
I have a Windows service which does some stuff using a Smartcard. The certificate of the smartcard is mapped into the MY store of the local machine. Accessing the private key of the smartcard is no problem when the service runs as System, but it fails when run as NetworkService.

I've already granted access to the certificate to the NetworkService using the Certificate MMC (Manage Private Keys...).

The error I get is: The Smart card resource manager is not running.

The error is thrown with a Cryptographic Exception.

Stacktrace:
    at System.Security.Cryptography.Utils.CreateProvHandle(CspParameters parameters, Boolean randomKeyContainer)
    at System.Security.Cryptography.Utils.GetKeyPairHelper(CspAlgorithmType keyType, CspParameters parameters, Boolean randomKeyContainer, Int32 dwKeySize, SafeProvHandle& safeProvHandle, SafeKeyHandle& safeKeyHandle)
    at System.Security.Cryptography.RSACryptoServiceProvider.GetKeyPair()
    at System.Security.Cryptography.RSACryptoServiceProvider..ctor(Int32 dwKeySize, CspParameters parameters, Boolean useDefaultKeySize)
    at System.Security.Cryptography.X509Certificates.X509Certificate2.get_PrivateKey()

Any ideas which privileges and/or permissions are required to access the Smart card resource manager?

Kind regards,

Henning Krause


2 Answers


The LocalService has enough permissions to access smartcards. This is the solution I went with.

Henning Krause
  • This is working. But the `LocalService` has full access to computer. Is there some other solution? Something like adding NT Service\ to a Windows Group? Or somehow adding it to a group policy? – robie2011 Sep 24 '18 at 09:06
  • Are you confusing the LocalService with LocalSystem? The LocalService is similar to the NetworkService, but anonymously authenticates to remote systems. – Henning Krause Sep 25 '18 at 14:34
  • Sorry, I was confusing `LocalSystem` with `LocalService`. Services should be executed as `NT Service\` and it works with Windows 10. Only with Windows 7 Pro this does not work. I was able to run it with `NT AUTHORITY\Local Service` and `NT AUTHORITY\System` in Win 7 Pro. Are there any possibilities to run the service with the appropriate service account (`NT Service\`)? This is necessary to use Windows authentication with SQL Server. – robie2011 Sep 26 '18 at 12:24
  • There is no "real" account NT Service\. That is a virtual account created by Windows. See https://stackoverflow.com/questions/14197908/how-to-add-a-service-sid-to-a-service. So if you enable this, you can grant permission based on NT Service\ instead of local service or local system. But this is unrelated to the account the service actually runs under. – Henning Krause Sep 26 '18 at 14:56
  • "So if you enable this, you can grant permission based on NT Service\ instead of local service or local system" ... Which permissions are required to have access to smart card? – robie2011 Sep 28 '18 at 09:28
  • As I said above, you run your service as LocalService, but you grant additional permissions to NT Service\yourService – Henning Krause Oct 01 '18 at 12:44
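The configuration the thread converges on (run the service as LocalService, enable the per-service SID, and grant any extra rights to `NT SERVICE\<name>` rather than to the shared account), written out as an added PowerShell example that is not part of the original question or answers. The service name is a placeholder; the SCardSvr check is an added sanity step, since that service hosts the resource manager the error message refers to.

```powershell
# Added example, not from the original post. Run from an elevated PowerShell.
$ServiceName = 'MySmartcardService'   # placeholder: replace with your service name

# 0. Sanity check: the "Smart Card" service (SCardSvr) hosts the Smart Card
#    Resource Manager. If it is stopped, every caller fails with the same error,
#    regardless of which account the service runs under.
Get-Service -Name SCardSvr | Select-Object Name, Status, StartType

# 1. Run the service as LocalService (the account that worked for the asker).
#    Use sc.exe explicitly: in PowerShell, "sc" is an alias for Set-Content.
#    sc.exe requires the space after "obj=".
sc.exe config $ServiceName obj= 'NT AUTHORITY\LocalService'

# 2. Enable the per-service SID. After this, resources can be ACL'd for the
#    virtual identity NT SERVICE\<ServiceName> instead of for the shared
#    LocalService account (e.g. in SQL Server:
#    CREATE LOGIN [NT SERVICE\MySmartcardService] FROM WINDOWS;).
sc.exe sidtype $ServiceName unrestricted

# 3. Restart and verify the logon account and SID type actually took effect.
Restart-Service -Name $ServiceName
Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'" |
    Select-Object Name, StartName, State
sc.exe qsidtype $ServiceName
```

Step 3 should report `StartName` as `NT AUTHORITY\LocalService` and a SID type of `UNRESTRICTED`; if the private-key access still fails afterwards, recheck step 0 before touching permissions.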

X509Certificate2 raises "The Smart card resource manager is not running" exception http://blogs.msdn.com/b/alejacma/archive/2011/05/19/x509certificate2-raises-quot-the-smart-card-resource-manager-is-not-running-quot-exception.aspx