Cryptographic Exception on access to Environments tab

MFitchett Posts: 16
edited August 21, 2014 6:00AM in Deployment Manager
Hi there,

Having recently moved my RGDM from one server to another (following the instructions) I now can't access the environments tab.

All other functionality works and I can access, just not the Environments tab.

I'm running v2.4.12.1

It fails with...

Access Denied

Exception :

System.Security.Cryptography.CryptographicException: Access denied.

at System.Security.Cryptography.CryptographicException.ThrowCryptographicException(Int32 hr)
at System.Security.Cryptography.X509Certificates.X509Utils._LoadCertFromFile(String fileName, IntPtr password, UInt32 dwFlags, Boolean persistKeySet, SafeCertContextHandle& pCertCtx)
at System.Security.Cryptography.X509Certificates.X509Certificate.LoadCertificateFromFile(String fileName, Object password, X509KeyStorageFlags keyStorageFlags)
at RedGate.Deploy.Shared.Security.CertificateEncoder.FromBase64String(String certificateString, X509KeyStorageFlags keyStorageFlags)
at RedGate.Deploy.Core.Model.Security.Certificate.CreateX509Certificate()
at RedGate.Deploy.Portal.Areas.Configuration.Models.Certificates.CertificateModelBuilder.CreateFrom(Certificate certificate)
at RedGate.Deploy.Portal.Models.Environments.EnvironmentIndexModelBuilder.CreateFrom(IList`1 environments, Certificate certificate)
at RedGate.Deploy.Portal.Controllers.EnvironmentsController.BuildEnvironmentIndexModel()
at RedGate.Deploy.Portal.Controllers.EnvironmentsController.Index()
at lambda_method(Closure , ControllerBase , Object[] )

help!

Comments

  • I managed to solve this specific issue by granting appropriate permissions to the application pool of the Redgate Deployment Manager IIS site.

    However, now I am receiving an error on performing a health check against my targets...

    I've checked the service permissions too.

    Should I reinstall the targets client?

    Thanks


    2014-08-13 19:39:12 +00:00 ERROR System.ServiceModel.Security.SecurityNegotiationException: SOAP security negotiation failed. See inner exception for more details. ---> System.ArgumentException: It is likely that certificate 'CN=Red Gate Deployment Manager' may not have a private key that is capable of key exchange or the process may not have access rights for the private key. Please see inner exception for detail. ---> System.Security.Cryptography.CryptographicException: Invalid provider type specified.

    at System.Security.Cryptography.Utils.CreateProvHandle(CspParameters parameters, Boolean randomKeyContainer)
    at System.Security.Cryptography.Utils.GetKeyPairHelper(CspAlgorithmType keyType, CspParameters parameters, Boolean randomKeyContainer, Int32 dwKeySize, SafeProvHandle& safeProvHandle, SafeKeyHandle& safeKeyHandle)
    at System.Security.Cryptography.RSACryptoServiceProvider.GetKeyPair()
    at System.Security.Cryptography.X509Certificates.X509Certificate2.get_PrivateKey()
    at System.ServiceModel.Security.TlsSspiNegotiation.ValidatePrivateKey(X509Certificate2 certificate)
  • Can I ask what versions of Windows you're using on all the relevant machines (the DM server and the agents), and also whether you've changed any of the service accounts from Local System to something else?
    Development Lead
    Redgate Software
  • Hi Mike,

    Both machines (DM server and agents) are running Windows Server 2012 R2.

    The DM server's Redgate Deployment Manager service is Log on As 'Local system'

    However, I changed the Deployment Manager portal application pool Identity to use LocalSystem to solve the first issue with the environments tab (permissions related)

    I've tried doing a "Repair" install on the agents, do you think it's worth me trying to do an uninstall/reinstall?

    Although to me it doesn't feel like an agent problem, more a server / certificate problem.

    Thanks Mike,

    Matt
  • Hi Matt,

    I think you're right, it does sound like a problem with the server certificate. Have you tried regenerating the server key (Settings->Server Key)? When you do that, you'll need to update the matching server key in the agents (using the Agent Tools app) as well.
    Development Lead
    Redgate Software
  • Hi Mike,

    Thanks for your suggestion, you can probably guess what happened :)

    Clicking on "Generate new server key" throws an Access Denied exception lol

    I'll see if I can figure out some permissions that will allow me to do it but currently everything is still set to LocalSystem!
  • Stack trace if this helps - I've tried various accounts all with no success


    System.ComponentModel.Win32Exception (0x80004005): Access is denied
    at RedGate.Deploy.Shared.Util.PInvoke.Win32ErrorHelper.ThrowOnError(String message)
    at RedGate.Deploy.Shared.Util.PInvoke.Win32ErrorHelper.ThrowOnFailure(Boolean result, String message)
    at RedGate.Deploy.Shared.Security.CertificateGeneration.CryptContext.GenerateKey(Boolean exportable, Int32 keyBitLength, KeyType type)
    at RedGate.Deploy.Shared.Security.CertificateGeneration.CryptContext.CreateSelfSignedCertificate(SelfSignedCertProperties properties)
    at RedGate.Deploy.Shared.Security.CertificateGenerator.Generate(X500DistinguishedName name, Boolean exportable)
    at RedGate.Deploy.Shared.Security.CertificateGenerator.GenerateNew(X500DistinguishedName name)
    at RedGate.Deploy.Portal.Areas.Configuration.Controllers.CertificatesController.GenerateNew()
    at lambda_method(Closure , ControllerBase , Object[] )
    at System.Web.Mvc.ReflectedActionDescriptor.Execute(ControllerContext controllerContext, IDictionary`2 parameters)
    at System.Web.Mvc.ControllerActionInvoker.InvokeActionMethod(ControllerContext controllerContext, ActionDescriptor actionDescriptor, IDictionary`2 parameters)
  • That's very strange. I'll dig into the code today and see if I can figure out what permissions are missing.
    Development Lead
    Redgate Software
  • Hey Mike,

    Any news on this, kinda stuck without deployments :)

    thanks,

    M
  • Hi,

    I'm afraid I've not had much luck. There's definitely an unusual permissions problem on this machine, but all I can see is that the native method call CryptGenKey is failing with an access denied error code - Microsoft don't give me anything helpful like what object access was denied to.

    Is there any chance you could use Process Monitor (http://technet.microsoft.com/en-gb/sysinternals/bb896645.aspx) to search for access denied events? If you start process monitor just before you press the 'Generate new server key' button, then stop it after the error occurs, you should then be able to search for Access Denied (or error code 5), and find out what objects the certificate generation code is trying to access.

    I'm sorry I don't have anything more useful for you, but the cryptography part of the Win32 API is pretty obscure :cry:
    Development Lead
    Redgate Software
  • Hi Mike,

    Thanks for the reply,

    Running Process Monitor shows that ACCESS DENIED error on:

    Process W3wp.exe
    Operation : CreateFile
    Path : C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2ea1df2b4cbdc687b8ef459f707238f4_31cc42e9-05cb-4d2b-92af-5b129d6622ff

    Detail : Desired Access: Generic Write, Read Attributes, Disposition: OpenIf, Options: Sequential Access, Synchronous IO Non-Alert, Non-Directory File, Attributes: S, ShareMode: None, AllocationSize: 0

    There's quite a few PATH NOT FOUND type errors, but no more than the usual Process Monitor output!
  • OK, looks like it might be working...

    Granted access to that one file to the correct identity and switched the App Pool's user back to ApplicationPoolIdentity and all the tabs appear to work...

    Looks like something in moving server hadn't reset some permission somewhere!

    Thanks for your help Mike, I'll have a further poke around today see if I can come up with any more details!
  • Agent Keys changed with new Server Key...

    Run Health Check and........................ it worked!

    thanks again Mike!
  • Ah, that gives us some clues :)

    Can you check the effective permissions for 'NETWORK SERVICE' (which is the user the DM portal runs as) on the folder C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys?

    On my machine (which is Win 7, so not quite the same - I'll dig out a Server 2012 R2 VM when I get a chance), I have
    • List folder / read data
    • Read attributes
    • Read extended attributes
    • Create files / write data
    • Create folders / append data
    • Write attributes
    • Write extended attributes
    • Read permissions
    Development Lead
    Redgate Software
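    An added example (not from this thread or from Redgate) that checks the eight rights listed above on the MachineKeys folder for a given account. It reads the folder's ACL with Get-Acl and reports which rights an Allow ACE for that account grants; it does not expand group membership, so it is a narrower check than the Effective Access tab. It assumes the default MachineKeys path and that it is run from an elevated PowerShell prompt; the identity defaults to NETWORK SERVICE as stated in the post.

```powershell
# Added example, not part of the original thread. Audits a MachineKeys ACL for one identity
# against the rights listed in the post above. Assumes the default path and an elevated shell.
param(
    [string]$Path = 'C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys',
    [string]$Identity = 'NT AUTHORITY\NETWORK SERVICE'
)

# The eight rights from the post, as FileSystemRights flags
$Required = [ordered]@{
    'List folder / read data'      = [System.Security.AccessControl.FileSystemRights]::ReadData
    'Read attributes'              = [System.Security.AccessControl.FileSystemRights]::ReadAttributes
    'Read extended attributes'     = [System.Security.AccessControl.FileSystemRights]::ReadExtendedAttributes
    'Create files / write data'    = [System.Security.AccessControl.FileSystemRights]::WriteData
    'Create folders / append data' = [System.Security.AccessControl.FileSystemRights]::AppendData
    'Write attributes'             = [System.Security.AccessControl.FileSystemRights]::WriteAttributes
    'Write extended attributes'    = [System.Security.AccessControl.FileSystemRights]::WriteExtendedAttributes
    'Read permissions'             = [System.Security.AccessControl.FileSystemRights]::ReadPermissions
}

function Test-MachineKeysAccess {
    param([string]$Path, [string]$Identity)
    $acl = Get-Acl -LiteralPath $Path
    # Resolve the account name to a SID so the comparison does not depend on display names
    $sid = (New-Object System.Security.Principal.NTAccount($Identity)).Translate(
        [System.Security.Principal.SecurityIdentifier])
    $allow = 0; $deny = 0
    # Include explicit and inherited ACEs; Deny wins over Allow, as in Windows
    foreach ($ace in $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])) {
        if ($ace.IdentityReference.Value -ne $sid.Value) { continue }
        if ($ace.AccessControlType -eq 'Allow') { $allow = $allow -bor [int]$ace.FileSystemRights }
        else { $deny = $deny -bor [int]$ace.FileSystemRights }
    }
    $effective = $allow -band (-bnot $deny)
    foreach ($name in $Required.Keys) {
        $flag = [int]$Required[$name]
        [pscustomobject]@{ Right = $name; Granted = (($effective -band $flag) -eq $flag) }
    }
}

Test-MachineKeysAccess -Path $Path -Identity $Identity | Format-Table -AutoSize
```

    The same function can be pointed at the individual key container file that Process Monitor reported earlier in the thread by passing its full path as -Path, since Get-Acl reads file ACLs the same way.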
  • Hi Mike,

    My Effective Access list contains all yours plus various more, it's probably not comparable as I've been 'playing' for a while now with these permissions.

    Probably not something we can easily recreate unless someone does a server move onto a Win 2012 R2 and then does as you ask.

    any other Q's feel free!
  • Thanks for digging! I'm glad you've got it working now, but that was a weird one :D

    By the way, the Deployment Manager Portal identity is normally set to 'NetworkService' rather than 'ApplicationPoolIdentity' - if you have any further permissions problems, it might be worth resetting back to NetworkService.
    Development Lead
    Redgate Software