OJB1

Reputation: 2785

Azure Key Vault configuration issue when deploying a .Net Core 6 Worker App as a Windows Service

I have a .NET Core 6 worker app which I am deploying as a Windows Service. My app uses Azure Key Vault, which works OK during development, but once I publish the app and try to run it from a Windows Service, the service fails to start unless the service is configured to log on using a specific Windows user account with saved credentials.


I've been following the MS Docs https://learn.microsoft.com/en-us/dotnet/core/extensions/windows-service

The MS docs example doesn't seem to use a particular account to run the service; they use the Local System account instead. This was evident from the fact that the example PowerShell commands in the docs used for creating the service don't refer to any specific Windows user account.


After a while of head scratching, I eventually realised this issue has something to do with the fact it's unable to locate the certificate I installed in Windows that's used for connecting with Azure KeyVault.

When realising this, I modified the X509Store location in .NET Core to use the LocalMachine store instead of the CurrentUser store. I then re-installed the certificate into that new store location and tried again, but the Windows Service still doesn't start.

The code sample below does work OK if the app uses the CurrentUser cert store, but I'm trying to figure out a way that I can deploy the app and have the Windows Service start using the Local System account:

using System.Security.Cryptography.X509Certificates;
using Azure.Extensions.AspNetCore.Configuration.Secrets; // AddAzureKeyVault extension
using Azure.Identity;                                    // ClientCertificateCredential
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;

IHost host = Host.CreateDefaultBuilder(args)
    .UseWindowsService(options =>
    {
        // See https://learn.microsoft.com/en-us/dotnet/core/extensions/windows-service
        options.ServiceName = "My Service Name";
    })
    .ConfigureServices(services =>
    {
        var configuration = new ConfigurationBuilder()
            .AddJsonFile("appsettings.json")
            .Build();

        // Add my services here...
    })
    .ConfigureAppConfiguration((context, config) => // Azure KeyVault Configuration
    {
        if (context.HostingEnvironment.IsDevelopment() || context.HostingEnvironment.IsProduction())
        {
            // See https://learn.microsoft.com/en-us/aspnet/core/security/key-vault-configuration?view=aspnetcore-6.0
            // See https://github.com/dotnet/AspNetCore.Docs/blob/main/aspnetcore/security/key-vault-configuration/samples/3.x/SampleApp/Startup.cs
            var root = config.Build();

            // Defaults to StoreName.My (the "Personal" store) at the given location.
            using var x509Store = new X509Store(StoreLocation.LocalMachine); // *WONT WORK USING LOCALMACHINE* only CurrentUser
            x509Store.Open(OpenFlags.ReadOnly);

            // Look the certificate up by the thumbprint stored in appsettings.json.
            var x509Certificate = x509Store.Certificates
                .Find(
                    X509FindType.FindByThumbprint,
                    root["AzureADCertThumbprint"],
                    validOnly: false)
                .OfType<X509Certificate2>()
                .Single();

            // Authenticate to Key Vault as the AAD app using the certificate's private key.
            config.AddAzureKeyVault(
                new Uri($"https://{root["KeyVaultName"]}.vault.azure.net/"),
                new ClientCertificateCredential(
                    root["AzureADDirectoryId"],
                    root["AzureADApplicationId"],
                    x509Certificate));
        }
    })
    .Build();

host.Run();

So when starting up the service with the configuration set to search the certificate store using LocalMachine, I get the errors shown below:


In which line 87 refers to an issue encountered with the X509Store.


It's a little odd, though, that the error message is referring to the code from the project location on my Google Drive, despite the fact that the published project directory is actually stored on the root of the C drive. I use my G drive for storing all my VS projects, but the actual production test deployment was published and copied to my C drive. The second error message of the two shown in Windows Event Viewer does in fact point to the correct location of the published project on the C drive. The first error message is talking about the .NET Runtime; not sure why it's resolving this from my project folder location, considering I deployed/published the app as a self-contained one, which to me should mean it's using its own self-contained runtime instance for .NET.


Anyhow, I only have this issue once I set the X509Store to "StoreLocation.LocalMachine"; as soon as I change it back to "StoreLocation.CurrentUser", everything works OK. I had also checked that I have the certificate installed correctly in both the Current User and Local Machine cert stores, placed in the store as shown below:


Upvotes: 0

Views: 1039

Answers (1)

Anand

Reputation: 21

I was struggling with the same issue for the last 2 days, and finally it worked after placing my certificate in the Local Computer / Personal store.

Upvotes: 1
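The answer above pins the fix to the store location; the following PowerShell check is added here (it is not code from the question or the answer) to verify the three conditions a service logged on as LocalSystem needs before ClientCertificateCredential can work: the certificate is in LocalMachine\My, it carries a private key, and the service account has read access to the key file on disk. The thumbprint is a placeholder, and `NT AUTHORITY\SYSTEM` assumes the service uses the default Local System logon.

```powershell
# Added diagnostic; not from the question or the answer. Run in an elevated
# PowerShell on the machine hosting the service. Placeholder values below.
$thumbprint     = 'REPLACE_WITH_AzureADCertThumbprint'   # from appsettings.json
$serviceAccount = 'NT AUTHORITY\SYSTEM'                  # assumed service logon

# 1. A LocalSystem service has no CurrentUser profile store to search, so the
#    certificate must live in LocalMachine\My (Local Computer -> Personal).
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -eq $thumbprint } |
    Select-Object -First 1
if (-not $cert) {
    $msg = "Certificate $thumbprint is not in Cert:\LocalMachine\My. Import the .pfx with " +
           "Import-PfxCertificate -FilePath app.pfx -CertStoreLocation Cert:\LocalMachine\My"
    throw $msg
}

# 2. ClientCertificateCredential signs the token request, so the private key
#    must be present; importing a .cer gives only the public half.
if (-not $cert.HasPrivateKey) {
    throw "Certificate $thumbprint is in the store but has no private key."
}

# 3. Locate the key file and confirm the service account can read it.
#    CNG keys expose Key.UniqueName; older CAPI keys use CspKeyContainerInfo.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
$keyName = if ($rsa -is [System.Security.Cryptography.RSACng]) {
    $rsa.Key.UniqueName
} else {
    $rsa.CspKeyContainerInfo.UniqueKeyContainerName
}
$keyFile = Get-ChildItem -Path "$env:ProgramData\Microsoft\Crypto" -Recurse -File `
    -Filter $keyName -ErrorAction SilentlyContinue | Select-Object -First 1
if (-not $keyFile) {
    throw "Key file '$keyName' not found under ProgramData; the key was probably imported into a user profile."
}

$readRights = [System.Security.AccessControl.FileSystemRights]::Read
$allowed = (Get-Acl -Path $keyFile.FullName).Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.IdentityReference.Value -eq $serviceAccount -and
    $_.FileSystemRights.HasFlag($readRights)
}
if ($allowed) {
    "OK: $serviceAccount can read the private key for $thumbprint"
} else {
    "MISSING: grant $serviceAccount Read on $($keyFile.FullName) (certlm.msc -> All Tasks -> Manage Private Keys)"
}
```

The same check applies if the service is later moved off Local System to a virtual account (`NT SERVICE\<service name>`) or a group managed service account: only that account needs Read on the key file, which avoids saving a user password in the service logon settings.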
