Certificate problem with a new machine - credentials supplied to package not recognized

cdpnet · Feb 24, 2010 · Viewed 16.7k times

I am installing a Windows service on a new machine. The service does various operations over SslStream over TCP, which uses the certificate in question.

The service has been operating fine with the same code and the same certificate on 2 other Windows 2003 machines. But this new machine is Windows 2003 with a 64-bit processor too.

I am running into this problem when I try to run the service with a 'Service Account' identity. It works fine with my own credentials. (Again, it works fine on the other 2 machines with this service account.)

I do not have 'strong protection' enabled while importing the certificate.

Here is the stack trace.

System.ComponentModel.Win32Exception: The credentials supplied to the package were not recognized
   at System.Net.SSPIWrapper.AcquireCredentialsHandle(SSPIInterface SecModule, String package, CredentialUse intent, SecureCredential scc)
   at System.Net.Security.SecureChannel.AcquireCredentialsHandle(CredentialUse credUsage, SecureCredential& secureCredential)
   at System.Net.Security.SecureChannel.AcquireClientCredentials(Byte[]& thumbPrint)
   at System.Net.Security.SecureChannel.GenerateToken(Byte[] input, Int32 offset, Int32 count, Byte[]& output)
   at System.Net.Security.SecureChannel.NextMessage(Byte[] incoming, Int32 offset, Int32 count)
   at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult)
   at System.Net.Security.SslStream.AuthenticateAsClient(String targetHost, X509CertificateCollection clientCertificates, SslProtocols enabledSslProtocols, Boolean checkCertificateRevocation)

Answer

cdpnet · Feb 24, 2010

I found the problem and its solution.

The idea is to grant permissions to the account which is used for service identity.

You need to use the tool WinHttpCertCfg.exe. This is helpful for applications that use client certificates to get authorization.

It's nicely explained here: http://support.microsoft.com/kb/901183

Thanks to Feroze Daud (http://ferozedaud.blogspot.com/), who answered me on a different forum.
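
A small diagnostic for the condition described in the answer, as an added example that is not part of the original post: run under the service account, it reports whether that identity can actually use the client certificate's private key. It assumes the certificate sits in the LocalMachine\My store, that the key is RSA, and .NET Framework 4.6 or later; the thumbprint is a placeholder and the class name is hypothetical.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Security.Principal;

static class ClientCertKeyCheck
{
    // Placeholder: set to the thumbprint of your client certificate.
    const string Thumbprint = "<CLIENT-CERT-THUMBPRINT>";

    static int Main()
    {
        // Must be run as the service account to be meaningful.
        Console.WriteLine("Running as: " + WindowsIdentity.GetCurrent().Name);

        // Assumption: the certificate was imported into LocalMachine\My.
        var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            var found = store.Certificates.Find(
                X509FindType.FindByThumbprint, Thumbprint, false);
            if (found.Count == 0)
            {
                Console.WriteLine("Certificate not found in LocalMachine\\My.");
                return 2;
            }
            X509Certificate2 cert = found[0];
            Console.WriteLine("Subject: " + cert.Subject);
            // Reports that a key is associated, not that this account may open it.
            Console.WriteLine("HasPrivateKey: " + cert.HasPrivateKey);

            // Opening the key and signing forces an access check on the key container.
            using (RSA rsa = cert.GetRSAPrivateKey())
            {
                if (rsa == null) { Console.WriteLine("No usable RSA private key."); return 3; }
                rsa.SignData(new byte[] { 1, 2, 3 }, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
            }
            Console.WriteLine("OK: this account can use the private key.");
            return 0;
        }
        catch (CryptographicException ex)
        {
            // Typical result when the account lacks read access to the key.
            Console.WriteLine("Private key not usable by this account: " + ex.Message);
            return 1;
        }
        finally { store.Close(); }
    }
}
```

Comparing the output when run as the service account with the output under an interactive account that works shows whether key permissions are the difference; grant only the service account the read access it needs rather than a broad group.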