Solved

Cannot "Manage Private Keys"

Posted on 2015-02-23
3
1,540 Views
Last Modified: 2015-02-25
I am implementing Dynamics NAV 2013r2 with NAVUserPassword authentication.  This requires that the service tier be secured with a self-signed certificate.  I have followed the instructions below and have successfully created the certificates...

https://msdn.microsoft.com/en-us/library/gg502478.aspx
https://msdn.microsoft.com/en-us/library/dd355055(v=nav.71).aspx

However, when I attempt to execute the step in the process that provides access to the certificate for the domain service account, I have no option to "Manage Private Keys" - see the attached snippets showing one installation where there IS access and the problem child where there is no access.

Manage Private Keys exists here!
No access to Manage Private Keys.
0
Comment
Question by:tarkmyler
  • 2
3 Comments
 

Author Comment

by:tarkmyler
ID: 40626863
Event log results when attempting to start the Service Tier

Log Name:      Application
Source:        MicrosoftDynamicsNavServer$NAVCert
Date:          2/23/2015 12:09:13 PM
Event ID:      200
Task Category: (12)
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      NAVI.dnc.local
Description:
Server instance: NAVCert
The service MicrosoftDynamicsNavServer$NAVCert failed to start. This could be caused by a configuration error. Detailed error information:System.ArgumentException: It is likely that certificate 'CN=XYZService' may not have a private key that is capable of key exchange or the process may not have access rights for the private key. Please see inner exception for detail.
   at System.ServiceModel.Security.SecurityUtils.EnsureCertificateCanDoKeyExchange(X509Certificate2 certificate)
   at System.ServiceModel.Security.ServiceCredentialsSecurityTokenManager.CreateServerX509TokenProvider()
   at System.ServiceModel.Security.ServiceCredentialsSecurityTokenManager.CreateLocalSecurityTokenProvider(RecipientServiceModelSecurityTokenRequirement recipientRequirement)
   at System.ServiceModel.Security.ServiceCredentialsSecurityTokenManager.CreateSecurityTokenProvider(SecurityTokenRequirement requirement)
   at System.ServiceModel.Channels.SslStreamSecurityUpgradeProvider.CreateServerProvider(SslStreamSecurityBindingElement bindingElement, BindingContext context)
   at System.ServiceModel.Channels.SslStreamSecurityBindingElement.BuildServerStreamUpgradeProvider(BindingContext context)
   at System.ServiceModel.Channels.ConnectionOrientedTransportChannelListener..ctor(ConnectionOrientedTransportBindingElement bindingElement, BindingContext context)
   at System.ServiceModel.Channels.TcpChannelListener..ctor(TcpTransportBindingElement bindingElement, BindingContext context)
   at System.ServiceModel.Channels.TcpTransportBindingElement.BuildChannelListener[TChannel](BindingContext context)
   at System.ServiceModel.Channels.SessionChannelDemuxer`2..ctor(BindingContext context, TimeSpan peekTimeout, Int32 maxPendingSessions)
   at System.ServiceModel.Channels.ChannelDemuxer.CreateTypedDemuxer(Type channelType, BindingContext context)
   at System.ServiceModel.Channels.ChannelDemuxer.GetTypedDemuxer(Type channelType, BindingContext context)
   at System.ServiceModel.Channels.ChannelDemuxer.BuildChannelListener[TChannel](BindingContext context, ChannelDemuxerFilter filter)
   at System.ServiceModel.Channels.ChannelBuilder.BuildChannelListener[TChannel]()
   at System.ServiceModel.Channels.ChannelBuilder.BuildChannelListener[TChannel](MessageFilter filter, Int32 priority)
   at System.ServiceModel.Security.SecuritySessionServerSettings.CreateInnerChannelListener()
   at System.ServiceModel.Channels.SecurityChannelListener`1.InitializeListener(ChannelBuilder channelBuilder)
   at System.ServiceModel.Channels.TransportSecurityBindingElement.BuildChannelListenerCore[TChannel](BindingContext context)
   at System.ServiceModel.Channels.SecurityBindingElement.BuildChannelListener[TChannel](BindingContext context)
   at System.ServiceModel.Channels.ReliableChannelListener`3..ctor(ReliableSessionBindingElement binding, BindingContext context)
   at System.ServiceModel.Channels.ReliableListenerOverDuplexSession`2..ctor(ReliableSessionBindingElement binding, BindingContext context)
   at System.ServiceModel.Channels.ReliableSessionBindingElement.BuildChannelListener[TChannel](BindingContext context)
   at Microsoft.Dynamics.Nav.Types.Channels.ChunkingBindingElement.BuildChannelListener[TChannel](BindingContext context)
   at System.ServiceModel.Channels.Binding.BuildChannelListener[TChannel](Uri listenUriBaseAddress, String listenUriRelativeAddress, ListenUriMode listenUriMode, BindingParameterCollection parameters)
   at System.ServiceModel.Description.DispatcherBuilder.MaybeCreateListener(Boolean actuallyCreate, Type[] supportedChannels, Binding binding, BindingParameterCollection parameters, Uri listenUriBaseAddress, String listenUriRelativeAddress, ListenUriMode listenUriMode, ServiceThrottle throttle, IChannelListener& result, Boolean supportContextSession)
   at System.ServiceModel.Description.DispatcherBuilder.BuildChannelListener(StuffPerListenUriInfo stuff, ServiceHostBase serviceHost, Uri listenUri, ListenUriMode listenUriMode, Boolean supportContextSession, IChannelListener& result)
   at System.ServiceModel.Description.DispatcherBuilder.InitializeServiceHost(ServiceDescription description, ServiceHostBase serviceHost)
