The certificate 'CN=localhost' must have a private key that is capable of key exchange.The process must have access rights for

Hi,

My WCF service has following security settings:-

at server side(web.config) :-

<behaviors>

<serviceBehaviors>

<behavior name="myBehaviour" >

<serviceDebug includeExceptionDetailInFaults="true" />

<serviceMetadata httpGetEnabled="true" />

<serviceCredentials>

<serviceCertificate findValue="localhost" storeLocation="LocalMachine" storeName="My" x509FindType="FindBySubjectName" />

</serviceCredentials>

</behavior>

</serviceBehaviors>

</behaviors>

Hi Davide,

Thanks for your reply.I used winhttpcertcfg tool to grant access to private key to ASPNET account and after this i verified th elist of users who has access to certificate private key using :- winhttpcertcfg -l -c LOCAL_MACHINE\My -s localhost

And its show ASPNEt account in the list.Also if i try to grant acces again , i get meessage that access has already granted.

But I still getting the same error :(

Am i missing anything else..

Thanks

Akshay

Hi,

I think you need to mark the certificate key as exchangeable/exportable while creating the certificate using makecert.

So your command will probably look as under:

makecert -sk SignedByCA -iv TempCA.pvk -n "CN=localhost" -ic TempCA.cer SignedByCA.cer -sr LocalMachine -ss My -sky exchange -pe

Hope that helps!

-Shalini.

Hi Shalini,

Using

makecert -sk SignedByCA -iv TempCA.pvk -n "CN=localhost" -ic TempCA.cer SignedByCA.cer -sr LocalMachine -ss My -sky exchange -pe

give me error :- Can not create the key of the subject ('SignedByCA')

Regards

Akshay

Hi Shalini,

Thax for your inputs.It works ,if I set ClientCredentialType as Windows i.e

<bindings>

<wsHttpBinding>

<binding name="Binding1"

transactionFlow="true">

<security mode="Message">

<message clientCredentialType="Windows" />

</security>

</binding>

</wsHttpBinding>

</bindings>

But if I set ClientCredentialType as UserName then I get the error.

Any idea why is it

I have implemented a STS and obviously a STS has to be configured with a certificate.

My STS works fine using windows authentication. But I do not want to use windows authentication, because the STS will be running outside of a domain.

What I want to do is to let the client send through a username and password which can then be validated against an ADAM store. I would have thought that I could configure the clientCredentialType as UserName and then use that username and password to authenticate the credentials agains the ADAM store, so that I can build up a claimset for that user based on his ientity.

What you're saying, Todd, that this isn't possible Do I now need to embed some extra data in my RST in order to know who is doing the request. I think it's extremely weird that the binding behaves like that...

No,

I guess I might've confused the issue by mentioning too much of my design in regards to federated security.

Let me summarize my problem:

I have a service (HomeSts) which I configure with a serviceCertificate. I would like to configure this service¡¯s wsHttp binding with message security. The message security should be configured to ¡°UserName¡±.

The way I interpreted the binding is that it will expect a username password token in the request message from the client, but when I want to start the service I get the same error as the originator of this thread.

If I do not configure my service with the certificate, I manage to get my username/password validator to work. But a soon as I configure my service behavior with a certificate, I get the error.

Additional info:

I have to configure the service with a certificate, because it¡¯s a STS service. All the examples that I¡¯ve seen for authenticating someone in a STS service was configured with Windows (Kerberos) security, but I want to use a username/password solution, in order to authenticate against ADAM.

Question:

Is it possible to secure my service using a username/password validator and still have my service behavior configured to with a cert

Ah, I managed to narrow down my issue. I wrote some batch files that I use to generate certs using the makecert utility. I was using the wrong batch file to generate the cert, it did not specify -sky exchange.

When I read your post about the clientCredentials value causing the cert to be validated, I interpreted it incorrectly, I guess.

I should've just RTFS :)

I'm running into the same issue. Can you provide the makcert command line