RE: NetworkService - Could not establish secure channel for SSL/TL



hello steven,

thanks for your post! yes, your understanding is absolutely correct.

we've tried the winhttpcertcfg.exe - tool (granted, listed, removed right),
but the problem remains.

how can we ensure that it is a private key access problem? (any special
error-codes?)

are there any other possibilities?

thanks,
stefan





"Steven Cheng[MSFT]" wrote:

Hello stefan,

Welcome to the MSDN newsgroup.

From your description, I understand you have a .NET-based Windows service
which will access a remote web service that is protected by SSL/TLS and
requires client certificate authentication. The Windows service can
currently call the web service when running under a local admin account, but
fails when running under the Network Service account, correct?

Based on my understanding of this, the problem is still likely a permission
issue specific to the client machine's authentication certificate. As for
SSL/TLS client authentication, it requires the client side to provide the
full certificate info. So your Windows service will need to have sufficient
permission to access the client certificate's private key. I think the
Network Service account doesn't have permission to access the private key
of that certificate on your problem server. If this is the case,
you can consider using the "winhttpcertcfg.exe" tool to grant the Network
Service account sufficient permission to access that client certificate's
private key.

#WinHttpCertCfg.exe, a Certificate Configuration Tool
http://msdn.microsoft.com/library/en-us/winhttp/http/winhttpcertcfg_exe__a_certificate_configuration_tool.asp?frame=true

Hope this helps.

Regards,

Steven Cheng
Microsoft Online Community Support


==================================================

When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.

==================================================


This posting is provided "AS IS" with no warranties, and confers no rights.



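One way to check the private-key permission discussed in this thread, as an added example that is not part of the original posts: it locates the key file behind the client certificate and lists its ACL, then reports whether Network Service is named in an Allow entry with read access. It assumes the certificate is in the LocalMachine\My store with a CSP (CryptoAPI) RSA key, that the script runs from an elevated prompt, and the thumbprint is a placeholder.

```powershell
# Added example, not from the thread. Run from an elevated prompt.
# Assumptions: certificate in LocalMachine\My, CSP (CryptoAPI) RSA key.
$thumbprint        = '<CLIENT-CERT-THUMBPRINT>'  # placeholder: supply your own value
$networkServiceSid = 'S-1-5-20'                  # well-known SID of NT AUTHORITY\NETWORK SERVICE

$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)
try {
    $cert = $store.Certificates |
        Where-Object { $_.Thumbprint -eq $thumbprint } |
        Select-Object -First 1
    if (-not $cert) { throw "Certificate $thumbprint not found in LocalMachine\My" }
    if (-not $cert.HasPrivateKey) { throw 'Certificate has no private key associated with it' }

    # Machine-store CSP keys are files under ...\Microsoft\Crypto\RSA\MachineKeys
    $container = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
    if (-not $container) { throw 'Could not read the key container name (not a CSP key?)' }
    $keyDir  = Join-Path ([Environment]::GetFolderPath('CommonApplicationData')) `
                         'Microsoft\Crypto\RSA\MachineKeys'
    $keyFile = Join-Path $keyDir $container
    if (-not (Test-Path -Path $keyFile -PathType Leaf)) { throw "Key file not found: $keyFile" }

    # List every ACE on the key file, with identities shown as SIDs
    $acl   = Get-Acl -Path $keyFile
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    $rules | Format-Table IdentityReference, AccessControlType, FileSystemRights -AutoSize

    # Only ACEs that name Network Service directly are evaluated here;
    # access granted through a group, or removed by a Deny ACE, is not.
    $read   = [System.Security.AccessControl.FileSystemRights]::Read
    $direct = $rules | Where-Object {
        $_.IdentityReference.Value -eq $networkServiceSid -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.FileSystemRights -band $read) -eq $read
    }
    if ($direct) {
        Write-Output "Network Service has a direct Allow/Read ACE on $keyFile"
    } else {
        Write-Output "No direct Allow/Read ACE for Network Service on $keyFile"
    }
}
finally {
    $store.Close()
}
```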


