The certificate's private key could not be accessed

    Question

  • Hi,

    I am working with the Geneva Framework and Windows CardSpace. In my STS config file I am using the following sentence:

    <serviceCertificate>
      <certificateReference findValue="certificateThumbprint" storeLocation="LocalMachine" storeName="My" x509FindType="FindByThumbprint" />
    </serviceCertificate>

    When I try to access my STS from the browser it throws this error exception:

    Parser Error Message: ID1024: The configuration property value is not valid.
    PropertyName: serviceCertificate
    Error: ID1039: The certificate's private key could not be accessed. Ensure the access control list (ACL) on the certificate's private key grants access to the application pool user.

    I already tried to solve the problem with the solutions that I found on the Internet, but it is still not working:

    §  From the MMC tool I right-clicked on the certificate that I am using, All Tasks -> Manage Private Keys, and gave access to the IIS user, Network Service and finally to Everyone.

    §  Also ran the winhttpcertcfg tool and did the same: gave access to the IIS user, Network Service and finally to Everyone.

    I am working on Vista with IIS7.

    Does anyone have any idea of what could be the problem?

    Thanks!

    Friday, November 13, 2009 3:41 PM

Answers

  • Hi,

    I had to work with some other issues but now everything is working fine.

    Thanks all for your help!

    • Marked as answer by MaryCR Wednesday, November 25, 2009 8:24 PM
    Wednesday, November 25, 2009 8:24 PM

All replies

  • Hi MaryCR,

    try moving the certificate to the IIS account with MMC and the certificate snap-in (LocalMachine and Service-IIS)

    Harald Ki.
    Friday, November 13, 2009 6:15 PM
  • <serviceCertificate>
      <certificateReference findValue="certificateThumbprint" storeLocation="LocalMachine" storeName="My" x509FindType="FindByThumbprint" />
    </serviceCertificate>

    If this is the actual config you are using, then this [findValue="certificateThumbprint"] appears incorrect.  It should be the thumbprint of the cert, something like [findValue="8f53e5d353367ee538bb7dd362ef3950917b61bb"].  You can find the thumbprint using the mmc snap-in.

    Friday, November 13, 2009 6:36 PM
  • Hi Harald,

    Thanks for your answer!

    I clicked on add/remove snap-in, then Certificates -> Service Account -> Local Computer -> IIS Admin Service and I moved the certificate to it, but I am still getting the same error. Is that what you told me to do?

    I am working with an installed certificate. If I install a certificate the physical path of the private key file is:

    C:\Users\MyUserAccount\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2692022201-2325077697-891178831-1329

    But, if I create one rather than install it, the physical path of the private key file is: 

    C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys

    and I don't have any problem in this case. But I need to install it.

    Friday, November 13, 2009 8:20 PM
  • Hi Brent,

    In the findValue field I am actually using the thumbprint of my certificate.
    Friday, November 13, 2009 8:23 PM
  • Hi MaryCR,

    the IIS account is not the account IIS Admin Service.
    It is something like WWW Publishing (W3SVC).
    I only have Win7 Germany here, so the names are a little different.

    Greetings
    Harald K.
    Friday, November 13, 2009 10:52 PM
  • That’s most probably not the cause.

    IIS7+ does not load user profiles by default.

    The typical approach is to install the certificate into the machine store and grant read access to the worker process account.

    If you are on 2008 R2 – this is a little special – since IIS 7.5 injects a primary SID into the worker process – something like IIS AppPool\DefaultAppPool.

    Make sure you know under which account your web app is running (do a Response.Write(WindowsIdentity.GetCurrent().Name) to find out).

    This account needs read access to the private key file.

    HTH

    Dominick Baier | thinktecture | http://www.leastprivilege.com
    Saturday, November 14, 2009 12:52 AM
  • Hi All,

    Thanks for your answers!

    I have another question and maybe someone knows the answer.

    I am working with CardSpace, managed cards and an STS. At this moment everything works fine if I have the service and the client on the same machine, but if I have the STS on another machine, when I click on the send button on the identity selector the following message is shown in the event viewer:

    There was a failure making a WS-Trust exchange with an external application.  The Identity provider end point was not found.

    Inner Exception: Metadata contains a reference that cannot be resolved: 'https://www.datastorage.com/DataStorageSTS/Service.svc/mex'.

    Inner Exception: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.

    Inner Exception: The remote certificate is invalid according to the validation procedure.

    In the hosts file the value www.datastorage.com refers to the IP of the machine where the STS is located. I am using my own certificate named www.datastorage.com.

    In the browser the 'https://www.datastorage.com/DataStorageSTS/Service.svc/mex' url shows this message:

    The security certificate presented by this website was not issued by a trusted certificate authority.

    But I can click on the option "Continue to this web site" and I get the result that I want. Unfortunately in the identity selector I can't do that, so I want to know if there is a way to ignore certificate errors programmatically using a security token service?

    Thanks!

    Wednesday, November 18, 2009 11:01 PM
  • It sounds like your error is coming from within CardSpace when it accesses the mex file. I don't think there is a way to get it to accept the certificate.

    Is the certificate presented a self-signed certificate for www.datastorage.com? Could you add it to the Trusted Publishers store on the client machine?
    Friday, November 20, 2009 6:26 AM
    Moderator
  • Hello Dominick.

    I have a client certificate installed in machine store/my and I'm accessing this in C# code.

    So far so good.

    My problem is that when I try to sign an XML file I get "Signing key is not loaded"...

    I have already given permissions on my certificate private key to appPool\myapp and I still have this error... what can it be?

    I have tried a lot of things: impersonation, another store location, I have changed the app pool to Network Service... nothing works!

    I don't know what to do. Can you help me with this...

    • Proposed as answer by digitaljeebus Thursday, July 05, 2012 6:58 PM
    • Unproposed as answer by digitaljeebus Thursday, July 05, 2012 6:58 PM
    Wednesday, January 12, 2011 7:05 PM
  • Here is what I did and it worked quickly:

    I clicked on add/remove snap-in, then Certificates (local computer) -> Personal -> Certificates

    went to my certificate (which I was using in ADFS 2.0) and clicked on "All Tasks" -> "Manage Private Keys"

    Here you can grant access to the service account that is running your web site. In my case I was lazy :) I added Everyone.

    Friday, September 30, 2011 11:24 AM
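Added example (not from this thread or any of its posters) that scripts what Dominick's reply describes and what the last reply does by hand in MMC: find the certificate by thumbprint in LocalMachine\My, locate its key container file under the MachineKeys folder the thread names, and grant only the worker-process identity Read access rather than Everyone. The thumbprint and account name are placeholders; the script assumes a CAPI/RSA machine key (the key type on the Vista/IIS7-era systems discussed here) and an elevated PowerShell session.

```powershell
# Added example, not the thread's code: grant one IIS worker-process identity
# Read access to a certificate's private key file instead of "Everyone".
# Assumptions: CAPI/RSA machine key under %ProgramData%\Microsoft\Crypto\RSA\MachineKeys,
# placeholder thumbprint and account, elevated session.
param(
    [string]$Thumbprint = 'REPLACE_WITH_CERTIFICATE_THUMBPRINT',
    [string]$Account    = 'IIS AppPool\DefaultAppPool'   # IIS 7.5+; on IIS7 use 'NT AUTHORITY\NETWORK SERVICE'
)

# Resolve the account to a SID first so a typo fails before any ACL is touched.
$sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
           [System.Security.Principal.SecurityIdentifier])

# Locate the certificate in LocalMachine\My, the store the STS config references.
$wanted = ($Thumbprint -replace '\s', '').ToUpper()
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $wanted }
if (-not $cert)               { throw "No certificate with thumbprint $wanted in LocalMachine\My" }
if (-not $cert.HasPrivateKey) { throw "Certificate '$($cert.Subject)' has no private key" }

# Map the certificate to its key container file. If the key had been imported into
# a user store it would live under C:\Users\<user>\AppData\Roaming\Microsoft\Crypto\RSA\<SID>
# instead, where a worker process without a loaded user profile cannot reach it.
$container = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
$keyFile   = Join-Path (Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys') $container
if (-not (Test-Path $keyFile)) { throw "Key container $container not found under MachineKeys" }

# Grant Read only: the worker process needs to read the key, never to modify it.
$acl  = Get-Acl -Path $keyFile
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $sid,
            [System.Security.AccessControl.FileSystemRights]::Read,
            [System.Security.AccessControl.AccessControlType]::Allow)
$acl.AddAccessRule($rule)
Set-Acl -Path $keyFile -AclObject $acl

# Print the resulting ACL so the grant can be verified and any leftover
# "Everyone" entry from earlier troubleshooting is visible for removal.
(Get-Acl -Path $keyFile).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType |
    Format-Table -AutoSize
```

The identity to pass as -Account is whatever the Response.Write(WindowsIdentity.GetCurrent().Name) check from Dominick's reply prints for the application.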