"Authentication failed because the remote party has closed the transport stream" for normal users
We figured it out with the help of Getting "Could not establish secure channel for SSL/TLS with authority" even though ServerCertificateValidationCallback returns true as well as winhttpcertcfg giving access to IIS user in Windows 7 too.
The problem was that the certificate was installed for Trusted People for the "computer" account. When running in Admin mode, or as a user that has admin privileges, it worked fine. However, when run as our "service account" (in quotes because it's not a true service account) -- the service account didn't have permission to read the certificate.
We found that digging into the
C:\ProgramData\Microsoft\crypto\rsa\machinekeys directory and changing the read permission for the appropriate cert worked.
We didn't like the proposed solution of using
icacls to change the read permission of the installed certificate (partially because of the daunting task of actually finding the correct cert entry.)
We figure out that we could run
mmc.exe as the service account and then install it to the Trusted People level for that account. And then our non-admin application could read the cert and establish the connection.
John RochaUpdated on December 02, 2022
John Rocha about 1 month
A third party vendor is adding authentication (yay!), but it doesn't always work for us (boo!).
When the C# application is run "as administrator" it works fine. However, when the application is run as a normal (non-administrator) user it fails with the message
"Authentication failed because the remote party has closed the transport stream"
We are explicitly setting to TLS 1.2
ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;
- executing a 4.6 .NET C# WCF client
- that consumes an HTTPS web service
- using TLS1.2
- on a Windows Server 2012 platform
Tim almost 6 yearsHave you talked to the third party vendor? It's their code, so they're best positioned to answer any issues with it.
John Rocha almost 6 yearsThey don't know. They point back to something with our environment since it works when running as the ADMIN user but not as any other users.
Tim almost 6 yearsGlad you found the problem. And thank you for sharing the answer - it will help folks down the road :)