Why do I get Cryptography_CSP_NoPrivateKey when using IIS but not when using VS development server?

StackOverflow https://stackoverflow.com/questions/681991

Question

I'm doing a web application that utilizes an external web service. This external web service requires me to sign each of my requests. So I'm using WebServicesClientProtocol class and .NET 2.0 by first consuming the external web service and then manually edit the Reference.cs file and change the extended class from System.Web.Services.Protocols.SoapHttpClientProtocol to Microsoft.Web.Services2.WebServicesClientProtocol. Then in the Page_Load method I have the following code:

try
{
    // Create the ws endpoint
    var uriServiceAddress = new Uri("urn:something-wse:something_NNNN");
    var uribuilderViaRouter = new UriBuilder("http://xx.xxx.xx/SrvXXX_NNNN/Test.asmx");
    var endpointReference = new EndpointReference(uriServiceAddress, uribuilderViaRouter.Uri);

    // Create the ws client
    var client = (WebServicesClientProtocol) new Test.Something();
    client.Destination = endpointReference;

    // Read the certificate from MyStore on LocalMachine
    X509CertificateStore localStore = X509CertificateStore.LocalMachineStore(X509CertificateStore.MyStore);
    X509SecurityToken securityToken = null;
    if (!localStore.OpenRead()) throw new Exception("Unable to open localstore for read");
    X509CertificateCollection certificateCollection = localStore.FindCertificateBySubjectString("email@subject.test");
    if (certificateCollection.Count == 0) throw new Exception("Unable to obtain security token.");
    securityToken = new X509SecurityToken(certificateCollection[0]);
    localStore.Close();

    // Attach the security toekn to the client request
    client.RequestSoapContext.Security.Tokens.Add(securityToken);
    client.RequestSoapContext.Security.Elements.Add(new MessageSignature(securityToken));

    // Set the timeouts
    client.RequestSoapContext.Security.Timestamp.TtlInSeconds = 2 * 60;
    client.Timeout = 60 * 10 * 1000;    // 10 mínútur ættu að duga í flest.

    // Call the test function
    DataSet set = ((Test.Something)client).searchMethod("Parameter 1", "Parameter 2");
    Label1.Text = User.Identity.Name+ " worked! " + set.Tables.Count + " tables!";
}
catch (Exception exc)
{
    Label1.Text = User.Identity.Name + " exception: " + exc.ToString();
}

This works fine when I run this using the Visual Studio Development Server but when I change to IIS it stops working and I get the ugly Cryptography_CSP_NoPrivateKey exception.

1) I have already read the Certificate properly into LocalMachine/MyStore using MMC and then I change the private key permissions using WSE 2.0 SP3 so that Everyone has full access to it. You can see this from here:

alt text http://www1.ruedenet.is/files/CertError1.png

2) I also set the property so that the Visual Studio Development Server is used when I debug the application:

alt text http://www1.ruedenet.is/files/CertError2.png

3) Then I run it and get a nice result:

alt text http://www1.ruedenet.is/files/CertError3.png

4) However, when I change the property to use IIS (and have VS create the Virtual Directory) like this:

alt text http://www1.ruedenet.is/files/CertError4.png

5) I also change the authentication method in IIS so that I get logged on (no reason for this really):

alt text http://www1.ruedenet.is/files/CertError5.png

6) So I get asked for a windows logon:

alt text http://www1.ruedenet.is/files/CertError6.png

7) And then my page runs and produces the error:

alt text http://www1.ruedenet.is/files/CertError7.png

If you could help me with this I would surely appreciate it. I have already spent hours on it and I don't want to spend more time if I'm making a fundamental error that you guys can see. BTW: I'm developing using Visual Studio 2008 on Windows Server 2008 with UAC turned off :-)

Really looking forward to hearing from you guys. Thanks.

Was it helpful?

Solution

:-)

I have solved this issue in a couple of steps:

1) I changed the user of the Default Application Pool to my username ...

alt text http://www1.ruedenet.is/files/ErrorFix1.png

... and that worked. I changed the user of the application pool back to NETWORK SERVICE and it didn't work again. This told me that the problem had something to do with the NETWORK SERVICE user. So I went back to looking for what could be the problem with the permissions of this user.

2) When browsing and reading the web I found Tim Jacobs' blogpost App-V 4.5 Certificate Galore at http://timjacobs.blogspot.com/2008/11/app-v-45-certificate-galore.html. Well, there wasn't anything new in it until at the end where he talks about the storage location of the private key on the disk. So I ran the FindPrivateKey.exe tool, ...

C:\MyTools>FindPrivateKey.exe My LocalMachine -t "8c 1a e6 1b 6d f2 f8 18 c8 26 b6 fa cd 60 fd 94 c7 a1 96 58"
Private key directory:
C:\Users\alfred\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3612370315-2559787 071-3412320394-1135
Private key file name:
b3765d4123902371ea91c5c9a521932e_96ce3a90-5634-44e6-8aa2-acb123b8b3bf

... which tells me that the location of the private key is in the C:\Users\alfred\... directory and the NETWORK SERVICE user probably doesn't have access in to this directory!!!

3) I therefore followed Tim's suggestion to use MMC to export the certificate & private key from the Local Computer/Personal/Certificates and then import it into Local Computer/Trusted Root Certificate Authorities/Certificates. After having exported, FindPrivateKey.exe reported, ...

C:\MyTools>FindPrivateKey.exe My LocalMachine -t "8c 1a e6 1b 7d f1 f8 18 c8 26 b6 fa cd 60 fd 94 c7 a1 96 58"
FindPrivateKey failed for the following reason: No certificates with key '8c 1a e6 1b 7d f1 f8 18 c8 26 b6 fa cd 60 fd 94 c7 a1 96 58' found in the store.

... which tells me the export worked. After importing and copy pasting it back to Local Computer/Personal/Certificates I get...

C:\MyTools>FindPrivateKey.exe My LocalMachine -t "8c 1a e6 1b 7d f1 f8 18 c8 26 b6 fa cd 60 fd 94 c7 a1 96 58"
Private key directory:
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys
Private key file name:
b3765d4d5a902371ea91c5c9a521932e_96ce3a90-5634-44e6-8aa2-acbaccb8b3bf

...and now the private key is in a public place, the C:\ProgramData\... directory. I then changed the private key permissions of the NETWORK SERVICE user to Full Access using the X509 Certificate Tool as I had done before.

And now it works!!!

I just can't thank you enough for your blogpost Tim. Thank you.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow
scroll top