"Authentication failed because the remote party has closed the transport stream" for normal users


We figured it out with the help of Getting "Could not establish secure channel for SSL/TLS with authority" even though ServerCertificateValidationCallback returns true as well as winhttpcertcfg giving access to IIS user in Windows 7 too.

The problem was that the certificate was installed for Trusted People for the "computer" account. When running in Admin mode, or as a user that has admin privileges, it worked fine. However, when run as our "service account" (in quotes because it's not a true service account) -- the service account didn't have permission to read the certificate.

We found that digging into the C:\ProgramData\Microsoft\crypto\rsa\machinekeys directory and changing the read permission for the appropriate cert worked.

We didn't like the proposed solution of using icacls to change the read permission of the installed certificate (partially because of the daunting task of actually finding the correct cert entry.)

We figure out that we could run mmc.exe as the service account and then install it to the Trusted People level for that account. And then our non-admin application could read the cert and establish the connection.

John Rocha
Author by

John Rocha

Updated on December 02, 2022


  • John Rocha
    John Rocha about 1 month

    A third party vendor is adding authentication (yay!), but it doesn't always work for us (boo!).

    When the C# application is run "as administrator" it works fine. However, when the application is run as a normal (non-administrator) user it fails with the message

    "Authentication failed because the remote party has closed the transport stream"

    We are explicitly setting to TLS 1.2

    ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;

    We are

    • executing a 4.6 .NET C# WCF client
    • that consumes an HTTPS web service
    • using TLS1.2
    • on a Windows Server 2012 platform
    • Tim
      Tim almost 6 years
      Have you talked to the third party vendor? It's their code, so they're best positioned to answer any issues with it.
    • John Rocha
      John Rocha almost 6 years
      They don't know. They point back to something with our environment since it works when running as the ADMIN user but not as any other users.
  • Tim
    Tim almost 6 years
    Glad you found the problem. And thank you for sharing the answer - it will help folks down the road :)