AcquireCredentialsHandle failing with SEC_E_INTERNAL_ERROR for domain logon

From: Colin Grant (grant_colin_at_yahoo.co.uk)
Date: 12/19/04

    Date: Sun, 19 Dec 2004 11:51:23 -0000

    Hi,

    I am trying to add client Authentication to an SSL connection.

    I have the following code (taken from an example) to read the client
    certificate from the certificate store and create the client credentials for
    SCHANNEL.

    However, the AcquireCredentialsHandle() call works fine when I'm logged onto
    a local account on my PC, but always fails with SEC_E_INTERNAL_ERROR when
    I'm logged in through a domain controller. I am able to read the certificate
    from the store OK in both cases.

    Does anyone know how I can get this working when logging in through a
    domain?

    Thanks,

    Colin

    ---- Code Sample -----

    // Headers needed by the snippet below (SECURITY_WIN32 must be defined
    // before sspi.h so the user-mode SSPI declarations are selected).
    #define SECURITY_WIN32
    #include <windows.h>
    #include <wincrypt.h>
    #include <sspi.h>
    #include <schannel.h>
    #include <stdio.h>

    bool SSLImplementation::createCredentials(LPCSTR pszUserName)
    {
        TimeStamp tsExpiry;
        SECURITY_STATUS Status;

        char szErr[200];

        PCCERT_CONTEXT pCertContext = NULL;

        //
        // If a user name is specified, then attempt to find a client
        // certificate. Otherwise, just create a NULL credential.
        //

        if(pszUserName)
        {
            // Find client certificate. Note that this sample just searches for a
            // certificate that contains the user name somewhere in the subject name.
            // A real application should be a bit less casual.
            pCertContext = CertFindCertificateInStore(g_handler.m_hMyCertStore,
                                                      X509_ASN_ENCODING,
                                                      0,
                                                      CERT_FIND_SUBJECT_STR_A,
                                                      pszUserName,
                                                      NULL);
            if(pCertContext == NULL)
            {
                sprintf(szErr, "Error 0x%x returned by CertFindCertificateInStore\n",
                        GetLastError());
                g_handler.setLastError(szErr);
                return false;
            }
        }

        //
        // Build Schannel credential structure.
        ZeroMemory(&m_SchannelCred, sizeof(m_SchannelCred));

        m_SchannelCred.dwVersion = SCHANNEL_CRED_VERSION;
        if(pCertContext)
        {
            m_SchannelCred.cCreds = 1;
            m_SchannelCred.paCred = &pCertContext;
        }

        m_SchannelCred.grbitEnabledProtocols = SP_PROT_SSL3_CLIENT;

        //
        // Create an SSPI credential.
        //
        Status = g_handler.m_SecurityFunc.AcquireCredentialsHandleA(
                            NULL, // Name of principal
                            UNISP_NAME_A,
                            SECPKG_CRED_OUTBOUND, // Flags indicating use
                            NULL, // Pointer to logon ID
                            &m_SchannelCred, // Package specific data
                            NULL, // Pointer to GetKey() func
                            NULL, // Value to pass to GetKey()
                            &m_hCred, // (out) Cred Handle
                            &tsExpiry); // (out) Lifetime (optional)
        if(Status != SEC_E_OK)
        {
            sprintf(szErr, "Error 0x%x returned by AcquireCredentialsHandle\n",
                    Status);
            g_handler.setLastError(szErr);
            return false;
        }

        //
        // Free the certificate context. Schannel has already made its own copy.
        //

        if(pCertContext)
        {
            CertFreeCertificateContext(pCertContext);
        }

        return true;
    }

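    A check worth running on the domain account before the code above is called,
    written here as an added example that is not part of the original post: it lists
    the certificates in the current user's MY store that a subject-substring search
    would match and reports, for each, whether the private key can actually be opened
    under the current logon and whether the certificate carries a Client Authentication
    EKU, since Schannel needs both to build a client credential. It assumes
    PowerShell 5.1 or later and takes the same substring that is passed as pszUserName.

```powershell
# Added diagnostic (not from the original post): inspect the certificates that
# CERT_FIND_SUBJECT_STR would match in CurrentUser\My and report whether each
# one is usable as an Schannel client credential under the current logon.
param(
    [Parameter(Mandatory = $true)]
    [string]$SubjectSubstring          # same substring passed as pszUserName
)

$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth

$found = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.Subject -like "*$SubjectSubstring*" }

if (-not $found) {
    Write-Host "No certificate in CurrentUser\My has '$SubjectSubstring' in its subject."
    exit 1
}

foreach ($cert in $found) {
    Write-Host "Subject      : $($cert.Subject)"
    Write-Host "Thumbprint   : $($cert.Thumbprint)"
    Write-Host "NotAfter     : $($cert.NotAfter)"
    Write-Host "HasPrivateKey: $($cert.HasPrivateKey)"

    # A certificate alone is not enough: the private key container must be
    # openable by this logon (roaming/domain profiles differ from local ones).
    $keyUsable = $false
    if ($cert.HasPrivateKey) {
        try {
            $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
            $keyUsable = ($null -ne $rsa)
        } catch {
            Write-Host "PrivateKey   : present but not accessible ($($_.Exception.Message))"
        }
    }
    Write-Host "KeyUsable    : $keyUsable"

    # Client authentication EKU (or no EKU extension, which means any purpose).
    $eku = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if ($eku) {
        $hasClientAuth = $eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $clientAuthOid }
        Write-Host "ClientAuthEKU: $([bool]$hasClientAuth)"
    } else {
        Write-Host "ClientAuthEKU: no EKU extension (any purpose)"
    }
}
```

    Run it once under the local account and once under the domain account; a
    certificate that reports KeyUsable false in only one of the two logons is the
    first thing to compare before looking further at the Schannel call itself.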

