Avoiding administrator access for SslStream.AuthenticateAsClient?

Submitted by 喜夏-厌秋 on 2020-01-13 06:54:10

Question


I have an application which uses the .NET SslStream class along with client and server certificates. This application works great on Windows XP. However on Windows 7 (probably Vista too), the below exception appears when calling SslStream.AuthenticateAsClient:

System.ComponentModel.Win32Exception: The credentials supplied to the package were not recognized   
  at System.Net.SSPIWrapper.AcquireCredentialsHandle(SSPIInterface SecModule, String package, CredentialUse intent, SecureCredential scc)   
  at System.Net.Security.SecureChannel.AcquireCredentialsHandle(CredentialUse credUsage, SecureCredential& secureCredential)   
  at System.Net.Security.SecureChannel.AcquireClientCredentials(Byte[]& thumbPrint)   
  at System.Net.Security.SecureChannel.GenerateToken(Byte[] input, Int32 offset, Int32 count, Byte[]& output)   
  at System.Net.Security.SecureChannel.NextMessage(Byte[] incoming, Int32 offset, Int32 count)   
  at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)   
  at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)   
  at System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)   
  at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)   
  at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)   
  at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)   
  at System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncProtocolRequest asyncRequest)   
  at System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult)   
  at System.Net.Security.SslStream.AuthenticateAsClient(String targetHost, X509CertificateCollection clientCertificates, SslProtocols enabledSslProtocols, Boolean checkCertificateRevocation)

If the application is "run as" Administrator on Windows 7, everything works great. I'm guessing the root cause here is that AuthenticateAsClient needs the private key for the client certificate (which is installed in the local machine personal certificate store) and that action requires administrator access.

My question is whether there is anything that can be done to remedy this? Or is it simply a fact of life that the use of AuthenticateAsClient with a client certificate requires administrator privileges?


Answer 1:


Have you tried giving the current user access rights to the certificate using WinHttpCertCfg?

Something like:

winhttpcertcfg -g -c LOCAL_MACHINE\My -s MyCertificate -a TESTUSER

For more information see this article.




Answer 2:


The Microsoft Management Console (MMC) enables administrators to import client certificates to a local computer. However, importing a certificate does not automatically grant access to the private key for other accounts. This private key is required for client certificate authentication. The Microsoft Windows HTTP Services (WinHTTP) certificate configuration tool provides the ability to grant access to additional accounts, such as the IWAM account, when required.

https://msdn.microsoft.com/en-us/library/aa384088(VS.85).aspx#_using
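
The grant that both answers describe with WinHttpCertCfg can also be made by editing the ACL on the private-key file itself. The PowerShell script below is an added example, not part of the original answers; it assumes an RSA key stored on disk, .NET Framework 4.6 or later, an elevated prompt, and reuses the placeholder names MyCertificate and TESTUSER from the first answer.

```powershell
# Added example. Run once from an elevated prompt so the application
# itself can afterwards run without administrator rights.
$subjectName = 'MyCertificate'   # placeholder subject from Answer 1
$account     = 'TESTUSER'        # placeholder account from Answer 1

# Locate the client certificate in the local machine personal store.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.Subject -like "*$subjectName*" } |
    Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key matches '$subjectName'." }

# Resolve the key file. CNG and legacy CSP keys live in different folders.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
if ($rsa -is [System.Security.Cryptography.RSACng]) {
    $keyFile = Join-Path $env:ProgramData "Microsoft\Crypto\Keys\$($rsa.Key.UniqueName)"
} elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
    $name    = $rsa.CspKeyContainerInfo.UniqueKeyContainerName
    $keyFile = Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$name"
} else {
    throw 'Private key is not an RSA key handled by this example.'
}
if (-not (Test-Path -LiteralPath $keyFile)) {
    throw "Key file not found (hardware-backed or custom provider?): $keyFile"
}

# Show who can read the key today, then add read-only access for one account.
$acl = Get-Acl -LiteralPath $keyFile
$acl.Access | Format-Table IdentityReference, FileSystemRights, AccessControlType

$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($account, 'Read', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -LiteralPath $keyFile -AclObject $acl

# Confirm the new entry is present.
(Get-Acl -LiteralPath $keyFile).Access |
    Where-Object { $_.IdentityReference -like "*$account" } |
    Format-Table IdentityReference, FileSystemRights, AccessControlType
```

Granting Read to the single account that runs the application keeps the key unreadable to every other non-administrator on the machine.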



Source: https://stackoverflow.com/questions/4151401/avoiding-administrator-access-for-sslstream-authenticateasclient
