Monday, July 28, 2008

WCF and Message based security

Posted by Andre Broers
To use message-based security with the UserName client credential type, I needed to grant the service account access to the private key of the machine certificate to solve the following problem:

System.ArgumentException was unhandled
Message="The certificate 'CN=localhost' must have a private key that is capable of key exchange. The process must have access rights for the private key."

The first thing to do is look up the certificate in the Local Machine certificate store (MMC, Certificates snap-in, Computer account, Personal store).
Look up the thumbprint of the certificate; it is the value passed to FindPrivateKey.

I used the FindPrivateKey tool, which is included in the WCF samples:
Microsoft WCF Samples

Use FindPrivateKey as follows (the thumbprint goes between the quotes; "My" is the Personal store, "LocalMachine" the store location, and /a prints the full path of the private key file):

findprivatekey.exe My LocalMachine -t "" /a

Now use cacls.exe to grant access on that private key file to the account the service is running as (the file path printed by FindPrivateKey goes between the quotes).

In my case IIS 6, so the worker process runs as Network Service:

cacls "" /E /G "NETWORK SERVICE":R

/E - edit the existing ACL instead of replacing it
/G user:perm - grant the given user the given permission
:R - read access (enough to load the key; do not grant Full Control)

On Windows Vista / Server 2008 and later, icacls is the supported replacement for cacls.

Now the Network Service account is able to use the private key to decrypt the client messages (with UserName credentials over message security, the client encrypts the message key with the service certificate's public key, so the service must be able to read the matching private key). Two things to check if the error remains: the key must also be an exchange key (AT_KEYEXCHANGE), since a signature-only key gives the same error and no ACL change will fix that, and on IIS 7 and later the application pool may run under a different identity than Network Service, in which case grant access to that account instead.
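The same procedure as one script, added here as an example and not code from the original post: it finds the certificate by thumbprint in LocalMachine\My, locates the private key file, checks the key-exchange condition from the error message, and grants the service account read access. It goes a little beyond the post in also handling CNG-stored keys. The thumbprint and account are placeholders, and the script must be run from an elevated PowerShell prompt.

```powershell
<#
  Added example (not part of the original post): locate the private key file of the
  LocalMachine\My certificate with the given thumbprint, confirm the key is capable of
  key exchange, and grant the service account Read access to the key file.
  $Thumbprint and $Account are placeholders; run from an elevated prompt.
#>
param(
    [Parameter(Mandatory = $true)]
    [string]$Thumbprint,                                # copy from the MMC Certificates snap-in
    [string]$Account = 'NT AUTHORITY\NETWORK SERVICE'   # IIS 6 worker process identity;
                                                        # IIS 7+ app pools use 'IIS AppPool\<poolname>'
)

$Thumbprint = ($Thumbprint -replace '[\s:]', '').ToUpperInvariant()
$cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert)               { throw "No certificate with thumbprint $Thumbprint in LocalMachine\My" }
if (-not $cert.HasPrivateKey) { throw "Certificate '$($cert.Subject)' has no private key in this store" }

# Legacy CAPI (CSP) keys are files under ...\Crypto\RSA\MachineKeys; CNG keys under ...\Crypto\Keys.
# (On Windows Server 2003 the base is 'Documents and Settings\All Users\Application Data'
# instead of $env:ProgramData.)
$csp = $null
try { $csp = $cert.PrivateKey } catch { }   # .NET Framework returns $null or throws for CNG-backed certificates

if ($csp -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
    $info = $csp.CspKeyContainerInfo
    # WCF message security needs an AT_KEYEXCHANGE key. A signature-only key produces the
    # same "must have a private key that is capable of key exchange" error, and no ACL
    # change will fix it: the certificate has to be re-issued with an exchange key.
    if ($info.KeyNumber -ne [System.Security.Cryptography.KeyNumber]::Exchange) {
        throw "Key is of type $($info.KeyNumber), not Exchange; re-issue the certificate with an AT_KEYEXCHANGE key"
    }
    $keyFile = Join-Path (Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys') $info.UniqueKeyContainerName
} else {
    # CNG key (Microsoft Software Key Storage Provider): the file name is the key's unique name.
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
    if (-not ($rsa -is [System.Security.Cryptography.RSACng])) {
        throw "Unsupported private key type: $($rsa.GetType().Name)"
    }
    $keyFile = Join-Path (Join-Path $env:ProgramData 'Microsoft\Crypto\Keys') $rsa.Key.UniqueName
}
if (-not (Test-Path -LiteralPath $keyFile)) { throw "Private key file not found at $keyFile" }
Write-Host "Private key file: $keyFile"

# Grant Read only: the service needs to load the key, not to modify or replace it.
$acl  = Get-Acl -LiteralPath $keyFile
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $Account,
            [System.Security.AccessControl.FileSystemRights]::Read,
            [System.Security.AccessControl.AccessControlType]::Allow)
$acl.AddAccessRule($rule)
Set-Acl -LiteralPath $keyFile -AclObject $acl

# Show the resulting entry so the grant can be checked against the intended account.
(Get-Acl -LiteralPath $keyFile).Access |
    Where-Object { $_.IdentityReference.Value -eq $Account } |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
```

Run it as `.\Grant-KeyAccess.ps1 -Thumbprint "<thumbprint>"` for the IIS 6 case, or pass `-Account 'IIS AppPool\<poolname>'` for an IIS 7+ application pool identity. Granting Read rather than Full Control keeps the service from being able to overwrite or delete the key if the worker process is compromised.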


