views: 366, answers: 1
Hi

I have managed to open the certificate store by using CertOpenSystemStore, and I can find my self-signed certificate (created using OpenSSL), which I installed through the MMC console on Windows Vista Ultimate, using CertFindCertificateInStore. However, I am not sure what this error really means, as I have been unable to spot the answer in the MSDN documentation. Is this a certificate problem? Or an OS problem, in the sense that it should be a Windows Server OS for this to work?

I am using the Win32 API in Delphi 2010, but C examples are fine.

Thanks, Bruce

+2  A: 

The error description in MSDN is rather vague:

No credentials are available in the security package.

Afaik this error means that the SSPI SChannel package did not find the private key for the certificate, or the certificate is not valid for SSL/TLS. Make sure the certificate/private key is loaded in the PROV_RSA_SCHANNEL Crypto provider (CSP), not in the Enhanced CSP.

You should enable SChannel logging for (much) more detailed error info, see How to enable Schannel event logging (the KB is for IIS, but the method described enables Schannel logging globally on the machine).

Been a while since I worked with SSL/TLS, but if I may give one piece of advice: google for posts by "John Banes" and the error you have, you're likely going to find some clues.

Remus Rusanu
+1 the link about how to enable Schannel logging is very useful. Thanks.
Len Holgate
Do you have a link to generating a valid SSL/TLS certificate using OpenSSL on Windows Vista? Are there restrictions on the level of encryption you can use with Schannel? This looks like my problem, but also I am using UNISP_NAME = 'Microsoft Unified Security Protocol Provider', which seems the only one that works. Thanks for any more hints, as I am having trouble finding definitive info on this subject.
Bruce
I see that the hCryptProv parameter of CertOpenStore is now documented as legacy and should be NULL. In Win2k3 this needed to be the SChannel CSP, then the resulting HCERTSTORE needed to be passed as hCertRoot to the SCHANNEL_CRED structure passed as pAuthData to AcquireCredentialsHandle. From what I see, in Vista they only support loading certs from the MyUser or MyComputer stores, which means you can't pass in an arbitrary cert; you can pass in a credential and let the system pick the right certificate. I may be off, this whole area is *very* gray in MSDN.
Remus Rusanu
I can get the certificate using CertFindCertificateInStore and it is returning the correct certificate, but when I pass the CertContext and CertStore to AcquireCredentialsHandle I get the 'No credentials are available in the security package.' error, which led me to believe that I have the wrong kind of private/public certificate (wrong hash or something else), but I can't find what it should be. I had been using the .bat files from this project: http://beta.codeproject.com/KB/IP/AsyncSocketServerandClien.aspx but no luck.
Bruce
Yep, that sounds very familiar. Afaik if you pass the CertContext and CertStore to ACH then the cert store must be the SChannel CSP, not the default one. Turn on SChannel logging; in its details you'll find what CSP is used to look up the cert. Your cert must be loaded into *that* CSP store.
Remus Rusanu
Event Viewer says the provider is Schannel and the Channel is System, with the General window saying "Creating an SSL server credential." and then I still get the 'No credentials are available in the security package.' error. Unfortunately the stackoverflow link in your answer doesn't link to anywhere for me, does it work for you?
Bruce
SChannel is the SSPI provider; you need to know the CSP provider used by SChannel. Follow the linked KB article and enable logging.
Remus Rusanu
Yes I did, that's where the information in my previous comment came from. Maybe not enough information is provided in Vista:

    System
      - Provider [Name] Schannel
      - EventID 36867 [Qualifiers] 16384
        Level 4
        Task 0
        Keywords 0x80000000000000
      - TimeCreated [SystemTime] 2009-11-17T05:57:30.000Z
        EventRecordID 40292
        Channel System
        Computer x24
        Security

That's all I see having set the logging to 0x0004.
Bruce
I hadn't followed the instructions quite well enough; I should have set it to 0x0007 instead, which reveals that my private key information is not attached. Thanks very much for your help, it is very much appreciated.
Bruce
Although it still doesn't say what the SSPI provider is.
Bruce
Try this: open the default CSP, export your key pair with CryptExportKey, open the RSA_SCHANNEL CSP with CryptAcquireContext, import your key pair into it (cert and private key) with CryptImportKey, then obtain the cert context from the RSA_SCHANNEL CSP and pass that to ACH. These are fairly complex steps, please check errors appropriately. Provided the cert is valid for SSL/TLS usage (most are), this *does* work, see http://rusanu.com/2008/10/23/how-does-certificate-based-authentication-work/
Remus Rusanu
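An added example (not code from the thread, and not Remus's or Bruce's): the three checks the answer and the comments above converge on, scripted in PowerShell so they can be run on the machine holding the certificate before touching the Win32 code. Test-SChannelServerCert reports whether the store entry actually carries a private key, which CSP (provider type 12 = PROV_RSA_SCHANNEL vs. 1 = PROV_RSA_FULL, the base/enhanced CSP) holds it, and whether the EKU permits server authentication; Enable-SChannelLogging sets the EventLogging registry value from the linked KB to the 0x0007 level that exposed the missing key; Import-CertIntoSChannelCsp moves the key pair into the SChannel CSP via a PFX round trip instead of the CryptExportKey/CryptImportKey route described in the comment. All function names, the subject/store placeholders and the certutil -csp switch are assumptions made here, not something the thread states.

```powershell
# Added example, not code from the thread. Assumes Windows PowerShell with the
# .NET X509 classes; subject, store path, password and function names are
# placeholders chosen here.
$ErrorActionPreference = 'Stop'

# Provider type constants from wincrypt.h
$PROV_RSA_FULL     = 1    # base / enhanced CSP (where OpenSSL-made keys usually land)
$PROV_RSA_SCHANNEL = 12   # Microsoft RSA SChannel Cryptographic Provider
$SERVER_AUTH_OID   = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth EKU

function Test-SChannelServerCert {
    # Reports whether a cert carries a private key, which CSP holds it, and
    # whether its EKU permits server authentication.
    param(
        [Parameter(Mandatory = $true)][string]$Subject,     # e.g. 'CN=myserver' (placeholder)
        [string]$StorePath = 'Cert:\LocalMachine\My'        # the MyComputer store
    )
    $cert = Get-ChildItem -Path $StorePath |
        Where-Object { $_.Subject -eq $Subject } |
        Select-Object -First 1
    if (-not $cert) { return New-Object PSObject -Property @{ Found = $false; Subject = $Subject } }

    # No EKU extension means "any purpose"; otherwise serverAuth must be listed.
    $eku = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if ($eku) {
        $serverAuth = [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $SERVER_AUTH_OID })
    } else {
        $serverAuth = $true
    }

    # CspKeyContainerInfo exists only for CSP-backed keys; a missing key or a
    # CNG/KSP key leaves these fields empty, which is itself a finding.
    $providerName = $null; $providerType = $null; $container = $null
    if ($cert.HasPrivateKey) {
        try {
            $info = $cert.PrivateKey.CspKeyContainerInfo
            $providerName = $info.ProviderName
            $providerType = $info.ProviderType
            $container    = $info.KeyContainerName
        } catch { }
    }

    New-Object PSObject -Property @{
        Found          = $true
        Thumbprint     = $cert.Thumbprint
        HasPrivateKey  = $cert.HasPrivateKey
        ProviderName   = $providerName
        ProviderType   = $providerType
        KeyContainer   = $container
        InSChannelCsp  = ($providerType -eq $PROV_RSA_SCHANNEL)
        InEnhancedCsp  = ($providerType -eq $PROV_RSA_FULL)
        ServerAuthEku  = $serverAuth
    }
}

function Enable-SChannelLogging {
    # Sets the EventLogging value the KB article describes; 0x0007 logs errors,
    # warnings and informational events. SChannel reads it on next initialisation.
    param([int]$Level = 0x0007)
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
    Set-ItemProperty -Path $key -Name 'EventLogging' -Value $Level -Type DWord
}

function Import-CertIntoSChannelCsp {
    # Exports cert + private key to a PFX (key must be marked exportable) and
    # re-imports it under the SChannel CSP. The certutil -csp switch is an
    # assumption; confirm with 'certutil -importPFX -?' on the build in use.
    param(
        [Parameter(Mandatory = $true)][string]$Thumbprint,
        [string]$StorePath = 'Cert:\LocalMachine\My',
        [string]$Password  = 'placeholder-pfx-password'
    )
    $cert  = Get-Item (Join-Path $StorePath $Thumbprint)
    $pfx   = Join-Path $env:TEMP ($Thumbprint + '.pfx')
    $bytes = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx, $Password)
    [System.IO.File]::WriteAllBytes($pfx, $bytes)
    try {
        & certutil.exe -f -p $Password -csp 'Microsoft RSA SChannel Cryptographic Provider' -importPFX $pfx
    } finally {
        Remove-Item $pfx -Force -ErrorAction SilentlyContinue   # never leave the key pair on disk
    }
}

# Usage: Test-SChannelServerCert -Subject 'CN=myserver' | Format-List
```

The output to look for is HasPrivateKey = True together with InSChannelCsp = True; HasPrivateKey = False matches the "private key information is not attached" finding from the 0x0007 log, and a key sitting under provider type 1 matches the answer's warning about the Enhanced CSP. Run the import step only after confirming ServerAuthEku, since a key in the right CSP does not help a certificate that SChannel will not accept for server use.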
For other reasons I switched from using a Vista machine to an XP machine and then a Windows 7 machine; on both XP and Windows 7, the code worked flawlessly.
Bruce