
It is a .NET 6 project. The certificate is imported to the Local Computer store from a pfx file. Using the following code, skipping the irrelevant parts, everything works fine when the service account is added to the local Administrators group.

using System.Linq;
using System.ServiceModel;
using System.Security.Cryptography.X509Certificates;

// storeName, storeLocation, thumbprint and endpoint are set elsewhere in the project.
var certStore = new X509Store(storeName, storeLocation);
certStore.Open(OpenFlags.ReadOnly);
var _clientCertificate = certStore.Certificates
    .Find(X509FindType.FindByThumbprint, thumbprint, false)
    .FirstOrDefault();   // null if no certificate with that thumbprint is in the store
...
// Transport security, with the client certificate used for authentication
BasicHttpsBinding binding = new BasicHttpsBinding(BasicHttpsSecurityMode.Transport);
binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Certificate;

// Client is the generated WCF proxy for the service
var client = new Client(binding, endpoint);
client.ClientCredentials.ClientCertificate.Certificate = _clientCertificate;
...

When the account is not in the local Administrators group, the following exception is thrown:

System.ServiceModel.Security.SecurityNegotiationException: Could not establish trust relationship for the SSL/TLS secure channel with authority 'other.service.com'.
 ---> System.Net.Http.HttpRequestException: The SSL connection could not be established, see inner exception.
 ---> System.Security.Authentication.AuthenticationException: Authentication failed, see inner exception.
 ---> System.ComponentModel.Win32Exception (0x8009030D): The credentials supplied to the package were not recognized
   at System.Net.SSPIWrapper.AcquireCredentialsHandle(ISSPIInterface secModule, String package, CredentialUse intent, SCHANNEL_CRED* scc)
   at System.Net.Security.SslStreamPal.AcquireCredentialsHandle(CredentialUse credUsage, SCHANNEL_CRED* secureCredential)
   at System.Net.Security.SslStreamPal.AcquireCredentialsHandleSchannelCred(SslStreamCertificateContext certificateContext, SslProtocols protocols, EncryptionPolicy policy, Boolean isServer)
   at System.Net.Security.SslStreamPal.AcquireCredentialsHandle(SslStreamCertificateContext certificateContext, SslProtocols protocols, EncryptionPolicy policy, Boolean isServer)

What am I missing here?

Nafas

1 Answer


As far as I know, there may be the following reasons:

  1. When you say that you are not in the local administrator group, the error will be because administrators and general members have different permissions. You can try to put the user in the administrators group and try again; if that succeeds, this is the problem.

  2. Validate that the web site's SSL certificate is trusted. If the SSL certificate is not trusted, you will need to install the SSL certificate's root certificate. You can review the case for more solutions.

Hope it helps.

Jiayao
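Added example, not code from the question or the answer: the stack trace fails inside AcquireCredentialsHandle, which is where Schannel loads the client certificate's private key, before any server-certificate validation happens. A certificate found by thumbprint can still be unusable for TLS when the account cannot read its private key, and in the Local Computer store that key has its own ACL. The helper below, written for this page, loads the certificate the way the question does and then actually exercises the key, so a missing key or a key the service account may not use surfaces as a plain exception before the WCF call. The helper name, the placeholder thumbprint and the reading that a non-admin account usually lacks Read permission on a LocalMachine private key are the editor's assumptions, not statements from the page.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Added diagnostic helper (editor's code). Assumes the client certificate was
// imported into LocalMachine\My and is looked up by thumbprint, as in the question.
static class ClientCertCheck
{
    public static X509Certificate2 LoadUsableClientCertificate(
        string thumbprint,
        StoreName storeName = StoreName.My,
        StoreLocation storeLocation = StoreLocation.LocalMachine)
    {
        using var store = new X509Store(storeName, storeLocation);
        store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);

        // validOnly: false so an expired or untrusted certificate is still returned
        // and reported explicitly instead of silently disappearing from the result.
        var matches = store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, validOnly: false);
        if (matches.Count == 0)
            throw new InvalidOperationException(
                $"No certificate with thumbprint {thumbprint} in {storeLocation}\\{storeName}.");

        var cert = matches[0];

        // Schannel needs the private key for client authentication. HasPrivateKey only
        // says the store holds a key reference; it does not prove this account may use it.
        if (!cert.HasPrivateKey)
            throw new InvalidOperationException(
                $"{cert.Subject} has no private key; re-import the .pfx with the key included.");

        try
        {
            // Opening the key and producing one signature walks the same access path
            // Schannel uses. For a LocalMachine key this throws CryptographicException
            // when the current account has no Read permission on the key (assumption:
            // the usual cause of the non-admin failure described on this page).
            using RSA? rsa = cert.GetRSAPrivateKey();
            if (rsa is null)
                throw new InvalidOperationException(
                    $"{cert.Subject} does not carry an RSA key; extend this check with GetECDsaPrivateKey() for ECDSA certificates.");

            byte[] probe = { 1, 2, 3 };   // constructed input, only used to exercise the key
            rsa.SignData(probe, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        }
        catch (CryptographicException ex)
        {
            throw new InvalidOperationException(
                $"Account {Environment.UserName} cannot use the private key of {cert.Subject}: {ex.Message}. " +
                "Grant the service account Read on the key (certlm.msc, certificate > All Tasks > Manage Private Keys...).",
                ex);
        }

        return cert;
    }
}

// Usage: call this where the question builds _clientCertificate, so the cause is
// reported before BasicHttpsBinding ever reaches AcquireCredentialsHandle.
// var clientCertificate = ClientCertCheck.LoadUsableClientCertificate("0123456789ABCDEF0123456789ABCDEF01234567"); // placeholder thumbprint
```

Run it under the service account (not as an administrator) to reproduce the condition from the question; if the signing probe throws, the fix is on the key's ACL rather than on the server's certificate chain, which is what the trust-related suggestion in the answer addresses.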