避免管理员访问 SslStream.AuthenticateAsClient?

发布于 2024-10-01 21:27:45 字数 2163 浏览 7 评论 0原文

我有一个使用 .NET SslStream 类以及客户端和服务器证书的应用程序。该应用程序在 Windows XP 上运行良好。但是,在 Windows 7(也可能是 Vista)上,调用 SslStream.AuthenticateAsClient 时会出现以下异常:

System.ComponentModel.Win32Exception: The credentials supplied to the package were not recognized   
  at System.Net.SSPIWrapper.AcquireCredentialsHandle(SSPIInterface SecModule, String package, CredentialUse intent, SecureCredential scc)   
  at System.Net.Security.SecureChannel.AcquireCredentialsHandle(CredentialUse credUsage, SecureCredential& secureCredential)   
  at System.Net.Security.SecureChannel.AcquireClientCredentials(Byte[]& thumbPrint)   
  at System.Net.Security.SecureChannel.GenerateToken(Byte[] input, Int32 offset, Int32 count, Byte[]& output)   
  at System.Net.Security.SecureChannel.NextMessage(Byte[] incoming, Int32 offset, Int32 count)   
  at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)   
  at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)   
  at System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)   
  at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)   
  at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)   
  at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)   
  at System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncProtocolRequest asyncRequest)   
  at System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult)   
  at System.Net.Security.SslStream.AuthenticateAsClient(String targetHost, X509CertificateCollection clientCertificates, SslProtocols enabledSslProtocols, Boolean checkCertificateRevocation)

如果应用程序在 Windows 7 上以管理员身份“运行”,则一切正常。我猜测这里的根本原因是 AuthenticateAsClient 需要客户端证书的私钥(安装在本地计算机个人证书存储中),并且该操作需要管理员访问权限。

我的问题是有什么办法可以弥补这个问题吗?或者,将 AuthenticateAsClient 与客户端证书一起使用需要管理员权限,这只是生活中的事实吗?

I have an application which uses the .NET SslStream class along with client and server certificates. This application works great on Windows XP. However on Windows 7 (probably Vista too), the below exception appears when calling SslStream.AuthenticateAsClient:

System.ComponentModel.Win32Exception: The credentials supplied to the package were not recognized   
  at System.Net.SSPIWrapper.AcquireCredentialsHandle(SSPIInterface SecModule, String package, CredentialUse intent, SecureCredential scc)   
  at System.Net.Security.SecureChannel.AcquireCredentialsHandle(CredentialUse credUsage, SecureCredential& secureCredential)   
  at System.Net.Security.SecureChannel.AcquireClientCredentials(Byte[]& thumbPrint)   
  at System.Net.Security.SecureChannel.GenerateToken(Byte[] input, Int32 offset, Int32 count, Byte[]& output)   
  at System.Net.Security.SecureChannel.NextMessage(Byte[] incoming, Int32 offset, Int32 count)   
  at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)   
  at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)   
  at System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)   
  at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)   
  at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)   
  at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)   
  at System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncProtocolRequest asyncRequest)   
  at System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult)   
  at System.Net.Security.SslStream.AuthenticateAsClient(String targetHost, X509CertificateCollection clientCertificates, SslProtocols enabledSslProtocols, Boolean checkCertificateRevocation)

If the application is "run as" Administrator on Windows 7, everything works great. I'm guessing the root cause here is that AuthenticateAsClient needs the private key for the client certificate (which is installed in the local machine personal certificate store) and that action requires administrator access.

My question is whether there is anything that can be done to remedy this? Or is it simply a fact of life that the use of AuthenticateAsClient with a client certificate requires administrator privileges?

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(2

旧瑾黎汐 2024-10-08 21:27:45

您是否尝试过使用 WinHttpCertCfg 授予当前用户对证书的访问权限?

类似于:

winhttpcertcfg -g -c LOCAL_MACHINE\My -s MyCertificate -a TESTUSER

有关详细信息,请参阅本文。

Have you tried giving the current user access rights to the certificate using WinHttpCertCfg?

Something like:

winhttpcertcfg -g -c LOCAL_MACHINE\My -s MyCertificate -a TESTUSER

For more information see this article.

心的位置 2024-10-08 21:27:45

Microsoft 管理控制台 (MMC) 使管理员能够将客户端证书导入到本地计算机。但是,导入证书不会自动授予其他帐户对私钥的访问权限。客户端证书身份验证需要此私钥。 Microsoft Windows HTTP 服务 (WinHTTP) 证书配置工具能够在需要时向其他帐户(例如 IWAM 帐户)授予访问权限。

https://msdn.microsoft.com/en-我们/library/aa384088(VS.85).aspx#_using

The Microsoft Management Console (MMC) enables administrators to import client certificates to a local computer. However, importing a certificate does not automatically grant access to the private key for other accounts. This private key is required for client certificate authentication. The Microsoft Windows HTTP Services (WinHTTP) certificate configuration tool provides the ability to grant access to additional accounts, such as the IWAM account, when required.

https://msdn.microsoft.com/en-us/library/aa384088(VS.85).aspx#_using

~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文