RE: NetworkService - Could not establish secure channel for SSL/TLS

Hello stefan,

Welcome to the MSDN newsgroup.

From your description, I understand you have a .NET-based Windows service
which will access a remote web service that is protected by SSL/TLS and
requires client certificate authentication. The Windows service can
currently call the web service when running under a local admin account, but
fails when running under the Network Service account, correct?

Based on my understanding of this, the problem is still likely a permission
issue specific to the client machine's authentication certificate. As for
SSL/TLS client authentication, it requires the client side to provide the
full certificate info. So your Windows service will need to have sufficient
permission to access the client certificate's private key. I think the
Network Service account doesn't have permission to access the private key
of that certain certificate on your problem server. If this is the case,
you can consider using the "winhttpcertcfg.exe" tool to grant the Network
Service account sufficient permission to access that client certificate's
private key.

#WinHttpCertCfg.exe, a Certificate Configuration Tool
http://msdn.microsoft.com/library/en-us/winhttp/http/winhttpcertcfg_exe__a_certificate_configuration_tool.asp?frame=true

Hope this helps.

Regards,

Steven Cheng
Microsoft Online Community Support


==================================================

When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.

==================================================


This posting is provided "AS IS" with no warranties, and confers no rights.
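
The permission check described in the reply above, as an added example that is not part of the original post or of any Microsoft tool. It reports whether the service account can read the client certificate's private-key file and grants read-only access on request. Assumptions: Windows PowerShell 5.1 run elevated, a CSP (non-CNG) RSA key in LocalMachine\My stored under ProgramData, and a placeholder subject name.

```powershell
# Added example: audit (and optionally grant) private-key read access.
# Equivalent grant with the tool named in the post:
#   winhttpcertcfg -g -c LOCAL_MACHINE\My -s "example-client" -a "NETWORK SERVICE"
param(
    [string]$Subject = 'CN=example-client',          # constructed placeholder
    [string]$Account = 'NT AUTHORITY\NETWORK SERVICE',
    [switch]$Grant                                    # without it, audit only
)

$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "*$Subject*" -and $_.HasPrivateKey } |
    Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key matches '$Subject'." }

# CSP keys expose the key container file name; for CNG keys this is $null.
$container = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
if (-not $container) { throw 'Key is not CSP-backed; CNG keys are not handled here.' }

$keyFile = Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$container"
$acl     = Get-Acl -Path $keyFile
$sidType = [System.Security.Principal.SecurityIdentifier]
$sid     = (New-Object System.Security.Principal.NTAccount($Account)).Translate($sidType)
$read    = [System.Security.AccessControl.FileSystemRights]::Read

# Direct ACEs for the account only; access inherited via group membership is not evaluated.
$hasRead = $acl.GetAccessRules($true, $true, $sidType) | Where-Object {
    $_.IdentityReference -eq $sid -and
    $_.AccessControlType -eq 'Allow' -and
    ($_.FileSystemRights -band $read) -eq $read
}

if ($hasRead) {
    "$Account already has read access to $keyFile"
}
elseif ($Grant) {
    # Read is enough for TLS client authentication; do not grant FullControl.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($sid, $read, 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $keyFile -AclObject $acl
    "Granted read on $keyFile to $Account"
}
else {
    "$Account has no direct read access to $keyFile; re-run with -Grant to add it."
}
```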