Certificate problem with a new machine - credentials supplied to package not recognized

Question

I am installing a windows service on a new machine. The service does various operations over SslStream over TCP, which uses the certificate in problem.

The service has been operating fine with the same code and same certificate on other 2 windows 2003 machines. But, this new machine is Windows 2003 with 64 bit processor too.

I am running into this problem when I am trying to run the service with a 'Service Account' identity. It works fine with my own credentials. (Again, it works fine on other 2 machines with this service account)

I do not have 'strong protection' enabled while importing the certificate.

Here is the stack trace.

System.ComponentModel.Win32Exception: The credentials supplied to the package were not recognized at System.Net.SSPIWrapper.AcquireCredentialsHandle(SSPIInterface SecModule, String package, CredentialUse intent, SecureCredential scc) at System.Net.Security.SecureChannel.AcquireCredentialsHandle(CredentialUse credUsage, SecureCredential& secureCredential) at System.Net.Security.SecureChannel.AcquireClientCredentials(Byte[]& thumbPrint) at System.Net.Security.SecureChannel.GenerateToken(Byte[] input, Int32 offset, Int32 count, Byte[]& output) at System.Net.Security.SecureChannel.NextMessage(Byte[] incoming, Int32 offset, Int32 count)
at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest) at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest) at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult) at System.Net.Security.SslStream.AuthenticateAsClient(String targetHost, X509CertificateCollection clientCertificates, SslProtocols enabledSslProtocols, Boolean checkCertificateRevocation)

Answer 1

I found the problem and its solution.

The idea is to grant permissions to the account which is used for service identity.

Need to use a tool WinHttpCertCfg.exe. This is helpful for applications using client certificates to get authorization.

It's nicely explained here. http://support.microsoft.com/kb/901183

Thanks to Feroze Daud (http://ferozedaud.blogspot.com/), who answered me on a different forum.

Answer 2

I have had this problem both when running under the ASP.NET account or when using a windows service (under the Local System account). If you're running under ASP.NET, for Windows 2003 you need to use the WinHttpCertCfg.exe tool as described by cdpnet above. Windows 2008 R2 allows you to access the rights using the GUI, which is a nice improvement.

However, when running as a windows service, you need to ensure that the certificate is in the personal certificate store, by going into mmc and adding the certificate snap-in for either the windows service account, or if you are using the 'Local System' account, just get the snap-in for the local computer.

Here is the difference I've found...

If you had installed the personal certificate to your own user's certificate store and copied and pasted it to the local computer store, this doesn't always work. However, if you delete the certificate from the local computer store, personal folder, you can then right click on the personal folder in the local computer store, then import and go through the wizard.

For some reason, this fixes it and assigns the correct permissions for using the certificate. Good luck!

Answer 3

I was doing what is here described for a Win 2003 Serv and still couldnt get it to work because of the mssg "credentials supplied to package not recognized".

I tried all the above solutions with no success.

Finally I got it to work doing the following:

1. makecert -pe -n "CN=CERT" -ss my -sr LocalMachine -a sha1 -sky exchange -eku 1.3.6.1.5.5.7.3.1 -in "CERT" -is MY -ir LocalMachine -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 CERT.cer
2. Using MMC copy from Personal to Trusted Root
3. Use the certificate generated (.cer) for the X509 call from your service app.

WHY...who knows.....glad it worked for me....hopefully this makes it easier on others