Awerber

Reputation: 57

How do I use a certificate called from a Windows Service program with the Network Service account?

I'm using the Trans Union New Access system to run credit reports. I'm doing this on my Windows 7 64-bit development machine.

I have a Web Application (web forms) project that uses the system. In one button, I have the following code:

    CreditReportRequestXML requestXMLSupplier = new CreditReportRequestXML();
    requestXMLSupplier.RunPendingRequests();

This code calls a method in another project that I coded myself. The code constructs XML that is posted to Transunion. I get perfectly good responses.

I have another project that's a Windows service project. The relevant code in this project is:

    CreditReportRequestXML requestXMLSupplier = new CreditReportRequestXML();
    requestXMLSupplier.RunPendingRequests();

When the account that the service runs under is my account, this works just fine. The service is installed as a service and can be started and stopped with the Services console.

So far, so good.

Here's the bad. When I configure the service to run under the Network Service account, I get the following error:

Could not create SSL/TLS secure channel.

I've been trying to use winhttpcertcfg to fix the problem. I've tried -

winhttpcertcfg -g -c LOCAL_MACHINE\My -s ******** -a "Network Service"

(where ******** is the subject name of the certificate. I can see this name when I debug my service using ?clientCertificate.SubjectName.Name)

I've also tried

winhttpcertcfg -i certfile.p12 -c LOCAL_MACHINE\My -a "Network Service" -p pwforcert

(where certfile is the file name; note that the file I have is a .p12 file, not a .pfx file. pwforcert is the password I used to create the system client on the Trans Union site.)

The service fails with the message above after trying both commands. When I list accounts that should have access to the private key using

winhttpcertcfg -l -c LOCAL_MACHINE\My -s MyCertificate

the output shows the correct matching certificate, and says 'Additional accounts and groups with access to the private key include:', and lists NT AUTHORITY\NETWORK SERVICE as one of the accounts.

The reason I want to use Network Service to run the service is that my boss wants me to do this. I talked with our network guys today, and they don't have an account on our servers that has administrative privileges.

What am I missing? Or, is there some other way around this problem?

Upvotes: 0

Views: 499

Answers (1)

Awerber

Reputation: 57

I wound up exporting one of the certificates to a PFX file, including the Private Key and all related certificates. This could only be done from one or two of the certificates on my machine. I then deleted all TU certificates. The winhttpcertcfg -i filename.pfx -c LOCAL_MACHINE\My -a "NETWORK SERVICE" -p **** was used. That worked.

Upvotes: 1
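The following PowerShell script is an added example and is not code from the question or the answer above. It does in one place what the two steps discussed on this page do: optionally import a PFX into LOCAL_MACHINE\My (the answer's re-import step), then grant NT AUTHORITY\NETWORK SERVICE read access to the certificate's private key and list the resulting ACL so you can confirm it (the check winhttpcertcfg -g and -l perform). Everything specific to a real deployment is an assumption: the subject string `CN=MyTransUnionClientCert` is a placeholder, the key-file locations under `%ProgramData%\Microsoft\Crypto` are the default Windows machine-key paths for CAPI and CNG keys, and the script must be run from an elevated PowerShell on a machine where the PKI module (`Import-PfxCertificate`) is available.

```powershell
# Added example, not from the original question or answer.
# Grants NETWORK SERVICE read access to a machine-store client certificate's private key,
# optionally importing the PFX first, then prints the key ACL for verification.
param(
    [string]$SubjectMatch = 'CN=MyTransUnionClientCert',          # placeholder: your cert's subject
    [string]$Account      = 'NT AUTHORITY\NETWORK SERVICE',
    [string]$PfxPath      = ''                                     # optional: path to a .pfx/.p12 to import
)

if ($PfxPath) {
    # Step 1 (the answer's approach): import the PFX, with private key, into LOCAL_MACHINE\My.
    # Import-PfxCertificate accepts .p12 files as well; the container format is the same.
    $pw = Read-Host -Prompt 'PFX password' -AsSecureString
    Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation Cert:\LocalMachine\My -Password $pw | Out-Null
}

# Step 2: find the newest matching certificate that actually has a private key in the machine store.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "*$SubjectMatch*" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1

if (-not $cert) {
    throw "No certificate with a private key matching '$SubjectMatch' in LocalMachine\My"
}
Write-Host "Using '$($cert.Subject)' thumbprint $($cert.Thumbprint)"

# Step 3: locate the private key file. CAPI (CSP) keys expose CspKeyContainerInfo and live under
# RSA\MachineKeys; CNG keys throw on .PrivateKey in .NET Framework and live under Crypto\Keys.
# Both paths are assumptions (Windows defaults), not something the original post states.
$keyFile = $null
try {
    $csp     = $cert.PrivateKey.CspKeyContainerInfo
    $keyFile = Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" $csp.UniqueKeyContainerName
} catch {
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
    if ($rsa -is [System.Security.Cryptography.RSACng]) {
        $keyFile = Join-Path "$env:ProgramData\Microsoft\Crypto\Keys" $rsa.Key.UniqueName
    }
}
if (-not $keyFile -or -not (Test-Path $keyFile)) {
    throw 'Could not locate the private key file for this certificate'
}

# Step 4: grant Read only. Reading the key is enough for TLS client authentication;
# Full Control would let the service account delete or replace the key.
$acl  = Get-Acl -Path $keyFile
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Account, 'Read', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $keyFile -AclObject $acl

# Step 5: verify, the same way winhttpcertcfg -l does, by listing who can read the key now.
(Get-Acl -Path $keyFile).Access |
    Where-Object { $_.IdentityReference -like "*$(($Account -split '\\')[-1])*" } |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
```

Run it once as an administrator, e.g. `.\Grant-KeyAccess.ps1 -SubjectMatch 'CN=...' -PfxPath .\certfile.p12`, then restart the service under Network Service. If the final table is empty, the ACL change did not land and the service will still fail to open the key.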
