The certificate's private key could not be accessed

Question

Hi,

 

I am working with the Geneva Framework and Windows Cardspace. In my STS config file I am using the following sentence:

 

      <serviceCertificate>

        <certificateReference findValue="certificateThumbprint" storeLocation="LocalMachine" storeName="My"                            x509FindType="FindByThumbprint" />

      </serviceCertificate>

 

When I try to access my STS from the browser it throw this error exception:

 

Parser Error Message: ID1024: The configuration property value is not valid.
PropertyName: serviceCertificate
Error: ID1039: The certificate's private key could not be accessed. Ensure the access control list (ACL) on the certificate's private key grants access to the application pool user.

 

I already tried to solve the problem with the solutions that I found on Internet but it is still not working:

 

§  From the MMC tool I right clicked in the certificate that I am using, All Tasks -> Manage Private Keys and gave access to IIS user, Network Service and finally to Everyone.

 

§  Also ran winhttpcertcfg tool and did the same,  gave access to IIS user, Network Service and finally to Everyone.

 

I am working on Vista with IIS7.

 

Does anyone have any idea of what could be the problem?

Thanks!

Answer 1

Hi MaryCR,

try moving the certificate to the IIS-Account with MMC an certificate-SnapIn (LocalMachine and Service-IIS)

Harald Ki.

Answer 2

<serviceCertificate>

        <certificateReference findValue="certificateThumbprint" storeLocation="LocalMachine" storeName="My"                            x509FindType="FindByThumbprint" />

      </serviceCertificate>


If this is that actual config you are using, then this [findValue="certificateThumbprint"] appears incorrect.  It should be the thumbprint of the cert, something like [findValue="8f53e5d353367ee538bb7dd362ef3950917b61bb"].  You can find the thumbprint using the mmc snapin.

Answer 3

Hi Harald,

Thanks for your answer!


I clicked on add/remove snap-in, then Certificates -> Service Account -> Local Computer -> IIS Admin Service and I moved the certificate to it, but I am still getting the same error. Is that what you told me to do?

I am working with an installed certificate. If I install a certificate the physical path of the private key file is:

C:\Users\MyUserAccount\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2692022201-2325077697-891178831-1329

But, if I create one rather than install it, the physical path of the private key file is: 

C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys

and I don't have any problem in this case. But I need to install it.

 

Answer 4

Hi Brent,

In the findValue field I am actually using the thumbprint of my certificate.

Answer 5

Hi MaryCR,

the IIS account is not the account IIS Admin Service.
it is something like www publishing (w3svc).
i only have win7 germany here, so the namings are a little different

greeting
Harald K.

Answer 6

That’s most probably not the cause.

 

IIS7+ does not load user profiles by default.

 

The typical approach is to install the certificate into the machine store and grant read access to the worker process account.

 

If you are on 2008 R2 – this is a little special – since IIS 7.5 injects a primary SID into the worker process – something like IIS AppPool\DefaultAppPool.

 

Make sure you know under which account your web app is running (do a Response.Write(WindowsIdentity.GetCurrent().Name to find out).

 

This account needs read access to the private key file.

 

HTH

---

Dominick Baier | thinktecture | http://www.leastprivilege.com

Answer 7

Hi All,

 

Thanks for your answers!

 

I have another question and maybe someone know the answer.

 

I am working with cardspace, managed cards and sts. At this moment everything works fine if I have the service and the client on the same machine, but If I have the sts in another machine, when I click on the send button on the identity selector the following message is showed in the event viewer:

 

There was a failure making a WS-Trust exchange with an external application.  The Identity provider end point was not found.

 

Inner Exception: Metadata contains a reference that cannot be resolved: 'https://www.datastorage.com/DataStorageSTS/Service.svc/mex'.

Inner Exception: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.

Inner Exception: The remote certificate is invalid according to the validation procedure.

 

In the hosts file the value www.datastorage.com is referring the ip of the machine where the sts is located. I am using an own certificate named www.datastorage.com.

 

In the browser the 'https://www.datastorage.com/DataStorageSTS/Service.svc/mex' url shows this message:

 

The security certificate presented by this website was not issued by a trusted certificate authority.

 

But I can click in the option "Continue to this web site" and I get the result that I want. Unfortunately in the identity selector I can't do that, so I want to know if there is a way of ignore certificate errors programmatically using a security token service?

 

Thanks!

Answer 8

It sounds like your error is coming from within CardSpace when it accesses the mex file. I don't think there is a way to get it to accept the certificate.

Is the certificate presented a self-signed certificate for www.datastorage.com? Could you add it to the Trusted Publishers store on the client machine?

Answer 9

Hi,

I had to work with some other issues but now everything is working fine.

Thanks all for your help!

Answer 10

Hello Dominick.

 

I have client certificate instaled in machine store/my and i'm accessing this in c# code.

so far so good.

my problem is that when i try to sign a xml file i get Signing key is not loaded...

i have already give permissions to my certificate private key to appPool\myapp and i still have this error... what can be?

 

i have tried a lot of things impersonation, another store location, i have changed the app pool to network service... nothing works!

 

i don't know what to do. can you help me with this...

 

Answer 11

Here is what i did and worked quickly:

I clicked on add/remove snap-in, then Certificates (local computer) -> Personal -> Certificates

went to my certificate (which i was using in ADFS 2.0 with it) and clicked on "All Tasks" -> "manage private keys"

Here you can grant access to the service account that is running your web site. in my case i was lazy :) i've added everyone.