NT AUTHORITY\NETWORK SERVICE no permissions to read private key
Kristof.Taveirne

Posted: ASMX Web Services and XML Serialization, NT AUTHORITY\NETWORK SERVICE no permissions to read private key
Hi,
I've created a web service that uses WSE3 policy to enable message level security and authentication. The symmetric key is encrypted using the server certificate and so the server's private key is needed to get access to the symmetric key in the ws-security header.
When IIS is trying to access this private key, the following error is returned:
<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:wsa=" http://www.hide-link.com/ " xmlns:soap=" http://www.hide-link.com/ ">
  <soap:Header>
    <wsa:Action> http://www.hide-link.com/ </wsa:Action>
    <wsa:MessageID>urn:uuid:b03b51c1-c68a-4d93-8135-709bdd4c059e</wsa:MessageID>
    <wsa:RelatesTo>urn:uuid:04c1cdf9-3656-43f6-aef8-3902c4c52005</wsa:RelatesTo>
    <wsa:To> http://www.hide-link.com/ </wsa:To>
  </soap:Header>
  <soap:Body>
    <soap:Fault>
      <faultcode>soap:Server</faultcode>
      <faultstring>System.Web.Services.Protocols.SoapHeaderException: Server unavailable, please try later
        ---> System.ApplicationException: WSE841: An error occured processing an outgoing fault response.
        ---> System.Web.Services.Protocols.SoapException: Server was unable to process request.
        ---> WSE600: Unable to unwrap a symmetric key using the private key of an X.509 certificate. Please check if the account 'NT AUTHORITY\NETWORK SERVICE' has permissions to read the private key of certificate with subject name 'CN=Blah' and thumbprint '0423E6194CD5F16122857D336DDA6F19AA305E43'.
        ---> WSE593: Unable to decrypt the key. Please check if the process has the right permission to access the private key.
        ---> Error occurred while decoding OAEP padding.
        --- End of inner exception stack trace ---
        --- End of inner exception stack trace ---</faultstring>
      <faultactor>###</faultactor>
    </soap:Fault>
  </soap:Body>
</soap:Envelope>
So I understand that IIS is executing this webservice using the NT Authority\Network Service account, and that that account doesn't have the permissions to access the private key needed.
Does anyone have any ideas how I can fix this?
This is an ASP.NET web service on .NET Framework 2.0, developed using VS 2005.
Thanks a lot!
Greetings, Kristof Taveirne.
KukaRus

- Open the X.509 Certificate Tool.
- Set the certificate location and store name where the certificate is located.
- Click Select the certificate from the store, choose the certificate you want to set the permissions for, and then click OK.
- Click Open Private Key File Properties, click the Security tab, add the ASPNET or Network Service account, depending on which version of IIS the Web service is running under, and then select the Read option.
ms-help://MS.WSE30.1033/WSE3.0/html/b5a8bce9-31a2-444c-a762-86f5bf2abd96.htm
Kristof.Taveirne

Hi,
Thanks for your response. I tried before what you suggest, but when I did that I got an exception clicking the "View Private Key File Properties" button: System.Security.Cryptography.CryptographicException: The handle is invalid.
I found another solution using a tool from the Windows SDK, findprivatekey.exe, which locates the private key file; then, using cacls.exe, you can change permissions on that file.
Greetings and thanks for the suggestion. Kristof.
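
The locate-the-key-file and change-its-ACL steps described in the last post, as an added PowerShell example that is not from either poster. It assumes the certificate sits in the LocalMachine\My store, that its key is a CryptoAPI (CSP) RSA key stored under %ProgramData%, and that the script runs from an elevated prompt; it grants Read on that one key file only.

```powershell
# Added example. Assumptions (not stated in the thread): store is LocalMachine\My,
# the key is a legacy CryptoAPI (CSP) RSA key, and the OS keeps machine keys under
# %ProgramData% (older systems use a different "All Users" profile path).
$thumbprint = '0423E6194CD5F16122857D336DDA6F19AA305E43'   # thumbprint quoted in the fault
$account    = 'NT AUTHORITY\NETWORK SERVICE'

$cert = Get-Item -Path "Cert:\LocalMachine\My\$thumbprint" -ErrorAction Stop
if (-not $cert.HasPrivateKey) { throw "Certificate $thumbprint has no private key in this store." }

$key = $cert.PrivateKey
if ($key -isnot [System.Security.Cryptography.RSACryptoServiceProvider]) {
    throw 'Key is not a CSP key; its file is not under Crypto\RSA\MachineKeys.'
}

# Machine-scoped CSP key containers are stored one file per key in this directory.
$keyFile = Join-Path $env:ProgramData ('Microsoft\Crypto\RSA\MachineKeys\' +
    $key.CspKeyContainerInfo.UniqueKeyContainerName)
if (-not (Test-Path -LiteralPath $keyFile)) { throw "Key file not found: $keyFile" }

$sidType = [System.Security.Principal.SecurityIdentifier]
$sid     = (New-Object System.Security.Principal.NTAccount($account)).Translate($sidType)
$read    = [System.Security.AccessControl.FileSystemRights]::Read
$acl     = Get-Acl -LiteralPath $keyFile

# Leave the ACL alone if an allow rule covering Read already exists for the account.
$hasRead = $acl.GetAccessRules($true, $true, $sidType) |
    Where-Object {
        $_.IdentityReference -eq $sid -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.FileSystemRights -band $read) -eq $read
    }

if (-not $hasRead) {
    # Read only, on this single file: no write access, no change to the MachineKeys folder.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($sid, 'Read', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $keyFile -AclObject $acl
}

# Show the resulting ACL so the grant can be reviewed.
(Get-Acl -LiteralPath $keyFile).Access |
    Format-Table IdentityReference, AccessControlType, FileSystemRights
```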