Getting "Could not establish secure channel for SSL/TLS with authority" even though ServerCertificateValidationCallback returns true

c# wcf windows-7 ssl-certificate ssl
29,265

Solution 1

Took a couple hours on the phone with a Microsoft engineer, but the problem is solved. Since this is the exact same error message you see with some server certificate problems, I assumed that must be the issue. As it turned out, the test account did not have access to the client certificate private key. This should be resolvable using winhttpcertcfg (like in winhttpcertcfg giving access to iiS user in Windows 7)

Solution 2

This is the root of the problem: ... I have the server cert in the Personal store and the CA cert in the Trusted Root Certificate Authorities store.

If you install the server cert under the test account's personal store it should resolve it, i think the command for cmd prompt should be something like

winhttpcertcfg.exe -g -c LOCALMACHINE\MY -s "certtype" "testuseraccountname"

or use the mmc snap in. (i'm not too sure how reliable this is though, I use the above tool)

Share:
29,265
laindir
Author by

laindir

I'm a programmer with a maths background I'm average at javascript and bash Above average at C, C#, AWK, and Makefiles Damn good at SQL I can write x86, python, ruby, and go, but it won't be idiomatic, performant, or good, so don't ask me about it I can read ARM, Forth, Erlang, and lua, well enough to know what's supposed to happen but I won't see the bug I'm interested in O(n) algorithms and sketches I love Linux, git, ssh, and anything with a command line ed is the standard text editor

Updated on February 12, 2020

Comments

  • laindir
    laindir about 4 years

    I'm working with a vendor who has set up a WCF service (WebHttpBinding) using Transport security with Certificate authentication. I host a similar service for the vendor which is working correctly, so I have a basic idea how this is supposed to work.

    Running on Windows 7, when I consume the service under my own account, everything works fine, and I get a response back. When I consume it under a test account, I get an exception in mscorlib that it "Could not establish secure channel for SSL/TLS with authority X.X.X.X". If I add the test account to the built in Administrators group, it works fine.

    The certificate for the server is self-signed with the subject field set as CN=X.X.X.X, and I have the server cert in the Personal store and the CA cert in the Trusted Root Certificate Authorities store.

    Additionally, if I try setting the System.Net.ServicePointManager.ServerCertificateValidationCallback to print a diagnostic and return true, I get some interesting behavior. Running under my account, the callback is called twice, and then the WCF call succeeds. Running under the test account, it is called once, returns, and then I get the exception above.

    My best guess is that this is related to some privilege the test account lacks, but I don't understand how Windows handles certificates well enough to know for sure, and I don't know where to start looking.

  • laindir
    laindir almost 12 years
    Sorry, that was a poor choice of wording. When I said "the Personal store", I meant Local Machine\Personal in the mmc snap-in... which is LOCALMACHINE\MY. If I add it to MY for the test account, I still see the same error.
  • laindir
    laindir almost 12 years
    Also, that command would grant access for the account to the private key--something that should not exist on a client.
  • Aviad P.
    Aviad P. over 11 years
    Worked for me, thanks a lot!! Just one thing, it should be -c LOCAL_MACHINE\MY -s "certname" and -a "testuseraccountname" :)
  • nullPainter
    nullPainter about 7 years
    The simpler approach is to use MMC and choose All Tasks -> Manage private keys. As I noted in a comment on the linked post, this only works (on Windows Server 2008, at least) if the certificate is in the Personal store. If it needs to reside somewhere else, move it to the Personal store, set the permissions then move it back again.

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

"Authentication failed because the remote party has closed the transport stream" for normal users
server certificate is not configured properly with HTTP.SYS in the HTTPS case
C# SSL secure sockets
Error: Cannot obtain Metadata from http ......?wsdl
Windows 7 64-bit SSL untrusted certificate error when visiting any SSL website
How do I import certificate (.CER) in IIS
Expired web/SSL certificate error on only one computer
Trust SSL certificate to local system account
WCF Self signed certificate is not trusted on the client
Using certificate file to connect to webservice over SSL