问题
I have an application which uses the .NET SslStream class along with client and server certificates. This application works great on Windows XP. However on Windows 7 (probably Vista too), the below exception appears when calling SslStream.AuthenticateAsClient:
System.ComponentModel.Win32Exception: The credentials supplied to the package were not recognized
at System.Net.SSPIWrapper.AcquireCredentialsHandle(SSPIInterface SecModule, String package, CredentialUse intent, SecureCredential scc)
at System.Net.Security.SecureChannel.AcquireCredentialsHandle(CredentialUse credUsage, SecureCredential& secureCredential)
at System.Net.Security.SecureChannel.AcquireClientCredentials(Byte[]& thumbPrint)
at System.Net.Security.SecureChannel.GenerateToken(Byte[] input, Int32 offset, Int32 count, Byte[]& output)
at System.Net.Security.SecureChannel.NextMessage(Byte[] incoming, Int32 offset, Int32 count)
at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult)
at System.Net.Security.SslStream.AuthenticateAsClient(String targetHost, X509CertificateCollection clientCertificates, SslProtocols enabledSslProtocols, Boolean checkCertificateRevocation)
If the application is "run as" Administrator on Windows 7, everything works great. I'm guessing the root cause here is that AuthenticateAsClient needs the private key for the client certificate (which is installed in the local machine personal certificate store) and that action requires administrator access.
My question is whether there is anything that can be done to remedy this? Or is it simply a fact of life that the use of AuthenticateAsClient with a client certificate requires administrator privileges?
回答1:
Have you tried giving the current user access rights to the certificate using WinHttpCertCfg?
Something like:
winhttpcertcfg -g -c LOCAL_MACHINE\My -s MyCertificate -a TESTUSER
For more information see this article.
回答2:
The Microsoft Management Console (MMC) enables administrators to import client certificates to a local computer. However, importing a certificate does not automatically grant access to the private key for other accounts. This private key is required for client certificate authentication. The Microsoft Windows HTTP Services (WinHTTP) certificate configuration tool provides the ability to grant access to additional accounts, such as the IWAM account, when required.
https://msdn.microsoft.com/en-us/library/aa384088(VS.85).aspx#_using
来源:https://stackoverflow.com/questions/4151401/avoiding-administrator-access-for-sslstream-authenticateasclient