Can't make BITS upload work with client certificate authentication

Question

  • Hi

    I have an IIS extension for BITS with upload enabled on the server (Win2008) and a C# .NET4 client running as a Windows service on the client machine (Win8.1).

    The BITS upload without the certificate auth is working fine.

    I have generated a self-signed root cert, added it to TrustedCA storage on both machines, generated child client and server certs, added them to the respective storages. Both are displayed as valid and trusted in the MMC console.

    However, when I try to use client cert authentication (setting "Require client certificate" in the IIS and adding the certificate to the BITS job on the client), the client certificate does not seem to be received by IIS.

    The code I'm using to set the cert on client is:

    // Cast the BITS job to its HTTP-options interface and attach the client certificate by store location, store name and subject
    var httpOptions = (IBackgroundCopyJobHttpOptions) job2;
    httpOptions.SetClientCertificateByName(certificate.certLocation, certificate.certStoreName, certificate.certSubjectName);


    The certLocation is

    BG_CERT_STORE_LOCATION.BG_CERT_STORE_LOCATION_LOCAL_MACHINE

    since the client certificate is installed into LocalMachine and the service is running as LocalSystem.

    Additionally, right after I have called SetClientCertificateByName, I try to get it back:

    // Read the certificate selection back from the job. The interface's out parameters are, in order:
    // store location, store name, certificate hash blob, subject name (so the last value is the subject, not a location).
    BG_CERT_STORE_LOCATION loc;
    string stName, stLocation;
    var hash = new IntPtr();
    httpOptions.GetClientCertificate(out loc, out stName, hash, out stLocation);

    But it returns empty values.

    I have tried to check the certificate presence via:

    // Open the LocalMachine store the service uses and look for a currently valid certificate with that subject
    var store = new X509Store(certificate.certStoreName, StoreLocation.LocalMachine);
    store.Open(OpenFlags.ReadOnly);
    var certs = store.Certificates.Find(X509FindType.FindBySubjectName, certificate.certSubjectName, true);
    store.Close();

    and the certificate is indeed there.

    I have also tried using WinHttpCertCfg.exe (no errors, but nothing changed) and FindPrivateKey.exe (says "Unable to obtain private key file name") to grant the access to the cert's private key to the LocalSystem account.

    I'm out of ideas on this one. Any insight would be very appreciated.



    Tuesday, June 17, 2014 5:24 AM

Answers

  • Hi,

    >>Unable to obtain private key file name

    The private key is used to decrypt messages coming from the client and to verify the integrity of signed messages. This implies that access is required to the private key by the account under which the service will be running. The private key is only accessible by you if the account you are using to run winhttpcertcfg and the findprivatekey tools is the same as the one used to create the certificates. The error might be because there is a discrepancy in this regard.

    Also, when you create the certificate and export it, you need to make sure that the private key is actually created and placed in a folder similar to:
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys. The error might be because the private key file has not been actually created or it's not in the expected location.

    Best Regards,
    Amy Peng

    Tuesday, July 1, 2014 12:28 PM
    Moderator
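The reply above points at the private key rather than the certificate itself: the service account must be able to open the key file under MachineKeys, and the "Unable to obtain private key file name" error from FindPrivateKey.exe suggests that file cannot be resolved. The following C# diagnostic is an added example, not code from the thread or from Microsoft's tools; it does by hand what FindPrivateKey.exe does (resolve the certificate's CSP key container to its file and list that file's ACL) and, because it reads `PrivateKey` under the current identity, it shows whether the account it runs as can actually use the key. The class name `ClientCertDiagnostics`, the method `Inspect`, and the store name `"My"` and subject `"bits-client"` are placeholders; it assumes a legacy CSP RSA key, which is what a self-signed certificate imported via a .pfx normally has on Win2008/Win8.1.

```csharp
using System;
using System.IO;
using System.Security.AccessControl;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Security.Principal;

// Added diagnostic, not code from the thread. Run it under the same account as
// the BITS client service (LocalSystem here) to see whether that account can
// open the certificate's private key.
static class ClientCertDiagnostics
{
    // Locate the key file for a certificate in LocalMachine\<storeName> and
    // report who has access to it (what FindPrivateKey.exe does by hand).
    public static void Inspect(string storeName, string subjectName)
    {
        var store = new X509Store(storeName, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            // validOnly = true mirrors the Find call from the question.
            X509Certificate2Collection certs =
                store.Certificates.Find(X509FindType.FindBySubjectName, subjectName, true);
            if (certs.Count == 0)
            {
                Console.WriteLine("No valid certificate with subject '{0}' in LocalMachine\\{1}.", subjectName, storeName);
                return;
            }
            foreach (X509Certificate2 cert in certs)
                InspectOne(cert);
        }
        finally
        {
            store.Close();
        }
    }

    static void InspectOne(X509Certificate2 cert)
    {
        Console.WriteLine("Certificate {0} (thumbprint {1})", cert.Subject, cert.Thumbprint);
        Console.WriteLine("  running as: {0}", WindowsIdentity.GetCurrent().Name);

        // HasPrivateKey only says the store entry references a key; it does not
        // prove the key file exists or is readable by this account.
        if (!cert.HasPrivateKey)
        {
            Console.WriteLine("  No private key is associated with this certificate (imported from a .cer rather than a .pfx?).");
            return;
        }

        RSACryptoServiceProvider rsa;
        try
        {
            // Opening the key is the real test: if this account lacks rights to the
            // key file, the getter throws ("Keyset does not exist" / "Access is denied").
            rsa = cert.PrivateKey as RSACryptoServiceProvider;
        }
        catch (CryptographicException ex)
        {
            Console.WriteLine("  Cannot open private key: {0}", ex.Message);
            return;
        }
        if (rsa == null)
        {
            Console.WriteLine("  Private key is not a CSP RSA key; this helper only handles legacy CSP key storage.");
            return;
        }

        CspKeyContainerInfo info = rsa.CspKeyContainerInfo;
        Console.WriteLine("  container: {0} (machine store: {1})", info.KeyContainerName, info.MachineKeyStore);

        // Machine keys live under %ProgramData%\Microsoft\Crypto\RSA\MachineKeys
        // (the folder the reply refers to); user keys live in the creating user's
        // profile and are unusable by a service running as a different account.
        if (!info.MachineKeyStore)
        {
            Console.WriteLine("  Key is in a user profile, not MachineKeys: a LocalSystem service cannot use it.");
            return;
        }
        string keyFile = Path.Combine(
            Environment.GetFolderPath(Environment.SpecialFolder.CommonApplicationData),
            @"Microsoft\Crypto\RSA\MachineKeys", info.UniqueKeyContainerName);
        Console.WriteLine("  key file: {0} (exists: {1})", keyFile, File.Exists(keyFile));
        if (!File.Exists(keyFile))
            return;

        // List the ACL so it is visible whether SYSTEM (or the service account) can read the key.
        FileSecurity acl = File.GetAccessControl(keyFile);
        foreach (FileSystemAccessRule rule in acl.GetAccessRules(true, true, typeof(NTAccount)))
            Console.WriteLine("  {0,-6} {1,-30} {2}", rule.AccessControlType, rule.IdentityReference.Value, rule.FileSystemRights);
    }

    static void Main()
    {
        // Placeholder store and subject; substitute the values the BITS job uses.
        Inspect("My", "bits-client");
    }
}
```

Run once interactively and once as the service account (for example by scheduling it as a SYSTEM task): if the interactive run reaches the ACL listing but the SYSTEM run fails at "Cannot open private key", the certificate is fine and the key file's ACL is what needs fixing, which is the case the winhttpcertcfg step in the thread is meant to address. If `HasPrivateKey` is false under both accounts, the certificate was imported without its key and no ACL change will help.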

All replies

  • Please read this article to find your answer:

    http://msdn.microsoft.com/en-us/library/aa362781(v=vs.85).aspx

    Thursday, June 19, 2014 10:15 AM
  • Sorry, but I have re-read it and found nothing new. It says I must call SetClientCertificateByName, which I do. It says client cert auth is not supported prior to Vista; I am using Win2008/Win8.1.
    Friday, June 20, 2014 8:06 AM