避免管理员访问 SslStream.AuthenticateAsClient?
我有一个使用 .NET SslStream 类以及客户端和服务器证书的应用程序。该应用程序在 Windows XP 上运行良好。但是,在 Windows 7(也可能是 Vista)上,调用 SslStream.AuthenticateAsClient 时会出现以下异常:
System.ComponentModel.Win32Exception: The credentials supplied to the package were not recognized
at System.Net.SSPIWrapper.AcquireCredentialsHandle(SSPIInterface SecModule, String package, CredentialUse intent, SecureCredential scc)
at System.Net.Security.SecureChannel.AcquireCredentialsHandle(CredentialUse credUsage, SecureCredential& secureCredential)
at System.Net.Security.SecureChannel.AcquireClientCredentials(Byte[]& thumbPrint)
at System.Net.Security.SecureChannel.GenerateToken(Byte[] input, Int32 offset, Int32 count, Byte[]& output)
at System.Net.Security.SecureChannel.NextMessage(Byte[] incoming, Int32 offset, Int32 count)
at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult)
at System.Net.Security.SslStream.AuthenticateAsClient(String targetHost, X509CertificateCollection clientCertificates, SslProtocols enabledSslProtocols, Boolean checkCertificateRevocation)
如果应用程序在 Windows 7 上以管理员身份“运行”,则一切正常。我猜测这里的根本原因是 AuthenticateAsClient 需要客户端证书的私钥(安装在本地计算机个人证书存储中),并且该操作需要管理员访问权限。
我的问题是有什么办法可以弥补这个问题吗?或者,将 AuthenticateAsClient 与客户端证书一起使用需要管理员权限,这只是生活中的事实吗?
I have an application which uses the .NET SslStream class along with client and server certificates. This application works great on Windows XP. However on Windows 7 (probably Vista too), the below exception appears when calling SslStream.AuthenticateAsClient:
System.ComponentModel.Win32Exception: The credentials supplied to the package were not recognized
at System.Net.SSPIWrapper.AcquireCredentialsHandle(SSPIInterface SecModule, String package, CredentialUse intent, SecureCredential scc)
at System.Net.Security.SecureChannel.AcquireCredentialsHandle(CredentialUse credUsage, SecureCredential& secureCredential)
at System.Net.Security.SecureChannel.AcquireClientCredentials(Byte[]& thumbPrint)
at System.Net.Security.SecureChannel.GenerateToken(Byte[] input, Int32 offset, Int32 count, Byte[]& output)
at System.Net.Security.SecureChannel.NextMessage(Byte[] incoming, Int32 offset, Int32 count)
at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult)
at System.Net.Security.SslStream.AuthenticateAsClient(String targetHost, X509CertificateCollection clientCertificates, SslProtocols enabledSslProtocols, Boolean checkCertificateRevocation)
If the application is "run as" Administrator on Windows 7, everything works great. I'm guessing the root cause here is that AuthenticateAsClient needs the private key for the client certificate (which is installed in the local machine personal certificate store) and that action requires administrator access.
My question is whether there is anything that can be done to remedy this? Or is it simply a fact of life that the use of AuthenticateAsClient with a client certificate requires administrator privileges?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
您是否尝试过使用 WinHttpCertCfg 授予当前用户对证书的访问权限?
类似于:
有关详细信息,请参阅本文。
Have you tried giving the current user access rights to the certificate using WinHttpCertCfg?
Something like:
For more information see this article.
Microsoft 管理控制台 (MMC) 使管理员能够将客户端证书导入到本地计算机。但是,导入证书不会自动授予其他帐户对私钥的访问权限。客户端证书身份验证需要此私钥。 Microsoft Windows HTTP 服务 (WinHTTP) 证书配置工具能够在需要时向其他帐户(例如 IWAM 帐户)授予访问权限。
https://msdn.microsoft.com/en-我们/library/aa384088(VS.85).aspx#_using
The Microsoft Management Console (MMC) enables administrators to import client certificates to a local computer. However, importing a certificate does not automatically grant access to the private key for other accounts. This private key is required for client certificate authentication. The Microsoft Windows HTTP Services (WinHTTP) certificate configuration tool provides the ability to grant access to additional accounts, such as the IWAM account, when required.
https://msdn.microsoft.com/en-us/library/aa384088(VS.85).aspx#_using