Accessing Impersonated users key store

Problem description

I am impersonating a service user account in order to connect to a web service that requires a cert to connect. I have installed the client cert on the service account on the machine which is running the code; however, I receive the error System.Security.Cryptography.CryptographicException: The system cannot find the file specified.

 using (var ctx = new ImpersonationContext("svcAcctUserName", "domain", "password"))
 {
    var clientCert = new X509Certificate2("filePath", "certPassword");
 }

The impersonation code works; for brevity I have left it out, but I check to make sure my context is switched to the svcAcctUserName user by logging the Environment.UserName, which shows that I am running as svcAcctUserName. The filePath is correct (again, I left it out), but I open and close the file before I create the X509Certificate2 object to make sure I have both access to the file and that my path is correct.

The error is confusing since I provide the path as a parameter and I know for certain the user running the code has access.

Also tried following this: How to call a Web service by using a client certificate for authentication in an ASP.NET Web application

Although I am not using an ASP.NET application, I gave it a try anyway. I added the certificates add-in to the MMC, added the "local computer" certificates add-in and then imported the cert into the Personal store of the local machine.

Then I ran:

WinHttpCertCfg.exe -g -c LOCAL_MACHINE\My -s issuedToName -a domain\svcAcctUserName

Tried running the operation again, still same problem.

What am I missing?

Recommended answer

So, as Alex pointed out, I do not understand the underlying architecture of the certificate system in Windows. However, after performing the above steps and modifying my code to use the X509Store, I have it working. Hopefully this will help someone:

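// Requires: using System.Security.Cryptography.X509Certificates;
using (var ctx = new ImpersonationContext("svcAcctUserName", "domain", "password"))
{
   // With only a StoreLocation, X509Store opens the personal ("My") store of that location.
   var store = new X509Store(StoreLocation.LocalMachine);
   store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
   // validOnly is false, so certificates that fail chain validation are returned too.
   var clientCert = store.Certificates.Find(X509FindType.FindByIssuerName, "IssuerNameHere", false);
   // Copy the first match so it remains usable after the store is closed.
   var clientCert2 = new X509Certificate2(clientCert[0]);
   store.Close();
}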
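
Added example, not part of the original answer: a variant of the store lookup above that searches LocalMachine\My by subject name (the value passed to WinHttpCertCfg -s) and confirms that the calling identity can actually open the private key before returning the certificate. ClientCertLoader and FromLocalMachineStore are hypothetical names; the code assumes an RSA key and .NET Framework 4.6 or later (for GetRSAPrivateKey).

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class ClientCertLoader  // hypothetical helper, not from the original post
{
    // subjectName: the "issued to" name that was granted access with WinHttpCertCfg -s.
    // Call this inside the impersonation block so the key check runs as the service account.
    public static X509Certificate2 FromLocalMachineStore(string subjectName)
    {
        var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        try
        {
            store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);

            // validOnly: false, so an untrusted chain does not silently hide the certificate.
            X509Certificate2Collection matches = store.Certificates.Find(
                X509FindType.FindBySubjectName, subjectName, false);

            foreach (X509Certificate2 cert in matches)
            {
                // Client authentication needs a private key and an unexpired certificate.
                if (!cert.HasPrivateKey || cert.NotAfter < DateTime.Now)
                    continue;
                try
                {
                    // Opening the key fails if the current identity has no read
                    // access to the machine key container (the ACL set by the grant).
                    using (RSA key = cert.GetRSAPrivateKey())
                    {
                        if (key != null)
                            return new X509Certificate2(cert); // copy outlives the store
                    }
                }
                catch (CryptographicException)
                {
                    // No access to this key as the current identity; try the next match.
                }
            }
        }
        finally
        {
            store.Close();
        }
        throw new InvalidOperationException(
            "No usable client certificate for subject '" + subjectName +
            "' in LocalMachine\\My for user " + Environment.UserName);
    }
}
```

If the exception at the end is thrown while the certificate is visible in the MMC, the private key grant for the service account is the first thing to check.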
