Cryptographic Exception on access to Environments tab
MFitchett
Posts: 16
Hi there,
Having recently moved my RGDM from one server to another (following the instructions) I now can't access the environments tab.
All other functionality works and I can access, just not the Environments tab.
I'm running v2.4.12.1
It fails with:
Access Denied
Exception :
System.Security.Cryptography.CryptographicException: Access denied.
at System.Security.Cryptography.CryptographicException.ThrowCryptographicException(Int32 hr)
at System.Security.Cryptography.X509Certificates.X509Utils._LoadCertFromFile(String fileName, IntPtr password, UInt32 dwFlags, Boolean persistKeySet, SafeCertContextHandle& pCertCtx)
at System.Security.Cryptography.X509Certificates.X509Certificate.LoadCertificateFromFile(String fileName, Object password, X509KeyStorageFlags keyStorageFlags)
at RedGate.Deploy.Shared.Security.CertificateEncoder.FromBase64String(String certificateString, X509KeyStorageFlags keyStorageFlags)
at RedGate.Deploy.Core.Model.Security.Certificate.CreateX509Certificate()
at RedGate.Deploy.Portal.Areas.Configuration.Models.Certificates.CertificateModelBuilder.CreateFrom(Certificate certificate)
at RedGate.Deploy.Portal.Models.Environments.EnvironmentIndexModelBuilder.CreateFrom(IList`1 environments, Certificate certificate)
at RedGate.Deploy.Portal.Controllers.EnvironmentsController.BuildEnvironmentIndexModel()
at RedGate.Deploy.Portal.Controllers.EnvironmentsController.Index()
at lambda_method(Closure , ControllerBase , Object[] )
help!
Comments
However, now I am receiving an error on performing a health check against my targets...
I've checked the service permissions too.
Should I reinstall the targets client?
Thanks
2014-08-13 19:39:12 +00:00 ERROR System.ServiceModel.Security.SecurityNegotiationException: SOAP security negotiation failed. See inner exception for more details. ---> System.ArgumentException: It is likely that certificate 'CN=Red Gate Deployment Manager' may not have a private key that is capable of key exchange or the process may not have access rights for the private key. Please see inner exception for detail. ---> System.Security.Cryptography.CryptographicException: Invalid provider type specified.
at System.Security.Cryptography.Utils.CreateProvHandle(CspParameters parameters, Boolean randomKeyContainer)
at System.Security.Cryptography.Utils.GetKeyPairHelper(CspAlgorithmType keyType, CspParameters parameters, Boolean randomKeyContainer, Int32 dwKeySize, SafeProvHandle& safeProvHandle, SafeKeyHandle& safeKeyHandle)
at System.Security.Cryptography.RSACryptoServiceProvider.GetKeyPair()
at System.Security.Cryptography.X509Certificates.X509Certificate2.get_PrivateKey()
at System.ServiceModel.Security.TlsSspiNegotiation.ValidatePrivateKey(X509Certificate2 certificate)
Redgate Software
Both machines (DM server and agents) are running Windows Server 2012 R2.
The DM server's Redgate Deployment Manager service is set to log on as 'Local system'.
However, I changed the Deployment Manager portal application pool Identity to use LocalSystem to solve the first issue with the environments tab (permissions related).
I've tried doing a "Repair" install on the agents; do you think it's worth me trying to do an uninstall/reinstall?
Although to me it doesn't feel like an agent problem, more a server / certificate problem.
Thanks Mike,
Matt
I think you're right, it does sound like a problem with the server certificate. Have you tried regenerating the server key (Settings->Server Key). When you do that, you'll need to update the matching server key in the agents (using the Agent Tools app) as well.
Redgate Software
Thanks for your suggestion; you can probably guess what happened...
Clicking on "Generate new server key" throws an Access Denied exception lol
I'll see if I can figure out some permissions that will allow me to do it but currently everything is still set to LocalSystem!
System.ComponentModel.Win32Exception (0x80004005): Access is denied
at RedGate.Deploy.Shared.Util.PInvoke.Win32ErrorHelper.ThrowOnError(String message)
at RedGate.Deploy.Shared.Util.PInvoke.Win32ErrorHelper.ThrowOnFailure(Boolean result, String message)
at RedGate.Deploy.Shared.Security.CertificateGeneration.CryptContext.GenerateKey(Boolean exportable, Int32 keyBitLength, KeyType type)
at RedGate.Deploy.Shared.Security.CertificateGeneration.CryptContext.CreateSelfSignedCertificate(SelfSignedCertProperties properties)
at RedGate.Deploy.Shared.Security.CertificateGenerator.Generate(X500DistinguishedName name, Boolean exportable)
at RedGate.Deploy.Shared.Security.CertificateGenerator.GenerateNew(X500DistinguishedName name)
at RedGate.Deploy.Portal.Areas.Configuration.Controllers.CertificatesController.GenerateNew()
at lambda_method(Closure , ControllerBase , Object[] )
at System.Web.Mvc.ReflectedActionDescriptor.Execute(ControllerContext controllerContext, IDictionary`2 parameters)
at System.Web.Mvc.ControllerActionInvoker.InvokeActionMethod(ControllerContext controllerContext, ActionDescriptor actionDescriptor, IDictionary`2 parameters)
Redgate Software
Any news on this? Kinda stuck without deployments.
thanks,
M
I'm afraid I've not had much luck. There's definitely an unusual permissions problem on this machine, but all I can see is that the native method call CryptGenKey is failing with an access denied error code - Microsoft don't give me anything helpful like what object access was denied to.
Is there any chance you could use Process Monitor (http://technet.microsoft.com/en-gb/sysinternals/bb896645.aspx) to search for access denied events? If you start process monitor just before you press the 'Generate new server key' button, then stop it after the error occurs, you should then be able to search for Access Denied (or error code 5), and find out what objects the certificate generation code is trying to access.
I'm sorry I don't have anything more useful for you, but the cryptography part of the Win32 API is pretty obscure.
Redgate Software
Thanks for the reply,
Running Process Monitor shows that ACCESS DENIED error on:
Process W3wp.exe
Operation : CreateFile
Path : C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2ea1df2b4cbdc687b8ef459f707238f4_31cc42e9-05cb-4d2b-92af-5b129d6622ff
Detail : Desired Access: Generic Write, Read Attributes, Disposition: OpenIf, Options: Sequential Access, Synchronous IO Non-Alert, Non-Directory File, Attributes: S, ShareMode: None, AllocationSize: 0
There's quite a few PATH NOT FOUND type errors, but no more than the usual Process Monitor output!
Granted access to that one file to the correct identity and switched the App Pool's user back to ApplicationPoolIdentity and all the tabs appear to work..
Looks like something in moving server hadn't reset some permission somewhere!
Thanks for your help Mike, I'll have a further poke around today to see if I can come up with any more details!
Run Health Check and........................ it worked!
thanks again Mike!
Can you check the effective permissions for 'NETWORK SERVICE' (which is the user the DM portal runs as) on the folder C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys?
On my machine (which is Win 7, so not quite the same - I'll dig out a Server 2012 R2 VM when I get a chance), I have
Redgate Software
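The two checks this thread converges on, the ACL on the MachineKeys folder for the portal's identity and the permission on the one key container file that Process Monitor flagged, can be scripted rather than clicked through. The following PowerShell is an added example, not code from the thread or from Redgate. It assumes the default 'NT AUTHORITY\NETWORK SERVICE' portal identity and the 'CN=Red Gate Deployment Manager' subject that appears in the health-check log; the Get-IdentityAces helper is the example's own. It must be run elevated on the DM server.

```powershell
# Added example, not code from the thread or from Redgate: audit the CAPI
# machine key store for the identity the portal's app pool runs as.
# Assumptions (adjust for your install): the identity below is the default
# portal identity, and the subject is the one quoted in the thread's log.
param(
    [string]$Identity = 'NT AUTHORITY\NETWORK SERVICE',
    [string]$Subject  = 'CN=Red Gate Deployment Manager'
)

$machineKeys = Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys'

# Return the explicit Allow/Deny ACEs on a path that name the identity.
# This reads explicit ACEs only; rights that arrive through group membership
# (NETWORK SERVICE is a member of Users, for example) are not resolved here,
# so use the "Effective Access" tab in Explorer for the complete picture.
function Get-IdentityAces {
    param([string]$Path, [string]$Identity)
    $acl = Get-Acl -LiteralPath $Path
    $acl.Access | Where-Object { $_.IdentityReference.Value -eq $Identity } |
        ForEach-Object {
            [pscustomobject]@{
                Path   = $Path
                Type   = $_.AccessControlType
                Rights = $_.FileSystemRights
            }
        }
}

Write-Host "Explicit ACEs for $Identity on $machineKeys"
Get-IdentityAces -Path $machineKeys -Identity $Identity | Format-Table -AutoSize

# Locate the server certificate and the container file that backs its key.
# Reading .PrivateKey is the same operation that fails in the thread with
# "Access denied" / "Invalid provider type specified" when the process
# cannot open the key container, so the try/catch below reproduces the symptom.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq $Subject } | Select-Object -First 1

if (-not $cert) {
    Write-Warning "No certificate with subject '$Subject' in LocalMachine\My"
    return
}

try {
    $csp = $cert.PrivateKey   # RSACryptoServiceProvider for a CAPI (CSP) key
    if ($csp -and $csp.CspKeyContainerInfo) {
        $info = $csp.CspKeyContainerInfo
        Write-Host "Key container : $($info.KeyContainerName)"
        Write-Host "Provider      : $($info.ProviderName)"
        $keyFile = Join-Path $machineKeys $info.UniqueKeyContainerName
        Write-Host "Container file: $keyFile"
        if (Test-Path -LiteralPath $keyFile) {
            Get-IdentityAces -Path $keyFile -Identity $Identity | Format-Table -AutoSize
        } else {
            Write-Warning "Container file not found under MachineKeys; the key may be stored elsewhere"
        }
    } else {
        Write-Warning "Private key is not a CAPI (CSP) key; machine CNG keys live under $env:ProgramData\Microsoft\Crypto\Keys"
    }
} catch [System.Security.Cryptography.CryptographicException] {
    # Same exception type the Environments tab surfaces.
    Write-Warning "Cannot open the private key as the current user: $($_.Exception.Message)"
}
```

Once the script names the container file, grant the portal identity Read and Write on that single file, as was done in this thread, rather than loosening the whole MachineKeys folder; the folder's default ACL is what keeps other services' private keys from being readable by every process on the box. If the run as the current (admin) user succeeds but the portal still fails, the gap is between the admin's rights and the app pool identity's, which is exactly what the explicit-ACE listing is meant to expose.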
My Effective Access list contains all yours plus various more, it's probably not comparable as I've been 'playing' for a while now with these permissions.
Probably not something we can easily recreate unless someone does a server move onto a Win 2012 R2 and then does as you ask.
Any other Q's, feel free!
By the way, the Deployment Manager Portal identity is normally set to 'NetworkService' rather than 'ApplicationPoolIdentity' - if you have any further permissions problems, it might be worth resetting back to NetworkService.
Redgate Software