避免SslStream.AuthenticateAsClient的管理员访问权限?

时间:2010-11-11 04:39:12

标签: c# .net windows-7 ssl-certificate sslstream

我有一个使用.NET SslStream类以及客户端和服务器证书的应用程序。此应用程序在Windows XP上运行良好。但是在Windows 7(也可能是Vista)上,调用SslStream.AuthenticateAsClient时会出现以下异常:

System.ComponentModel.Win32Exception: The credentials supplied to the package were not recognized   
  at System.Net.SSPIWrapper.AcquireCredentialsHandle(SSPIInterface SecModule, String package, CredentialUse intent, SecureCredential scc)   
  at System.Net.Security.SecureChannel.AcquireCredentialsHandle(CredentialUse credUsage, SecureCredential& secureCredential)   
  at System.Net.Security.SecureChannel.AcquireClientCredentials(Byte[]& thumbPrint)   
  at System.Net.Security.SecureChannel.GenerateToken(Byte[] input, Int32 offset, Int32 count, Byte[]& output)   
  at System.Net.Security.SecureChannel.NextMessage(Byte[] incoming, Int32 offset, Int32 count)   
  at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)   
  at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)   
  at System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)   
  at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)   
  at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)   
  at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)   
  at System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncProtocolRequest asyncRequest)   
  at System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult)   
  at System.Net.Security.SslStream.AuthenticateAsClient(String targetHost, X509CertificateCollection clientCertificates, SslProtocols enabledSslProtocols, Boolean checkCertificateRevocation)

如果应用程序在Windows 7上“作为”管理员运行,那么一切都很有效。我猜这里的根本原因是AuthenticateAsClient需要客户端证书的私钥(安装在本地机器个人证书存储中),并且该操作需要管理员访问。

我的问题是,是否有任何措施可以解决这个问题?或者,使用带有客户端证书的AuthenticateAsClient是否需要管理员权限才是生活中的事实?

2 个答案:

答案 0 :(得分:2)

您是否尝试过使用WinHttpCertCfg授予当前用户对证书的访问权限?

类似的东西:

winhttpcertcfg -g -c LOCAL_MACHINE\My -s MyCertificate -a TESTUSER

有关详细信息,请参阅this article

答案 1 :(得分:1)

Microsoft管理控制台(MMC)使管理员能够将客户端证书导入本地计算机。但是,导入证书不会自动授予对其他帐户的私钥的访问权限。客户端证书身份验证需要此私钥。 Microsoft Windows HTTP服务(WinHTTP)证书配置工具可以在需要时授予对其他帐户(如IWAM帐户)的访问权限。

https://msdn.microsoft.com/en-us/library/aa384088(VS.85).aspx#_using