
Winhttp from service not working : 12175 Error


gP T Gr8

Apr 27, 2005, 4:09:32 AM
Hi all,
I have a problem with an SSL connection when I run from a service. I'm
running a service under the LocalSystem account, and my certificate is
installed in Trusted Root.
Everything goes fine when I run it from a user account, but it gives error
12175 (ERROR_WINHTTP_SECURE_FAILURE) when I launch it from the service.

Here is the piece of code:
// Session handle
m_hIntOpen = WinHttpOpen(T2CW(m_oszAppID),
    WINHTTP_ACCESS_TYPE_DEFAULT_PROXY, WINHTTP_NO_PROXY_NAME,
    WINHTTP_NO_PROXY_BYPASS, 0);

// Connection to the server on the HTTPS port
m_hIntConnect = WinHttpConnect(m_hIntOpen, T2CW(m_oszDomain),
    INTERNET_DEFAULT_HTTPS_PORT, 0);

// Request handle; WINHTTP_FLAG_SECURE selects SSL
m_hOpenReq = WinHttpOpenRequest(m_hIntConnect, psztHttpVerb, T2CW(m_oszURL), NULL,
    NULL, WINHTTP_DEFAULT_ACCEPT_TYPES, WINHTTP_FLAG_SECURE);

WinHttpAddRequestHeaders(m_hOpenReq,
    my_REQUEST_HEADER, -1, WINHTTP_ADDREQ_FLAG_ADD);

// Digest authentication against the server
WinHttpSetCredentials(m_hOpenReq, WINHTTP_AUTH_TARGET_SERVER,
    WINHTTP_AUTH_SCHEME_DIGEST, T2CW(m_oszUserName), T2CW(m_oszPassword), NULL);

and send request.....

I tried impersonating the user with:
DWORD dwPiD = GetCurrentProcessId();
HANDLE hSelf = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwPiD);
BOOL b = OpenProcessToken(hSelf, TOKEN_ALL_ACCESS, &hNew);
BOOL bImp = ImpersonateLoggedOnUser(hNew);
but again the same thing...
I tried this also:
if (OpenProcessToken(OpenProcess(PROCESS_ALL_ACCESS, FALSE, GetCurrentProcessId()),
        (TOKEN_IMPERSONATE | TOKEN_READ | TOKEN_DUPLICATE),
        &hThreadToken))
{
    LoadUserProfile(hThreadToken, &ProfileInfo);
    CloseHandle(hThreadToken);
}

Same error...

Please suggest some solution where I need not change the account the
service runs under (it should run under the LocalSystem account).

Thanks

Stephen Sulzer

Apr 28, 2005, 5:50:44 AM

What kind of certificate (client or server) have you put in the Local
System's Trusted Root certificate store? The Trusted Root certificate store
contains the certificates of certificate-issuing organizations who you trust
(e.g., like Verisign).

A client certificate (one which you would give to a web server to
authenticate your identity) should be stored in the Personal certificate
store.

A local administrator can install certificates into the Local System
certificate stores using the "Certificates" MMC snap-in component, and then
use the WinHttpCertCfg.exe utility to grant access permissions to that
certificate. Is this similar to what you did to install the certificate?

You should not need to do any impersonation in your Windows service, if the
certificate is properly installed and configured.

If you receive a SECURE_FAILURE error from WinHttp, there are a few places
you can check for additional information:

1) in the Event Viewer control panel app. Check all three logs
(Application, System and Security).

2) a WinHttp trace file. Use the WinHttpTraceCfg.exe utility to
enable/disable WinHttp tracing. In the trace file, just prior to the
SECURE_FAILURE error, you may see the type of SSL or certificate failure
that WinHttp encountered.

3) in your code, register a status callback function (via
WinHttpSetStatusCallback, specifying
dwNotificationFlags=WINHTTP_CALLBACK_FLAG_SECURE_FAILURE). When the
SECURE_FAILURE error occurs, WinHttp can call your status callback function
with additional information about the cause of the failure. See the
following for more information about the
WINHTTP_CALLBACK_STATUS_SECURE_FAILURE notification:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/winhttp/http/internet_status_callback_prototype.asp?frame=true
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/winhttp/http/winhttpsetstatuscallback.asp


Hope that helps.

- Stephen
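
The status callback from suggestion 3 above, sketched in C as an added example that is not part of the original thread. The names describe_secure_failure, on_status and install_secure_failure_callback are chosen here for illustration; the WinHTTP calls and flag values are those of winhttp.h.

```c
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#include <winhttp.h>   /* link with winhttp.lib */
#else   /* flag values as in winhttp.h, so the decoder also builds off Windows */
#define WINHTTP_CALLBACK_STATUS_FLAG_CERT_REV_FAILED        0x00000001UL
#define WINHTTP_CALLBACK_STATUS_FLAG_INVALID_CERT           0x00000002UL
#define WINHTTP_CALLBACK_STATUS_FLAG_CERT_REVOKED           0x00000004UL
#define WINHTTP_CALLBACK_STATUS_FLAG_INVALID_CA             0x00000008UL
#define WINHTTP_CALLBACK_STATUS_FLAG_CERT_CN_INVALID        0x00000010UL
#define WINHTTP_CALLBACK_STATUS_FLAG_CERT_DATE_INVALID      0x00000020UL
#define WINHTTP_CALLBACK_STATUS_FLAG_CERT_WRONG_USAGE       0x00000040UL
#define WINHTTP_CALLBACK_STATUS_FLAG_SECURITY_CHANNEL_ERROR 0x80000000UL
#endif
#define F(x) { WINHTTP_CALLBACK_STATUS_FLAG_##x, #x }
static const struct { unsigned long bit; const char *name; } k_flags[] = {
    F(CERT_REV_FAILED), F(INVALID_CERT), F(CERT_REVOKED), F(INVALID_CA),
    F(CERT_CN_INVALID), F(CERT_DATE_INVALID), F(CERT_WRONG_USAGE),
    F(SECURITY_CHANNEL_ERROR)
};

/* Write the names of the set flags into out, '|'-separated; return how many. */
int describe_secure_failure(unsigned long flags, char *out, size_t cap) {
    int n = 0;
    size_t i;
    if (cap == 0) return 0;
    out[0] = '\0';
    for (i = 0; i < sizeof k_flags / sizeof k_flags[0]; i++) {
        if (!(flags & k_flags[i].bit)) continue;
        if (n++ > 0) strncat(out, "|", cap - strlen(out) - 1);
        strncat(out, k_flags[i].name, cap - strlen(out) - 1);
    }
    return n;
}
#ifdef _WIN32
/* Status callback: a service has no console, so log to the debugger output. */
static void CALLBACK on_status(HINTERNET h, DWORD_PTR ctx, DWORD status,
                               LPVOID info, DWORD len) {
    char why[192];
    if (status != WINHTTP_CALLBACK_STATUS_SECURE_FAILURE || len < sizeof(DWORD)) return;
    describe_secure_failure(*(DWORD *)info, why, sizeof why);
    OutputDebugStringA("WinHTTP secure failure: ");
    OutputDebugStringA(why);
}
/* Register on the session handle (m_hIntOpen in the post) before sending. */
BOOL install_secure_failure_callback(HINTERNET hSession) {
    return WinHttpSetStatusCallback(hSession, on_status,
        WINHTTP_CALLBACK_FLAG_SECURE_FAILURE, 0) != WINHTTP_INVALID_STATUS_CALLBACK;
}
#endif
```

An issuer that the calling account does not trust is reported as INVALID_CA, and a host-name mismatch as CERT_CN_INVALID, which separates a trust-store problem from a problem with the certificate itself.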

gP T Gr8

Apr 28, 2005, 1:26:59 PM
Thanks for your response.
I'm using a server certificate. I installed a certificate (for testing
purposes I have created myCertificate) at the server, and I access the same
site using IE; when it shows the security popup I view the certificate
and install it on my machine.
So I'm having the same certificate as that of the server.

Please tell me how I could use a server-side certificate for SSL. I'm using
digest authentication also.

For my actual product output I'm going to get a certificate from
Verisign, so I need not install at the client. But now I'm installing the
same certificate as that of the server in the client machine's Trusted Root,
and this is working fine when I run my app from user context.


Thanks in advance
gP

Stephen Sulzer

Apr 29, 2005, 3:55:10 AM
When you use Internet Explorer to install the server's certificate into your
Trusted Roots certificate store, it affects only the current user's
certificates, not the Local System. You need to use the MMC Certificates
snap-in to install certificates for the Local Machine or a service account.
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/4fa4568e-16de-4a64-b65e-12ee14b31dc2.mspx

- Stephen


gP T Gr8

Apr 29, 2005, 8:42:21 AM
Hi,
I made a copy of the certificate in the service's account; both the root
certificate and issued certificates are associated with the service now.
Still it is giving the same error.

Please note that I'm using only the above APIs; I'm not doing anything for
the certificate. I think this is the only thing I need to do.

Please tell me where I'm going wrong. Why is it not working? It's again
giving the same error.

Thanks for all your efforts to solve my problem, and thanks for your
attention.

Regards
gP

gP T Gr8

May 2, 2005, 11:31:21 AM
I got my problem solved. I had a problem with my certificate.
Now I have a service running and the certificate is in the Local Machine
account.

Thanks Stephen for your help.

You rock, winhttp group..!!!!
