重启后wcf证书Keyset不存在问题
一个 VS 解决方案中有两个项目:客户端(wpf 应用程序)和 wcf 服务库。
我在服务器端使用消息安全性和自定义 AspNetMembershipPrivider 来验证用户名和通行证。
由于我没有使用 Windows 安全性,因此我必须在服务器上使用证书来建立安全通道,我做了什么:
- 打开我的本地 IIS 管理器并添加名为 likemy dev machine 的自签名证书。
- 检查此证书是否出现在个人证书下的证书管理单元中
- 配置 wcf .config 以指向该证书。
- 在 VS 中启动了我的客户端应用程序(VS 还为我的 wcf 库启动了 wcfhost 应用程序)
一切都很好,wcfhost 工作正常,我的服务工作正常,直到我重新启动。 重新启动后,wcfhost 抱怨道:
The certificate 'CN=xxx' must have a private key that is capable of key exchange. The process must have access rights for the private key. ---> System.Security.Cryptography.CryptographicException: Keyset does not exist
唯一有帮助的是重新创建我的证书,然后再次重新创建,直到重新启动。 正如我上面所说,我的服务在我的用户帐户(本地管理员)下运行,所以我不认为我的 c:\Users\xxx\AppData\Roaming\Microsoft\Crypto\RSA\ 文件的权限是问题。< br>
我使用 iis 管理器创建证书而不是 makesert 等的原因是因为我想确保一切都将在我拥有的共享 osting 帐户上正常工作(托管面板中有一个创建自签名证书的选项)。< br>
有人可以帮忙吗? 谢谢
There are two projects in one VS solution: client(wpf app) and а wcf service lib.
I'm using Message security and a custom AspNetMembershipPrivider on th server side to validate username and pass.
As i'm not using Windows security, I had to use certificate on server to establish secure chanell, and what i did:
- opened my local IIS manager and added self-signed certificate named likemy dev machine.
- checked that this certificate appeared in Certificates snap-in under Personal-Certificates
- configured wcf .config to point to that certificate.
- started my client app in VS (and VS also started wcfhost app for my wcf lib)
Everything was fine, wcfhost worked fine and my services worked ok until I rebooted. After reboot wcfhost stated complaining:
The certificate 'CN=xxx' must have a private key that is capable of key exchange. The process must have access rights for the private key. ---> System.Security.Cryptography.CryptographicException: Keyset does not exist
Only thing what helpes is recreating my certificate, and again until reboot.
As i stated above my service is running under my user account(local admin), so I don't think that permissions to my c:\Users\xxx\AppData\Roaming\Microsoft\Crypto\RSA\ files is the issue.
The reason I'm using iis manager to create certificated and not makesert etc. is because I want tobe sure everything will be working on my shared osting account I have (there is on option in hosting panel of creating self-signed certificates).
Can anyone assist with this? Thanks
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(3)
根据我的经验,证书是相当困难的(我相信其他人也已经经历过)。 看到你已经让它工作了,看起来你已经快成功了,所以我的建议围绕以不同的方式设置证书:
让我知道你是否有运气!
Certificates are pretty difficult from my experience (i'm sure others have strolled through it). Seeing as you've had it working, it seems like you're almost there, so my reccomendations revolve around setting certs up in a different way:
Let me know if you have any luck!
我解决了这个问题。
我在我的开发盒上运行 Vista,并启用了 UAC。 大约一周前,我改变了启动 Visual Studio 的方式,显然我没有注意到我在 VS 中工作时没有选择“以管理员身份运行”。 所以VS推出的WcfHost也有有限的权限。 不好的是,我很少重新启动 VS,通常的做法是让 VS 运行一两周,例如同时运行 unreal3。
顺便说一句,有人可以说我在具有消息安全性的共享主机(IIS7)上的证书访问权限会出现问题吗? 或者我应该以运输安全为目标。
I solved the issue.
I'm running Vista on my dev box with UAC on. A week or so ago I changed the way I start Visual Studio and apparently I didn't notice that I was working in VS started without an option "Run as administrator". Thats why WcfHost lounched by VS also had limited rights. My bad, I rarely restart VS, it is common practice having a VS running for a week or two with for example unreal3 lunched simultaniosly.
By th way can anyone say will I have problems with access rights for the certificates on a shared hosting(IIS7) with Message security? or shall I target Transport security.
以管理员身份运行将淹没证书上的保护,这是有效的。 但解决方案是将运行服务器的用户名授予证书。 在管理单元中,右键单击证书并执行所有任务 -> 管理私钥-> 添加组或用户名。 对于 IIS,将位置更改为本地计算机,用户名为“IIS AppPool/xxxxx”,其中 xxxxx 是要使用证书的应用程序正在其中运行的 IIS 应用程序池的名称。 如果你做对了,“检查”按钮就会告诉你。 我也在 IIS Express 中摸索过它,但不太记得我做了什么! 我必须启动 IIS Express,在任务管理器中找到它,然后使用详细信息列查看它的用户名。 希望这可以帮助。 为我工作。
Running as administrator will overwhelm the protections on the certificate, which works. But the solution is to grant the username under which your server is running to the certificate. In the snap-in, right-click the certificate and take all tasks -> manage private keys -> Add a group or user name. For IIS, change the location to your local machine, and the user name is "IIS AppPool/xxxxx" where xxxxx is the name of the IIS application pool in which the application that wants to use the certificate is running. If you get it right the 'check' button will tell you so. I also fumbled through it in IIS Express but don't clearly remember what I did! I had to fire IIS Express up, find it in the task manager, and use the details column to see what username it was under. Hope this helps. Worked for me.