MCFH
I have two servers running Windows Server 2016 and both are hosting IIS (one on AWS but I think that is a detail).
My IIS hosted website establishes a connection to a third-party socket using a client certificate. In order to do this I have the certificate stored in the LOCAL_MACHINE\MY store and grant access to the private key using the MMC snap-in to the AppPoolIdentity account.
I should also say the certificate in question is authorised by reference to another root certificate also stored in the same store and for which I do not have the private key.
I am finding that, when I run my website using the AppPool identity, I get the following error:
The credentials supplied to the package were not recognized (HRESULT: -8x)
at System.Net.SSPIWrapper.AcquireCredentialsHandle(SSPIInterface secModule, String package, CredentialUse intent, SCHANNEL_CRED scc)
at System.Net.Security.SslStreamPal.AcquireCredentialsHandle(CredentialUse credUsage, SCHANNEL_CRED secureCredential)
at System.Net.Security.SslStreamPal.AcquireCredentialsHandle(X509Certificate certificate, SslProtocols protoco...
If I run the same site with the LocalSystem account it all works fine.
Where else do I need to change permissions to allow this key to be used? Specific files? Something on the root certificate or the certificate store? What can I change in logging to get greater insight?
Thanks
Mark
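
The setup described in the post (certificate in LOCAL_MACHINE\MY, private key access granted to the app pool identity) can be verified at the key file itself. The PowerShell below is an added example, not part of the original post; it assumes an RSA key held by a software key provider, and `<CERT_THUMBPRINT>` and `<APP_POOL_NAME>` are placeholders.

```powershell
# Added example: show who may read the private key file behind a LocalMachine\My certificate.
# Run from an elevated Windows PowerShell 5.1 session (opening the key requires access to it).
$Thumbprint  = '<CERT_THUMBPRINT>'   # placeholder: thumbprint of the client certificate
$AppPoolName = '<APP_POOL_NAME>'     # placeholder: name of the IIS application pool
$Identity    = "IIS APPPOOL\$AppPoolName"

$cert = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop
if (-not $cert.HasPrivateKey) { throw "Certificate $Thumbprint has no associated private key." }

# Resolve the key container's unique name (assumption: the key is RSA).
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
if ($null -eq $rsa) { throw "No RSA private key could be opened for $Thumbprint." }
$keyName = if ($rsa -is [System.Security.Cryptography.RSACng]) {
    $rsa.Key.UniqueName                                  # key opened through CNG
} elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
    $rsa.CspKeyContainerInfo.UniqueKeyContainerName      # key opened through a legacy CSP
}
if (-not $keyName) { throw "Could not determine the key container name." }

# Machine-level software keys live in one of these two directories.
$keyDirs = "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys",
           "$env:ProgramData\Microsoft\Crypto\Keys"
$keyFile = $keyDirs |
    ForEach-Object { Join-Path $_ $keyName } |
    Where-Object { Test-Path -LiteralPath $_ } |
    Select-Object -First 1
if (-not $keyFile) { throw "Key '$keyName' not found on disk (hardware-backed or user-scoped key?)." }

# Dump the full ACL, then look for a direct Allow/Read entry for the app pool identity.
$acl = Get-Acl -LiteralPath $keyFile
"Key file: $keyFile"
$acl.Access | Format-Table IdentityReference, AccessControlType, FileSystemRights -AutoSize

$read   = [System.Security.AccessControl.FileSystemRights]::Read
$grants = @($acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.IdentityReference.Value -eq $Identity -and
    ($_.FileSystemRights -band $read) -eq $read
})
if ($grants.Count -gt 0) {
    "$Identity has a direct Allow entry with Read on the key file."
} else {
    # Access could still come from a group the identity belongs to; check the table above.
    "$Identity has no direct Allow/Read entry on the key file."
}
```

Running it on both servers and comparing the ACL tables shows whether the grant made in the MMC snap-in actually reached the key file on the failing machine.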