Reputation: 1705
A third party vendor is adding authentication (yay!), but it doesn't always work for us (boo!).
When the C# application is run "as administrator" it works fine. However, when the application is run as a normal (non-administrator) user it fails with the message
"Authentication failed because the remote party has closed the transport stream"
We are explicitly setting TLS 1.2:
ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;
We are
Upvotes: 2
Views: 14517
Reputation: 1705
We figured it out with the help of "Getting 'Could not establish secure channel for SSL/TLS with authority' even though ServerCertificateValidationCallback returns true" as well as "winhttpcertcfg giving access to IIS user in Windows 7".
The problem was that the certificate was installed for Trusted People for the "computer" account. When running in Admin mode, or as a user that has admin privileges, it worked fine. However, when run as our "service account" (in quotes because it's not a true service account) -- the service account didn't have permission to read the certificate.
We found that digging into the C:\ProgramData\Microsoft\crypto\rsa\machinekeys directory and changing the read permission for the appropriate cert worked.
We didn't like the proposed solution of using icacls to change the read permission of the installed certificate (partially because of the daunting task of actually finding the correct cert entry).
We figured out that we could run mmc.exe as the service account and then install it to the Trusted People level for that account. And then our non-admin application could read the cert and establish the connection.
Upvotes: 5
Reputation: 1045
This may be different from the OP's original problem, but my issue was that I had my IIS application using Windows Auth impersonation, so it was trying to access the cert file in C:\ProgramData\Microsoft\crypto\rsa\machinekeys with the impersonated user, who did not have the rights to do so.
I changed the design to turn Impersonation off and this issue ceased to exist.
Upvotes: 0
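Both answers above come down to the same question: does the account the process actually runs as (the "service account" in the first answer, the impersonated user in the second) have Read on the private key file that backs the certificate? The first answer also notes that finding the right entry under machinekeys by hand is the painful part. The following PowerShell script is an added example, not code from the question or either answer: given a certificate thumbprint and an account name, it resolves the on-disk key container for that certificate, lists the ACL, and reports whether that account is granted Read directly. It assumes Windows PowerShell 5.1, a certificate imported into a LocalMachine store, and placeholder values for $Thumbprint and $Account; the icacls command at the end is only printed so you can review it before applying it.

```powershell
<#
  Added example, not from the original question or answers.
  Assumptions: Windows PowerShell 5.1; the certificate was imported into a
  LocalMachine store (e.g. Trusted People); $Thumbprint and $Account are
  placeholders you supply. Nothing here modifies permissions.
#>
param(
    [Parameter(Mandatory)] [string]$Thumbprint,  # SHA-1 thumbprint of the cert, no spaces
    [Parameter(Mandatory)] [string]$Account      # account the app runs as, e.g. 'DOMAIN\svc-app'
)

# 1. Find the certificate in any LocalMachine store (TrustedPeople, My, ...).
$cert = Get-ChildItem Cert:\LocalMachine -Recurse |
        Where-Object { $_.Thumbprint -eq $Thumbprint } |
        Select-Object -First 1
if (-not $cert)               { throw "No certificate with thumbprint $Thumbprint in LocalMachine stores" }
if (-not $cert.HasPrivateKey) { throw "Certificate has no private key; the TLS client cannot present it" }

# 2. Resolve the key container file on disk. Legacy CSP keys live under
#    RSA\MachineKeys (the directory both answers name); CNG keys live under Crypto\Keys.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
switch ($rsa) {
    { $_ -is [System.Security.Cryptography.RSACryptoServiceProvider] } {
        $keyFile = Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$($_.CspKeyContainerInfo.UniqueKeyContainerName)"
    }
    { $_ -is [System.Security.Cryptography.RSACng] } {
        $keyFile = Join-Path $env:ProgramData "Microsoft\Crypto\Keys\$($_.Key.UniqueName)"
    }
    default { throw "Unsupported private key type: $($rsa.GetType().Name)" }
}
if (-not (Test-Path $keyFile)) { throw "Key container not found at $keyFile" }
Write-Host "Private key file: $keyFile"

# 3. Show who can access the key file, then check for a direct Allow/Read ACE for $Account.
#    (Group-based grants, e.g. BUILTIN\Administrators, are listed but not expanded; that
#    group entry is usually why "run as administrator" works while the service account fails.)
$acl = Get-Acl -Path $keyFile
$acl.Access |
    Select-Object IdentityReference, AccessControlType, FileSystemRights |
    Format-Table -AutoSize

$read   = [System.Security.AccessControl.FileSystemRights]::Read
$direct = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.IdentityReference.Value -ieq $Account -and
    (($_.FileSystemRights -band $read) -eq $read)
}

if ($direct) {
    Write-Host "$Account has Read on the key file; the TLS failure is elsewhere."
} else {
    Write-Host "$Account has no direct Read ACE on the key file."
    Write-Host "Option A - grant Read on just this file (review before running):"
    Write-Host "    icacls `"$keyFile`" /grant `"${Account}:(R)`""
    Write-Host "Option B - import the certificate into that account's own user store (the mmc.exe approach above)."
}
```

Run it as an administrator, since reading the ACL under machinekeys itself requires rights the service account lacks. Granting Read on the single key file (Option A) is the narrower change; importing into the account's user store (Option B) avoids touching machine-wide ACLs but means the key now exists in two places and must be rotated in both.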