Certificate problem with a new machine - credentials supplied to package not recognized - certificate

I am installing a windows service on a new machine.
The service does various operations over SslStream over TCP, which uses the certificate in problem.
The service has been operating fine with the same code and the same certificate on the other 2 Windows 2003 machines. But this new machine is also Windows 2003, with a 64-bit processor.
I am running into this problem when I am trying to run the service with a 'Service Account' identity. It works fine with my own credentials.
(Again, it works fine on other 2 machines with this service account)
I do not have 'strong protection' enabled while importing the certificate.
Here is the stack trace.
System.ComponentModel.Win32Exception: The credentials supplied to the package were not recognized
   at System.Net.SSPIWrapper.AcquireCredentialsHandle(SSPIInterface SecModule, String package, CredentialUse intent, SecureCredential scc)
   at System.Net.Security.SecureChannel.AcquireCredentialsHandle(CredentialUse credUsage, SecureCredential& secureCredential)
   at System.Net.Security.SecureChannel.AcquireClientCredentials(Byte[]& thumbPrint)
   at System.Net.Security.SecureChannel.GenerateToken(Byte[] input, Int32 offset, Int32 count, Byte[]& output)
   at System.Net.Security.SecureChannel.NextMessage(Byte[] incoming, Int32 offset, Int32 count)
   at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult)
   at System.Net.Security.SslStream.AuthenticateAsClient(String targetHost, X509CertificateCollection clientCertificates, SslProtocols enabledSslProtocols, Boolean checkCertificateRevocation)

I found the problem and its solution.
The idea is to grant permissions to the account which is used for service identity.
You need to use the tool WinHttpCertCfg.exe. This is helpful for applications using client certificates to get authorization.
It's nicely explained here.
http://support.microsoft.com/kb/901183
Thanks to Feroze Daud (http://ferozedaud.blogspot.com/), who answered me on a different forum.

I used the solution from this thread - "The credentials supplied to the package were not recognized" error when authenticating as server with certificate generated using BouncyCastle .
In short:
mmc - Add/Remove Snap-in - Certificates - Add
Open the menu on your certificate.
All Tasks > Manage Private Keys and set access to Everyone or your app account.

I have had this problem both when running under the ASP.NET account and when using a Windows service (under the Local System account). If you're running under ASP.NET, for Windows 2003 you need to use the WinHttpCertCfg.exe tool as described by cdpnet above. Windows 2008 R2 allows you to set the rights using the GUI, which is a nice improvement.
However, when running as a windows service, you need to ensure that the certificate is in the personal certificate store, by going into mmc and adding the certificate snap-in for either the windows service account, or if you are using the 'Local System' account, just get the snap-in for the local computer.
Here is the difference I've found...
If you had installed the personal certificate to your own user's certificate store and copied and pasted it to the local computer store, this doesn't always work. However, if you delete the certificate from the local computer store, personal folder, you can then right click on the personal folder in the local computer store, then import and go through the wizard.
For some reason, this fixes it and assigns the correct permissions for using the certificate. Good luck!
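The "Manage Private Keys" step from the two answers above, scripted, as an added example that is not part of the thread: it locates the private key file behind a LocalMachine\My certificate and grants read access to the service identity only. The thumbprint and account name are placeholders.

```powershell
# Added example (not from the thread): the scripted equivalent of "All Tasks > Manage
# Private Keys" for a certificate in LocalMachine\My, granting read access to the service
# identity only (not Everyone). Thumbprint and account are placeholders.
$Thumbprint = 'PLACEHOLDER_THUMBPRINT'
$Account    = 'DOMAIN\svc-sslservice'

$cert = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop
if (-not $cert.HasPrivateKey) {
    throw 'No private key attached; re-import the PFX directly into the Local Computer store.'
}

# Legacy CSP machine keys (the SChannel provider case) are files under MachineKeys, named by
# container. CNG keys and user-scoped keys live elsewhere, so both guards below matter.
$container = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
if (-not $container) {
    throw 'Key is not a readable CSP key (CNG key or no access); use Manage Private Keys in mmc.'
}
$keyPath = Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$container"
if (-not (Test-Path -Path $keyPath)) {
    throw "Key file not found at $keyPath (user-scoped key or strong protection?)."
}

$acl  = Get-Acl -Path $keyPath
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule $Account, 'Read', 'Allow'
$acl.AddAccessRule($rule)
Set-Acl -Path $keyPath -AclObject $acl

# Verify the ACE landed; this read right is what SChannel needs when it acquires the
# credentials handle as $Account.
(Get-Acl -Path $keyPath).Access | Where-Object { $_.IdentityReference.Value -eq $Account } |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
```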

I was doing what is described here for a Win 2003 Server and still couldn't get it to work because of the message "credentials supplied to package not recognized".
I tried all the above solutions with no success.
Finally I got it to work doing the following:
makecert -pe -n "CN=CERT" -ss my -sr LocalMachine -a sha1 -sky exchange -eku 1.3.6.1.5.5.7.3.1 -in "CERT" -is MY -ir LocalMachine -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 CERT.cer
Using MMC copy from Personal to Trusted Root
Use the certificate generated (.cer) for the X509 call from your service app.
Why? Who knows... glad it worked for me; hopefully this makes it easier on others.


Kinit authentication does not create klist ticket

I've been trying to connect to an HDFS server protected by Kerberos for days.
I already have Kerberos for Windows installed here. And it shows me the valid/active ticket.
But when I run 'klist' at the prompt, I see no tickets.
If I run kinit at the prompt, it asks for my password and returns 'Authenticated to Kerberos v5', but still does not show me any klist ticket.
If I create a new ticket, using the prompt or the Kerberos GUI, it comes back showing me an active/valid ticket, but klist still does not.
I am trying to connect to HDFS using KerberosClient, but as I connect, somehow it does not "see" my active ticket (like klist), so I get a connection denial.
I've set up the KRB5_CONFIG and KRB5CCNAME system variables to the folder exposed above.
What am I doing wrong?
Your system has two Kerberos libraries (MIT KfW & Windows SSPI) and two different klist tools:
the Windows klist.exe, which only shows the Windows LSA in-memory ticket cache that will be used by "Windows native" SSPI-based applications;
the MIT Kerberos klist.exe, which shows the file-based $KRB5CCNAME ticket cache that will be used by MIT "gssapi32.dll" GSSAPI-based applications.
(sometimes also the Java JRE klist.exe as well!)
If your HDFS client uses $KRB5CCNAME (e.g. if it uses GSSAPI via gssapi32.dll), then you need to run the MIT KfW klist.exe specifically. Use where.exe kinit to find out where it's located, then run it by full path.
On the other hand, if your HDFS client uses SSPI, then MIT KfW won't help you much – it can access tickets in the "MSLSA:" cache, but as far as I know it cannot put new tickets there. (It is possible to easily make SSPI acquire tickets for non-AD Kerberos services, but that's a different topic.)

Problems Signing a PowerShell Script

I am trying to sign a simple script to show my students. When I sign the script, which I created in Notepad, I get an unknown error using Set-AuthenticodeSignature. When I look at the script in Notepad after trying to sign, it shows a signature block. When I try to run it, PowerShell says the script is not signed. I am using an execution policy of AllSigned. Any suggestions? The script runs fine if I set the execution policy to Unrestricted.
For the error in Set-AuthenticodeSignature, chances are your character encoding is not UTF-8. You can change the character encoding to UTF-8 within Notepad and things will work just fine. This is the most common cause of the "unknown error".
Regarding the next issue, of getting the script to run. From Get-Help about_Execution_Policies the AllSigned policy:
- Scripts can run.
- Requires that all scripts and configuration files
be signed by a trusted publisher, including scripts
that you write on the local computer.
We have a couple of options here. We could trust the certificate that we created at a higher level (by adding it to a trusted store), we can use a different certificate from a root CA, also trusted at a higher level and lastly, we could use a different ExecutionPolicy. Also from Get-Help about_Execution_Policies you may want to try using "RemoteSigned" as that will allow you to run self-signed scripts you wrote on your own machine, as well as trusted scripts downloaded from the internet:
RemoteSigned
- Scripts can run. This is the default execution
policy in Windows Server 2012 R2.
- Requires a digital signature from a trusted
publisher on scripts and configuration files that
are downloaded from the Internet (including
e-mail and instant messaging programs).
- Does not require digital signatures on scripts that
you have written on the local computer (not
downloaded from the Internet).
- Runs scripts that are downloaded from the Internet
and not signed, if the scripts are unblocked, such
as by using the Unblock-File cmdlet.
- Risks running unsigned scripts from sources other
than the Internet and signed, but malicious, scripts.

Powershell asking for confirmation before executing the code in allsigned execution mode

We have purchased a Thawte code signing certificate and I am able to sign scripts with it. In AllSigned execution policy mode, PowerShell still asks for confirmation on servers before running the code. I need to run this code as a scheduled job on many servers and was wondering if there is any workaround for this.
In my search it seems like that the certificate needs to be in trusted publisher before execution of scripts. I could not find any scripts that can place certificate in TrustedPublisher on a remote server.
Thank you for all the help you can provide.
PowerShell help about execution policies, easily found by PS C:\>help about_Execution_Policies, shows that in AllSigned mode it will prompt you before running scripts from publishers that you have not yet classified as trusted or untrusted. You can try RemoteSigned, or try this, wonderfully explained by Scott Hanselman: http://www.hanselman.com/blog/SigningPowerShellScripts.aspx
Signed scripts can be transported by exporting (from original
computer) and importing (to the new computer) the Powershell
certificates found in the Trusted Root Certification Authorities
container. Optionally, the Trusted Publishers can also be moved to
prevent the first-time prompt.
Final note on the blog
Note that Powershell will prompt you the first time it’s run unless
you also import the Trusted Publishers certificate.
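An end-to-end version of what the two threads above discuss (UTF-8 encoding, signing, trusting the chain and the publisher so AllSigned runs without the first-time prompt, and pushing the publisher cert to the job servers), as an added example that is not from either thread. It assumes PowerShell 5.1 on Windows 10 / Server 2016 or later for New-SelfSignedCertificate -Type; the script path, subject and server names are made up.

```powershell
# Added example (not from either thread): create a self-signed code-signing certificate,
# trust it, sign a UTF-8 script, and confirm the status AllSigned will see.
# Assumes PowerShell 5.1 on Windows 10 / Server 2016+; $ScriptPath and $Subject are made up.
$ScriptPath = 'C:\Scripts\Demo.ps1'
$Subject    = 'CN=PS Demo Signing'

# 1. Save the script as UTF-8. Set-AuthenticodeSignature returns Status UnknownError on
#    files in other encodings, which is the usual Notepad (ANSI) problem.
Set-Content -Path $ScriptPath -Value 'Write-Output "signed demo"' -Encoding UTF8

# 2. Reuse an existing code-signing cert with this subject, or create one.
$cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
        Where-Object { $_.Subject -eq $Subject } | Select-Object -First 1
if (-not $cert) {
    $cert = New-SelfSignedCertificate -Type CodeSigningCert -Subject $Subject `
                -CertStoreLocation Cert:\CurrentUser\My
}

# 3. Trust the chain (Root) and the publisher (TrustedPublisher). A self-signed cert is
#    its own root; a CA-issued cert (e.g. Thawte) only needs the TrustedPublisher entry,
#    which is what stops the first-run prompt under AllSigned.
$cerFile = Join-Path $env:TEMP 'ps-demo-signing.cer'
Export-Certificate -Cert $cert -FilePath $cerFile | Out-Null
Import-Certificate -FilePath $cerFile -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
Import-Certificate -FilePath $cerFile -CertStoreLocation Cert:\LocalMachine\TrustedPublisher | Out-Null

# 4. Sign and check. Any status other than Valid is rejected by AllSigned.
$sig = Set-AuthenticodeSignature -FilePath $ScriptPath -Certificate $cert
if ($sig.Status -ne 'Valid') { throw "Signing failed: $($sig.Status) - $($sig.StatusMessage)" }
Get-AuthenticodeSignature -FilePath $ScriptPath | Format-List Status, SignerCertificate

# 5. Servers that run the scheduled job need the same TrustedPublisher (and Root) entries.
#    Push the public cert over WinRM; server names are placeholders.
$raw = [IO.File]::ReadAllBytes($cerFile)
foreach ($server in @('server01', 'server02')) {
    Invoke-Command -ComputerName $server -ArgumentList (,$raw) -ScriptBlock {
        param([byte[]]$bytes)
        $c = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$bytes)
        foreach ($storeName in 'Root', 'TrustedPublisher') {
            $s = New-Object System.Security.Cryptography.X509Certificates.X509Store -ArgumentList $storeName, 'LocalMachine'
            $s.Open('ReadWrite'); $s.Add($c); $s.Close()
        }
    }
}
```

Only the public .cer is distributed; the private key stays on the signing workstation.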

Getting access denied trying to start appfabric cache cluster from powershell

I have some code that uses appfabric and was getting server unavailability errors. Following the instructions at http://msdn.microsoft.com/en-us/library/ff921031.aspx I found that my cache cluster was down. I opened up powershell as an administrator and ran Start-CacheCluster. After a few minutes I receive an error message:
Start-CacheCluster : Could not start cluster: ErrorCode<ERRCAdmin025>:SubStatus<ES0001>:Time-out occurred in starting the cluster.
At line:1 char:19
+ Start-CacheCluster <<<<
    + CategoryInfo          : NotSpecified: (:) [Start-CacheCluster], DataCacheException
    + FullyQualifiedErrorId : ERRCAdmin025,Microsoft.ApplicationServer.Caching.Commands.StartCacheClusterCommand
Checking the event logs reveals this:
Service cannot be started. System.TypeInitializationException: The type initializer for 'Microsoft.ApplicationServer.Caching.ConfigManager' threw an exception. ---> System.TypeInitializationException: The type initializer for 'Microsoft.Fabric.Common.ConsoleSink' threw an exception. ---> System.Configuration.ConfigurationErrorsException: Configuration system failed to initialize ---> System.Configuration.ConfigurationErrorsException: An error occurred loading a configuration file: Access to the path 'C:\Windows\System32\AppFabric\DistributedCacheService.exe.config' is denied. (C:\Windows\System32\AppFabric\DistributedCacheService.exe.config) ---> System.UnauthorizedAccessException: Access to the path 'C:\Windows\System32\AppFabric\DistributedCacheService.exe.config' is denied.
at System.IO.__Error.WinIOError(Int32 errorCode, String maybeFullPath)
at System.IO.FileStream.Init(String path, FileMode mode, FileAccess access, Int32 rights, Boolean useRights, FileShare share, Int32 bufferSize, FileOptions options, SECURITY_ATTRIBU...
Has anyone with more AppFabric experience seen this before?
-Thanks
Try Microsoft, Windows, Application Server-System Services and Admin log. Sometimes this log will give you some more info that is not present in the regular eventlog. For more information about cache cluster monitoring see Health Monitoring Tools.
Regarding your issue. The only thing I would say is that after starting the cache cluster it loads the configuration, and because that fails, it will eventually crash the AppFabric Caching Service (you will see that information in the event log mentioned above).
Make sure you have AppFabric Caching Service configured to run under an account that has access to the configuration file DistributedCacheService.exe.config as well as to the configuration repository (Velocity configuration DB or configuration XML).
You need to run the "Caching administration Windows PowerShell" as Administrator.
Have you checked that the AppFabricCachingService logon has read access to DistributedCacheService.exe.config?
In my case, I am using an XML provider and have a config share named "CacheConfig". My server is not joined to a domain so I have configured a local "AppFabric" user for the cache host. I am using PowerShell to script the config:
Register-CacheHost -Provider XML -ConnectionString "\\MY-HOST\CacheConfig" -Account "AppFabric" -CachePort 22233 -ClusterPort 22234 -ArbitrationPort 22235 -ReplicationPort 22236 -HostName MY-HOST
Add-CacheHost -Provider XML -ConnectionString "\\MY-HOST\CacheConfig" -Account "AppFabric"
#...
Start-CacheCluster
#...
When I ran the script the Start-CacheCluster statement failed with the same access denied error as in your question. I then checked the AppFabricCachingService logon and found it was set to NETWORK SERVICE. When I checked the file permissions on C:\Windows\System32\AppFabric\DistributedCacheService.exe.config, I found that there was a read permission for the AppFabric user, but no permissions for NETWORK SERVICE. This indicates to me that the Register-CacheHost or Add-CacheHost applet assumes that the cache host account and the service account will be the same.
In my case I added a read permission to the file for NETWORK SERVICE and that fixed the problem.
The following isn't your exact problem, but may help: http://social.msdn.microsoft.com/Forums/en-US/velocity/thread/4fd844f6-3530-4115-8982-d7562e699627/#6bf2825a-cd1d-4659-b6ce-375a0fb0ab38
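A check for the logon-account/ACL mismatch described in the answer above, as an added example that is not from the thread: it reads the service's logon account from WMI and looks for a matching read ACE on the config file quoted in the question.

```powershell
# Added example (not from the thread): check whether the AppFabric caching service's
# logon account has a read ACE on DistributedCacheService.exe.config, the mismatch the
# answer above describes. Path and service name are the ones quoted in the question.
$ConfigPath  = 'C:\Windows\System32\AppFabric\DistributedCacheService.exe.config'
$ServiceName = 'AppFabricCachingService'

$svc = Get-WmiObject Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service $ServiceName not found on this host." }

# WMI reports the logon in SCM spelling; map it to a name the LSA can look up.
$acctName = switch ($svc.StartName) {
    'LocalSystem'                 { 'NT AUTHORITY\SYSTEM' }
    'NT AUTHORITY\NetworkService' { 'NT AUTHORITY\NETWORK SERVICE' }
    'NT AUTHORITY\LocalService'   { 'NT AUTHORITY\LOCAL SERVICE' }
    default                       { $svc.StartName -replace '^\.\\', "$env:COMPUTERNAME\" }
}
$sid = (New-Object System.Security.Principal.NTAccount $acctName).Translate([System.Security.Principal.SecurityIdentifier])

# Look for an Allow ACE granting Read directly to that principal. This is an exact-principal
# check, not an effective-permissions calculation, so grants via group membership are not counted.
$readBit = [int][System.Security.AccessControl.FileSystemRights]::Read
$acl = Get-Acl -Path $ConfigPath
$ace = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    (([int]$_.FileSystemRights -band $readBit) -ne 0) -and
    ($_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $sid)
}

if ($ace) {
    Write-Output "OK: $acctName ($sid) can read $ConfigPath"
} else {
    Write-Output "MISSING: no read ACE for $acctName ($sid) on $ConfigPath"
    $acl.Access | Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
    # Fix, as in the answer above: grant Read to the service account only, then restart the service.
    # $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule $acctName, 'Read', 'Allow'))
    # Set-Acl -Path $ConfigPath -AclObject $acl
}
```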
I also ran into the problem since my AppFabric server suffered something unknown. I spent much time finding the solution. Finally, the only way I tried successfully was to uninstall / re-install AppFabric and configure the settings once again. Hope this helps!
I had the same issue because I installed the AppFabric cache service more than once. Each time the hostId was changed; it must be the same hostId in ClusterConfig.xml and the DistributedCacheService.exe.config file.

What folders are trusted when using RemoteSigned

Does anyone know how to tell what folders are trusted when the ExecutionPolicy is set to RemoteSigned? I want to run a number of PowerShell scripts off our network share (which is not mapped, hence using the full UNC), but I do not want to have to digitally sign them all.
Any help would be great.
Thanks.
We have done this in the past by adding a registry key under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains that names the server where the share resides. Under the EscDomains key, add a key that is the server name. Under that key, add a DWORD value with the name "file" and the value 2.
You need to do this on each machine that will run scripts from the server, but you can do that via group policy. There are security implications to this beyond running PowerShell scripts. I don't know if this will work if your computers are not in a domain. If there are better solutions, I look forward to learning about them.
For more information, see this KB article.
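The EscDomains entry from the answer above, scripted and verified, as an added example that is not from the thread; it also shows the per-file Zone.Identifier mark that Unblock-File clears, which is the narrower alternative to widening the zone map. The server and script path are placeholders; run elevated.

```powershell
# Added example (not from the thread): script the EscDomains entry described above so that
# RemoteSigned treats scripts on \\$Server\... as local, verify it, and show the per-file
# Zone.Identifier mark that Unblock-File clears. Server name and path are placeholders.
$Server = 'fileserver01'
$Key    = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\$Server"

if (-not (Test-Path -Path $Key)) { New-Item -Path $Key -Force | Out-Null }
# Value name is the protocol ('file'); data 2 = Trusted Sites. This trusts the whole server
# for every file: URL, not just .ps1, which is the wider implication the answer warns about.
New-ItemProperty -Path $Key -Name 'file' -PropertyType DWord -Value 2 -Force | Out-Null

# Verify the mapping
$zone = (Get-ItemProperty -Path $Key).file
Write-Output "EscDomains\$Server file zone = $zone"

# Per-file alternative: a script copied from the Internet carries a Zone.Identifier stream;
# inspect it here and clear it with Unblock-File instead of mapping the whole server.
$script = "\\$Server\scripts\Deploy.ps1"   # placeholder path
$mark = Get-Content -Path $script -Stream Zone.Identifier -ErrorAction SilentlyContinue
if ($mark) { Write-Output "Marked as downloaded:`n$($mark -join "`n")" }
else       { Write-Output 'No Zone.Identifier mark on the file; the zone now comes from the server mapping above.' }
```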
So, what happens when you run a script from UNC Path?
With RemoteSigned, you should be able to run all scripts written & run locally without a digital signature.
RemoteSigned
- Scripts can run.
- Requires a digital signature from a trusted
publisher on scripts and configuration files that
are downloaded from the Internet (including
e-mail and instant messaging programs).
- Does not require digital signatures on scripts that you have run
and that you have written on the local computer (not
downloaded from the Internet).
- Risks running unsigned scripts from sources other
than the Internet and signed, but malicious, scripts.
Unrestricted
- Unsigned scripts can run. (This risks running malicious
scripts.)
- Warns the user before running scripts and configuration
files that are downloaded from the Internet.