   at System.ServiceModel.ServiceHostBase.InitializeRuntime()
   at System.ServiceModel.ServiceHostBase.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at Microsoft.Dynamics.Nav.WindowsServices.NavServerWindowsService.StartWcfServices()
   at Microsoft.Dynamics.Nav.WindowsServices.NavServerWindowsService.Start(String commandLineServiceInstanceName).
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="MicrosoftDynamicsNavServer$NAVCert" />
    <EventID Qualifiers="0">200</EventID>
    <Level>2</Level>
    <Task>12</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2015-02-23T20:09:13.000000000Z" />
    <EventRecordID>34915</EventRecordID>
    <Channel>Application</Channel>
    <Computer>NAVI.dnc.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data>Server instance: NAVCert
The service MicrosoftDynamicsNavServer$NAVCert failed to start. This could be caused by a configuration error. Detailed error information:System.ArgumentException: It is likely that certificate 'CN=DNCService' may not have a private key that is capable of key exchange or the process may not have access rights for the private key. Please see inner exception for detail.
   at System.ServiceModel.Security.SecurityUtils.EnsureCertificateCanDoKeyExchange(X509Certificate2 certificate)
   at System.ServiceModel.Security.ServiceCredentialsSecurityTokenManager.CreateServerX509TokenProvider()
   at System.ServiceModel.Security.ServiceCredentialsSecurityTokenManager.CreateLocalSecurityTokenProvider(RecipientServiceModelSecurityTokenRequirement recipientRequirement)
   at System.ServiceModel.Security.ServiceCredentialsSecurityTokenManager.CreateSecurityTokenProvider(SecurityTokenRequirement requirement)
   at System.ServiceModel.Channels.SslStreamSecurityUpgradeProvider.CreateServerProvider(SslStreamSecurityBindingElement bindingElement, BindingContext context)
   at System.ServiceModel.Channels.SslStreamSecurityBindingElement.BuildServerStreamUpgradeProvider(BindingContext context)
   at System.ServiceModel.Channels.ConnectionOrientedTransportChannelListener..ctor(ConnectionOrientedTransportBindingElement bindingElement, BindingContext context)
   at System.ServiceModel.Channels.TcpChannelListener..ctor(TcpTransportBindingElement bindingElement, BindingContext context)
   at System.ServiceModel.Channels.TcpTransportBindingElement.BuildChannelListener[TChannel](BindingContext context)
   at System.ServiceModel.Channels.SessionChannelDemuxer`2..ctor(BindingContext context, TimeSpan peekTimeout, Int32 maxPendingSessions)
   at System.ServiceModel.Channels.ChannelDemuxer.CreateTypedDemuxer(Type channelType, BindingContext context)
   at System.ServiceModel.Channels.ChannelDemuxer.GetTypedDemuxer(Type channelType, BindingContext context)
   at System.ServiceModel.Channels.ChannelDemuxer.BuildChannelListener[TChannel](BindingContext context, ChannelDemuxerFilter filter)
   at System.ServiceModel.Channels.ChannelBuilder.BuildChannelListener[TChannel]()
   at System.ServiceModel.Channels.ChannelBuilder.BuildChannelListener[TChannel](MessageFilter filter, Int32 priority)
   at System.ServiceModel.Security.SecuritySessionServerSettings.CreateInnerChannelListener()
   at System.ServiceModel.Channels.SecurityChannelListener`1.InitializeListener(ChannelBuilder channelBuilder)
   at System.ServiceModel.Channels.TransportSecurityBindingElement.BuildChannelListenerCore[TChannel](BindingContext context)
   at System.ServiceModel.Channels.SecurityBindingElement.BuildChannelListener[TChannel](BindingContext context)
   at System.ServiceModel.Channels.ReliableChannelListener`3..ctor(ReliableSessionBindingElement binding, BindingContext context)
   at System.ServiceModel.Channels.ReliableListenerOverDuplexSession`2..ctor(ReliableSessionBindingElement binding, BindingContext context)
   at System.ServiceModel.Channels.ReliableSessionBindingElement.BuildChannelListener[TChannel](BindingContext context)
   at Microsoft.Dynamics.Nav.Types.Channels.ChunkingBindingElement.BuildChannelListener[TChannel](BindingContext context)
   at System.ServiceModel.Channels.Binding.BuildChannelListener[TChannel](Uri listenUriBaseAddress, String listenUriRelativeAddress, ListenUriMode listenUriMode, BindingParameterCollection parameters)
   at System.ServiceModel.Description.DispatcherBuilder.MaybeCreateListener(Boolean actuallyCreate, Type[] supportedChannels, Binding binding, BindingParameterCollection parameters, Uri listenUriBaseAddress, String listenUriRelativeAddress, ListenUriMode listenUriMode, ServiceThrottle throttle, IChannelListener&amp; result, Boolean supportContextSession)
   at System.ServiceModel.Description.DispatcherBuilder.BuildChannelListener(StuffPerListenUriInfo stuff, ServiceHostBase serviceHost, Uri listenUri, ListenUriMode listenUriMode, Boolean supportContextSession, IChannelListener&amp; result)
   at System.ServiceModel.Description.DispatcherBuilder.InitializeServiceHost(ServiceDescription description, ServiceHostBase serviceHost)
   at System.ServiceModel.ServiceHostBase.InitializeRuntime()
   at System.ServiceModel.ServiceHostBase.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at Microsoft.Dynamics.Nav.WindowsServices.NavServerWindowsService.StartWcfServices()
   at Microsoft.Dynamics.Nav.WindowsServices.NavServerWindowsService.Start(String commandLineServiceInstanceName).</Data>
  </EventData>
</Event>

