Help with CredSSP sample code.

  • Question

  • Hello,
     I hope this is the correct forum for this question.
     I am trying to get the sample CREDSSP code to run (on a Vista platform) and have not been able to successfully get it to run. The code is from: http://msdn.microsoft.com/en-us/library/cc540483.aspx


    I did the following:
     
    1) Created a certificate using the selfssl utility (it had an error because I don't have IIS installed, but it seems to have correctly installed a certificate)
     
    2) Changed the group policy to include my machine name and also my user name (wasn't really quite sure what should be set - do you have any more information about this?)
     
    3) Built the sample code.
     
    The sample code runs, reads the certificate, sets up the security handles and then gets through the first exchange (ISC/ASC), the second ISC succeeds, but the second ASC fails with error 0x80090330 which is "SEC_E_DECRYPT_FAILURE".
     
    Looking at the protocol spec, it would seem that I've successfully gone through the
    TLSClientHello, TLSServerHello, but the TLSClientKeyExchange is failing on the server side as it tried to decrypt the packet.
     
    I've looked online and can't seem to find any useful information on why this might be happening. It would seem that there might be a problem with the certificate, but I can't figure out what that might be.
     
    So the main issue is how do I go about figuring out what I'm doing wrong to get the sample code to run.
     
    Here's the output from the run:
     
    Using package: credssp
    Using default credentials of user
    Acquiring client credentials
    Acquiring server credentials
    Certificate subject name = WIN-PW5HZFYFFM5
    ISC Success
    ASC Success
    ISC Success
    AcceptSecurityContext failed: 0x80090330
     

    Can anyone help? Or point me in the right direction for additional documentation or samples?

    Thanks!

    Wednesday, May 20, 2009 11:50 AM

All replies

  • In case anyone else runs into this -- it turns out that there was a duplicate cert in the certificate store. The selfssl app apparently doesn't replace a cert if you re-run it, but rather adds another one with the same name. This confused things...
    Thursday, May 21, 2009 7:51 PM
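
The reply above traces the failure to two certificates with the same name in the store. As an added example (not part of the original thread or the MSDN sample), this PowerShell check lists certificates that share a subject so the stale one can be identified by thumbprint and date. It assumes the server certificate is in the `Cert:\LocalMachine\My` store and that the subject CN is the machine name, as in the output shown in the question; the function name `Get-DuplicateSubjectCert` is hypothetical.

```powershell
# Added diagnostic example (not from the original thread).
# Assumptions: the certificate is in LocalMachine\My and its CN is the
# computer name; override either parameter if your setup differs.
param(
    [string]$StorePath = 'Cert:\LocalMachine\My',
    [string]$SubjectCN = $env:COMPUTERNAME
)

function Get-DuplicateSubjectCert {
    param([string]$StorePath, [string]$SubjectCN)

    # Match CN=<name> exactly (end of string or followed by another RDN).
    $pattern = 'CN=' + [regex]::Escape($SubjectCN) + '(,|$)'

    Get-ChildItem -Path $StorePath |
        Where-Object { $_.Subject -match $pattern } |
        Group-Object -Property Subject |
        Where-Object { $_.Count -gt 1 } |
        ForEach-Object {
            # Oldest first, so re-issued certificates appear in creation order.
            $_.Group | Sort-Object NotBefore |
                Select-Object Subject, Thumbprint, NotBefore, NotAfter, HasPrivateKey
        }
}

$dupes = @(Get-DuplicateSubjectCert -StorePath $StorePath -SubjectCN $SubjectCN)

if ($dupes.Count -eq 0) {
    Write-Output "No duplicate certificates for CN=$SubjectCN in $StorePath"
} else {
    Write-Output "Multiple certificates share CN=$SubjectCN; a lookup by subject name is ambiguous:"
    $dupes | Format-Table -AutoSize
}
```

Once the unwanted entry is identified, it can be removed through the Certificates MMC snap-in, leaving a single certificate for the sample to find.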