Jul 24 2008

WCF, certificates, event logs and silly security exceptions

Published by Raja Nadar at 7:57 pm under security, wcf

My friend was working on certificate-based WCF transport messages. She prototyped a demo and was testing it out, and she kept hitting the following exception:

Found multiple X.509 certificates using the following search criteria: StoreName 'My', StoreLocation 'LocalMachine', FindType 'FindBySubjectName', FindValue ''. Provide a more specific find value.

The error message could not have been more concise. I had a look at the code, and there was nothing programmatic to verify; it was all WCF configuration driven [which I like so much].

The binding configuration was as follows:

<bindings>
  <wsHttpBinding>
    <binding name="wsHttpEndpointBinding">
      <security mode="Message">
        <message clientCredentialType="Certificate" />
      </security>
    </binding>
  </wsHttpBinding>
</bindings>

The service credentials configuration was as follows:

<serviceCredentials>
  <clientCertificate>
    <certificate storeLocation="LocalMachine" storeName="My"
                 x509FindType="FindBySubjectName" />
    <authentication revocationMode="Online" trustedStoreLocation="CurrentUser" />
  </clientCertificate>
  <serviceCertificate findValue="rajanadar.com" storeName="My"
                      storeLocation="LocalMachine"
                      x509FindType="FindBySubjectName" />
</serviceCredentials>

I thought the search for 'rajanadar.com' might be returning more than one certificate from the store (maybe because of root certificates and the like; I didn't know).

I checked my certificate store, gave the certificate a specific (unique) subject name, and tried different things.

No luck; still the same issue.

After a little observation, I read the error message a little more carefully (why didn't I do this the first time?):

Found multiple X.509 certificates using the following search criteria: StoreName 'My', StoreLocation 'LocalMachine', FindType 'FindBySubjectName', FindValue ''. Provide a more specific find value.

It complained of a blank 'FindValue'.

Then it struck me that we had missed the FindValue for the client certificate, not the service certificate.

The corrected configuration was:

<serviceCredentials>
  <clientCertificate>
    <certificate storeLocation="LocalMachine" storeName="My"
                 x509FindType="FindBySubjectName" findValue="uniqueclient.rajanadar.com" />
    <authentication revocationMode="Online" trustedStoreLocation="CurrentUser" />
  </clientCertificate>
  <serviceCertificate findValue="server.rajanadar.com" storeName="My"
                      storeLocation="LocalMachine" x509FindType="FindBySubjectName" />
</serviceCredentials>

That solved the issue. It was a simple, silly mistake (obvious, of course, only after it was caught).

The next error I encountered looked something like this:

Unhandled Exception: System.Net.WebException: The underlying connection was closed: Could not establish secure channel for SSL/TLS.

Fortunately, my past experience with WSE and SSL certificates quickly reminded me that, when dealing with web applications, I need to give the aspnet user account sufficient access permissions to the certificates' PFX files.

I modified the access permissions of the PFX file in question (yes, the \AppData\Microsoft\Crypto\RSA\MachineKeys path), and the application worked without any more issues. Silly things, but nonetheless there's a first time for everything.
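Both problems above (the ambiguous find value and the private key the web application account could not read) can be caught before the service is deployed. The following is an added diagnostic, not code from the post: it runs the same certificate store search that the WCF error message describes and reports how many certificates match, then, for each match, where its machine-level private key container lives, which is the file that needs the access permission. The subject names are the post's placeholders, and none of this refers to a real certificate. Note that FindBySubjectName is a case-insensitive substring match, so an empty findValue matches every certificate in the store, and "rajanadar.com" would also match "server.rajanadar.com" and "uniqueclient.rajanadar.com".

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Added example, not the post's code. Checks a <certificate> find criterion and the
// readability of the matched private keys before the configuration goes live.
static class CertFindCheck
{
    // Same search the WCF error message describes. FindBySubjectName is a
    // case-insensitive substring match: "" matches everything, and "rajanadar.com"
    // also matches "server.rajanadar.com" and "uniqueclient.rajanadar.com".
    public static X509Certificate2Collection Find(
        StoreLocation location, StoreName storeName, X509FindType findType, string findValue)
    {
        var store = new X509Store(storeName, location);
        store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
        try
        {
            // validOnly = false: expired or untrusted certificates still make the
            // search ambiguous, so count them too.
            return store.Certificates.Find(findType, findValue, false);
        }
        finally
        {
            store.Close();
        }
    }

    // Locate the on-disk key container behind a certificate's private key. Machine
    // keys live under %ProgramData%\Microsoft\Crypto\RSA\MachineKeys; that file, not
    // the certificate itself, is what the web application account must be able to read.
    public static string DescribePrivateKey(X509Certificate2 cert)
    {
        if (!cert.HasPrivateKey)
            return "no private key";
        try
        {
            var rsa = cert.PrivateKey as RSACryptoServiceProvider;
            if (rsa == null)
                return "private key present (non-RSA CSP, not inspected)";
            CspKeyContainerInfo info = rsa.CspKeyContainerInfo;
            string machineKeyDir = Path.Combine(
                Environment.GetFolderPath(Environment.SpecialFolder.CommonApplicationData),
                @"Microsoft\Crypto\RSA\MachineKeys");
            return info.MachineKeyStore
                ? "key file " + Path.Combine(machineKeyDir, info.UniqueKeyContainerName)
                : "user-profile key container " + info.UniqueKeyContainerName;
        }
        catch (CryptographicException ex)
        {
            // The account running this check cannot open the key. A web application
            // running under the same account fails the TLS handshake the same way.
            return "private key not accessible: " + ex.Message;
        }
    }

    static int Main(string[] args)
    {
        string findValue = args.Length > 0 ? args[0] : "rajanadar.com";
        X509Certificate2Collection matches =
            Find(StoreLocation.LocalMachine, StoreName.My, X509FindType.FindBySubjectName, findValue);

        Console.WriteLine("FindBySubjectName '{0}' in LocalMachine\\My matched {1} certificate(s)",
                          findValue, matches.Count);
        foreach (X509Certificate2 cert in matches)
        {
            Console.WriteLine("  Subject    : {0}", cert.Subject);
            Console.WriteLine("  Thumbprint : {0}", cert.Thumbprint);
            Console.WriteLine("  Private key: {0}", DescribePrivateKey(cert));
        }

        if (matches.Count == 1)
            return 0;
        // This is the condition behind "Found multiple X.509 certificates ... Provide a
        // more specific find value." A thumbprint identifies exactly one certificate,
        // so x509FindType="FindByThumbprint" is the unambiguous choice for production.
        Console.WriteLine(matches.Count == 0
            ? "No match: check the findValue and the store."
            : "Ambiguous: switch to x509FindType=\"FindByThumbprint\" with one thumbprint above.");
        return 1;
    }
}
```

Run it once under an administrative account to see every match, and once more under the account the web application actually runs as: the second run shows whether that account can open the private key, which is the difference between a working TLS handshake and the "Could not establish secure channel" error. A non-zero exit code means the find criterion would produce the "Found multiple X.509 certificates" exception in WCF.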

P.S. The aspnet user account permission issue reminds me of one more classic issue that I ran into most of the time:

[SecurityException: Requested registry access is not allowed.]
Microsoft.Win32.RegistryKey.OpenSubKey(String name, Boolean writable)
System.Diagnostics.EventLog.FindSourceRegistration(String source, String machineName, Boolean readOnly)
System.Diagnostics.EventLog.SourceExists(String source, String machineName) +79
System.Diagnostics.EventLog.SourceExists(String source)

This is again because creating a new event log or event source needs registry write permissions, which the aspnet account typically does not have.

Solution: initially, I used to grant write permissions to the registry keys (HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\NewLog or HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application\Source).

But this is not a good security approach. During the lifetime of the application, it only needs to write to the event logs and never to create new ones. Hence I created the new registry keys (effectively the new event logs/sources) using my installers, and granted only read permissions to the web application accounts. That sounded right.
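The split described above, registration at install time and write-only use at run time, looks like this in code. This is an added example, not the post's installer; "MyWebApp" and "MyWebAppLog" are placeholder names, and the project needs a reference to System.Configuration.Install.dll. The runtime class deliberately never calls EventLog.SourceExists or CreateEventSource, since SourceExists is the call that throws in the stack trace above.

```csharp
using System;
using System.ComponentModel;
using System.Configuration.Install;
using System.Diagnostics;

// Added example, not the post's code. Placeholder names: "MyWebApp", "MyWebAppLog".

// Install-time side: runs once under the installer's administrative account and creates
// the keys under HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\MyWebAppLog, so the
// web application account never needs write access to that part of the registry.
[RunInstaller(true)]
public class EventSourceInstaller : Installer
{
    public EventSourceInstaller()
    {
        Installers.Add(new EventLogInstaller
        {
            Source = "MyWebApp",
            Log = "MyWebAppLog"   // use "Application" to reuse the standard log instead
        });
    }
}

// Runtime side: only ever writes entries. If the installer has not run, WriteEntry
// tries to register the source itself and fails with the same SecurityException as
// in the stack trace, which is the signal to run the installer rather than to widen
// the registry ACL.
public static class AppLog
{
    private const string Source = "MyWebApp";
    private const string LogName = "MyWebAppLog";

    public static void Write(string message, EventLogEntryType type)
    {
        using (var log = new EventLog(LogName) { Source = Source })
        {
            log.WriteEntry(message, type);
        }
    }

    public static void Write(string message)
    {
        Write(message, EventLogEntryType.Information);
    }
}
```

Register the source with installutil (for example `installutil MyWebApp.dll`, and `installutil /u MyWebApp.dll` to remove it); EventLogInstaller creates the log and source on install and deletes them on uninstall. The web application account then needs only the read access on the Eventlog keys that the post describes, and AppLog.Write works without any registry write permission.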

There's a solution to every problem, given enough time and sometimes, well, just time...
