
I am developing a Windows service middleware that uses security certificates to perform authentication when it wants to initialize a secure communication channel with remote applications.

The Windows service is a .Net 3.5 application that uses (via a C++/CLI layer) the C++ WinCrypt library in order to load certificates. In particular, I am calling the CertFindCertificateInStore method when I access the store to load the certificate. CertFindCertificateInStore uses the “My” system store by default.

I have registered my private certificate in the “My” system store both for the current user (the user logged onto the machine) and for the local machine, via the MMC console. Rest assured that the certificate is valid and includes my private key.

When I run the Windows service as the current user (again, the user logged onto the machine) the certificate is correctly loaded, but the certificate is not loaded when I run the service as “LocalSystem”. The error "Impossible to find object or property" is then raised when I call CertFindCertificateInStore. I point out that the “My” store itself continues to be accessible.

(NB: When I open a new session using a different user and I run the same Windows service as the user for whom I registered the certificates, the certificate is again correctly loaded.)

Then I used both the MMC console and the winhttpcertcfg.exe system tool in order to verify that the “LocalSystem” user has the rights to access my certificate. Both the MMC console and the winhttpcertcfg.exe tool confirm that, THEORETICALLY, the user “LocalSystem” has the rights to access the certificate.

Do you have any suggestion to help me to solve this problem?

Thank you in advance for your help.

PS: a similar question has been posted here Certificates: Cannot find the certificate and private key for decryption Error when sign

  • are the user accounts authenticated against the network (active dir.)? – didierc Nov 07 '12 at 12:26
  • Don't make it a private certificate if you want other user accounts to access it. – Hans Passant Nov 07 '12 at 12:52
  • @didierc : Yes, the user for whom I registered the certificate is authenticated against the network – Marcello Faga Nov 07 '12 at 13:35
  • @HansPassant : when you write "do not make private" do you mean that I should not store the certificate inside of the "My" store? Do I have to put it inside of the Root one instead? Be assured that I marked my certificate as exportable, as well as that I did not enable the extended security on this certificate – Marcello Faga Nov 07 '12 at 13:40
  • LocalAdmin doesn't authenticate with the network, so perhaps it cannot check that the cert is valid, or maybe it needs some network creds to get access to the store? – didierc Nov 07 '12 at 13:55
  • @didierc Yes, localadmin is not a network account. No, the certificate would not need network credentials, because the certificate is registered also onto the localmachine, as I wrote: "I have registered my private certificate in the My system store both for the current user and for the local machine". Thank you in advance for confirming whether you agree – Marcello Faga Nov 08 '12 at 11:09
  • Sorry, I must have skipped that part of your question before. About the `winhttpcertcfg` tool, did you try it when logged as LocalAdmin? – didierc Nov 08 '12 at 12:11
  • Yes, I did it, with the same result. In other words, I logged on as LocalAdmin and I set the certificate stores. Though when I run the Windows service, keeping the LocalAdmin session, as “LocalSystem”, the certificate is not loaded. If I run the service as the user for whom I registered the certificate, the certificate is correctly loaded. The behaviour does not change. – Marcello Faga Nov 08 '12 at 12:23
  • Understood. Do you have a [sscce](http://sscce.org/) to show us? – didierc Nov 08 '12 at 12:30
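The question turns on which "My" store each account actually sees and whether that account can open the private key, not just whether the certificate is listed. The diagnostic below is an added example, not code from the question or from its author, written as a PowerShell script (it assumes PowerShell 5.1 / .NET Framework 4.6 or later, and the subject substring is a placeholder you supply). It enumerates both Cert:\CurrentUser\My and Cert:\LocalMachine\My, and for each match proves key access by producing a test signature rather than trusting the HasPrivateKey flag; for legacy CSP keys in the machine store it also prints the ACL on the key file under ProgramData\Microsoft\Crypto\RSA\MachineKeys. Running it once in the interactive session and once under SYSTEM (for example via a scheduled task) shows side by side what each identity can reach.

```powershell
# Added diagnostic (not from the question): report which "My" store holds a
# certificate and whether the calling account can really use its private key.
# Assumptions: PowerShell 5.1 / .NET 4.6+; $SubjectPattern is a placeholder
# supplied by the operator (e.g. 'CN=MyServiceCert').
param(
    [Parameter(Mandatory = $true)]
    [string]$SubjectPattern
)

$who = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
Write-Output "Running as: $who"

foreach ($location in 'CurrentUser', 'LocalMachine') {
    $storePath = "Cert:\$location\My"
    # Note: under SYSTEM, CurrentUser\My is SYSTEM's own profile store,
    # not the store of the interactively logged-on user.
    $found = @(Get-ChildItem -Path $storePath |
               Where-Object { $_.Subject -like "*$SubjectPattern*" })

    if ($found.Count -eq 0) {
        Write-Output "$storePath : no certificate matching '$SubjectPattern'"
        continue
    }

    foreach ($cert in $found) {
        Write-Output ("$storePath : {0} thumbprint {1} HasPrivateKey={2}" -f
            $cert.Subject, $cert.Thumbprint, $cert.HasPrivateKey)

        # HasPrivateKey only says a key is linked; signing proves this account can open it.
        try {
            $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
            if ($null -eq $rsa) { throw "no RSA private key reachable from this account" }
            $probe = [System.Text.Encoding]::UTF8.GetBytes("key access probe")
            $sig = $rsa.SignData($probe,
                [System.Security.Cryptography.HashAlgorithmName]::SHA256,
                [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
            Write-Output "  private key usable: produced a $($sig.Length)-byte test signature"
        } catch {
            Write-Output "  private key NOT usable from this account: $($_.Exception.Message)"
        }

        # For legacy CSP keys in the machine store, show who may read the key file;
        # SYSTEM (or the service account) needs Read on it, which MMC's view does not show.
        if ($location -eq 'LocalMachine') {
            $csp = $null
            try { $csp = $cert.PrivateKey } catch { $csp = $null }
            if ($csp -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                $container = $csp.CspKeyContainerInfo.UniqueKeyContainerName
                $keyFile = Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" $container
                if (Test-Path $keyFile) {
                    Write-Output "  key file: $keyFile"
                    (Get-Acl $keyFile).Access | ForEach-Object {
                        Write-Output ("    {0} : {1} ({2})" -f
                            $_.IdentityReference, $_.FileSystemRights, $_.AccessControlType)
                    }
                }
            }
        }
    }
}
```

Usage: `.\Check-CertAccess.ps1 -SubjectPattern 'CN=MyServiceCert'` (script name and subject are placeholders). A certificate that appears in CurrentUser\My for the interactive user but is absent from both listings when run as SYSTEM explains the "cannot find" error; a certificate that is listed under LocalMachine\My but fails the signature step points at the key file ACL printed underneath.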
