Client Certificate Authentication - "Left with 0 client certificates to choose from."

  • Question

  • I am working on a client program written in C# for a customer. The program connects to a service that the customer uses which requires a client certificate for authentication (they already have a Java client connecting to this service using the same cert). When attempting to establish a connection from the customer box to the service it fails (log below). I do not have direct access to the service we are attempting to connect to, so I test locally as best I can, then send the customer a version of the program to test with.

    Some notes:

    • My code is working locally using self-signed certs for both the client and a "mock" server I put together.
    • For the moment I'm using ServicePointManager.ServerCertificateValidationCallback to always accept the server cert (temporary / just trying to isolate client cert issues for the time being).
    • I am using HttpWebRequest.ClientCertificates.Add(...) to set the client cert.
    • The customer is using a certificate issued from a CA as their client cert (i.e. not a self-signed cert).
    • The client cert is stored in a p12 file, which our program opens directly by file path (i.e. not from the Windows Certificate Store).
    • Based on some other logging I have, the p12 cert is loading OK and has a private key.

    Below is the log from the customer system. I'm really not sure how to interpret it. These lines seem important:

    "We have user-provided certificates. The server has specified 6 issuer(s). Looking for certificates that match any of the issuers."

    "Left with 0 client certificates to choose from."

    Does this indicate a problem with the client certificate or server certificate?

    Does this mean the client certificate issuer needs to match one of the issuers the server specified? How can I see what that list is? It doesn't seem to be in the network trace log anywhere (I can see the client cert issuer, but not the issuers the server has "specified").

    System.Net Warning: 0 : [1272] The Registry value 'Software\Microsoft\Windows NT\CurrentVersion\InstallationType' was either empty or not a string type.
    System.Net Information: 0 : [1272] Current OS installation type is 'Unknown'.
    System.Net Verbose: 0 : [1272] WebRequest::Create(https://[redacted])
    System.Net Verbose: 0 : [1272] HttpWebRequest#27504314::HttpWebRequest(https://[redacted]#-921164489)
    System.Net Information: 0 : [1272] RAS supported: True
    System.Net Verbose: 0 : [1272] Exiting HttpWebRequest#27504314::HttpWebRequest() 
    System.Net Verbose: 0 : [1272] Exiting WebRequest::Create()     -> HttpWebRequest#27504314
    System.Net Verbose: 0 : [1272] HttpWebRequest#27504314::GetRequestStream()
    System.Net Information: 0 : [1272] Associating HttpWebRequest#27504314 with ServicePoint#46212239
    System.Net Information: 0 : [1272] Associating Connection#13256970 with HttpWebRequest#27504314
    System.Net Information: 0 : [1272] Connection#13256970 - Created connection from [redacted] to [redacted].
    System.Net Information: 0 : [1272] TlsStream#52203868::.ctor(host=[redacted], #certs=1)
    System.Net Information: 0 : [1272] Associating HttpWebRequest#27504314 with ConnectStream#72766
    System.Net Verbose: 0 : [1272] Exiting HttpWebRequest#27504314::GetRequestStream()  -> ConnectStream#72766
    System.Net Verbose: 0 : [1272] ConnectStream#72766::Write()
    System.Net Verbose: 0 : [1272] Data from ConnectStream#72766::Write
    [redacted (xml)]
    System.Net Verbose: 0 : [1272] Exiting ConnectStream#72766::Write() 
    System.Net Verbose: 0 : [1272] ConnectStream#72766::Close()
    System.Net Verbose: 0 : [1272] Exiting ConnectStream#72766::Close() 
    System.Net Verbose: 0 : [1272] HttpWebRequest#27504314::GetResponse()
    System.Net Information: 0 : [1272] HttpWebRequest#27504314 - Request: POST [redacted] HTTP/1.1
    
    System.Net Information: 0 : [1272] SecureChannel#5894079::.ctor(hostname=[redacted], #clientCertificates=1, encryptionPolicy=RequireEncryption)
    System.Net Information: 0 : [1272] Enumerating security packages:
    System.Net Information: 0 : [1272]     Negotiate
    System.Net Information: 0 : [1272]     Kerberos
    System.Net Information: 0 : [1272]     NTLM
    System.Net Information: 0 : [1272]     Schannel
    System.Net Information: 0 : [1272]     Microsoft Unified Security Protocol Provider
    System.Net Information: 0 : [1272]     WDigest
    System.Net Information: 0 : [1272]     DPA
    System.Net Information: 0 : [1272]     Digest
    System.Net Information: 0 : [1272]     MSN
    System.Net Information: 0 : [1272] SecureChannel#5894079 - Attempting to restart the session using the user-provided certificate: [Version]
      V3
    
    [Subject]
      CN=[redacted]
      Simple Name: [redacted]
      DNS Name: [redacted]
    
    [Issuer]
      CN=[redacted]
      Simple Name: [redacted]
      DNS Name: [redacted]
    
    [Serial Number]
      [redacted]
    
    [Not Before]
      5/8/2013 9:34:17 AM
    
    [Not After]
      4/28/2015 9:34:17 AM
    
    [Thumbprint]
      [redacted]
    
    [Signature Algorithm]
      [redacted]
    
    [Public Key]
      Algorithm: RSA
      Length: 2048
      Key Blob: [redacted]
    System.Net Information: 0 : [1272] SecureChannel#5894079 - Left with 1 client certificates to choose from.
    System.Net Information: 0 : [1272] SecureChannel#5894079 - Trying to find a matching certificate in the certificate store.
    System.Net Information: 0 : [1272] SecureChannel#5894079 - Locating the private key for the certificate: [Version]
      V3
    
    [Subject]
      CN=[redacted]
      Simple Name: [redacted]
      DNS Name: [redacted]
    
    [Issuer]
      CN=[redacted]
      Simple Name: [redacted]
      DNS Name: [redacted]
    
    [Serial Number]
      [redacted]
    
    [Not Before]
      5/8/2013 9:34:17 AM
    
    [Not After]
      4/28/2015 9:34:17 AM
    
    [Thumbprint]
      [redacted]
    
    [Signature Algorithm]
      [redacted]
    
    [Public Key]
      Algorithm: RSA
      Length: 2048
      Key Blob: [redacted]
    System.Net Information: 0 : [1272] SecureChannel#5894079 - Certificate is of type X509Certificate2 and contains the private key.
    System.Net Information: 0 : [1272] AcquireCredentialsHandle(package = Microsoft Unified Security Protocol Provider, intent  = Outbound, scc     = System.Net.SecureCredential)
    System.Net Information: 0 : [1272] InitializeSecurityContext(credential = System.Net.SafeFreeCredential_SECURITY, context = (null), targetName = [redacted], inFlags = ReplayDetect, SequenceDetect, Confidentiality, AllocateMemory, InitManualCredValidation)
    System.Net Information: 0 : [1272] InitializeSecurityContext(In-Buffer length=0, Out-Buffer length=77, returned code=ContinueNeeded).
    System.Net Information: 0 : [1272] InitializeSecurityContext(credential = System.Net.SafeFreeCredential_SECURITY, context = 1e5098:1962c68, targetName = [redacted], inFlags = ReplayDetect, SequenceDetect, Confidentiality, AllocateMemory, InitManualCredValidation)
    System.Net Information: 0 : [1272] InitializeSecurityContext(In-Buffers count=2, Out-Buffer length=0, returned code=CredentialsNeeded).
    System.Net Information: 0 : [1272] SecureChannel#5894079 - We have user-provided certificates. The server has specified 6 issuer(s). Looking for certificates that match any of the issuers.
    System.Net Information: 0 : [1272] SecureChannel#5894079 - Left with 0 client certificates to choose from.
    System.Net Information: 0 : [1272] Using the cached credential handle.
    System.Net Information: 0 : [1272] InitializeSecurityContext(credential = System.Net.SafeFreeCredential_SECURITY, context = 1e5098:1962c68, targetName = [redacted], inFlags = ReplayDetect, SequenceDetect, Confidentiality, AllocateMemory, InitManualCredValidation)
    System.Net Information: 0 : [1272] InitializeSecurityContext(In-Buffers count=2, Out-Buffer length=317, returned code=ContinueNeeded).
    System.Net Information: 0 : [1272] InitializeSecurityContext(credential = System.Net.SafeFreeCredential_SECURITY, context = 1e5098:1962c68, targetName = [redacted], inFlags = ReplayDetect, SequenceDetect, Confidentiality, AllocateMemory, InitManualCredValidation)
    System.Net Information: 0 : [1272] InitializeSecurityContext(In-Buffers count=2, Out-Buffer length=0, returned code=CertUnknown).
    System.Net Error: 0 : [1272] Exception in the HttpWebRequest#27504314:: - The request was aborted: Could not create SSL/TLS secure channel.
    System.Net Error: 0 : [1272] Exception in the HttpWebRequest#27504314::GetResponse - The request was aborted: Could not create SSL/TLS secure channel.

    Monday, May 5, 2014 2:59 PM
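    Added diagnostic for the issuer question (this is not the poster's code): .NET Framework's SecureChannel offers a user-provided certificate only if the issuer of some element of its chain, as built on the client machine, equals one of the distinguished names the server sends in its CertificateRequest, which is what the "Looking for certificates that match any of the issuers" and "Left with 0 client certificates" lines report. The program below loads the .p12 the same way the client does, walks the chain, and compares every issuer against that list; the list is assumed to have been captured from the server with `openssl s_client -connect host:443`, which prints it under "Acceptable client certificate CA names", and the two sample names are constructed placeholders.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography.X509Certificates;
// Added diagnostic, not the poster's program. Usage: ClientCertIssuerCheck <client.p12> <password>
static class ClientCertIssuerCheck
{
    // Normalize DNs so .NET's "CN=a, O=b, C=US" and openssl's "C = US, O = b, CN = a" / "/C=US/O=b/CN=a"
    // compare equal (assumes no escaped commas or slashes inside attribute values).
    static string NormalizeDn(string dn)
    {
        var parts = dn.TrimStart('/')
            .Split(new[] { ',', '/' }, StringSplitOptions.RemoveEmptyEntries)
            .Select(p => p.Split(new[] { '=' }, 2))
            .Where(kv => kv.Length == 2)
            .Select(kv => kv[0].Trim().ToUpperInvariant() + "=" + kv[1].Trim())
            .OrderBy(p => p, StringComparer.Ordinal);
        return string.Join(",", parts);
    }
    static void Main(string[] args)
    {
        // Constructed sample list; replace with the "Acceptable client certificate CA names"
        // lines printed by: openssl s_client -connect host:443 </dev/null
        string[] serverIssuers =
        {
            "C = US, O = Example Corp, CN = Example Issuing CA",
            "C = US, O = Example Corp, CN = Example Root CA",
        };
        var acceptable = new HashSet<string>(serverIssuers.Select(NormalizeDn));
        var clientCert = new X509Certificate2(args[0], args[1]);
        Console.WriteLine("Subject: {0}  HasPrivateKey: {1}", clientCert.Subject, clientCert.HasPrivateKey);
        // Build the chain as this machine sees it: an intermediate missing here is also
        // missing when SecureChannel walks the chain during the handshake.
        var chain = new X509Chain();
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
        chain.ChainPolicy.VerificationFlags = X509VerificationFlags.AllowUnknownCertificateAuthority;
        chain.Build(clientCert);
        bool matched = false;
        foreach (X509ChainElement element in chain.ChainElements)
        {
            bool hit = acceptable.Contains(NormalizeDn(element.Certificate.Issuer));
            matched |= hit;
            Console.WriteLine("{0} {1}", hit ? "[MATCH]" : "[no]   ", element.Certificate.Issuer);
        }
        foreach (X509ChainStatus s in chain.ChainStatus)
            Console.WriteLine("Chain status: {0} {1}", s.Status, s.StatusInformation);
        Console.WriteLine(matched ? "A chain issuer is in the server's list; the cert will be offered."
            : "No chain issuer matches; expect 'Left with 0 client certificates to choose from'.");
    }
}
```

    A chain that stops at the leaf with a PartialChain status means the intermediate CA certificate is not installed on the customer box, so only the leaf's own issuer name gets compared; installing the intermediate lets the walk reach the names the server actually lists.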

Answers

  • Hi,

    From the error message, it seems that the certificate in the chain is not placed in the appropriate position. See a post for a similar issue.

    The problem also could be that you haven't granted permission to the correct application pool identity; please try temporarily granting read access to Everyone on the certificate's private key. As a reference: http://social.msdn.microsoft.com/Forums/vstudio/en-US/e2a2fc05-17c9-45ad-a532-7eb80cdb4626/

    Regards.


    We are trying to better understand customer views on social support experience, so your participation in this interview project would be greatly appreciated if you have time. Thanks for helping make community forums a great place.
    Click HERE to participate the survey.

    Wednesday, May 7, 2014 2:29 AM
    Moderator