0
votes

I am having a problem with deploying my WCF client application from Dev to the Staging area (same as live).

My ASP.NET app (which has the WCF client) uses a domain user for the application pool. This means when I am authenticating with my X509 certificate it uses Kerberos authentication because of the Windows domain account. Now on the staging environment we have to use the local machine account for the application pool. This means on the staging environment it uses NTLM when authenticating using the X509 certificate, and this does not work.

Could anyone please shed some light on what is the best way to solve (or get around) this issue?

Thanks

Edit: Exception is as follows:

at System.Security.Cryptography.CryptographicException.ThrowCryptographicException(Int32 hr)
at System.Security.Cryptography.X509Certificates.X509Utils._LoadCertFromBlob(Byte[] rawData, IntPtr password, UInt32 dwFlags, Boolean persistKeySet, SafeCertContextHandle& pCertCtx)
at System.Security.Cryptography.X509Certificates.X509Certificate.LoadCertificateFromBlob(Byte[] rawData, Object password, X509KeyStorageFlags keyStorageFlags)
at System.Security.Cryptography.X509Certificates.X509Certificate..ctor(Byte[] rawData, String password)
at System.Security.Cryptography.X509Certificates.X509Certificate2..ctor(Byte[] rawData, String password)
at ...CertificateManager.GetClientCertificate(typCertificateTypes CertificateType) in

Note: The certificate file that I am getting comes from the SQL database and is not stored in the local certificate store.

The application is using a WCF client to talk to a remote server using an X509 certificate. We don't have control over the service part. The only difference between code/config is the ASP.NET application pool account. This account is a domain user account on Dev but a local user account on Staging and Prod. (I know, don't ask! It isn't my choice or decision :))

2
Can you please paste the error that you are getting? - rauts
Have updated the question with the exception. - daehaai
Can you impersonate an admin for getting the certificates? That's how we solved it. - albertjan
Thanks the_ajp. Could you please elaborate a bit more about this or direct me towards an example/article. Thx - daehaai

2 Answers

1
votes

That is a little bit of an inaccurate description, isn't it? What security mode are you using, and what is the point of the certificate in your security configuration?

Even with a domain account it can still use NTLM because it is still a single hop. The reason why it doesn't work in the staging environment is because the server hosting the service doesn't know the local user of the server hosting the service's client. You can try an ugly hack: on the second server create a local user with exactly the same user name and password. But it is just a waste of time because you can in the same way simply turn off authentication because:

A staging environment which doesn't reflect the production environment is useless. Once it doesn't reflect the real environment it doesn't matter if you use a different authentication mechanism or if you don't use authentication at all. If you plan to use a domain account and Kerberos in production you must have a staging environment with a test domain and configured Kerberos. Otherwise you don't have to use staging at all because you will fix real integration errors in production anyway.

Ok, so your question is blurred because it obviously has nothing to do with the account, and WCF's security is not affected by Kerberos or NTLM at all because you are using a client certificate to authenticate to the service, aren't you? The exception stack trace says that your code is unable to create a valid certificate from raw data (loaded from SQL Server?). So either the data in the SQL database is not correct, the password is not correct, or you didn't load the data correctly.

1
votes

This error typically comes when the application pool under which your ASP.NET application runs doesn't have access to the private key of the client certificate that you want to attach for the WCF service call. Please make sure that the application pool identity has access to the certificate's private key. Also, can you paste the code that you are using to load and attach the certificate to the WCF service call?
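As an added illustration (not code from the asker or either answerer) of the private-key access point in the answer above: on .NET Framework, `new X509Certificate2(rawData, password)` imports the PFX private key into the user key container of the process identity, which a local app pool account without a loaded user profile may not have, and that is where the `_LoadCertFromBlob` frame in the question's stack trace throws. The loader below asks for the machine key container instead and records which identity failed; `ClientCertificateLoader` and `SomeServiceClient` are assumed names, and the blob and password are the asker's values.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Security.Principal;

// Hypothetical loader, separate from the asker's CertificateManager class.
public static class ClientCertificateLoader
{
    // rawData: PFX (PKCS#12) bytes read from the database, as in the question.
    // password: the PFX password.
    public static X509Certificate2 Load(byte[] rawData, string password)
    {
        // MachineKeySet imports the private key into the machine key container,
        // so the load does not depend on the app pool identity having a user
        // profile. PersistKeySet is deliberately NOT set: the key stays
        // ephemeral instead of accumulating on disk with every load. The app
        // pool identity still needs read access to the machine key folder.
        X509KeyStorageFlags flags = X509KeyStorageFlags.MachineKeySet;
        try
        {
            X509Certificate2 cert = new X509Certificate2(rawData, password, flags);
            if (!cert.HasPrivateKey)
            {
                // Cert-only blob: the WCF call would fail at the handshake later.
                throw new InvalidOperationException(
                    "Blob contains no private key; client authentication will fail.");
            }
            return cert;
        }
        catch (CryptographicException ex)
        {
            // Log the identity so a Dev/Staging difference in the app pool
            // account is visible instead of hidden behind a generic error.
            throw new InvalidOperationException(string.Format(
                "Cannot load client certificate as '{0}': {1}",
                WindowsIdentity.GetCurrent().Name, ex.Message), ex);
        }
    }
}

// Attaching the certificate to the WCF proxy (SomeServiceClient stands in for
// the generated client class; blobFromSql and pfxPassword are the asker's values):
//   SomeServiceClient client = new SomeServiceClient();
//   client.ClientCredentials.ClientCertificate.Certificate =
//       ClientCertificateLoader.Load(blobFromSql, pfxPassword);
```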