.NET Core 5.0: X509Certificate2 - No credentials are available in the security package #45680

Closed
ststeiger opened this issue Dec 7, 2020 · 8 comments

Comments

@ststeiger

In .NET Core 5.0 with Kestrel, I'm getting

"No credentials are available in the security package"

when doing SSL with Kestrel on Windows.
It works fine on Linux! (including with nginx)
Also, the SNI callback frequently has string.Empty as the SNI "name".
That's a bit of a pity ...

To reproduce, run TestApplicationHttps
https://github.com/ststeiger/SelfSignedCertificateGenerator/tree/master/TestApplicationHttps

It uses a self-signed ssl-certificate generated with
https://github.com/ststeiger/SelfSignedCertificateGenerator/tree/master/SelfSignedCertificateGenerator
with a self-generated root certificate.

Add the root-certificate to "trusted root certificates".

I'm using the SNI-callback to dynamically load the SSL certificate (it can change at runtime).

            listenOptions.UseHttps(
                delegate (Microsoft.AspNetCore.Server.Kestrel.Https.HttpsConnectionAdapterOptions httpsOptions)
                {
                    UseHttps(certs, httpsOptions);

                    httpsOptions.ServerCertificateSelector =
                        delegate (Microsoft.AspNetCore.Connections.ConnectionContext connectionContext, string name)
                        {
                            return ServerCertificateSelector(certs, connectionContext, name);
                        };

                }
            ); // End ListenOptions.UseHttps

This is the selector


        public static System.Security.Cryptography.X509Certificates.X509Certificate2 ServerCertificateSelector(
              System.Collections.Concurrent.ConcurrentDictionary<string, System.Security.Cryptography.X509Certificates.X509Certificate2> certs
            , Microsoft.AspNetCore.Connections.ConnectionContext connectionContext
            , string name)
        {
            System.Security.Cryptography.X509Certificates.X509Certificate2 cert;

            if (certs != null && certs.Count > 0)
            {
                // return certs.GetEnumerator().Current.Value;
                // return System.Linq.Enumerable.FirstOrDefault(certs);
                foreach (var thisCert  in certs)
                {
                    System.Console.WriteLine("SNI Name: {0}", name);
                    return thisCert.Value;
                }
            }


            /*
            if (name != null && certs.TryGetValue(name, out cert))
            {
                return cert;
            }
            */

            throw new System.IO.InvalidDataException("No certificate for name \"" + name + "\".");
        } // End Function ServerCertificateSelector 

Certificate is loaded like

        public static System.Security.Cryptography.X509Certificates.X509Certificate2 GetCert()
        {
            string cert = SecretManager.GetSecret<string>("ssl_cert");
            string key = SecretManager.GetSecret<string>("ssl_key");

            System.ReadOnlySpan<char> certSpan = System.MemoryExtensions.AsSpan(cert);
            System.ReadOnlySpan<char> keySpan = System.MemoryExtensions.AsSpan(key);


            System.Security.Cryptography.X509Certificates.X509Certificate2 certSslLoaded = System.Security.Cryptography.X509Certificates.X509Certificate2.CreateFromPem(certSpan, keySpan);
            return certSslLoaded;
        }

It works on Linux!
But on Windoze...


warn: Microsoft.AspNetCore.Server.Kestrel[0]
      Overriding address(es) 'https://localhost:5005'. Binding to endpoints defined in UseKestrel() instead.
info: Microsoft.Hosting.Lifetime[0]
      Now listening on: https://[::]:5005
info: Microsoft.Hosting.Lifetime[0]
      Application started. Press Ctrl+C to shut down.
info: Microsoft.Hosting.Lifetime[0]
      Hosting environment: Development
info: Microsoft.Hosting.Lifetime[0]
      Content root path: D:\Stefan.Steiger\Documents\Visual Studio 2017\Projects\SelfSignedCertificateGenerator\TestApplicationHttps
SNI Name: localhost
SNI Name: localhost
fail: Microsoft.AspNetCore.Server.Kestrel[0]
      Unhandled exception while processing 0HM4QLCD86JR3.
      System.ComponentModel.Win32Exception (0x8009030E): No credentials are available in the security package.
         at System.Net.SSPIWrapper.AcquireCredentialsHandle(ISSPIInterface secModule, String package, CredentialUse intent, SCHANNEL_CRED* scc)
         at System.Net.Security.SslStreamPal.AcquireCredentialsHandle(CredentialUse credUsage, SCHANNEL_CRED* secureCredential)
         at System.Net.Security.SslStreamPal.AcquireCredentialsHandleSchannelCred(X509Certificate certificate, SslProtocols protocols, EncryptionPolicy policy, Boolean isServer)
         at System.Net.Security.SslStreamPal.AcquireCredentialsHandle(SslStreamCertificateContext certificateContext, SslProtocols protocols, EncryptionPolicy policy, Boolean isServer)
         at System.Net.Security.SecureChannel.AcquireServerCredentials(Byte[]& thumbPrint)
         at System.Net.Security.SecureChannel.GenerateToken(ReadOnlySpan`1 inputBuffer, Byte[]& output)
         at System.Net.Security.SecureChannel.NextMessage(ReadOnlySpan`1 incomingBuffer)
         at System.Net.Security.SslStream.ProcessBlob(Int32 frameSize)
         at System.Net.Security.SslStream.ReceiveBlobAsync[TIOAdapter](TIOAdapter adapter)
         at System.Net.Security.SslStream.ForceAuthenticationAsync[TIOAdapter](TIOAdapter adapter, Boolean receiveFirst, Byte[] reAuthenticationData, Boolean isApm)
         at Microsoft.AspNetCore.Server.Kestrel.Https.Internal.HttpsConnectionMiddleware.OnConnectionAsync(ConnectionContext context)
         at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Infrastructure.KestrelConnection`1.ExecuteAsync()
fail: Microsoft.AspNetCore.Server.Kestrel[0]
      Unhandled exception while processing 0HM4QLCD86JR2.
      System.ComponentModel.Win32Exception (0x8009030E): No credentials are available in the security package.
         at System.Net.SSPIWrapper.AcquireCredentialsHandle(ISSPIInterface secModule, String package, CredentialUse intent, SCHANNEL_CRED* scc)
         at System.Net.Security.SslStreamPal.AcquireCredentialsHandle(CredentialUse credUsage, SCHANNEL_CRED* secureCredential)
         at System.Net.Security.SslStreamPal.AcquireCredentialsHandleSchannelCred(X509Certificate certificate, SslProtocols protocols, EncryptionPolicy policy, Boolean isServer)
         at System.Net.Security.SslStreamPal.AcquireCredentialsHandle(SslStreamCertificateContext certificateContext, SslProtocols protocols, EncryptionPolicy policy, Boolean isServer)
         at System.Net.Security.SecureChannel.AcquireServerCredentials(Byte[]& thumbPrint)
         at System.Net.Security.SecureChannel.GenerateToken(ReadOnlySpan`1 inputBuffer, Byte[]& output)
         at System.Net.Security.SecureChannel.NextMessage(ReadOnlySpan`1 incomingBuffer)
         at System.Net.Security.SslStream.ProcessBlob(Int32 frameSize)
         at System.Net.Security.SslStream.ReceiveBlobAsync[TIOAdapter](TIOAdapter adapter)
         at System.Net.Security.SslStream.ForceAuthenticationAsync[TIOAdapter](TIOAdapter adapter, Boolean receiveFirst, Byte[] reAuthenticationData, Boolean isApm)
         at Microsoft.AspNetCore.Server.Kestrel.Https.Internal.HttpsConnectionMiddleware.OnConnectionAsync(ConnectionContext context)
         at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Infrastructure.KestrelConnection`1.ExecuteAsync()

@ststeiger (Author)

ststeiger commented Dec 7, 2020

Seems like ticket 27493/23749 was closed prematurely.
#27493 / #23749

@ststeiger (Author)

ststeiger commented Dec 7, 2020

OK, simplified the workaround from #23749:

return new System.Security.Cryptography.X509Certificates.X509Certificate2(
     thisCert.Value.Export(
        System.Security.Cryptography.X509Certificates.X509ContentType.Pkcs12
    )
);

aka

        public static System.Security.Cryptography.X509Certificates.X509Certificate2 ServerCertificateSelector(
              System.Collections.Concurrent.ConcurrentDictionary<string, System.Security.Cryptography.X509Certificates.X509Certificate2> certs
            , Microsoft.AspNetCore.Connections.ConnectionContext connectionContext
            , string name)
        {
            System.Security.Cryptography.X509Certificates.X509Certificate2 cert;

            if (certs != null && certs.Count > 0)
            {
                // return certs.GetEnumerator().Current.Value;
                // return System.Linq.Enumerable.FirstOrDefault(certs);
                foreach (var thisCert in certs)
                {
                    System.Console.WriteLine("SNI Name: {0}", name);

                    // Linux/macOS: the certificate from CreateFromPem works as-is.
                    if (!System.Runtime.InteropServices.RuntimeInformation.IsOSPlatform(System.Runtime.InteropServices.OSPlatform.Windows))
                        return thisCert.Value;

                    // Hack for Windoze Bug No credentials are available in the security package 
                    // SslStream not working with ephemeral keys
                    // Export to PKCS#12 and import again so the key is no longer ephemeral.
                    return new System.Security.Cryptography.X509Certificates.X509Certificate2(
                            thisCert.Value.Export(
                                System.Security.Cryptography.X509Certificates.X509ContentType.Pkcs12
                            )
                    );
                }
            }

            throw new System.IO.InvalidDataException("No certificate for name \"" + name + "\".");
        } // End Function ServerCertificateSelector

That works around the bug(s) in Windows...
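The following is an added example and is not code from the issue author or from the dotnet repository. It combines the two pieces the thread discusses, the PKCS#12 round-trip that makes a `CreateFromPem` certificate usable by Schannel on Windows, and an SNI selector that looks the certificate up by name instead of returning the first entry, into one loader that runs the round-trip once per certificate rather than once per handshake. The host names (`localhost`, `*.example.test`) are placeholders, and the PEM strings are assumed to come from the application's own secret store (the thread's `SecretManager` is the author's helper and is not used here).

```csharp
using System;
using System.Collections.Concurrent;
using System.Runtime.InteropServices;
using System.Security.Cryptography.X509Certificates;

// Added example, not code from the issue. On Windows, X509Certificate2.CreateFromPem
// yields a certificate whose private key is ephemeral, and Schannel cannot acquire
// credentials from it (0x8009030E, "No credentials are available in the security
// package"). Round-tripping through PKCS#12 gives the key a CAPI/CNG container that
// Schannel can use. The cache below runs that round-trip once per certificate.
public static class ServerCertificates
{
    // Host name -> certificate; DNS names are case-insensitive, so compare that way.
    private static readonly ConcurrentDictionary<string, X509Certificate2> Certs =
        new ConcurrentDictionary<string, X509Certificate2>(StringComparer.OrdinalIgnoreCase);

    // Placeholder default name (assumption): served when the client sends no SNI.
    public const string DefaultHost = "localhost";

    // Load a PEM certificate/key pair in a form SslStream accepts on every OS.
    public static X509Certificate2 LoadForTls(string certPem, string keyPem)
    {
        X509Certificate2 cert = X509Certificate2.CreateFromPem(certPem.AsSpan(), keyPem.AsSpan());
        if (!cert.HasPrivateKey)
            throw new InvalidOperationException("PEM input did not yield a private key.");

        if (!RuntimeInformation.IsOSPlatform(OSPlatform.Windows))
            return cert; // OpenSSL-backed SslStream is fine with an ephemeral key.

        // Windows only: re-import through PKCS#12 so the key is backed by a key
        // container. An export with no password protects the key only with an empty
        // password, so the buffer is cleared as soon as the import is done.
        byte[] pfx = cert.Export(X509ContentType.Pkcs12);
        try
        {
            return new X509Certificate2(pfx, (string)null, X509KeyStorageFlags.DefaultKeySet);
        }
        finally
        {
            Array.Clear(pfx, 0, pfx.Length);
            cert.Dispose();
        }
    }

    // Register one certificate for every DNS name it should answer for.
    // "*.example.test" registers a wildcard for names directly under example.test.
    public static void Register(X509Certificate2 cert, params string[] hostNames)
    {
        foreach (string host in hostNames)
            Certs[host] = cert;
    }

    // Kestrel ServerCertificateSelector body: choose the certificate by SNI name.
    public static X509Certificate2 Select(string sniName)
    {
        // Clients connecting by IP literal send no SNI, and some omit it for
        // "localhost" too; Kestrel then passes null or "" (the empty name the
        // issue mentions). Serve the default certificate rather than failing.
        if (string.IsNullOrEmpty(sniName))
            return Require(DefaultHost);

        if (Certs.TryGetValue(sniName, out X509Certificate2 exact))
            return exact;

        // Wildcard matching as in RFC 6125: "*" covers exactly one leftmost label.
        int dot = sniName.IndexOf('.');
        if (dot > 0 && Certs.TryGetValue("*" + sniName.Substring(dot), out X509Certificate2 wildcard))
            return wildcard;

        // Unknown name: fail the handshake instead of presenting a certificate for
        // a different host, the same choice the issue's selector makes.
        throw new InvalidOperationException($"No certificate for SNI name \"{sniName}\".");
    }

    private static X509Certificate2 Require(string host)
    {
        if (Certs.TryGetValue(host, out X509Certificate2 cert))
            return cert;
        throw new InvalidOperationException($"No certificate registered for \"{host}\".");
    }
}

// Wiring inside the ListenOptions callback, with certPem/keyPem read from the
// application's own secret store (names are placeholders):
//
//   ServerCertificates.Register(ServerCertificates.LoadForTls(certPem, keyPem),
//                               "localhost", "*.example.test");
//   listenOptions.UseHttps(httpsOptions =>
//       httpsOptions.ServerCertificateSelector =
//           (connectionContext, name) => ServerCertificates.Select(name));
```

Two points worth keeping in mind when adapting this. Doing the export/import inside the selector, as the comment above does, works but repeats the round-trip for every connection and persists a fresh key container on each import; loading once and caching avoids both. And when a certificate is swapped at runtime, do not dispose the old `X509Certificate2` until in-flight handshakes that received it have finished, since the selector may already have handed it to `SslStream`.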

@ghost

ghost commented Dec 7, 2020

Tagging subscribers to this area: @dotnet/ncl
See info in area-owners.md if you want to be subscribed.

         at System.Net.Security.SslStream.ReceiveBlobAsync[TIOAdapter](TIOAdapter adapter)
         at System.Net.Security.SslStream.ForceAuthenticationAsync[TIOAdapter](TIOAdapter adapter, Boolean receiveFirst, Byte[] reAuthenticationData, Boolean isApm)
         at Microsoft.AspNetCore.Server.Kestrel.Https.Internal.HttpsConnectionMiddleware.OnConnectionAsync(ConnectionContext context)
         at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Infrastructure.KestrelConnection`1.ExecuteAsync()
SNI Name: localhost
SNI Name: localhost
fail: Microsoft.AspNetCore.Server.Kestrel[0]
      Unhandled exception while processing 0HM4QLCD86JR4.
      System.ComponentModel.Win32Exception (0x8009030E): Im Sicherheitspaket sind keine Anmeldeinformationen verfügbar.
         at System.Net.SSPIWrapper.AcquireCredentialsHandle(ISSPIInterface secModule, String package, CredentialUse intent, SCHANNEL_CRED* scc)
         at System.Net.Security.SslStreamPal.AcquireCredentialsHandle(CredentialUse credUsage, SCHANNEL_CRED* secureCredential)
         at System.Net.Security.SslStreamPal.AcquireCredentialsHandleSchannelCred(X509Certificate certificate, SslProtocols protocols, EncryptionPolicy policy, Boolean isServer)
         at System.Net.Security.SslStreamPal.AcquireCredentialsHandle(SslStreamCertificateContext certificateContext, SslProtocols protocols, EncryptionPolicy policy, Boolean isServer)
         at System.Net.Security.SecureChannel.AcquireServerCredentials(Byte[]& thumbPrint)
         at System.Net.Security.SecureChannel.GenerateToken(ReadOnlySpan`1 inputBuffer, Byte[]& output)
         at System.Net.Security.SecureChannel.NextMessage(ReadOnlySpan`1 incomingBuffer)
         at System.Net.Security.SslStream.ProcessBlob(Int32 frameSize)
         at System.Net.Security.SslStream.ReceiveBlobAsync[TIOAdapter](TIOAdapter adapter)
         at System.Net.Security.SslStream.ForceAuthenticationAsync[TIOAdapter](TIOAdapter adapter, Boolean receiveFirst, Byte[] reAuthenticationData, Boolean isApm)
         at Microsoft.AspNetCore.Server.Kestrel.Https.Internal.HttpsConnectionMiddleware.OnConnectionAsync(ConnectionContext context)
         at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Infrastructure.KestrelConnection`1.ExecuteAsync()
fail: Microsoft.AspNetCore.Server.Kestrel[0]
      Unhandled exception while processing 0HM4QLCD86JR5.
      System.ComponentModel.Win32Exception (0x8009030E): Im Sicherheitspaket sind keine Anmeldeinformationen verfügbar.
         at System.Net.SSPIWrapper.AcquireCredentialsHandle(ISSPIInterface secModule, String package, CredentialUse intent, SCHANNEL_CRED* scc)
         at System.Net.Security.SslStreamPal.AcquireCredentialsHandle(CredentialUse credUsage, SCHANNEL_CRED* secureCredential)
         at System.Net.Security.SslStreamPal.AcquireCredentialsHandleSchannelCred(X509Certificate certificate, SslProtocols protocols, EncryptionPolicy policy, Boolean isServer)
         at System.Net.Security.SslStreamPal.AcquireCredentialsHandle(SslStreamCertificateContext certificateContext, SslProtocols protocols, EncryptionPolicy policy, Boolean isServer)
         at System.Net.Security.SecureChannel.AcquireServerCredentials(Byte[]& thumbPrint)
         at System.Net.Security.SecureChannel.GenerateToken(ReadOnlySpan`1 inputBuffer, Byte[]& output)
         at System.Net.Security.SecureChannel.NextMessage(ReadOnlySpan`1 incomingBuffer)
         at System.Net.Security.SslStream.ProcessBlob(Int32 frameSize)
         at System.Net.Security.SslStream.ReceiveBlobAsync[TIOAdapter](TIOAdapter adapter)
         at System.Net.Security.SslStream.ForceAuthenticationAsync[TIOAdapter](TIOAdapter adapter, Boolean receiveFirst, Byte[] reAuthenticationData, Boolean isApm)
         at Microsoft.AspNetCore.Server.Kestrel.Https.Internal.HttpsConnectionMiddleware.OnConnectionAsync(ConnectionContext context)
         at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Infrastructure.KestrelConnection`1.ExecuteAsync()
SNI Name: localhost
SNI Name: localhost
fail: Microsoft.AspNetCore.Server.Kestrel[0]
      Unhandled exception while processing 0HM4QLCD86JR6.
      System.ComponentModel.Win32Exception (0x8009030E): Im Sicherheitspaket sind keine Anmeldeinformationen verfügbar.
         at System.Net.SSPIWrapper.AcquireCredentialsHandle(ISSPIInterface secModule, String package, CredentialUse intent, SCHANNEL_CRED* scc)
         at System.Net.Security.SslStreamPal.AcquireCredentialsHandle(CredentialUse credUsage, SCHANNEL_CRED* secureCredential)
         at System.Net.Security.SslStreamPal.AcquireCredentialsHandleSchannelCred(X509Certificate certificate, SslProtocols protocols, EncryptionPolicy policy, Boolean isServer)
         at System.Net.Security.SslStreamPal.AcquireCredentialsHandle(SslStreamCertificateContext certificateContext, SslProtocols protocols, EncryptionPolicy policy, Boolean isServer)
         at System.Net.Security.SecureChannel.AcquireServerCredentials(Byte[]& thumbPrint)
         at System.Net.Security.SecureChannel.GenerateToken(ReadOnlySpan`1 inputBuffer, Byte[]& output)
         at System.Net.Security.SecureChannel.NextMessage(ReadOnlySpan`1 incomingBuffer)
         at System.Net.Security.SslStream.ProcessBlob(Int32 frameSize)
         at System.Net.Security.SslStream.ReceiveBlobAsync[TIOAdapter](TIOAdapter adapter)
         at System.Net.Security.SslStream.ForceAuthenticationAsync[TIOAdapter](TIOAdapter adapter, Boolean receiveFirst, Byte[] reAuthenticationData, Boolean isApm)
         at Microsoft.AspNetCore.Server.Kestrel.Https.Internal.HttpsConnectionMiddleware.OnConnectionAsync(ConnectionContext context)
         at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Infrastructure.KestrelConnection`1.ExecuteAsync()
fail: Microsoft.AspNetCore.Server.Kestrel[0]
      Unhandled exception while processing 0HM4QLCD86JR7.
      System.ComponentModel.Win32Exception (0x8009030E): Im Sicherheitspaket sind keine Anmeldeinformationen verfügbar.
         at System.Net.SSPIWrapper.AcquireCredentialsHandle(ISSPIInterface secModule, String package, CredentialUse intent, SCHANNEL_CRED* scc)
         at System.Net.Security.SslStreamPal.AcquireCredentialsHandle(CredentialUse credUsage, SCHANNEL_CRED* secureCredential)
         at System.Net.Security.SslStreamPal.AcquireCredentialsHandleSchannelCred(X509Certificate certificate, SslProtocols protocols, EncryptionPolicy policy, Boolean isServer)
         at System.Net.Security.SslStreamPal.AcquireCredentialsHandle(SslStreamCertificateContext certificateContext, SslProtocols protocols, EncryptionPolicy policy, Boolean isServer)
         at System.Net.Security.SecureChannel.AcquireServerCredentials(Byte[]& thumbPrint)
         at System.Net.Security.SecureChannel.GenerateToken(ReadOnlySpan`1 inputBuffer, Byte[]& output)
         at System.Net.Security.SecureChannel.NextMessage(ReadOnlySpan`1 incomingBuffer)
         at System.Net.Security.SslStream.ProcessBlob(Int32 frameSize)
         at System.Net.Security.SslStream.ReceiveBlobAsync[TIOAdapter](TIOAdapter adapter)
         at System.Net.Security.SslStream.ForceAuthenticationAsync[TIOAdapter](TIOAdapter adapter, Boolean receiveFirst, Byte[] reAuthenticationData, Boolean isApm)
         at Microsoft.AspNetCore.Server.Kestrel.Https.Internal.HttpsConnectionMiddleware.OnConnectionAsync(ConnectionContext context)
         at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Infrastructure.KestrelConnection`1.ExecuteAsync()
SNI Name: localhost
SNI Name: localhost
fail: Microsoft.AspNetCore.Server.Kestrel[0]
      Unhandled exception while processing 0HM4QLCD86JR8.
      System.ComponentModel.Win32Exception (0x8009030E): Im Sicherheitspaket sind keine Anmeldeinformationen verfügbar.
         at System.Net.SSPIWrapper.AcquireCredentialsHandle(ISSPIInterface secModule, String package, CredentialUse intent, SCHANNEL_CRED* scc)
         at System.Net.Security.SslStreamPal.AcquireCredentialsHandle(CredentialUse credUsage, SCHANNEL_CRED* secureCredential)
         at System.Net.Security.SslStreamPal.AcquireCredentialsHandleSchannelCred(X509Certificate certificate, SslProtocols protocols, EncryptionPolicy policy, Boolean isServer)
         at System.Net.Security.SslStreamPal.AcquireCredentialsHandle(SslStreamCertificateContext certificateContext, SslProtocols protocols, EncryptionPolicy policy, Boolean isServer)
         at System.Net.Security.SecureChannel.AcquireServerCredentials(Byte[]& thumbPrint)
         at System.Net.Security.SecureChannel.GenerateToken(ReadOnlySpan`1 inputBuffer, Byte[]& output)
         at System.Net.Security.SecureChannel.NextMessage(ReadOnlySpan`1 incomingBuffer)
         at System.Net.Security.SslStream.ProcessBlob(Int32 frameSize)
         at System.Net.Security.SslStream.ReceiveBlobAsync[TIOAdapter](TIOAdapter adapter)
         at System.Net.Security.SslStream.ForceAuthenticationAsync[TIOAdapter](TIOAdapter adapter, Boolean receiveFirst, Byte[] reAuthenticationData, Boolean isApm)
         at Microsoft.AspNetCore.Server.Kestrel.Https.Internal.HttpsConnectionMiddleware.OnConnectionAsync(ConnectionContext context)
         at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Infrastructure.KestrelConnection`1.ExecuteAsync()
fail: Microsoft.AspNetCore.Server.Kestrel[0]
      Unhandled exception while processing 0HM4QLCD86JR9.
      System.ComponentModel.Win32Exception (0x8009030E): Im Sicherheitspaket sind keine Anmeldeinformationen verfügbar.
         at System.Net.SSPIWrapper.AcquireCredentialsHandle(ISSPIInterface secModule, String package, CredentialUse intent, SCHANNEL_CRED* scc)
         at System.Net.Security.SslStreamPal.AcquireCredentialsHandle(CredentialUse credUsage, SCHANNEL_CRED* secureCredential)
         at System.Net.Security.SslStreamPal.AcquireCredentialsHandleSchannelCred(X509Certificate certificate, SslProtocols protocols, EncryptionPolicy policy, Boolean isServer)
         at System.Net.Security.SslStreamPal.AcquireCredentialsHandle(SslStreamCertificateContext certificateContext, SslProtocols protocols, EncryptionPolicy policy, Boolean isServer)
         at System.Net.Security.SecureChannel.AcquireServerCredentials(Byte[]& thumbPrint)
         at System.Net.Security.SecureChannel.GenerateToken(ReadOnlySpan`1 inputBuffer, Byte[]& output)
         at System.Net.Security.SecureChannel.NextMessage(ReadOnlySpan`1 incomingBuffer)
         at System.Net.Security.SslStream.ProcessBlob(Int32 frameSize)
         at System.Net.Security.SslStream.ReceiveBlobAsync[TIOAdapter](TIOAdapter adapter)
         at System.Net.Security.SslStream.ForceAuthenticationAsync[TIOAdapter](TIOAdapter adapter, Boolean receiveFirst, Byte[] reAuthenticationData, Boolean isApm)
         at Microsoft.AspNetCore.Server.Kestrel.Https.Internal.HttpsConnectionMiddleware.OnConnectionAsync(ConnectionContext context)
         at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Infrastructure.KestrelConnection`1.ExecuteAsync()
SNI Name: localhost
SNI Name: localhost
fail: Microsoft.AspNetCore.Server.Kestrel[0]
      Unhandled exception while processing 0HM4QLCD86JRA.
      System.ComponentModel.Win32Exception (0x8009030E): Im Sicherheitspaket sind keine Anmeldeinformationen verfügbar.
         at System.Net.SSPIWrapper.AcquireCredentialsHandle(ISSPIInterface secModule, String package, CredentialUse intent, SCHANNEL_CRED* scc)
         at System.Net.Security.SslStreamPal.AcquireCredentialsHandle(CredentialUse credUsage, SCHANNEL_CRED* secureCredential)
         at System.Net.Security.SslStreamPal.AcquireCredentialsHandleSchannelCred(X509Certificate certificate, SslProtocols protocols, EncryptionPolicy policy, Boolean isServer)
         at System.Net.Security.SslStreamPal.AcquireCredentialsHandle(SslStreamCertificateContext certificateContext, SslProtocols protocols, EncryptionPolicy policy, Boolean isServer)
         at System.Net.Security.SecureChannel.AcquireServerCredentials(Byte[]& thumbPrint)
         at System.Net.Security.SecureChannel.GenerateToken(ReadOnlySpan`1 inputBuffer, Byte[]& output)
         at System.Net.Security.SecureChannel.NextMessage(ReadOnlySpan`1 incomingBuffer)
         at System.Net.Security.SslStream.ProcessBlob(Int32 frameSize)
         at System.Net.Security.SslStream.ReceiveBlobAsync[TIOAdapter](TIOAdapter adapter)
         at System.Net.Security.SslStream.ForceAuthenticationAsync[TIOAdapter](TIOAdapter adapter, Boolean receiveFirst, Byte[] reAuthenticationData, Boolean isApm)
         at Microsoft.AspNetCore.Server.Kestrel.Https.Internal.HttpsConnectionMiddleware.OnConnectionAsync(ConnectionContext context)
         at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Infrastructure.KestrelConnection`1.ExecuteAsync()
fail: Microsoft.AspNetCore.Server.Kestrel[0]
      Unhandled exception while processing 0HM4QLCD86JRB.
      System.ComponentModel.Win32Exception (0x8009030E): Im Sicherheitspaket sind keine Anmeldeinformationen verfügbar.
         at System.Net.SSPIWrapper.AcquireCredentialsHandle(ISSPIInterface secModule, String package, CredentialUse intent, SCHANNEL_CRED* scc)
         at System.Net.Security.SslStreamPal.AcquireCredentialsHandle(CredentialUse credUsage, SCHANNEL_CRED* secureCredential)
         at System.Net.Security.SslStreamPal.AcquireCredentialsHandleSchannelCred(X509Certificate certificate, SslProtocols protocols, EncryptionPolicy policy, Boolean isServer)
         at System.Net.Security.SslStreamPal.AcquireCredentialsHandle(SslStreamCertificateContext certificateContext, SslProtocols protocols, EncryptionPolicy policy, Boolean isServer)
         at System.Net.Security.SecureChannel.AcquireServerCredentials(Byte[]& thumbPrint)
         at System.Net.Security.SecureChannel.GenerateToken(ReadOnlySpan`1 inputBuffer, Byte[]& output)
         at System.Net.Security.SecureChannel.NextMessage(ReadOnlySpan`1 incomingBuffer)
         at System.Net.Security.SslStream.ProcessBlob(Int32 frameSize)
         at System.Net.Security.SslStream.ReceiveBlobAsync[TIOAdapter](TIOAdapter adapter)
         at System.Net.Security.SslStream.ForceAuthenticationAsync[TIOAdapter](TIOAdapter adapter, Boolean receiveFirst, Byte[] reAuthenticationData, Boolean isApm)
         at Microsoft.AspNetCore.Server.Kestrel.Https.Internal.HttpsConnectionMiddleware.OnConnectionAsync(ConnectionContext context)
         at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Infrastructure.KestrelConnection`1.ExecuteAsync()
SNI Name: localhost
SNI Name: localhost
fail: Microsoft.AspNetCore.Server.Kestrel[0]
      Unhandled exception while processing 0HM4QLCD86JRC.
      System.ComponentModel.Win32Exception (0x8009030E): Im Sicherheitspaket sind keine Anmeldeinformationen verfügbar.
         at System.Net.SSPIWrapper.AcquireCredentialsHandle(ISSPIInterface secModule, String package, CredentialUse intent, SCHANNEL_CRED* scc)
         at System.Net.Security.SslStreamPal.AcquireCredentialsHandle(CredentialUse credUsage, SCHANNEL_CRED* secureCredential)
         at System.Net.Security.SslStreamPal.AcquireCredentialsHandleSchannelCred(X509Certificate certificate, SslProtocols protocols, EncryptionPolicy policy, Boolean isServer)
         at System.Net.Security.SslStreamPal.AcquireCredentialsHandle(SslStreamCertificateContext certificateContext, SslProtocols protocols, EncryptionPolicy policy, Boolean isServer)
         at System.Net.Security.SecureChannel.AcquireServerCredentials(Byte[]& thumbPrint)
         at System.Net.Security.SecureChannel.GenerateToken(ReadOnlySpan`1 inputBuffer, Byte[]& output)
         at System.Net.Security.SecureChannel.NextMessage(ReadOnlySpan`1 incomingBuffer)
         at System.Net.Security.SslStream.ProcessBlob(Int32 frameSize)
         at System.Net.Security.SslStream.ReceiveBlobAsync[TIOAdapter](TIOAdapter adapter)
         at System.Net.Security.SslStream.ForceAuthenticationAsync[TIOAdapter](TIOAdapter adapter, Boolean receiveFirst, Byte[] reAuthenticationData, Boolean isApm)
         at Microsoft.AspNetCore.Server.Kestrel.Https.Internal.HttpsConnectionMiddleware.OnConnectionAsync(ConnectionContext context)
         at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Infrastructure.KestrelConnection`1.ExecuteAsync()
fail: Microsoft.AspNetCore.Server.Kestrel[0]
      Unhandled exception while processing 0HM4QLCD86JRD.
      System.ComponentModel.Win32Exception (0x8009030E): Im Sicherheitspaket sind keine Anmeldeinformationen verfügbar.
         at System.Net.SSPIWrapper.AcquireCredentialsHandle(ISSPIInterface secModule, String package, CredentialUse intent, SCHANNEL_CRED* scc)
         at System.Net.Security.SslStreamPal.AcquireCredentialsHandle(CredentialUse credUsage, SCHANNEL_CRED* secureCredential)
         at System.Net.Security.SslStreamPal.AcquireCredentialsHandleSchannelCred(X509Certificate certificate, SslProtocols protocols, EncryptionPolicy policy, Boolean isServer)
         at System.Net.Security.SslStreamPal.AcquireCredentialsHandle(SslStreamCertificateContext certificateContext, SslProtocols protocols, EncryptionPolicy policy, Boolean isServer)
         at System.Net.Security.SecureChannel.AcquireServerCredentials(Byte[]& thumbPrint)
         at System.Net.Security.SecureChannel.GenerateToken(ReadOnlySpan`1 inputBuffer, Byte[]& output)
         at System.Net.Security.SecureChannel.NextMessage(ReadOnlySpan`1 incomingBuffer)
         at System.Net.Security.SslStream.ProcessBlob(Int32 frameSize)
         at System.Net.Security.SslStream.ReceiveBlobAsync[TIOAdapter](TIOAdapter adapter)
         at System.Net.Security.SslStream.ForceAuthenticationAsync[TIOAdapter](TIOAdapter adapter, Boolean receiveFirst, Byte[] reAuthenticationData, Boolean isApm)
         at Microsoft.AspNetCore.Server.Kestrel.Https.Internal.HttpsConnectionMiddleware.OnConnectionAsync(ConnectionContext context)
         at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Infrastructure.KestrelConnection`1.ExecuteAsync()

Author: ststeiger
Assignees: -
Labels: area-System.Net
Milestone: -

@wfurt
Member

wfurt commented Dec 7, 2020

Alternatively, you can store certificate and key in X509Store. In general, Schannel cannot work with in-memory keys. So this is really dup of #23749.
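As an added example (not code from the issue, from dotnet/runtime or from the ststeiger repositories), here is one way to turn a PEM-loaded certificate into something Schannel accepts on Windows, together with an SNI selector that copes with the empty server name the issue mentions. It assumes the root cause stated in the thread: `CreateFromPem` gives the certificate an in-memory (ephemeral) key, and Schannel needs a key it can reach through a persisted key container or the X509Store. The PKCS#12 round-trip (`Export` + re-import without `EphemeralKeySet`) is the standard way to get such a key; `AddToPersonalStore` is the X509Store route wfurt suggests. Method names (`LoadSchannelUsableCert`, `BuildCertMap`, `AddToPersonalStore`) and the `defaultHost` parameter are mine, not from the page; the PEM strings would come from the issue's `SecretManager`.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography.X509Certificates;
using Microsoft.AspNetCore.Connections;

public static class SchannelCerts
{
    // Load cert + key from PEM, then re-import via PKCS#12 so the private key is
    // written to a persisted key container. CreateFromPem alone yields an
    // ephemeral key on Windows, which is what makes Schannel report 0x8009030E.
    public static X509Certificate2 LoadSchannelUsableCert(
        string certPem, string keyPem, bool machineKeySet = false)
    {
        using X509Certificate2 ephemeral = X509Certificate2.CreateFromPem(certPem, keyPem);

        // Export(Pkcs12) with no password argument produces an unprotected PFX blob;
        // it lives only in this method and is wiped below.
        byte[] pfx = ephemeral.Export(X509ContentType.Pkcs12);
        try
        {
            // UserKeySet: key container in the user profile (the account Kestrel runs as).
            // MachineKeySet: use when the process runs under a service account without
            // a loaded profile. Neither flag is EphemeralKeySet, so the key persists.
            X509KeyStorageFlags flags = machineKeySet
                ? X509KeyStorageFlags.MachineKeySet
                : X509KeyStorageFlags.UserKeySet;

            // (string)null selects the string-password overload; the PFX has no password.
            return new X509Certificate2(pfx, (string)null, flags);
        }
        finally
        {
            Array.Clear(pfx, 0, pfx.Length); // the blob contained the private key
        }
    }

    // Optional: put the certificate into CurrentUser\My, the X509Store approach
    // suggested in the thread. Requires a cert whose key is already persisted.
    public static void AddToPersonalStore(X509Certificate2 cert)
    {
        using var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
        store.Open(OpenFlags.ReadWrite);
        store.Add(cert);
    }

    // Host names are case-insensitive, so the map is keyed accordingly.
    public static ConcurrentDictionary<string, X509Certificate2> BuildCertMap(
        string host, string certPem, string keyPem)
    {
        var certs = new ConcurrentDictionary<string, X509Certificate2>(
            StringComparer.OrdinalIgnoreCase);
        certs[host] = LoadSchannelUsableCert(certPem, keyPem);
        return certs;
    }

    // SNI selector: exact match on the requested name; when the client sent no SNI
    // (name is null or empty, as the issue observes) or the name is unknown, fall
    // back to a designated default instead of returning an arbitrary entry.
    public static X509Certificate2 ServerCertificateSelector(
        ConcurrentDictionary<string, X509Certificate2> certs,
        ConnectionContext connectionContext,
        string name,
        string defaultHost = "localhost")
    {
        if (certs == null || certs.IsEmpty)
            throw new InvalidOperationException("No server certificates are loaded.");

        if (!string.IsNullOrEmpty(name) && certs.TryGetValue(name, out X509Certificate2 match))
            return match;

        if (certs.TryGetValue(defaultHost, out X509Certificate2 fallback))
            return fallback;

        throw new InvalidOperationException(
            $"No certificate for SNI name \"{name}\" and no default for \"{defaultHost}\".");
    }
}
```

Wire it up by building the map once at startup (`BuildCertMap("localhost", certPem, keyPem)`) and passing `SchannelCerts.ServerCertificateSelector` to `httpsOptions.ServerCertificateSelector`, as in the issue's `UseHttps` callback. When the certificate is replaced at runtime, load the new one through `LoadSchannelUsableCert` and swap it into the dictionary; a certificate taken straight from `CreateFromPem` will reproduce the Schannel error. The persisted key container outlives the process, so dispose or clean up old certificates when rotating if key material should not accumulate on disk.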

@ghost

ghost commented Dec 7, 2020

Tagging subscribers to this area: @dotnet/ncl
See info in area-owners.md if you want to be subscribed.

         at System.Net.Security.SslStream.ReceiveBlobAsync[TIOAdapter](TIOAdapter adapter)
         at System.Net.Security.SslStream.ForceAuthenticationAsync[TIOAdapter](TIOAdapter adapter, Boolean receiveFirst, Byte[] reAuthenticationData, Boolean isApm)
         at Microsoft.AspNetCore.Server.Kestrel.Https.Internal.HttpsConnectionMiddleware.OnConnectionAsync(ConnectionContext context)
         at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Infrastructure.KestrelConnection`1.ExecuteAsync()
SNI Name: localhost
SNI Name: localhost
fail: Microsoft.AspNetCore.Server.Kestrel[0]
      Unhandled exception while processing 0HM4QLCD86JR8.
      System.ComponentModel.Win32Exception (0x8009030E): Im Sicherheitspaket sind keine Anmeldeinformationen verfügbar.
         at System.Net.SSPIWrapper.AcquireCredentialsHandle(ISSPIInterface secModule, String package, CredentialUse intent, SCHANNEL_CRED* scc)
         at System.Net.Security.SslStreamPal.AcquireCredentialsHandle(CredentialUse credUsage, SCHANNEL_CRED* secureCredential)
         at System.Net.Security.SslStreamPal.AcquireCredentialsHandleSchannelCred(X509Certificate certificate, SslProtocols protocols, EncryptionPolicy policy, Boolean isServer)
         at System.Net.Security.SslStreamPal.AcquireCredentialsHandle(SslStreamCertificateContext certificateContext, SslProtocols protocols, EncryptionPolicy policy, Boolean isServer)
         at System.Net.Security.SecureChannel.AcquireServerCredentials(Byte[]& thumbPrint)
         at System.Net.Security.SecureChannel.GenerateToken(ReadOnlySpan`1 inputBuffer, Byte[]& output)
         at System.Net.Security.SecureChannel.NextMessage(ReadOnlySpan`1 incomingBuffer)
         at System.Net.Security.SslStream.ProcessBlob(Int32 frameSize)
         at System.Net.Security.SslStream.ReceiveBlobAsync[TIOAdapter](TIOAdapter adapter)
         at System.Net.Security.SslStream.ForceAuthenticationAsync[TIOAdapter](TIOAdapter adapter, Boolean receiveFirst, Byte[] reAuthenticationData, Boolean isApm)
         at Microsoft.AspNetCore.Server.Kestrel.Https.Internal.HttpsConnectionMiddleware.OnConnectionAsync(ConnectionContext context)
         at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Infrastructure.KestrelConnection`1.ExecuteAsync()
fail: Microsoft.AspNetCore.Server.Kestrel[0]
      Unhandled exception while processing 0HM4QLCD86JR9.
      System.ComponentModel.Win32Exception (0x8009030E): Im Sicherheitspaket sind keine Anmeldeinformationen verfügbar.
         at System.Net.SSPIWrapper.AcquireCredentialsHandle(ISSPIInterface secModule, String package, CredentialUse intent, SCHANNEL_CRED* scc)
         at System.Net.Security.SslStreamPal.AcquireCredentialsHandle(CredentialUse credUsage, SCHANNEL_CRED* secureCredential)
         at System.Net.Security.SslStreamPal.AcquireCredentialsHandleSchannelCred(X509Certificate certificate, SslProtocols protocols, EncryptionPolicy policy, Boolean isServer)
         at System.Net.Security.SslStreamPal.AcquireCredentialsHandle(SslStreamCertificateContext certificateContext, SslProtocols protocols, EncryptionPolicy policy, Boolean isServer)
         at System.Net.Security.SecureChannel.AcquireServerCredentials(Byte[]& thumbPrint)
         at System.Net.Security.SecureChannel.GenerateToken(ReadOnlySpan`1 inputBuffer, Byte[]& output)
         at System.Net.Security.SecureChannel.NextMessage(ReadOnlySpan`1 incomingBuffer)
         at System.Net.Security.SslStream.ProcessBlob(Int32 frameSize)
         at System.Net.Security.SslStream.ReceiveBlobAsync[TIOAdapter](TIOAdapter adapter)
         at System.Net.Security.SslStream.ForceAuthenticationAsync[TIOAdapter](TIOAdapter adapter, Boolean receiveFirst, Byte[] reAuthenticationData, Boolean isApm)
         at Microsoft.AspNetCore.Server.Kestrel.Https.Internal.HttpsConnectionMiddleware.OnConnectionAsync(ConnectionContext context)
         at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Infrastructure.KestrelConnection`1.ExecuteAsync()
SNI Name: localhost
SNI Name: localhost
fail: Microsoft.AspNetCore.Server.Kestrel[0]
      Unhandled exception while processing 0HM4QLCD86JRA.
      System.ComponentModel.Win32Exception (0x8009030E): Im Sicherheitspaket sind keine Anmeldeinformationen verfügbar.
         at System.Net.SSPIWrapper.AcquireCredentialsHandle(ISSPIInterface secModule, String package, CredentialUse intent, SCHANNEL_CRED* scc)
         at System.Net.Security.SslStreamPal.AcquireCredentialsHandle(CredentialUse credUsage, SCHANNEL_CRED* secureCredential)
         at System.Net.Security.SslStreamPal.AcquireCredentialsHandleSchannelCred(X509Certificate certificate, SslProtocols protocols, EncryptionPolicy policy, Boolean isServer)
         at System.Net.Security.SslStreamPal.AcquireCredentialsHandle(SslStreamCertificateContext certificateContext, SslProtocols protocols, EncryptionPolicy policy, Boolean isServer)
         at System.Net.Security.SecureChannel.AcquireServerCredentials(Byte[]& thumbPrint)
         at System.Net.Security.SecureChannel.GenerateToken(ReadOnlySpan`1 inputBuffer, Byte[]& output)
         at System.Net.Security.SecureChannel.NextMessage(ReadOnlySpan`1 incomingBuffer)
         at System.Net.Security.SslStream.ProcessBlob(Int32 frameSize)
         at System.Net.Security.SslStream.ReceiveBlobAsync[TIOAdapter](TIOAdapter adapter)
         at System.Net.Security.SslStream.ForceAuthenticationAsync[TIOAdapter](TIOAdapter adapter, Boolean receiveFirst, Byte[] reAuthenticationData, Boolean isApm)
         at Microsoft.AspNetCore.Server.Kestrel.Https.Internal.HttpsConnectionMiddleware.OnConnectionAsync(ConnectionContext context)
         at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Infrastructure.KestrelConnection`1.ExecuteAsync()
fail: Microsoft.AspNetCore.Server.Kestrel[0]
      Unhandled exception while processing 0HM4QLCD86JRB.
      System.ComponentModel.Win32Exception (0x8009030E): Im Sicherheitspaket sind keine Anmeldeinformationen verfügbar.
         at System.Net.SSPIWrapper.AcquireCredentialsHandle(ISSPIInterface secModule, String package, CredentialUse intent, SCHANNEL_CRED* scc)
         at System.Net.Security.SslStreamPal.AcquireCredentialsHandle(CredentialUse credUsage, SCHANNEL_CRED* secureCredential)
         at System.Net.Security.SslStreamPal.AcquireCredentialsHandleSchannelCred(X509Certificate certificate, SslProtocols protocols, EncryptionPolicy policy, Boolean isServer)
         at System.Net.Security.SslStreamPal.AcquireCredentialsHandle(SslStreamCertificateContext certificateContext, SslProtocols protocols, EncryptionPolicy policy, Boolean isServer)
         at System.Net.Security.SecureChannel.AcquireServerCredentials(Byte[]& thumbPrint)
         at System.Net.Security.SecureChannel.GenerateToken(ReadOnlySpan`1 inputBuffer, Byte[]& output)
         at System.Net.Security.SecureChannel.NextMessage(ReadOnlySpan`1 incomingBuffer)
         at System.Net.Security.SslStream.ProcessBlob(Int32 frameSize)
         at System.Net.Security.SslStream.ReceiveBlobAsync[TIOAdapter](TIOAdapter adapter)
         at System.Net.Security.SslStream.ForceAuthenticationAsync[TIOAdapter](TIOAdapter adapter, Boolean receiveFirst, Byte[] reAuthenticationData, Boolean isApm)
         at Microsoft.AspNetCore.Server.Kestrel.Https.Internal.HttpsConnectionMiddleware.OnConnectionAsync(ConnectionContext context)
         at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Infrastructure.KestrelConnection`1.ExecuteAsync()
SNI Name: localhost
SNI Name: localhost
fail: Microsoft.AspNetCore.Server.Kestrel[0]
      Unhandled exception while processing 0HM4QLCD86JRC.
      System.ComponentModel.Win32Exception (0x8009030E): Im Sicherheitspaket sind keine Anmeldeinformationen verfügbar.
         at System.Net.SSPIWrapper.AcquireCredentialsHandle(ISSPIInterface secModule, String package, CredentialUse intent, SCHANNEL_CRED* scc)
         at System.Net.Security.SslStreamPal.AcquireCredentialsHandle(CredentialUse credUsage, SCHANNEL_CRED* secureCredential)
         at System.Net.Security.SslStreamPal.AcquireCredentialsHandleSchannelCred(X509Certificate certificate, SslProtocols protocols, EncryptionPolicy policy, Boolean isServer)
         at System.Net.Security.SslStreamPal.AcquireCredentialsHandle(SslStreamCertificateContext certificateContext, SslProtocols protocols, EncryptionPolicy policy, Boolean isServer)
         at System.Net.Security.SecureChannel.AcquireServerCredentials(Byte[]& thumbPrint)
         at System.Net.Security.SecureChannel.GenerateToken(ReadOnlySpan`1 inputBuffer, Byte[]& output)
         at System.Net.Security.SecureChannel.NextMessage(ReadOnlySpan`1 incomingBuffer)
         at System.Net.Security.SslStream.ProcessBlob(Int32 frameSize)
         at System.Net.Security.SslStream.ReceiveBlobAsync[TIOAdapter](TIOAdapter adapter)
         at System.Net.Security.SslStream.ForceAuthenticationAsync[TIOAdapter](TIOAdapter adapter, Boolean receiveFirst, Byte[] reAuthenticationData, Boolean isApm)
         at Microsoft.AspNetCore.Server.Kestrel.Https.Internal.HttpsConnectionMiddleware.OnConnectionAsync(ConnectionContext context)
         at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Infrastructure.KestrelConnection`1.ExecuteAsync()
fail: Microsoft.AspNetCore.Server.Kestrel[0]
      Unhandled exception while processing 0HM4QLCD86JRD.
      System.ComponentModel.Win32Exception (0x8009030E): Im Sicherheitspaket sind keine Anmeldeinformationen verfügbar.
         at System.Net.SSPIWrapper.AcquireCredentialsHandle(ISSPIInterface secModule, String package, CredentialUse intent, SCHANNEL_CRED* scc)
         at System.Net.Security.SslStreamPal.AcquireCredentialsHandle(CredentialUse credUsage, SCHANNEL_CRED* secureCredential)
         at System.Net.Security.SslStreamPal.AcquireCredentialsHandleSchannelCred(X509Certificate certificate, SslProtocols protocols, EncryptionPolicy policy, Boolean isServer)
         at System.Net.Security.SslStreamPal.AcquireCredentialsHandle(SslStreamCertificateContext certificateContext, SslProtocols protocols, EncryptionPolicy policy, Boolean isServer)
         at System.Net.Security.SecureChannel.AcquireServerCredentials(Byte[]& thumbPrint)
         at System.Net.Security.SecureChannel.GenerateToken(ReadOnlySpan`1 inputBuffer, Byte[]& output)
         at System.Net.Security.SecureChannel.NextMessage(ReadOnlySpan`1 incomingBuffer)
         at System.Net.Security.SslStream.ProcessBlob(Int32 frameSize)
         at System.Net.Security.SslStream.ReceiveBlobAsync[TIOAdapter](TIOAdapter adapter)
         at System.Net.Security.SslStream.ForceAuthenticationAsync[TIOAdapter](TIOAdapter adapter, Boolean receiveFirst, Byte[] reAuthenticationData, Boolean isApm)
         at Microsoft.AspNetCore.Server.Kestrel.Https.Internal.HttpsConnectionMiddleware.OnConnectionAsync(ConnectionContext context)
         at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Infrastructure.KestrelConnection`1.ExecuteAsync()

Author: ststeiger
Assignees: -
Labels: area-System.Net, area-System.Net.Security
Milestone: -

@ststeiger
Author

> Alternatively, you can store certificate and key in X509Store. In general, Schannel cannot work with in-memory keys. So this is really dup of #23749.

Yea, but that issue is closed and not resolved.
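The workaround quoted above (persist the key and load the certificate from an X509Store instead of handing Schannel an in-memory key) as an added example; this is not code from the issue or from the reporter's SelfSignedCertificateGenerator repository. It assumes an RSA-2048 self-signed certificate for CN=localhost, created with CertificateRequest.CreateSelfSigned the way a generator like the reporter's would, and a Kestrel ServerCertificateSelector that looks the certificate up by thumbprint. The class and method names are illustrative.

```csharp
// Added example (not the issue's or the linked project's code).
// On Windows, Schannel opens the server's private key through a persisted
// key container. A certificate whose key exists only in process memory
// (e.g. the result of CertificateRequest.CreateSelfSigned) therefore fails
// with SEC_E_NO_CREDENTIALS (0x8009030E). Round-tripping it through PFX with
// PersistKeySet and placing it in the store gives Schannel a key it can use.
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

public static class PersistedServerCertificate
{
    // Creates a self-signed server certificate. Assumption: RSA-2048, SHA-256,
    // subject/SAN "localhost". On Windows the private key of the returned
    // instance is ephemeral, which is exactly what Schannel rejects.
    public static X509Certificate2 CreateEphemeral(string dnsName, int validDays)
    {
        using RSA rsa = RSA.Create(2048);
        var req = new CertificateRequest(
            $"CN={dnsName}", rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);

        // serverAuth EKU so clients accept it for TLS server use.
        req.CertificateExtensions.Add(new X509EnhancedKeyUsageExtension(
            new OidCollection { new Oid("1.3.6.1.5.5.7.3.1") }, critical: false));

        var san = new SubjectAlternativeNameBuilder();
        san.AddDnsName(dnsName);
        req.CertificateExtensions.Add(san.Build());

        DateTimeOffset now = DateTimeOffset.UtcNow;
        return req.CreateSelfSigned(now.AddMinutes(-5), now.AddDays(validDays));
    }

    // Re-imports the certificate so the private key is written to a persisted
    // key container (machine or user scope), then adds it to the "My" store.
    // LocalMachine + OpenFlags.ReadWrite needs an elevated or service identity.
    public static X509Certificate2 PersistToStore(X509Certificate2 ephemeral, StoreLocation location)
    {
        // Transient password: it only protects the PFX bytes during this in-process round trip.
        byte[] secret = new byte[32];
        RandomNumberGenerator.Fill(secret);
        string pfxPassword = Convert.ToBase64String(secret);

        byte[] pfx = ephemeral.Export(X509ContentType.Pfx, pfxPassword);

        X509KeyStorageFlags flags = X509KeyStorageFlags.PersistKeySet
            | (location == StoreLocation.LocalMachine
                ? X509KeyStorageFlags.MachineKeySet
                : X509KeyStorageFlags.UserKeySet);

        var persisted = new X509Certificate2(pfx, pfxPassword, flags);
        Array.Clear(pfx, 0, pfx.Length);
        Array.Clear(secret, 0, secret.Length);

        using var store = new X509Store(StoreName.My, location);
        store.Open(OpenFlags.ReadWrite);
        store.Add(persisted);
        return persisted;
    }

    // Lookup used from the Kestrel selector: returns a store-backed instance
    // (key in a persisted container) or null if the thumbprint is not present.
    public static X509Certificate2 FindByThumbprint(string thumbprint, StoreLocation location)
    {
        using var store = new X509Store(StoreName.My, location);
        store.Open(OpenFlags.ReadOnly);
        X509Certificate2Collection hits =
            store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, validOnly: false);
        return hits.Count > 0 ? hits[0] : null;
    }

    // Removes a superseded certificate when it is rotated at runtime, so the
    // store (and the on-disk key container) does not accumulate stale keys.
    public static bool RemoveByThumbprint(string thumbprint, StoreLocation location)
    {
        X509Certificate2 old = FindByThumbprint(thumbprint, location);
        if (old == null) return false;
        using var store = new X509Store(StoreName.My, location);
        store.Open(OpenFlags.ReadWrite);
        store.Remove(old);
        return true;
    }
}
```

Usage: generate with `CreateEphemeral("localhost", 365)`, call `PersistToStore` once, and have `ServerCertificateSelector` return `FindByThumbprint(thumbprint, location)` rather than the in-memory instance. Because the reporter's certificate can change at runtime, pair each rotation with `RemoveByThumbprint` for the previous one; a persisted key container outlives the process, which is the property Schannel needs but also why stale keys must be cleaned up deliberately.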

@wfurt
Member

wfurt commented Dec 7, 2020

I'm not sure if it is fixable without Schannel changes. Perhaps we can add documentation.

@karelz
Member

karelz commented Dec 7, 2020

Duplicate of #23749

@karelz karelz marked this as a duplicate of #23749 Dec 7, 2020
@karelz karelz closed this as completed Dec 7, 2020
@ghost ghost locked as resolved and limited conversation to collaborators Jan 6, 2021
@karelz karelz added this to the 6.0.0 milestone Jan 26, 2021