Akshay Saini

Hi,

My WCF service has the following security settings:

At the server side (web.config):

<behaviors>
  <serviceBehaviors>
    <behavior name="myBehaviour">
      <serviceDebug includeExceptionDetailInFaults="true" />
      <serviceMetadata httpGetEnabled="true" />
      <serviceCredentials>
        <serviceCertificate findValue="localhost" storeLocation="LocalMachine" storeName="My" x509FindType="FindBySubjectName" />
      </serviceCredentials>
    </behavior>
  </serviceBehaviors>
</behaviors>

<bindings>
  <wsHttpBinding>
    <binding name="Binding1" transactionFlow="true">
      <security mode="Message">
        <message clientCredentialType="UserName" />
      </security>
    </binding>
  </wsHttpBinding>
</bindings>

At the client side (App.config) the security settings are:

<security mode="Message">
  <transport clientCredentialType="Windows" proxyCredentialType="None" realm="" />
  <message clientCredentialType="UserName" negotiateServiceCredential="true"
           algorithmSuite="Default" establishSecurityContext="true" />
</security>

I have created a root certificate using:

makecert -n "CN=TempCA" -r -sv TempCA.pvk TempCA.cer

and created a new certificate signed by that root certificate with:

makecert -sk SignedByCA -iv TempCA.pvk -n "CN=localhost" -ic TempCA.cer SignedByCA.cer -sr LocalMachine -ss My

Now I have installed the root certificate in Trusted Root Certification Authorities and the signed certificate in the Personal store.

I have also given the ASPNET process Read rights to the folder (and its parent folders) containing the private key file, and to the private key file itself.

The WCF service is hosted in IIS and the client (also a .NET application) is running on the same machine.

But when I run the service, I get this error:
The certificate 'CN=localhost' must have a private key that is capable of key exchange. The process must have access rights for the private key.

Please tell me what I am missing.

Regards

Akshay



Re: Windows Communication Foundation (Indigo) The certificate 'CN=localhost' must have a private key that is capable of key exchange.The process must have access rights for

DavideB

It seems I already experienced this problem in the past.

If I didn't misunderstand your post, I think you granted access to the key file on the disk, and that's not necessary, as far as I know.
You have to assign the proper access rights to the private key in the certificate store, and WinHttpCertCfg.exe is a tool that lets you do this; here's the link to MSDN.

In my scenario, I had to grant access to a specific account as I'm hosting my WCF services in a Windows service, in your case you should grant access to the account used by your ASPNET application.

HTH,
Davide Bedin






Re: Windows Communication Foundation (Indigo) The certificate 'CN=localhost' must have a private key that is capable of key exchange.The process must have access rights for

Akshay Saini

Hi Davide,

Thanks for your reply. I used the winhttpcertcfg tool to grant the ASPNET account access to the private key, and after this I verified the list of users who have access to the certificate's private key using: winhttpcertcfg -l -c LOCAL_MACHINE\My -s localhost

It shows the ASPNET account in the list. Also, if I try to grant access again, I get a message that access has already been granted.

But I am still getting the same error :(

Am I missing anything else?

Thanks

Akshay





Re: Windows Communication Foundation (Indigo) The certificate 'CN=localhost' must have a private key that is capable of key exchange.The process must have access rights for

Shalini Joshi MSFT

Hi,

I think you need to mark the certificate key as exchangeable/exportable while creating the certificate using makecert.

So your command will probably look as under:

makecert -sk SignedByCA -iv TempCA.pvk -n "CN=localhost" -ic TempCA.cer SignedByCA.cer -sr LocalMachine -ss My -sky exchange -pe

Hope that helps!

-Shalini.






Re: Windows Communication Foundation (Indigo) The certificate 'CN=localhost' must have a private key that is capable of key exchange.The process must have access rights for

Akshay Saini

Hi Shalini,

Using

makecert -sk SignedByCA -iv TempCA.pvk -n "CN=localhost" -ic TempCA.cer SignedByCA.cer -sr LocalMachine -ss My -sky exchange -pe

gives me the error: Can not create the key of the subject ('SignedByCA')

Regards

Akshay





Re: Windows Communication Foundation (Indigo) The certificate 'CN=localhost' must have a private key that is capable of key exchange.The process must have access rights for

Shalini Joshi MSFT

Hi Akshay,

I tried these same commands on my machine and they seem to succeed on a Vista box, so the syntax seems right to me (it's just that the GUI asked me to specify Issuer/Subject passwords as well). Did you try deleting the already created certificates on your machine first, before trying these out?

I'll try to find out more information for you on this as well..

-Shalini.






Re: Windows Communication Foundation (Indigo) The certificate 'CN=localhost' must have a private key that is capable of key exchange.The process must have access rights for

Akshay Saini

Hi Shalini,

Thanks for your inputs. It works if I set ClientCredentialType to Windows, i.e.

<bindings>
  <wsHttpBinding>
    <binding name="Binding1" transactionFlow="true">
      <security mode="Message">
        <message clientCredentialType="Windows" />
      </security>
    </binding>
  </wsHttpBinding>
</bindings>

But if I set ClientCredentialType to UserName then I get the error.

Any idea why that is?





Re: Windows Communication Foundation (Indigo) The certificate 'CN=localhost' must have a private key that is capable of key exchange.The process must have access rights for

Shalini Joshi MSFT

Cool - but I am afraid I am no expert on this issue, or even on why it works with one credential type and not the other. I'll go ahead and forward this thread to someone who might know more, though.

-Shalini.






Re: Windows Communication Foundation (Indigo) The certificate 'CN=localhost' must have a private key that is capable of key exchange.The process must have access rights for

Todd West

The ClientCredential property is confusingly named. It controls both the client and service credentials. Specifying Windows results in SSPI (either NTLM or Kerberos) authentication, which does not use a certificate to identify the service. Hence, no error. Specifying UserName results in UserNameOverTransport, UserNameForCertificate, or UserNameForSslNegotiated, depending on which way you turn the security mode and negotiate service credential knobs. All of these identify the service with a certificate, hence the error (though you won't hit WCF's private key check if https is used as the transport, since the http.sys SSL port registrations are used in that case).
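
The following is an added example, not code from any post in this thread, showing a current equivalent of the makecert / winhttpcertcfg steps discussed above: issue a "CN=localhost" certificate from a local root CA with a key-exchange-capable (AT_KEYEXCHANGE) private key, grant the IIS worker identity read access to that key, and then check the two things WCF's private key test needs. It assumes Windows Server 2016 / Windows 10 or later, Windows PowerShell 5.1 run as Administrator, and an application pool named "DefaultAppPool"; the pool name and the CA name are placeholders, and the `-TextExtension` basic-constraints syntax is taken from the New-SelfSignedCertificate documentation rather than verified here.

```powershell
# Added example (not from the thread). Creates a root CA and a CA-signed service
# certificate whose private key is AT_KEYEXCHANGE, grants the worker identity
# access to the key, and reports what WCF checks. Requires an elevated session.
$ErrorActionPreference = 'Stop'

# Hypothetical identity: replace with the account or app pool that runs the service.
$appPoolIdentity = 'IIS AppPool\DefaultAppPool'

# makecert kept keys in a CSP (CAPI) container; WCF before .NET Framework 4.6.2
# only accepts CSP keys, so we ask for a legacy CSP explicitly instead of the default KSP.
$csp = 'Microsoft Enhanced RSA and AES Cryptographic Provider'

# 1. Root CA, the counterpart of:  makecert -n "CN=TempCA" -r -sv TempCA.pvk TempCA.cer
$ca = New-SelfSignedCertificate -Subject 'CN=TempCA' -Type Custom `
    -KeyUsage CertSign, CRLSign -KeySpec Signature -KeyExportPolicy Exportable `
    -Provider $csp -CertStoreLocation 'Cert:\LocalMachine\My' `
    -TextExtension @('2.5.29.19={critical}{text}ca=true&pathlength=0')

# Trust the root machine-wide (the "Trusted Root Certification Authorities" step).
$rootStore = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'LocalMachine')
$rootStore.Open('ReadWrite')
$rootStore.Add($ca)
$rootStore.Close()

# 2. Service certificate, the counterpart of:  makecert ... -sky exchange -pe
#    -KeySpec KeyExchange is what makes the key "capable of key exchange".
$leaf = New-SelfSignedCertificate -Subject 'CN=localhost' -Signer $ca `
    -KeySpec KeyExchange -KeyExportPolicy Exportable `
    -KeyUsage DigitalSignature, KeyEncipherment `
    -Provider $csp -CertStoreLocation 'Cert:\LocalMachine\My'

# 3. Re-read the certificate from the store and inspect its key container.
#    KeyNumber is the CSP key spec: 'Exchange' (AT_KEYEXCHANGE) or 'Signature' (AT_SIGNATURE).
$cert = Get-Item "Cert:\LocalMachine\My\$($leaf.Thumbprint)"
$info = $cert.PrivateKey.CspKeyContainerInfo
if ($info.KeyNumber -ne 'Exchange') {
    throw "Private key of $($cert.Subject) is KeySpec '$($info.KeyNumber)'; WCF needs 'Exchange'."
}

# 4. Grant the worker identity read access to the key file (what winhttpcertcfg -g did).
#    Machine CSP keys are files under %ProgramData%\Microsoft\Crypto\RSA\MachineKeys,
#    named after the container's unique name; ACLs on that file are what the process needs.
$keyFile = Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$($info.UniqueKeyContainerName)"
icacls $keyFile /grant "${appPoolIdentity}:R" | Out-Null

# 5. Report the values to put in web.config and the resulting key ACL.
"Thumbprint for findValue (with x509FindType=FindByThumbprint): $($cert.Thumbprint)"
"KeySpec: $($info.KeyNumber)   container: $($info.UniqueKeyContainerName)"
(Get-Acl $keyFile).Access |
    Where-Object { $_.IdentityReference -like 'IIS AppPool\*' } |
    Select-Object IdentityReference, FileSystemRights
```

Two points worth checking afterwards. First, `x509FindType="FindBySubjectName"` with `findValue="localhost"` is a substring match and returns the first certificate whose subject contains that text, so an older signature-only "CN=localhost" certificate left in the store can still be the one WCF picks up; either delete it, as suggested earlier in the thread, or switch the behavior to `FindByThumbprint` with the value the script prints. Second, the ACL grant is on the key file, not on the certificate, which is why granting rights on unrelated folders has no effect.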



Re: Windows Communication Foundation (Indigo) The certificate 'CN=localhost' must have a private key that is capable of key exchange.The process must have access rights for

hendrik swanepoel

I have implemented a STS and obviously a STS has to be configured with a certificate.

My STS works fine using windows authentication. But I do not want to use windows authentication, because the STS will be running outside of a domain.

What I want to do is to let the client send through a username and password, which can then be validated against an ADAM store. I would have thought that I could configure the clientCredentialType as UserName and then use that username and password to authenticate the credentials against the ADAM store, so that I can build up a claim set for that user based on his identity.

What you're saying, Todd, is that this isn't possible? Do I now need to embed some extra data in my RST in order to know who is doing the request? I think it's extremely weird that the binding behaves like that...





Re: Windows Communication Foundation (Indigo) The certificate 'CN=localhost' must have a private key that is capable of key exchange.The process must have access rights for

Todd West

I don't understand the question. Are you having a problem plugging in a custom username/password validator which checks against ADAM?



Re: Windows Communication Foundation (Indigo) The certificate 'CN=localhost' must have a private key that is capable of key exchange.The process must have access rights for

hendrik swanepoel

No,

I guess I might've confused the issue by mentioning too much of my design in regards to federated security.

Let me summarize my problem:

I have a service (HomeSts) which I configure with a serviceCertificate. I would like to configure this service's wsHttp binding with message security. The message security should be configured to "UserName".

The way I interpreted the binding is that it will expect a username/password token in the request message from the client, but when I want to start the service I get the same error as the originator of this thread.

If I do not configure my service with the certificate, I manage to get my username/password validator to work. But as soon as I configure my service behavior with a certificate, I get the error.

Additional info:

I have to configure the service with a certificate, because it's an STS service. All the examples that I've seen for authenticating someone in an STS service were configured with Windows (Kerberos) security, but I want to use a username/password solution, in order to authenticate against ADAM.

Question:

Is it possible to secure my service using a username/password validator and still have my service behavior configured with a cert?





Re: Windows Communication Foundation (Indigo) The certificate 'CN=localhost' must have a private key that is capable of key exchange.The process must have access rights for

hendrik swanepoel

Ah, I managed to narrow down my issue. I wrote some batch files that I use to generate certs using the makecert utility. I was using the wrong batch file to generate the cert, it did not specify -sky exchange.

When I read your post about the clientCredentials value causing the cert to be validated, I interpreted it incorrectly, I guess.

I should've just RTFS :)





Re: Windows Communication Foundation (Indigo) The certificate 'CN=localhost' must have a private key that is capable of key exchange.The process must have access rights for

Todd West

OK, cool. For the record, client username/password authentication to a service is orthogonal to both service authentication to a client via certificate as well as federated RST/RSTRs.



Re: Windows Communication Foundation (Indigo) The certificate 'CN=localhost' must have a private key that is capable of key exchange.The process must have access rights for

Amer Gill

I'm running into the same issue. Can you provide the makecert command line?