Tuesday, September 30, 2008

Cannot find the X.509 certificate using the following search criteria: StoreName 'My', StoreLocation 'LocalMachine', FindType 'FindBySubjectName'

I tried to hook up my portal with a WCF service but got error: Cannot find the X.509 certificate using the following search criteria: StoreName 'My', StoreLocation CurrentUser, FindType 'FindBySubjectName', FindValue.

The app pool of this portal runs under the NetworkService account. The cert is in the CurrentUser store. Why can't the portal server find this cert?

It is because NetworkService will not search for the cert in the CurrentUser store. CurrentUser is only my logon account's store. Since the portal can run without any user logged on, or with multiple users logged on, NetworkService cannot know which "CurrentUser" store to search for the cert.

Two solutions:

(1) Use a cert in LocalMachine then NetworkService is able to find it.

(2) Using my own logon account instead of the built-in accounts for the app pool also resolved the problem.

Possible solution:
You may use the NetworkService account but create a CurrentUser cert store for NetworkService. To do this, in MMC, create a cert store for the WWW service. Then NetworkService may treat this store as its "CurrentUser" store and search for certs in it. I have not tried this.

On 2/26/2009, I encountered the same issue. I did not find anything wrong after running all the verification steps. The cert was not expired, the permissions were correct, the cert chain was normal, etc. Finally, I had to delete and reinstall the cert. Then it worked. This means the cert store can cheat somehow.
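The following PowerShell script is an added example, not code from the original post. It repeats the lookup WCF performs for FindType 'FindBySubjectName' against the 'My' store in both CurrentUser and LocalMachine, then runs the expiry and chain checks mentioned above on every match, so you can see which store actually holds the cert and whether it would validate. 'MyServiceCert' is a placeholder subject name; substitute the FindValue from your WCF configuration.

```powershell
# Added example (not from the original post). Run as the interactive user: the
# CurrentUser store inspected here is that user's, not NetworkService's, which is
# exactly why a cert found only there is invisible to the app pool.
# 'MyServiceCert' is a placeholder; use the FindValue from your WCF binding.
param([string]$SubjectName = 'MyServiceCert')

function Find-WcfCertificate {
    param(
        [string]$Subject,
        [System.Security.Cryptography.X509Certificates.StoreLocation]$Location
    )
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', $Location)
    try {
        $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)
        # FindBySubjectName is a case-insensitive substring match on the Subject field.
        # validOnly=$false returns expired or untrusted certs too; validity is checked below.
        $store.Certificates.Find(
            [System.Security.Cryptography.X509Certificates.X509FindType]::FindBySubjectName,
            $Subject, $false)
    }
    finally {
        $store.Close()
    }
}

foreach ($location in 'CurrentUser', 'LocalMachine') {
    $found = @(Find-WcfCertificate -Subject $SubjectName -Location $location)
    Write-Host ("{0}\My: {1} match(es) for '{2}'" -f $location, $found.Count, $SubjectName)
    foreach ($cert in $found) {
        # Verify() builds and validates the chain (expiry, trust, revocation where reachable).
        # A correct subject with ChainValid=False points at the cert itself, not the lookup.
        $line = "  {0}  NotAfter={1:yyyy-MM-dd}  PrivateKey={2}  ChainValid={3}"
        Write-Host ($line -f $cert.Thumbprint, $cert.NotAfter, $cert.HasPrivateKey, $cert.Verify())
    }
}

# Solution (1) from the post: the app pool identity only sees LocalMachine\My.
$machineMatches = @(Find-WcfCertificate -Subject $SubjectName -Location 'LocalMachine')
if ($machineMatches.Count -eq 0) {
    Write-Warning "No match in LocalMachine\My: an app pool running as NetworkService will not find this cert."
}
```

Run it in an elevated PowerShell session so the LocalMachine store opens without access errors; a cert that shows PrivateKey=True but still fails at runtime usually needs its private key ACL extended to the app pool identity.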
