【Posted】: 2017-07-10 15:25:11
【Question】:
I have this code:
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;
using System.Security.Cryptography.X509Certificates;

string certificateFilePath = @"C:\Users\Administrator\Documents\Certificate.pfx";
string certificateFilePassword = "Some Password Here";
X509Certificate clientCertificate = new X509Certificate(certificateFilePath, certificateFilePassword);
TcpClient client = new TcpClient(host, port);
// Server certificate validation callback: accepts any server certificate
SslStream stream = new SslStream(client.GetStream(), false, (sender, certificate, chain, errors) => true);
X509CertificateCollection clientCertificates = new X509CertificateCollection {clientCertificate};
stream.AuthenticateAsClient(host, clientCertificates, SslProtocols.Tls, false);
When I run the code in a console application, everything works: stream.IsAuthenticated and stream.IsMutuallyAuthenticated return true, and stream.LocalCertificate contains the correct certificate object.
However, when exactly the same code runs in a Windows Service (as the LOCAL SYSTEM user), stream.IsAuthenticated returns true, but stream.IsMutuallyAuthenticated returns false and stream.LocalCertificate returns null.
In both cases, after the first lines run, clientCertificate is loaded with the correct certificate data and contains the correct Subject and Issuer information for the certificate.
I also tried to force the SslStream to select the certificate with this code:
// Same usings as above; the extra selection callback forces clientCertificate to be chosen
string certificateFilePath = @"C:\Users\Administrator\Documents\Certificate.pfx";
string certificateFilePassword = "Some Password Here";
X509Certificate clientCertificate = new X509Certificate(certificateFilePath, certificateFilePassword);
TcpClient client = new TcpClient(host, port);
SslStream stream = new SslStream(client.GetStream(), false, (sender, certificate, chain, errors) => true, (sender, host, certificates, certificate, issuers) => clientCertificate);
X509CertificateCollection clientCertificates = new X509CertificateCollection {clientCertificate};
stream.AuthenticateAsClient(host, clientCertificates, SslProtocols.Tls, false);
But the code still doesn't work: stream.IsMutuallyAuthenticated returns false and stream.LocalCertificate returns null.
I have been digging into this for a few days but can't figure it out. Any help is much appreciated.
EDIT: After trying the certificate with the WinHttpCertCfg tool, I found that, unlike in similar question(s), the LOCAL SYSTEM account already has access to the target certificate's private key, as shown in the image below. So the problem remains unsolved.
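An added diagnostic, not the asker's code, that loads the same PFX as X509Certificate2 with MachineKeySet (so the key is placed in the machine key store rather than the interactive user's profile; that the key location is the cause here is an assumption to test), verifies the private key is usable before the handshake, and prints the SslStream results. Path, password, host and port are placeholders.

```csharp
using System;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;
using System.Security.Cryptography.X509Certificates;

static class ClientCertDiagnostics
{
    // Assumed placeholders: pfxPath, pfxPassword, host, port are supplied by the caller.
    public static void Run(string pfxPath, string pfxPassword, string host, int port)
    {
        // MachineKeySet: the key container is created under the machine profile, which a
        // service account can reach. Without it the key goes into the current user's
        // profile, which may not be loaded when running as a service (assumption to test).
        var cert = new X509Certificate2(pfxPath, pfxPassword, X509KeyStorageFlags.MachineKeySet);
        Console.WriteLine($"Subject: {cert.Subject}");
        Console.WriteLine($"HasPrivateKey: {cert.HasPrivateKey}");
        try
        {
            // Touching the key surfaces container/ACL problems as an exception here
            // instead of a silent null LocalCertificate after the handshake.
            using (var key = cert.GetRSAPrivateKey())
                Console.WriteLine($"Private key accessible: {key != null}");
        }
        catch (Exception ex)
        {
            Console.WriteLine($"Private key NOT accessible: {ex.Message}");
        }

        using (var client = new TcpClient(host, port))
        using (var stream = new SslStream(client.GetStream(), false,
            // Validate the server certificate instead of accepting everything.
            (sender, certificate, chain, errors) => errors == SslPolicyErrors.None))
        {
            // TLS 1.2 rather than SslProtocols.Tls (TLS 1.0) from the question.
            stream.AuthenticateAsClient(host, new X509CertificateCollection { cert },
                SslProtocols.Tls12, checkCertificateRevocation: false);
            Console.WriteLine($"IsAuthenticated: {stream.IsAuthenticated}");
            Console.WriteLine($"IsMutuallyAuthenticated: {stream.IsMutuallyAuthenticated}");
            Console.WriteLine($"LocalCertificate: {stream.LocalCertificate?.Subject ?? "null"}");
        }
    }
}
```

Run it once from the console and once from the service: if the private-key check fails only under the service account, the key location or its ACL is the problem rather than the SslStream call.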
【Comments】:
- What happens if you try to run the service as NETWORK SERVICE or LOCAL SERVICE instead of LOCAL SYSTEM?
- @CamiloTerevinto I'll try that and get back to you in a few minutes.
- @CamiloTerevinto Exactly the same results with NETWORK SERVICE, LOCAL SERVICE and LOCAL SYSTEM
- Can you run it as Administrator and tell us?
- @Juan It runs perfectly as Administrator
Tags: c# authentication ssl sslstream local-system-account