SslStream.IsMutuallyAuthenticated returns true in Console application but returns false in Windows Service

  • Question

  • I have this code:

    // Load the client certificate (with its private key) from the PFX file.
    X509Certificate clientCertificate = new X509Certificate(certificationFilePath, certificateFilePassword);
    
    TcpClient client = new TcpClient(host, port);
    
    // The validation callback returns true for every server certificate, so the server is not checked.
    SslStream stream = new SslStream(client.GetStream(), false, (sender, certificate, chain, errors) => true);
    
    X509CertificateCollection clientCertificates = new X509CertificateCollection {clientCertificate};
    
    // Offer the client certificate during the TLS handshake.
    stream.AuthenticateAsClient(host, clientCertificates, SslProtocols.Tls, false);

    When I run the code in a Console Application, everything works fine: stream.IsAuthenticated and stream.IsMutuallyAuthenticated return true and stream.LocalCertificate contains the correct certificate object.

    However, when running the exact same code in a Windows Service (as LOCAL SYSTEM user), although stream.IsAuthenticated returns true, stream.IsMutuallyAuthenticated returns false and stream.LocalCertificate returns null.

    This happens even though, in both scenarios, after the first line is run clientCertificate loads the correct certificate data and contains the correct information for the certificate's Subject and Issuer.

    I have also tried forcing the SslStream to pick the Certificate using this code:

    X509Certificate clientCertificate = new X509Certificate(certificationFilePath, certificateFilePassword);
    
    TcpClient client = new TcpClient(host, port);
    
    // The fourth argument is a LocalCertificateSelectionCallback that always returns clientCertificate.
    SslStream stream = new SslStream(client.GetStream(), false, (sender, certificate, chain, errors) => true, (sender, host, certificates, certificate, issuers) => clientCertificate);
    
    X509CertificateCollection clientCertificates = new X509CertificateCollection {clientCertificate};
    
    stream.AuthenticateAsClient(host, clientCertificates, SslProtocols.Tls, false);

    However, the code still doesn't work: stream.IsMutuallyAuthenticated returns false and stream.LocalCertificate returns null.

    I have been exploring this for a few days and I can't figure this out. Any help is highly appreciated.

    Monday, July 10, 2017 2:39 PM

All replies

  • Hi RojanGh,

    >>However when running the exact same code in a Windows Service (as LOCAL SYSTEM user), although stream.IsAuthenticated returns true, stream.IsMutuallyAuthenticated returns false and stream.LocalCertificate returns null.

    Does it work for an administrator user? If it works for an administrator user, please check whether the LOCAL SYSTEM user has access rights to the certificate by using WinHttpCertCfg, like this:

    winhttpcertcfg -g -c LOCAL_MACHINE\My -s MyCertificate -a TESTUSER
    

    For more information, please refer to:

    https://msdn.microsoft.com/en-us/library/aa384088(VS.85).aspx#_using

    Best regards,

    Cole Wu


    MSDN Community Support

    Tuesday, July 11, 2017 6:22 AM
    Moderator
  • Don't specify "-a <username>" to that command if you'll try to access the certificate with LocalSystem. A per-user certificate store can only be accessed if your code logs in as that user account and has the profile loaded.

    And since you're on this topic, if you ever try to store a certificate in a user's certificate store, always update the password through the security desktop instead of "Right-click My Computer" -> Manage, or, in case the user is an AD user, don't reset it in the AD administration tool. See my exchange with Aaron Margosis here.


    Tuesday, July 11, 2017 7:50 AM
    Answerer
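Putting the two replies together (the private key sits in a per-user key store that a LOCAL SYSTEM service never loads, so SslStream quietly drops the client certificate), here is an added example that is not from the thread: it loads the PFX into the machine key set, proves the private key can actually be opened under the current account, and treats a handshake that completed without the client certificate as a failure. It also validates the server certificate and uses TLS 1.2 instead of the `=> true` callback and TLS 1.0 from the question; the class and method names are my own, and the MachineKeySet flag is the assumed fix for the service case.

```csharp
using System;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;
using System.Security.Cryptography.X509Certificates;

static class MutualTlsClient
{
    // Load the PFX into the machine key set. The default key set lives in the
    // calling account's user profile, which is not loaded for a service running
    // as LOCAL SYSTEM; SslStream then silently drops a client certificate whose
    // private key it cannot open, which is what leaves LocalCertificate null.
    public static X509Certificate2 LoadClientCertificate(string pfxPath, string password)
    {
        var cert = new X509Certificate2(pfxPath, password, X509KeyStorageFlags.MachineKeySet);
        // Actually open the key: HasPrivateKey alone does not prove the service
        // account can use it; GetRSAPrivateKey throws CryptographicException if not.
        using (var key = cert.GetRSAPrivateKey())
        {
            if (key == null)
                throw new InvalidOperationException("No usable RSA private key in " + cert.Subject);
        }
        return cert;
    }

    // Validate the server certificate instead of returning true for everything.
    private static bool ValidateServer(object sender, X509Certificate cert,
                                       X509Chain chain, SslPolicyErrors errors)
        => errors == SslPolicyErrors.None;

    public static SslStream Connect(string host, int port, X509Certificate2 clientCert)
    {
        var client = new TcpClient(host, port);
        var stream = new SslStream(client.GetStream(), false, ValidateServer,
            (sender, target, local, remote, issuers) => clientCert);
        stream.AuthenticateAsClient(host, new X509CertificateCollection { clientCert },
            SslProtocols.Tls12, checkCertificateRevocation: true);
        // Fail closed: a handshake that succeeded without our certificate is the
        // symptom from the question, not a usable mutually authenticated session.
        if (!stream.IsMutuallyAuthenticated || stream.LocalCertificate == null)
        {
            stream.Dispose();
            client.Close();
            throw new AuthenticationException(
                "Client certificate was not presented; check private-key access for the service account.");
        }
        return stream;
    }
}
```

Run LoadClientCertificate under the service account first: if it throws, the key-store permissions are the problem, not the TLS code.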