Encrypted RPC using Schannel's SSPI for SSL and AuthInfo binding

From: Durand Miller (pleasecheck_at_website.co.za)
Date: 12/07/04


Date: Tue, 7 Dec 2004 07:37:02 +0200

Hi,

I'm developing on Windows 2000 Server (SP4) with the Microsoft Platform SDK
(2003)
and Visual C++ 6. I currently have an RPC (tcp) connection running between
two machines to do remote data retrieval and this connection now needs to be
encrypted.

I'm hoping to get an SSL tunnel between the two using the RPC calls
RpcSetBindingAuthInfo and RpcServerRegisterAuthInfo while specifying
RPC_C_AUTHN_GSS_SCHANNEL and setting up my SCHANNEL_CRED structure...

I'm having little luck and there is hardly any documentation about this
process that I can find. My steps have been the following:

Server side:
1) I've made a self-signed certificate using makecert.exe and I've loaded it
into the LocalMachine\Root certificate store.
2) In the RPC server setup, I'm opening up this store and locating the
certificate.
3) I'm setting up an SCHANNEL_CRED structure to point to this single
certificate.
4) I'm also setting up the structure to point to the LocalMachine\Root store
as the trusted certificates.
5) I'm then calling RpcServerRegisterAuthInfo with RPC_C_AUTHN_GSS_SCHANNEL
and passing this SCHANNEL_CRED as my data.
6) I'm then continuing on as normal....

Do I need a principal name for the Register call? If my certificate is
called "bob", I've tried "msstd:bob", "bob" and NULL.
Do I need to initialize the SCHANNEL_CRED structure in any way? And if so,
how?

Client side:
1) I've imported the same key that the server generated into the same
store - LocalMachine\Root.
2) In the RPC server setup, I'm opening up this store and locating the
certificate.
3) I'm setting up an SCHANNEL_CRED structure to point to this single
certificate.
4) I'm specifying that SSL3/2/1, etc be used in the structure. (trying them
all)
5) I'm fully resolving my binding information
6) I'm then calling RpcSetBindingAuthInfo with RPC_C_AUTHN_GSS_SCHANNEL and
passing this SCHANNEL_CRED as my data.
7) I'm then continuing on as normal....and attempting to connect.

None of these calls return an error code. Everything returns 0 on both sides
of the connection.

However, when I run the actual RPC client, I get an error output of 5
(ACCESS DENIED) as soon as it attempts to connect.

Does this mean the handshake is failing and my credentials are incorrect?

Regards,

Durand.


