I have a service which needs to read a cert to get authorized to query a web service. The service is scheduled by Windows Task Scheduler in non-interactive mode ("Run whether the user is logged on or not").
In this case, where should I install the cert?
For a user certificate you need to install that cert under the personal store.
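The practical difficulty with a non-interactive task is that you cannot simply log on as the task's account and look in its store. The script below is an added example (not part of the question or answer above) that registers a throwaway scheduled task running as the same identity the real task uses, has it enumerate both Personal stores and try to open each private key, and then prints the report. The account name, the report directory and the task name are assumptions; run it from an elevated PowerShell session.

```powershell
# Added example: probe which certificates (and usable private keys) a given
# task identity can see, by running the probe AS that identity via Task Scheduler.
# $Account, $ReportDir and $TaskName are assumptions; adjust to your environment.
$Account   = 'NT AUTHORITY\NETWORK SERVICE'   # the "Run as" identity of the real task
$ReportDir = 'C:\ProgramData\CertProbe'        # no spaces, so -File arguments stay simple
$TaskName  = 'CertProbe'
$Report    = Join-Path $ReportDir 'report.txt'

# The probe account must be able to write the report.
New-Item -ItemType Directory -Path $ReportDir -Force | Out-Null
$acl  = Get-Acl $ReportDir
$rule = [System.Security.AccessControl.FileSystemAccessRule]::new($Account, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $ReportDir -AclObject $acl

# The probe itself. Single-quoted here-string: nothing is expanded until it runs as $Account.
$probe = @'
param([string]$Out)
"Running as: $([Security.Principal.WindowsIdentity]::GetCurrent().Name)" | Set-Content $Out
foreach ($loc in 'CurrentUser', 'LocalMachine') {
    foreach ($c in Get-ChildItem "Cert:\$loc\My") {
        $keyState = if (-not $c.HasPrivateKey) { 'no private key' } else {
            try {
                # Throws (e.g. "Keyset does not exist") when this identity may not read the key.
                $k = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($c)
                if ($k) { 'private key usable' } else { 'non-RSA key' }
            } catch { "private key NOT accessible: $($_.Exception.Message)" }
        }
        "$loc\My  $($c.Thumbprint)  $($c.Subject)  [$keyState]" | Add-Content $Out
    }
}
'@
$probePath = Join-Path $ReportDir 'probe.ps1'
Set-Content -Path $probePath -Value $probe

# Register the task with the target identity (ServiceAccount logon type needs no password
# for NETWORK SERVICE, LOCAL SERVICE or SYSTEM), run it once, wait, then clean up.
$action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
               -Argument "-NoProfile -ExecutionPolicy Bypass -File $probePath -Out $Report"
$principal = New-ScheduledTaskPrincipal -UserId $Account -LogonType ServiceAccount
Register-ScheduledTask -TaskName $TaskName -Action $action -Principal $principal -Force | Out-Null

Remove-Item $Report -ErrorAction SilentlyContinue
Start-ScheduledTask -TaskName $TaskName
$deadline = (Get-Date).AddSeconds(60)
do { Start-Sleep -Seconds 2 }
until (((Test-Path $Report) -and ((Get-ScheduledTask -TaskName $TaskName).State -ne 'Running')) -or ((Get-Date) -gt $deadline))

if (Test-Path $Report) { Get-Content $Report } else { Write-Warning "Probe produced no report; check Task Scheduler history for $TaskName" }
Unregister-ScheduledTask -TaskName $TaskName -Confirm:$false
```

A certificate that shows up under CurrentUser\My here is in the store the task will actually use; one that is listed but reported "NOT accessible" is present but its private key ACL excludes the account, which is the usual cause of a CryptographicException at runtime even though the certificate object itself loads fine.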
In the past, we used VSTS build agents, running with domain accounts on on-prem build machines. In such a scenario, certificates could be stored in the domain account's personal store (manually, by logging in once with this account). So a later build could get the certificates by thumbprint for signing, e.g. a manifest.
Now, the agents run as "Network Service", because we no longer have a local domain (all moved to Azure AD). All works, except the retrieval of certificates from the store. I already used the mmc snap-in to connect to the service (VSTSAgent) and installed certificates to this personal store, but the build still fails with "Error MSB3323: Unable to find manifest signing certificate in the certificate store.".
If I log on to the machine and run from within VS, all works well, but of course here I am using a different account (with a different personal store); this at least tells me that the solution & projects are fine. And the pipelines are OK as well, because they still work on the "old" build machines that use a domain account.
So, if anyone has an idea or can point me to some information on how to use the VSTSAgent running as "Network Service" together with signing (from the certificate store), that would be highly appreciated.
Many thanks, Sebastian
I have a test console app that successfully retrieves a cert from the local computer cert store and uses this cert to get a token from AAD.
However, when I run this inside a Windows service, AcquireTokenAsync() does not run and breaks the execution, although the cert is retrieved from the store.
I did notice a private key error: PrivateKey = '_certCred.Certificate.PrivateKey' threw an exception of type 'System.Security.Cryptography.CryptographicException'
Any advice would be helpful
It would be good if we had the source code and information about the accounts you are using, so we could see where the certificate is stored, but based on your description:
It is possible that the user the service is running as does not have access to the certificate you are trying to access.
One possibility is to configure the service to run as the System account and then select 'Allow the service to interact with the desktop'.
I am writing a Powershell script for renewing user certificates.
I am trying to automate a step in which
I log in to a server using the account's credentials,
Go to mmc,
Right click on the certificate and then renew it.
I have been successful in writing the script for renewal, but I am stuck at the login part.
Accessing the server remotely using Enter-PSSession and Invoke-Command doesn't install the user's certificate the way it does in the case of a manual login.
Is there any PowerShell command or any workaround that can be used to fetch a user's certificate, just like it happens automatically in the case of a manual login?
I have a .PFX file used to strongly name several of our .NET assemblies. VS2010/MSBUILD seems to expect this to be in the personal container for the user account running VS2010/MSBUILD. This is all just fine and dandy when working in an interactive user account, but when attempting an automated build via TFS 2010 on the build agent, the account used by the build agent (by default) is NT AUTHORITY\NetworkService.
Since I cannot log in to an interactive session as NetworkService, I can't just install the PFX from an interactive session's shell.
So can anyone tell me how I install a PFX certificate in the personal cert store of the NetworkService account?
Answer courtesy of Richard, reposted from Server Fault
You need to open the Network Service certificate store, and add it.
To open the store:
From Start | Run: mmc.exe
File | Add/Remove Snap-ins, select Certificates, then Add.
When prompted for the type of account, select Service Account.
Select local/remote computer as required.
Select any service that's running as Network Service
("Remote Procedure Call (RPC)" runs as Network Service by default).
Finish the wizard and OK to close the add/remove dialog.
On the applicable category, right-click and select All Tasks to find the import etc. operations.
I have a need to access an RSA private key from a Windows service running under the NT AUTHORITY\SYSTEM account. I'm able to install the private key on the server, and then make use of that key when running as the user that installed the key. However, the key does not seem to be available from the Windows service. Do I need a machine-level key here (which I understand increases the risk of compromise), or is there a way I can install a key specifically intended for use by the SYSTEM account?
You can do Start -> Run -> mmc, load the Certificates snap-in and then choose "Service account" to manage the certificates for a specific service. I am not sure if you can do this for the SYSTEM account. Is this a requirement, or are you able to run your service as a custom least-privilege account?
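The alternative that several of the threads above circle around (the AAD console app that works interactively but throws CryptographicException inside the service, the Network Service build agent, and the SYSTEM-account question) is to keep the certificate in the machine store and grant only the service identity read access to its private key file, instead of trying to populate a per-account store. The script below is an added example and not code from any of the answers above; the PFX path, the account name and the expected key-file folders are assumptions, and it must run elevated. It only helps applications that read from LocalMachine\My (as the console app above does); a tool that searches exclusively the current user's Personal store still needs the certificate in that account's store.

```powershell
# Added example: import a PFX into the machine Personal store and grant the
# service identity Read on the private key file. $PfxPath and $Account are assumptions.
$PfxPath = 'C:\secure\signing.pfx'
$PfxPass = Read-Host -AsSecureString -Prompt 'PFX password'
$Account = 'NT AUTHORITY\NETWORK SERVICE'   # or 'NT AUTHORITY\SYSTEM', or a dedicated service account

# 1. Import into LocalMachine\My. Import-PfxCertificate leaves the key non-exportable
#    unless -Exportable is given, which is what you want for a signing/auth key.
$cert = Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation 'Cert:\LocalMachine\My' -Password $PfxPass
if (-not $cert.HasPrivateKey) { throw 'Imported certificate has no private key' }

# 2. Find the key file on disk. CNG and legacy CAPI keys are stored in different folders;
#    the folder list is an assumption based on default Windows locations.
function Get-MachineKeyPath([System.Security.Cryptography.X509Certificates.X509Certificate2]$c) {
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($c)
    if ($rsa -is [System.Security.Cryptography.RSACng]) {
        $name = $rsa.Key.UniqueName
        $dirs = @("$env:ProgramData\Microsoft\Crypto\Keys", "$env:ProgramData\Microsoft\Crypto\SystemKeys")
    } elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        $name = $rsa.CspKeyContainerInfo.UniqueKeyContainerName
        $dirs = @("$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys")
    } else {
        throw 'Not an RSA key, or the key is not accessible to the current (importing) user'
    }
    foreach ($d in $dirs) {
        $p = Join-Path $d $name
        if (Test-Path $p) { return $p }
    }
    throw "Key file '$name' not found under the expected machine key folders"
}
$keyPath = Get-MachineKeyPath $cert

# 3. Grant Read only. Read is sufficient to sign and to authenticate with the key;
#    FullControl would let the service delete or re-ACL it.
$acl  = Get-Acl $keyPath
$rule = [System.Security.AccessControl.FileSystemAccessRule]::new($Account, 'Read', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $keyPath -AclObject $acl

# 4. Show what was done so the thumbprint can be wired into the service/build config.
"Thumbprint : $($cert.Thumbprint)"
"Key file   : $keyPath"
(Get-Acl $keyPath).Access |
    Where-Object { "$($_.IdentityReference)" -eq $Account } |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
```

Two caveats worth keeping in mind. Granting the key to NETWORK SERVICE or SYSTEM exposes it to every service running under that well-known identity on the machine, which is the "machine-level key increases the risk of compromise" concern raised above; the least-privilege answer is the one the last reply suggests, a dedicated service account (a virtual account or gMSA works well) that is the only identity on the key's ACL. And if the key was imported as a CAPI key but the application expects CNG (or vice versa), the ACL will be correct and the load will still fail; the probe-as-the-account approach is the quickest way to confirm what the service actually sees.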