Service Fabric: Authenticating with Azure KeyVault via cert: "KeySet does not exist"


Question

This is the scenario I'm trying to enable:

I want to authenticate from my web service application (Azure Service Fabric) to Azure Key Vault via a client certificate.

These are the steps I'm following:

  1. Add a certificate to my key vault in Azure (self-signed)
  2. Download the certificate via Azure PowerShell (pfx)
  3. Create an Azure app instance to identify my app
  4. Associate the certificate with the app
  5. Create a service principal for the Azure app
  6. Grant the principal access to the key vault

All looks good. When I spin up my service (local service fabric cluster) and try to connect to keyvault to retrieve a secret key+value that I have stored inside, I get an error:

CryptographicException: "KeySet does not exist"

When I try to examine PrivateKey property value of the X509Certificate2 object at runtime, it throws the same exception.

The certificate is found, and the private key exists (I verified this via MMC as well as some command line tools).

What can I be missing? The only cause I can think of for this failure is that the service fabric user context (Network Service, I think) does not have permission to look at the private key? It is stored in the "LocalMachine" certificate store, under the "Personal" folder (also referred to as "My"). From what I know, applications should be able to read from the LocalMachine store without special permissions?

Recommended answer

An alternative easier way to grant NETWORK SERVICE user permission on certificate private key (easier than my other answer):

  1. Open certificate snap-in in MMC: WIN + R -> type mmc -> File -> Add/Remove Snap-in -> Add Certificates (Computer Account).
  2. Find your certificate -> Right click and choose All Tasks/Manage Private Keys
  3. Grant Read Permission for NETWORK SERVICE user
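As an added example (not part of the question or answer above), here is the same fix done from an elevated PowerShell session instead of the MMC dialog: it locates the certificate's key container file on disk, checks whether the service account already holds Read on it, and grants Read only when it is missing. The thumbprint is a placeholder, the account defaults to NETWORK SERVICE as the question assumes, and the key-file locations are assumed to be the standard CNG and CSP machine-key folders.

```powershell
#Requires -RunAsAdministrator
# PowerShell equivalent of MMC "All Tasks / Manage Private Keys" -> grant Read.
# Constructed example: thumbprint is a placeholder, account is an assumption.
param(
    [string]$Thumbprint = 'PUT-CERT-THUMBPRINT-HERE',     # placeholder: your cert's thumbprint
    [string]$Account    = 'NT AUTHORITY\NETWORK SERVICE'   # assumed account the service runs as
)

$cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert)               { throw "Certificate $Thumbprint not found in LocalMachine\My" }
if (-not $cert.HasPrivateKey) { throw "Certificate has no private key; re-import the PFX with its key" }

# Resolve the key container's unique name. CNG keys expose it via RSACng.Key.UniqueName,
# legacy CSP keys via CspKeyContainerInfo. Requires .NET 4.6+ (Windows PowerShell 5.1 is fine).
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
if ($rsa -is [System.Security.Cryptography.RSACng]) {
    $uniqueName = $rsa.Key.UniqueName
} else {
    $uniqueName = $rsa.CspKeyContainerInfo.UniqueKeyContainerName
}

# Assumed standard machine-key folders: CNG under Crypto\Keys, CSP under Crypto\RSA\MachineKeys.
$keyFile = @('Microsoft\Crypto\Keys', 'Microsoft\Crypto\RSA\MachineKeys') |
    ForEach-Object { Join-Path $env:ProgramData "$_\$uniqueName" } |
    Where-Object { Test-Path $_ } | Select-Object -First 1
if (-not $keyFile) { throw "Key container '$uniqueName' not found under $env:ProgramData\Microsoft\Crypto" }

# Check first: a missing Read ACE here is what surfaces as "KeySet does not exist" in the service.
$readBits = [System.Security.AccessControl.FileSystemRights]::Read
$acl      = Get-Acl -Path $keyFile
$hasRead  = $acl.Access | Where-Object {
    $_.IdentityReference.Value -eq $Account -and
    $_.AccessControlType -eq 'Allow' -and
    (($_.FileSystemRights -band $readBits) -eq $readBits)
}
if ($hasRead) { Write-Host "$Account already has Read on $keyFile"; return }

# Grant Read only (not FullControl): enough to use the key, not to delete or replace it.
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Account, 'Read', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $keyFile -AclObject $acl
Write-Host "Granted Read on $keyFile to $Account"
```

Run it in an elevated session; if the service runs under an account other than NETWORK SERVICE, pass that identity via -Account.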
