8

I'm using appsettings.json to configure Kestrel in a .NET Core 3.1 app. Here are the relevant bits from appsettings.json:

```json
{
  "Kestrel": {
    "Certificates": {
      "Default": {
        "Subject": "certificate name",
        "Store": "MY",
        "Location": "LocalMachine",
        "AllowInvalid": true
      }
    }
  },
  "AllowedHosts": "*",
  "Urls": "http://*:5010;https://*:5011"
}
```

If I start the application it comes up on both ports. However, accessing it through HTTPS gets this exception dumped to the console of my app:

```
Microsoft.AspNetCore.Server.Kestrel[0] Unhandled exception while processing 0HLT41KHBJ13T.
System.ComponentModel.Win32Exception (0x8009030D): The credentials supplied to the package were not recognized
   at System.Net.SSPIWrapper.AcquireCredentialsHandle(SSPIInterface secModule, String package, CredentialUse intent, SCHANNEL_CRED scc)
```

However, if I start the application with administrative permissions, it works. So, the cert is fine (it has the required private key), but things still don't work. Just for the fun of it, I imported the certificate into the LocalUser store where the app should most definitely have access to even without admin privileges, but no joy.

Any ideas what could make this fail if not running with administrative permissions? The cert as you can see is in the certificate store, not in the file system, which rules out file permission issues.

Trisped
Stephan Steiner
  • Did you find a solution for this? – FredArters Apr 16 '20 at 19:48
  • Yes, I followed the instructions in this thread [link](https://stackoverflow.com/questions/40046916/how-to-grant-permission-to-user-on-certificate-private-key-using-powershell). And then implemented the whole thing in C# so my installer can run it (what a PITA.) – Stephan Steiner Apr 16 '20 at 19:55

1 Answer

6

Just a heads up on this; users need permission to read certificates too, just like reading a file. Typically, the SYSTEM account has read permission by default, but a developer will not have read permission to certificates in the local machine store unless they are a member of a privileged group that does.

You can go into the certificate store and add the permissions.

Open the store and right-click the certificate. Select "All Tasks" | "Manage Private Keys" and grant the user read permission, just like adding file permissions in Explorer. You could also create a Developer group and grant and revoke permissions on developer certificates that way, managing the certificate permissions directly only once.

Antony Booth
  • Instruction on how to get to the certificate store can be found [here](https://learn.microsoft.com/en-us/dotnet/framework/wcf/feature-details/how-to-view-certificates-with-the-mmc-snap-in) for Windows. – Trisped Aug 11 '22 at 19:15
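A scripted version of the same "Manage Private Keys" grant, added here as an example that is not from the question, the answer or the linked thread: it finds the certificate by subject in LocalMachine\My, locates its private-key file under the machine key directories, and adds a read-only ACE for a single account, so the service can run without admin rights. The subject text, the account name and the two key directories are assumptions; it must be run elevated once (for example from the installer).

```powershell
# Grant one non-admin account Read on a certificate's private key (assumed
# example; subject, account and key directories are placeholders).
param(
    [string]$Subject = 'certificate name',     # matched as a substring, like Kestrel's "Subject" setting
    [string]$Account = 'NT AUTHORITY\NETWORK SERVICE'  # the identity Kestrel will run as
)

$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "*$Subject*" -and $_.HasPrivateKey } |
    Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key matches subject '$Subject'" }

# Resolve the on-disk key container name. CNG keys (RSACng) expose it via
# Key.UniqueName; legacy CAPI keys via CspKeyContainerInfo.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
if (-not $rsa) { throw "Private key is not exportable as an RSA key object" }
$uniqueName = if ($rsa.PSObject.Properties['Key']) {
    $rsa.Key.UniqueName
} else {
    $rsa.CspKeyContainerInfo.UniqueKeyContainerName
}

# Machine-wide key stores (assumed default locations): CAPI keys live under
# RSA\MachineKeys, CNG keys under Keys.
$keyDirs = @(
    (Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys'),
    (Join-Path $env:ProgramData 'Microsoft\Crypto\Keys')
)
$keyPath = $keyDirs |
    ForEach-Object { Join-Path $_ $uniqueName } |
    Where-Object { Test-Path $_ } |
    Select-Object -First 1
if (-not $keyPath) { throw "Key file '$uniqueName' not found in $($keyDirs -join '; ')" }

# Add a Read ACE only; do not hand out FullControl and keep existing entries.
$acl  = Get-Acl -Path $keyPath
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Account, 'Read', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $keyPath -AclObject $acl

# Show the resulting entry so the grant can be checked (and later audited).
(Get-Acl -Path $keyPath).Access |
    Where-Object { $_.IdentityReference -eq $Account } |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
```

After this, starting the app as that account should let Kestrel acquire the credential on the HTTPS port without elevation; if the exception persists, confirm the key file found above is the one Schannel is loading (a re-imported certificate gets a new container).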