
   at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult)
   at System.Net.Security.SslStream.AuthenticateAsClient(String targetHost, X509CertificateCollection clientCertificates, SslProtocols enabledSslProtocols, Boolean checkCertificateRevocation)

cdpnet asked Feb 23 '10 23:02


3 Answers

I used the solution from this thread - "The credentials supplied to the package were not recognized" error when authenticating as server with certificate generated using BouncyCastle.

In short:

  • mmc - Add/Remove Snap-in - Certificates - Add
  • Open menu with your certificates.
  • All Tasks > Manage Private Keys and set access to Everyone or your App account.
Anton Semenov answered Nov 11 '22 02:11


I have had this problem both when running under the ASP.NET account and when using a Windows service (under the Local System account). If you're running under ASP.NET, for Windows 2003 you need to use the WinHttpCertCfg.exe tool as described by cdpnet above. Windows 2008 R2 allows you to access the rights using the GUI, which is a nice improvement.

However, when running as a Windows service, you need to ensure that the certificate is in the personal certificate store, by going into mmc and adding the certificate snap-in for either the Windows service account or, if you are using the 'Local System' account, just the snap-in for the local computer.

Here is the difference I've found...

If you had installed the personal certificate to your own user's certificate store and copied and pasted it to the local computer store, this doesn't always work. However, if you delete the certificate from the local computer store, personal folder, you can then right click on the personal folder in the local computer store, then import and go through the wizard.

For some reason, this fixes it and assigns the correct permissions for using the certificate. Good luck!

Alexis answered Nov 11 '22 03:11


I found the problem and its solution.

The idea is to grant permissions to the account which is used for service identity.

You need to use the tool WinHttpCertCfg.exe. This is helpful for applications using client certificates to get authorization.

It's nicely explained here: http://support.microsoft.com/kb/901183

Thanks to Feroze Daud (http://ferozedaud.blogspot.com/), who answered me on a different forum.

cdpnet answered Nov 11 '22 01:11
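A way to check, and only on request fix, the private key ACL that Anton Semenov's answer grants through mmc and cdpnet's answer grants through WinHttpCertCfg.exe. This is an added PowerShell example, not code from the question or any answer; it assumes the certificate sits in LocalMachine\My with a CAPI (legacy CSP) RSA key, that PowerShell runs elevated, and that the thumbprint and account name are placeholders.

```powershell
# Added example, not code from the question or any answer. Assumptions:
# the certificate is in LocalMachine\My with a CAPI (legacy CSP) RSA key,
# PowerShell runs elevated, and the thumbprint and account are placeholders.
param(
    [string]$Thumbprint     = 'PLACEHOLDER_THUMBPRINT',
    [string]$ServiceAccount = 'DOMAIN\svc_placeholder',
    [switch]$Grant          # diagnose only unless -Grant is given
)

$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert)               { throw "Certificate not found in LocalMachine\My" }
if (-not $cert.HasPrivateKey) { throw "No private key: import the PFX, not just the .cer" }

# For CAPI keys the container maps to a file under the machine key store.
# PrivateKey is $null for CNG keys, which keep their files elsewhere.
$csp = $cert.PrivateKey
if (-not $csp) { throw "Key is not CAPI-backed; inspect the CNG key store instead" }
$keyFile = $csp.CspKeyContainerInfo.UniqueKeyContainerName
$keyPath = Join-Path ([Environment]::GetFolderPath('CommonApplicationData')) `
                     "Microsoft\Crypto\RSA\MachineKeys\$keyFile"
if (-not (Test-Path $keyPath)) { throw "Key file $keyPath not found" }

# Does the service account hold an Allow ACE with at least Read?
# (Only direct ACEs are checked; grants via group membership are not resolved.)
$read = [System.Security.AccessControl.FileSystemRights]::Read
$acl  = Get-Acl -Path $keyPath
$ok   = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.IdentityReference.Value -ieq $ServiceAccount -and
    (($_.FileSystemRights -band $read) -eq $read)
}

if ($ok) {
    "OK: $ServiceAccount can read the private key file $keyPath"
} elseif ($Grant) {
    # Same effect as 'Manage Private Keys' in mmc, but limited to Read and
    # to the service account instead of Everyone.
    $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
                       -ArgumentList $ServiceAccount, $read, 'Allow'
    $acl.AddAccessRule($rule)
    Set-Acl -Path $keyPath -AclObject $acl
    "Granted Read on $keyPath to $ServiceAccount"
} else {
    "MISSING: $ServiceAccount has no Read ACE on $keyPath (rerun with -Grant)"
}
```

Run it without -Grant first to see which key file the certificate maps to and whether the service identity already appears in its ACL.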