除非用户在管理员组中，否则无法建立 SSL 连接

Question

这是一个 .NET 6 项目。证书从 pfx 文件导入到本地计算机存储。 使用以下代码，跳过不相关的部分，将服务帐户添加到本地管理员组时一切正常。

var certStore = new X509Store(storeName, storeLocation);
certStore.Open(OpenFlags.ReadOnly);
var _clientCertificate = certStore.Certificates
.Find(X509FindType.FindByThumbprint, thumbprint, false)
.FirstOrDefault();
...
BasicHttpsBinding binding = new BasicHttpsBinding(BasicHttpsSecurityMode.Transport);
binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Certificate;

var client = new Client(binding, endpoint);
client.ClientCredentials.ClientCertificate.Certificate = _clientCertificate;
...

当帐户不在本地管理员组中时，将引发以下异常：

System.ServiceModel.Security.SecurityNegotiationException: Could not establish trust relationship for the SSL/TLS secure channel with authority 'other.service.com'.
 ---> System.Net.Http.HttpRequestException: The SSL connection could not be established, see inner exception.
 ---> System.Security.Authentication.AuthenticationException: Authentication failed, see inner exception.
 ---> System.ComponentModel.Win32Exception (0x8009030D): The credentials supplied to the package were not recognized
   at System.Net.SSPIWrapper.AcquireCredentialsHandle(ISSPIInterface secModule, String package, CredentialUse intent, SCHANNEL_CRED* scc)
   at System.Net.Security.SslStreamPal.AcquireCredentialsHandle(CredentialUse credUsage, SCHANNEL_CRED* secureCredential)
   at System.Net.Security.SslStreamPal.AcquireCredentialsHandleSchannelCred(SslStreamCertificateContext certificateContext, SslProtocols protocols, EncryptionPolicy policy, Boolean isServer)
   at System.Net.Security.SslStreamPal.AcquireCredentialsHandle(SslStreamCertificateContext certificateContext, SslProtocols protocols, EncryptionPolicy policy, Boolean isServer)

我在这里想念什么？

Answer 1

据我所知，可能有以下几个原因：

1. 当您说您不在本地管理员组中时，错误将是因为管理员和普通成员具有不同的权限。你可以尝试把用户放在管理员里再试一次，如果成功，就是这个问题了。

2. 验证网站 SSL 证书是否可信。如果 SSL 证书不受信任，您将需要安装 SSL 证书的根证书。您可以查看the case 了解更多解决方案。

   希望能帮助到你。