Encrypted RPC using Schannel's SSPI for SSL and AuthInfo binding

From: Durand Miller (pleasecheck_at_website.co.za)
Date: 12/07/04


Date: Tue, 7 Dec 2004 07:37:02 +0200

Hi,

I'm developing on Windows 2000 Server (SP4) with the Microsoft Platform SDK (2003) and Visual C++ 6. I currently have an RPC (tcp) connection running between two machines to do remote data retrieval, and this connection now needs to be encrypted.

I'm hoping to get an SSL tunnel between the two using the RPC calls
RpcSetBindingAuthInfo and RpcServerRegisterAuthInfo while specifying
RPC_C_AUTHN_GSS_SCHANNEL and setting up my SCHANNEL_CRED structure...

I'm having little luck and there is hardly any documentation about this
process that I can find. My steps have been the following:

Server side:
1) I've made a self-signed certificate using makecert.exe and I've loaded it into the LocalMachine\Root certificate store.
2) In the RPC server setup, I'm opening up this store and locating the certificate.
3) I'm setting up an SCHANNEL_CRED structure to point to this single certificate.
4) I'm also setting up the structure to point to the LocalMachine\Root store as the trusted certificates.
5) I'm then calling RpcServerRegisterAuthInfo with RPC_C_AUTHN_GSS_SCHANNEL and passing this SCHANNEL_CRED as my data.
6) I'm then continuing on as normal...

Do I need a principal name for the Register call? If my certificate is called "bob", I've tried "msstd:bob", "bob" and NULL.
Do I need to initialize the SCHANNEL_CRED structure in any way? And if so, how?

Client side:
1) I've imported the same key that the server generated into the same store - LocalMachine\Root.
2) In the RPC server setup, I'm opening up this store and locating the certificate.
3) I'm setting up an SCHANNEL_CRED structure to point to this single certificate.
4) I'm specifying that SSL3/2/1, etc. be used in the structure (trying them all).
5) I'm fully resolving my binding information.
6) I'm then calling RpcSetBindingAuthInfo with RPC_C_AUTHN_GSS_SCHANNEL and passing this SCHANNEL_CRED as my data.
7) I'm then continuing on as normal... and attempting to connect.

None of these calls return an error code. Everything returns 0 on both sides
of the connection.

However, when I run the actual RPC client, I get an error output of 5
(ACCESS DENIED) as soon as it attempts to connect.

Does this mean the handshake is failing and my credentials are incorrect?

Regards,

Durand.
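The two points the post asks about (the principal name and the SCHANNEL_CRED initialisation) as an added C example; this is not code from the original post or from the Platform SDK samples. The SDK's actual function names are RpcServerRegisterAuthInfoA and RpcBindingSetAuthInfoA. For RPC_C_AUTHN_GSS_SCHANNEL the documented principal-name syntaxes are "msstd:<subject CN>" and "fullsic:<X.500 name>"; the helpers below build and classify those forms and are portable, so they compile anywhere, while the Windows-specific setup sits under _WIN32. The certificate name "bob", the store choice LocalMachine\MY for the leaf certificate, and TLS 1.0-only protocol masks are assumptions for the example.

```c
/* Added example, not from the original post: Schannel principal names and
 * SCHANNEL_CRED setup for RPC over RPC_C_AUTHN_GSS_SCHANNEL.
 * "bob", the MY store and the TLS1 protocol masks are assumed values. */
#include <stdio.h>
#include <string.h>

enum princ_form { PRINC_NONE = 0, PRINC_BARE, PRINC_MSSTD, PRINC_FULLSIC };

/* Classify a server principal name as the RPC runtime sees it for Schannel:
 * "msstd:" and "fullsic:" are the documented syntaxes; a bare CN such as
 * "bob" is neither, and an empty/NULL name carries no server identity. */
enum princ_form classify_principal(const char *name)
{
    if (name == NULL || *name == '\0') return PRINC_NONE;
    if (strncmp(name, "msstd:", 6) == 0 && name[6] != '\0') return PRINC_MSSTD;
    if (strncmp(name, "fullsic:", 8) == 0 && name[8] != '\0') return PRINC_FULLSIC;
    return PRINC_BARE;
}

/* Build the msstd form from the certificate's subject CN. Returns the number
 * of characters written, or -1 if the buffer cannot hold the result. */
int make_msstd_principal(const char *cn, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "msstd:%s", cn);
    if (n < 0 || (size_t)n >= outlen) return -1;
    return n;
}

#ifdef _WIN32
#define SECURITY_WIN32
#include <windows.h>
#include <wincrypt.h>
#include <schannel.h>
#include <rpc.h>

/* Assumption: the leaf certificate with its private key is in LocalMachine\MY;
 * Root is for the CA certificate both machines trust, not for the leaf. */
PCCERT_CONTEXT find_cert(const wchar_t *subject_cn)
{
    HCERTSTORE store = CertOpenStore(CERT_STORE_PROV_SYSTEM, 0, 0,
        CERT_SYSTEM_STORE_LOCAL_MACHINE | CERT_STORE_READONLY_FLAG, L"MY");
    if (store == NULL) return NULL;
    PCCERT_CONTEXT ctx = CertFindCertificateInStore(store,
        X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, 0,
        CERT_FIND_SUBJECT_STR, subject_cn, NULL);
    CertCloseStore(store, 0);        /* ctx holds its own reference */
    return ctx;
}

/* Zero the structure first so every unused field is 0/NULL, then set
 * dwVersion; without SCHANNEL_CRED_VERSION the credential is rejected.
 * The cert context and the SCHANNEL_CRED must outlive the RPC calls. */
void init_cred(SCHANNEL_CRED *cred, PCCERT_CONTEXT *cert, DWORD protocols, DWORD flags)
{
    memset(cred, 0, sizeof(*cred));
    cred->dwVersion = SCHANNEL_CRED_VERSION;
    cred->cCreds = 1;
    cred->paCred = cert;
    cred->grbitEnabledProtocols = protocols;
    cred->dwFlags = flags;
}

RPC_STATUS server_setup(PCCERT_CONTEXT *cert, SCHANNEL_CRED *cred)
{
    init_cred(cred, cert, SP_PROT_TLS1_SERVER, 0);
    /* Arg points at the SCHANNEL_CRED for RPC_C_AUTHN_GSS_SCHANNEL. */
    return RpcServerRegisterAuthInfoA(NULL, RPC_C_AUTHN_GSS_SCHANNEL, NULL, cred);
}

RPC_STATUS client_setup(RPC_BINDING_HANDLE binding, PCCERT_CONTEXT *cert,
                        SCHANNEL_CRED *cred, const char *server_cn)
{
    char princ[256];
    if (make_msstd_principal(server_cn, princ, sizeof princ) < 0) return RPC_S_INVALID_ARG;
    /* SCH_CRED_NO_DEFAULT_CREDS: present only the certificate we supply. */
    init_cred(cred, cert, SP_PROT_TLS1_CLIENT, SCH_CRED_NO_DEFAULT_CREDS);
    return RpcBindingSetAuthInfoA(binding, (RPC_CSTR)princ, RPC_C_AUTHN_LEVEL_PKT_PRIVACY,
                                  RPC_C_AUTHN_GSS_SCHANNEL, cred, RPC_C_AUTHZ_NONE);
}
#endif

int main(void)
{
    /* The three names the post tried; only the first is a Schannel form. */
    const char *tried[] = { "msstd:bob", "bob", NULL };
    for (int i = 0; i < 3; i++)
        printf("%-10s -> form %d\n", tried[i] ? tried[i] : "NULL", classify_principal(tried[i]));
#ifdef _WIN32
    static SCHANNEL_CRED cred;              /* must stay alive while the server runs */
    PCCERT_CONTEXT cert = find_cert(L"bob");
    if (cert == NULL) { fprintf(stderr, "certificate not found in MY\n"); return 1; }
    RPC_STATUS st = server_setup(&cert, &cred);
    printf("RpcServerRegisterAuthInfo -> %lu\n", (unsigned long)st);
#endif
    return 0;
}
```

Two things worth checking against the steps in the post: the leaf certificate needs its private key on the machine that presents it (the server), so importing the server's key into the client's store is not what gives the client a credential, and both structures must be zero-filled with dwVersion set, which a stack-allocated SCHANNEL_CRED left uninitialised is not.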