Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Client certificate authentication and CA certificate in Azure

Tags:

certificate

azure-web-roles

client-certificates

azure

I need to authenticate requests to Azure Cloud Service Web Role using client certificates. How to put the Certification Authority (CA) root certificate in a right trusted store?

I tried to upload it in Management Portal and then defining it in service definition file with AuthRoot store name:

<Certificate name="RootCA" storeLocation="LocalMachine" storeName="AuthRoot" />

What's really strange is that it works... but only sometimes. It may work after an instance reboot, but may not work after a service update or another instance reboot. It seems like a bug in Azure.

When I say "works" I mean server successfully accepts the client certificate and processes the request. When I say "doesn't work" I mean server doesn't negotiate a connection after certificate checks and "The request was aborted: Could not create SSL/TLS secure channel." exception is thrown on a client side.

How to make it working stable?

UPD:

Found this record in System Windows Event Log (source is Schannel):

When asking for client authentication, this server sends a list of trusted certificate authorities to the client. The client uses this list to choose a client certificate that is trusted by the server. Currently, this server trusts so many certificate authorities that the list has grown too long. This list has thus been truncated. The administrator of this machine should review the certificate authorities trusted for client authentication and remove those that do not really need to be trusted.

like image 793
alexey Avatar asked Feb 11 '13 12:02

alexey

1 Answers

The exact problem is described here: http://support.microsoft.com/kb/2801679.

After December 2012 Windows update a lot of certificates were added to AuthRoot store. So we have to remove them to solve the problem.

To make it I use PowerShell startup task:

Get-ChildItem -Path Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates | Where-Object {$_.Name -notlike "*\<YOUR_CERTIFICATE_THUMBPRINT>"} | Remove-Item

To run it from CMD startup task:

PowerShell -ExecutionPolicy Unrestricted .\Startup.ps1
exit /b %errorlevel%

And in ServiceDefinition.csdef:

<WebRole name="Web">
  <Startup>
    <Task commandLine="Startup.cmd" executionContext="elevated" taskType="simple" />
  </Startup>
  <!-- ... ->
</WebRole>
like image 94
alexey Avatar answered Oct 02 '22 00:10

alexey
Sign in to Comment

Related questions

Azure purge script from Azure DevOps
Azure SQL failover group, what does the grace period mean?
ASP.NET Core 3.1 web API (versioning) and Swagger UI fails due to MvcJsonOptions once published to Azure
How to know the previous step result in Azure DevOps build Pipe line?
Limiting Azure Functions Rate of Service Bus Message Intake
How to install a nuget package from another package source in azure devops pipeline?
Where are auto generated SSH keys stored in Windows using azure cli --generate-ssh-keys
Azure Application Insights log severity levels
Timer Trigger with Azure Functions V3 (.NET 5)
Retrieve Response Headers in Silverlight?
Windows Azure & ASP.NET session
Switching from one connectionstring to another when moving from development to cloud
Windows Azure Basic Authentication
Azure BLOB storage - Pricing and speed "Within the data center"
validateRequest="false" not working, even with requestValidationMode="2.0"
Azure ports required?
relay WebHttpRelayBinding to webapi service
Windows Azure Emulator "Invalid access to memory location."
When should I use LongRunning Task Creation option?
Trouble getting Caching working inside Azure Web Sites

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!