How to make AcquireCredentialsHandle work on a TLS server?
Tim Ward
2009-10-09 14:18:19 UTC
I've got a properly set up certificate chain in an Aladdin eToken.

As far as I can see there are no restrictions in the certificate as to its
use. None that I can see looking at the certificate with Internet Options /
Certificates, anyway.

I've got code that works fine to use this certificate to authenticate the
client side of a TLS conversation; in particular AcquireCredentialsHandle with
SP_PROT_TLS1_CLIENT and SECPKG_CRED_OUTBOUND works, as does the subsequent
SSL negotiation and then user data transfer. This code is based on
WebClient.c from the SDK samples.

Now I want to use a similar certificate, eg the same one, on the server side
of a similar conversation. Looking at WebServer.c suggests that I should use
SP_PROT_TLS1 instead of SP_PROT_TLS1_CLIENT, and SECPKG_CRED_INBOUND instead
of SECPKG_CRED_OUTBOUND, and that's about it.

But when I do that AcquireCredentialsHandle returns SEC_E_NO_CREDENTIALS.

What could be wrong? - the documentation that I've found doesn't give a lot
of clues. There's just this from the WebServer readme:

"The Name field must match the name of the server machine exactly."

Is this saying that the Name field in the certificate must match the fully
qualified domain name of the machine that's going to be running the TLS
server? If so, how do I avoid this requirement? - I understand that this is
the usual way in which web server certificates work, but I'm not doing
anything remotely related to web servers and don't need to, and can't, abide
by their conventions. In particular the machine running the TLS server will
typically be a laptop with no public internet connection and no fully
qualified domain name and no DNS entry.

The requirement is that I have matching certificates at each end of the
connection which are tied to hardware devices like the eToken dongle, it
doesn't make sense for our application to tie the certificates to the names
of whatever laptops might happen to be running the application from time to
time.
--
Tim Ward - posting as an individual unless otherwise clear
Brett Ward Limited - www.brettward.co.uk
Cambridge Accommodation Notice Board - www.brettward.co.uk/canb
Cambridge City Councillor
John Banes
2009-10-12 23:47:04 UTC
Post by Tim Ward
I've got a properly set up certificate chain in an Aladdin eToken.
As far as I can see there are no restrictions in the certificate as to its
use. None that I can see looking at the certificate with Internet Options /
Certificates, anyway.
I've got code that works fine to use this certificate to authenticate the
client side of a TLS conversation; in particular AcquireCredentialsHandle with
SP_PROT_TLS1_CLIENT and SECPKG_CRED_OUTBOUND works, as does the subsequent
SSL negotiation and then user data transfer. This code is based on
WebClient.c from the SDK samples.
Now I want to use a similar certificate, eg the same one, on the server side
of a similar conversation. Looking at WebServer.c suggests that I should use
SP_PROT_TLS1 instead of SP_PROT_TLS1_CLIENT, and SECPKG_CRED_INBOUND instead
of SECPKG_CRED_OUTBOUND, and that's about it.
But when I do that AcquireCredentialsHandle returns SEC_E_NO_CREDENTIALS.
What could be wrong? - the documentation that I've found doesn't give a lot
of clues. There's just this from the WebServer readme:
"The Name field must match the name of the server machine exactly."
Is this saying that the Name field in the certificate must match the fully
qualified domain name of the machine that's going to be running the TLS
server? If so, how do I avoid this requirement? - I understand that this is
the usual way in which web server certificates work, but I'm not doing
anything remotely related to web servers and don't need to, and can't, abide
by their conventions. In particular the machine running the TLS server will
typically be a laptop with no public internet connection and no fully
qualified domain name and no DNS entry.
The requirement is that I have matching certificates at each end of the
connection which are tied to hardware devices like the eToken dongle, it
doesn't make sense for our application to tie the certificates to the names
of whatever laptops might happen to be running the application from time to
time.
This error code indicates that there's something wrong with the
private key. Perhaps the private key isn't stored using a
PROV_RSA_SCHANNEL CSP? There may be additional information in the
system event log, depending on what version of Windows that you're
running.

Regards,
John
Tim Ward
2009-10-13 10:10:49 UTC
Post by John Banes
This error code indicates that there's something wrong with the
private key. Perhaps the private key isn't stored using a
PROV_RSA_SCHANNEL CSP?
There is nothing wrong with the private key, as evidenced by the fact that the
certificate works to authenticate the client end of an SSL connection.
Post by John Banes
There may be additional information in the
system event log, depending on what version of Windows that you're
running.
36867 (creating server) followed by 36871 ("a fatal error occurred while
creating an SSL server credential", really helpful that)

That's with HKLM\...\SCHANNEL EventLogging set to 7.
--
Tim Ward - posting as an individual unless otherwise clear
Brett Ward Limited - www.brettward.co.uk
Cambridge Accommodation Notice Board - www.brettward.co.uk/canb
Cambridge City Councillor
John Banes
2009-10-13 19:03:20 UTC
Post by Tim Ward
Post by John Banes
This error code indicates that there's something wrong with the
private key. Perhaps the private key isn't stored using a
PROV_RSA_SCHANNEL CSP?
There is nothing wrong with the private key, as evidenced by the fact that the
certificate works to authenticate the client end of an SSL connection.
Post by John Banes
There may be additional information in the
system event log, depending on what version of Windows that you're
running.
36867 (creating server) followed by 36871 ("a fatal error occurred while
creating an SSL server credential", really helpful that)
That's with HKLM\...\SCHANNEL EventLogging set to 7.
Well, just because the private key works for client-side operations
doesn't mean that it will work on the server side. The server-side
operations are different and so are the requirements for the private
key.

Because you've enabled event logging, I would expect to see an event
36868 in the event log that shows the configuration of the private
key, including the CSP name and type, and whether it's a user or
machine private key. This usually makes configuration problems stand
out fairly clearly.
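A defender-side diagnostic for the two things John points at: how the certificate's private key is stored (CSP name, provider type, user vs. machine key) and what Schannel actually logged. This is an added PowerShell example, not code from the thread; it assumes the certificate sits in a local certificate store addressed by thumbprint and that Windows PowerShell 5.1 or later is available.

```powershell
# Added example (not from the thread): show how a certificate's private key is stored
# and pull the Schannel events the thread mentions. Assumes the certificate is in a
# local store and identified by thumbprint (both are assumptions, not thread facts).
param(
    [Parameter(Mandatory)] [string] $Thumbprint,
    [string] $StorePath = 'Cert:\LocalMachine\My'
)

$cert = Get-ChildItem -Path $StorePath | Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) { throw "No certificate with thumbprint $Thumbprint in $StorePath" }

# 1. Where does the private key live? John's hint: a server credential wants the key
#    in a PROV_RSA_SCHANNEL-type CSP (provider type 12), and usually as a machine key.
if (-not $cert.HasPrivateKey) {
    Write-Warning 'Certificate has no private key linked to it'
} else {
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
    if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        $info = $rsa.CspKeyContainerInfo          # legacy CryptoAPI CSP (what Schannel used in 2009)
        [pscustomobject]@{
            KeyApi       = 'CryptoAPI CSP'
            Provider     = $info.ProviderName      # e.g. the token vendor's CSP
            ProviderType = $info.ProviderType      # 12 = PROV_RSA_SCHANNEL
            MachineKey   = $info.MachineKeyStore
            KeyContainer = $info.KeyContainerName
        }
    } elseif ($rsa -is [System.Security.Cryptography.RSACng]) {
        [pscustomobject]@{
            KeyApi     = 'CNG KSP'
            Provider   = $rsa.Key.Provider.Provider
            MachineKey = $rsa.Key.IsMachineKey
            KeyName    = $rsa.Key.KeyName
        }
    } else {
        Write-Warning "Unexpected private key type: $($rsa.GetType().FullName)"
    }
}

# 2. Is Schannel logging on, and what did it record? 36867 = creating the server
#    credential, 36871 = that failed, 36868 = the private-key configuration dump.
$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$level = (Get-ItemProperty -Path $regPath -Name EventLogging -ErrorAction SilentlyContinue).EventLogging
"Schannel EventLogging: $(if ($null -eq $level) { 'not set' } else { $level })  (thread used 7)"

Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Schannel'; Id = 36867, 36868, 36871 } `
    -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-List
```

If the provider shown is the token vendor's CSP with a type other than 12, or the key is a user rather than machine key, that is the mismatch John describes between client-side and server-side key requirements.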
Tim Ward
2009-10-13 19:06:10 UTC
Post by John Banes
Because you've enabled event logging, I would expect to see an event
36868 in the event log that shows the configuration of the private
key, including the CSP name and type, and whether it's a user or
machine private key. This usually makes configuration problems stand
out fairly clearly.
Nope, no such event.

I'm now talking to an MS tech support person who's got one of the USB
dongles I'm using and who helped develop their CSP so I think I'm in with a
good chance there ... thanks for your time.
--
Tim Ward - posting as an individual unless otherwise clear
Brett Ward Limited - www.brettward.co.uk
Cambridge Accommodation Notice Board - www.brettward.co.uk/canb
Cambridge City Councillor
webdrive
2013-03-28 22:40:58 UTC
Tim Ward wrote on 10/13/2009 15:06 ET
"John Banes" wrote in message
news
Post by John Banes
Because you've enabled event logging, I would expect to see an event
36868 in the event log that shows the configuration of the private
key, including the CSP name and type, and whether it's a user or
machine private key. This usually makes configuration problems stand
out fairly clearly.
Nope, no such event.
I'm now talking to an MS tech support person who's got one of the USB
dongles I'm using and who helped develop their CSP so I think I'm in with a
good chance there ... thanks for your time.
Hi,

I realize it's been a while, but I was wondering what the solution would be for
this issue.

I too am currently writing an HTTP/S server in C/C++ leveraging the Server
Certificate stored on the eToken USB stick.

I'm also getting the same exact error... what's the trick?

Thanks,
Michael