"Authentication failed because the remote party has closed the transport stream" for normal users

c# wcf ssl
12,523

We figured it out with the help of Getting "Could not establish secure channel for SSL/TLS with authority" even though ServerCertificateValidationCallback returns true as well as winhttpcertcfg giving access to IIS user in Windows 7 too.

The problem was that the certificate was installed for Trusted People for the "computer" account. When running in Admin mode, or as a user that has admin privileges, it worked fine. However, when run as our "service account" (in quotes because it's not a true service account) -- the service account didn't have permission to read the certificate.

We found that digging into the C:\ProgramData\Microsoft\crypto\rsa\machinekeys directory and changing the read permission for the appropriate cert worked.

We didn't like the proposed solution of using icacls to change the read permission of the installed certificate (partially because of the daunting task of actually finding the correct cert entry.)

We figure out that we could run mmc.exe as the service account and then install it to the Trusted People level for that account. And then our non-admin application could read the cert and establish the connection.

Share:
12,523
John Rocha
Author by

John Rocha

Updated on December 02, 2022

Comments

  • John Rocha
    John Rocha over 1 year

    A third party vendor is adding authentication (yay!), but it doesn't always work for us (boo!).

    When the C# application is run "as administrator" it works fine. However, when the application is run as a normal (non-administrator) user it fails with the message

    "Authentication failed because the remote party has closed the transport stream"

    We are explicitly setting to TLS 1.2

    ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;

    We are

    • executing a 4.6 .NET C# WCF client
    • that consumes an HTTPS web service
    • using TLS1.2
    • on a Windows Server 2012 platform
    • Tim
      Tim about 7 years
      Have you talked to the third party vendor? It's their code, so they're best positioned to answer any issues with it.
    • John Rocha
      John Rocha about 7 years
      They don't know. They point back to something with our environment since it works when running as the ADMIN user but not as any other users.
  • Tim
    Tim about 7 years
    Glad you found the problem. And thank you for sharing the answer - it will help folks down the road :)

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

server certificate is not configured properly with HTTP.SYS in the HTTPS case
Error: Cannot obtain Metadata from http ......?wsdl
Getting "Could not establish secure channel for SSL/TLS with authority" even though ServerCertificateValidationCallback returns true
A call to SSPI failed, see inner exception when running the call a second time?
IIS hosted WCF with SSL security -"The HTTP request was forbidden with client authentication scheme 'Anonymous'" error
SSL WCF "Could not establish trust relationship for the SSL/TLS secure channel with authority 'localhost'
How to enable HTTPS on WCF RESTful Service?
WCF service returning 404 on method requests
Is TLS 1.1 and TLS 1.2 enabled by default for .NET 4.5 and .NET 4.5.1?
consuming webservice using https protocol