Open in new window

0
 

Accepted Solution

by:
tarkmyler earned 0 total points
ID: 40630816
No help on this forum, but in the spirit of helping the next poor soul who googles this issue here is what I did.  I finally ended up on the domain controller where I ran mmc.exe and added the Certificate Templates snap-in.  Then I modified security for the Computer template and added my service account there.  I suspect that this was the fix, but I also followed these steps:

1. Cleared certificate cache - certutil -URLCache crl -delete
2. Created batch file with makecert commands
3. Ran batch file as Administrator
 
The "Manage Private Keys" option showed up after that, but already contained by service account (ie: template change).
0

Featured Post

Efficient way to get backups off site to Azure

This user guide provides instructions on how to deploy and configure both a StoneFly Scale Out NAS Enterprise Cloud Drive virtual machine and Veeam Cloud Connect in the Microsoft Azure Cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

One of the biggest threats facing all high-value targets are APT's.  These threats include sophisticated tactics that "often starts with mapping human organization and collecting intelligence on employees, who are nowadays a weaker link than network…
Each year, investment in cloud platforms grows more than 20% (https://www.immun.io/hubfs/Immunio_2016/Content/Marketing/Cloud-Security-Report-2016.pdf?submissionGuid=a8d80a00-6fee-4b85-81db-a4e28f681762) as an increasing number of companies begin to…
With the advent of Windows 10, Microsoft is pushing a Get Windows 10 icon into the notification area (system tray) of qualifying computers. There are many reasons for wanting to remove this icon. This two-part Experts Exchange video Micro Tutorial s…
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …

777 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question