httpwebrequest failure with .net service running

Hi,
I have a .net 2.0 service that periodically needs to access a web site on the same 2003 server machine that is configured to use https.
The only way I can get this working is to run the service with the administrator login, no other account (system, local service, or account that is a member of the administrators group).

The failure is 2148074254 - No credentials are available in the security package
and the message is
The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel

Any ideas on how to proceed?

thanks,
chaz


Do you know if SSL client certificate authentication is being performed? It may be the case that the server is requesting client cert auth and only the admin account on your box has permissions to access the private key for the client cert that is being used (which may actually be the server's own SSL cert since it is the same box).

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--


Hello,

if the root certificate of your SSL certificate is not in the trusted root certificate store, you get this error.

The best way to deal with this is to add it to that store. If you can't do this for whatever reason, you can disable the check using this line of code, which you should run once during the start of your program:

    ServicePointManager.ServerCertificateValidationCallback = delegate(object sender,
        X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)
        { return true; };

Kind regards,
Henning


Hi,
Thanks to both of you for the valuable feedback.
I've implemented your work-around Henning and this works well with "ignore certificates" or "accept certificates". Eventually I will want to figure out the issue but for now I can move on to the next issue, which is "require certificates".
Joe started me thinking that this may just work if the Windows service could use the web site's server certificate as a client certificate when making the HTTPS request. Do either of you have suggestions regarding this issue? Are client certificates for services/processes (or machines for that matter) routinely generated? If so, how would one map these?

Any pointers, ideas would be appreciated.
thanks,
chaz


So, it sounds like you ARE trying to do client certificate authentication if you are planning to require client certificates. As such, the key to this is to make sure you have an appropriate client certificate available for your client and make sure the identity that is running your code has permissions to access the private key for that certificate. I think that was the original problem you were having, as the admin account had access to the private key for the cert you were using but no other account did (which is normal).

Joe K.


Joe,
The original problem was/is with the web-server certificate verification on the client. The web site was not requiring client certificates, nor were there any client certificates installed anywhere. This is still an open issue I'm investigating, meanwhile using the work-around. Thanks for the pointers on using client certificates, however, as I will need the service to use different logons such as local service or network service.
-chaz


Hi! Chaz:
I am also having the same problem. My problem is: I am using SQL Server 2005 Reporting Services. The Reporting Services website is using SSL. I could only open the Reporting Services web service using the admin logon. If I try to open reports with any other account, I get the error: "The underlying connection was closed: Could not establish trust relationship for the SSL/TLS Secure Channel." Did you find any workaround for this problem? If so, please help.

Regards
SSR
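
Added example, not code from any poster in this thread: a narrower form of the validation callback discussed above. It accepts the normal case, traces why validation failed under the current service account, and tolerates an untrusted chain only for one pinned certificate. The class name and the ExpectedThumbprint placeholder are assumptions; substitute the thumbprint of your own server certificate.

```csharp
using System;
using System.Diagnostics;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

// Hypothetical helper class; not part of the original thread.
static class PinnedServerCertificate
{
    // Placeholder: SHA-1 thumbprint of the site's certificate, hex digits without spaces.
    const string ExpectedThumbprint = "<THUMBPRINT-OF-YOUR-SERVER-CERT>";

    // Call once at service start, before the first HttpWebRequest is made.
    public static void Install()
    {
        ServicePointManager.ServerCertificateValidationCallback = Validate;
    }

    static bool Validate(object sender, X509Certificate certificate,
                         X509Chain chain, SslPolicyErrors errors)
    {
        // Normal platform validation succeeded: nothing to override.
        if (errors == SslPolicyErrors.None)
            return true;

        // Record which account saw the failure and what the chain engine reported,
        // so a trust problem specific to one logon can be diagnosed later.
        Trace.WriteLine(string.Format("TLS validation failed as {0}: {1}",
            Environment.UserName, errors));
        if (chain != null)
        {
            foreach (X509ChainStatus status in chain.ChainStatus)
                Trace.WriteLine(string.Format("  chain: {0} {1}",
                    status.Status, status.StatusInformation));
        }

        // Tolerate only chain errors (for example an untrusted root). A name
        // mismatch or a missing certificate is always rejected.
        if (errors != SslPolicyErrors.RemoteCertificateChainErrors || certificate == null)
            return false;

        // Accept only the one certificate that was pinned ahead of time.
        string actual = new X509Certificate2(certificate).Thumbprint;
        return string.Equals(actual, ExpectedThumbprint,
            StringComparison.OrdinalIgnoreCase);
    }
}
```

The traced chain status shows what differs between the administrator logon and the service account; once the root certificate is trusted for that account, the callback can be removed.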