Service Fabric: Authenticating with Azure KeyVault via cert: “KeySet does not exist”

▼魔方 西西 提交于 2021-02-08 15:15:05

问题


This is the scenario I am trying to enable:

I wish to authenticate to an azure keyvault from my web service application (azure service fabric) via a client certificate.

These are the steps I'm following:

  1. Add a certificate to my keyvault in azure (self signed)
  2. Download certificate via azure powershell (pfx)
  3. Create Azure App Instance to identify my app
  4. Associate certificate with app
  5. Create service principal for the azure app
  6. Give principal access to keyvault

All looks good. When I spin up my service (local service fabric cluster), and try to connect to keyvault to retrieve a secret key+value that I have stored inside, I get error:

CryptographicException: "KeySet does not exist"

When I try to examine PrivateKey property value of the X509Certificate2 object at runtime, it throws the same exception.

The certificate is found, and the private key exists (I verified this via MMC as well as some command line tools).

What can I be missing? Only cause I can think of for this failure is that service fabric user context (Network Service, I think) does not have permission to look at private key? It is stored in "LocalMachine" certificate store, under Personal" folder (also referred to as "My"). From what I know, applications should be able to read from LocalMachine store without special permissions?


回答1:


An alternative easier way to grant NETWORK SERVICE user permission on certificate private key (easier than my other answer):

  1. Open certificate snap-in in MMC: WIN + R -> type mmc -> File -> Add/Remove Snap-in -> Add Certificates (Computer Account).
  2. Find your certificate -> Right click and choose All Tasks/Manage Private Keys
  3. Grant Read Permission for NETWORK SERVICE user



回答2:


Ok, my suspicion was correct. I explicitly granted Network Service user (the user context under which local service fabric cluster runs) access to private key file. Now I can authenticate with keyvault.

cacls.exe "C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\{private-key-filename}" /e /g "Network Service":R

I found private key location via a tool program "FindPrivateKey.exe"

findprivatekey.exe My LocalMachine -t "{thumbprint}" -a

Tool can be obtained from https://www.microsoft.com/en-us/download/confirmation.aspx?id=21459

(It is a source code sample located in directory \WCF\Setup\FindPrivateKey\CS\FindPrivateKey.sln, you need to build it yourself)




回答3:


I ran into the same problem and granting read permission to Network Service worked for me. There is also another way to run run high-privilege service as Local System user described here:

https://docs.microsoft.com/en-us/azure/service-fabric/service-fabric-run-script-at-service-startup

You can modify your Service Fabric ApplicationManifest.xml to

  1. define a service principal corresponding to local machine
  2. use that service principal to run the service fabric package created

final ApplicationManifest.xml would look something like:

<?xml version="1.0" encoding="utf-8"?>
<ApplicationManifest xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  ...
  <ServiceManifestImport>
    ...
    <Policies>
      <RunAsPolicy CodePackageRef="Code" UserRef="LocalSystemUser" /> <!-- 2. run service fabric as defined principal -->
    </Policies>
  </ServiceManifestImport>

  <Principals>
    <Users>
      <User Name="LocalSystemUser" AccountType="LocalSystem" /> <!-- 1. define principal -->
    </Users>
  </Principals>
</ApplicationManifest>


来源:https://stackoverflow.com/questions/46964941/service-fabric-authenticating-with-azure-keyvault-via-cert-keyset-does-not-ex

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!