System Account Personal Certificate Store
Hello, I am having an issue when trying to import a certificate to the Local System account store. I basically have a custom service that runs as Local System, which needs to access the Personal Cert Store to get a certificate. The cert has been added using MMC but isn't being detected.

After some investigation I found this site: http://www.eldos.com/security/articles/7116.php

This talks about security settings for system accounts, where you need to explicitly allow access to the private keys using:

WinHttpCertCfg.exe -g -c LOCAL_MACHINE\MY -s "<certcn>" -a "DOMAIN\COMPUTERNAME$"
WinHttpCertCfg.exe -g -c LOCAL_MACHINE\MY -s "<certcn>" -a "Local System"

I am still having the issue. Has anyone come across this issue before? Not sure how I will go about changing the service account, so let's hope we have an answer lol

Cheers
Paul
July 18th, 2012 11:26am
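The question above comes down to two facts about a certificate in LocalMachine\My: does it have a private key at all, and does the Local System account have an ACL entry on the key container file (which is what WinHttpCertCfg.exe -g edits). The PowerShell below is an added example, not code from the thread or from any of the linked articles; it reports both facts read-only, without changing any ACL. It assumes Windows PowerShell 5.1 on .NET Framework 4.6 or later, an RSA key, an elevated prompt (the key files are readable only by Administrators and SYSTEM), and the standard machine-key locations under %ProgramData%\Microsoft\Crypto. The principal name and the thumbprint you pass in are placeholders.

```powershell
# Added example: check private-key presence and Local System's rights on the key file.
# Not part of the original thread; assumptions are noted in the comments.
function Get-MachineKeyAccess {
    param(
        [Parameter(Mandatory)][string]$Thumbprint,
        [string]$Principal = 'NT AUTHORITY\SYSTEM'   # the Local System account
    )

    $cert = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop

    $result = [ordered]@{
        Subject         = $cert.Subject
        HasPrivateKey   = $cert.HasPrivateKey   # same fact MMC shows as "You have a private key..."
        KeyFile         = $null
        PrincipalRights = $null
    }
    if (-not $cert.HasPrivateKey) { return [pscustomobject]$result }

    # Open the key to learn its unique container name. Whether an account may use
    # the key is decided by the NTFS ACL on that container file.
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
    if ($null -eq $rsa) { throw "Certificate $Thumbprint does not carry an RSA private key" }
    if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        $name = $rsa.CspKeyContainerInfo.UniqueKeyContainerName   # CAPI (CSP) key
    } elseif ($rsa -is [System.Security.Cryptography.RSACng]) {
        $name = $rsa.Key.UniqueName                                # CNG key
    } else {
        throw "Unsupported private key type: $($rsa.GetType().FullName)"
    }

    # Assumed standard locations: CAPI containers under RSA\MachineKeys, CNG
    # containers under Keys. Pick whichever file actually exists.
    $root = Join-Path $env:ProgramData 'Microsoft\Crypto'
    $keyFile = @("RSA\MachineKeys\$name", "Keys\$name") |
        ForEach-Object { Join-Path $root $_ } |
        Where-Object { Test-Path -LiteralPath $_ } |
        Select-Object -First 1
    if (-not $keyFile) { throw "Key container '$name' not found under $root" }
    $result.KeyFile = $keyFile

    # Pull the ACL entries that name the principal; "NO ENTRY" means the account
    # has no explicit grant on the key file, the situation WinHttpCertCfg -g fixes.
    $acl = Get-Acl -LiteralPath $keyFile
    $rights = @($acl.Access |
        Where-Object { $_.IdentityReference.Value -eq $Principal } |
        ForEach-Object { "$($_.AccessControlType) $($_.FileSystemRights)" })
    $result.PrincipalRights = if ($rights.Count) { $rights -join '; ' } else { 'NO ENTRY' }
    return [pscustomobject]$result
}

# Usage: report every certificate in the machine store and Local System's rights on its key.
Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    Get-MachineKeyAccess -Thumbprint $_.Thumbprint
} | Format-Table Subject, HasPrivateKey, PrincipalRights -AutoSize
```

If HasPrivateKey is False the certificate was imported without its key (for example from a .cer instead of a .pfx) and no ACL change will help; if the key file is there but PrincipalRights shows NO ENTRY, the account the service runs under cannot open the key, which is what the WinHttpCertCfg step in the question addresses.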

Hi Paul,

Thanks for posting in Microsoft TechNet forums.

Was the certificate imported properly according to the steps in the article below?

Import a certificate
http://technet.microsoft.com/en-us/library/cc776889(v=ws.10).aspx

Also please check the information in the thread below to see if it can be helpful to you:

Where does MMC Certificates snap-in import certificates for Service account?
http://stackoverflow.com/questions/4882126/where-does-mmc-certificates-snap-in-import-certificates-for-service-account

(Note: Since the site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.)

Regards
Kevin
TechNet Subscriber Support

If you are a TechNet Subscription user and have any feedback on our support quality, please send your feedback here.
July 18th, 2012 10:12pm

Hi Kevin,

Thanks for the response. That's correct, I have imported the certificate to the computer's personal certificate store. The problem I have is down to the service running as 'Local System', which doesn't seem to have access to, or see, the relevant cert.

For example, as part of the service, it creates a dump of the environment variables. The username field reads as DOMAIN\ComputerName$. When you check the computer store, the certificate is there.

Thanks
Paul
July 19th, 2012 4:18am

Hi Paul,

Thank you for clarifying the issue for us. I am trying to involve someone familiar with this topic to further look at this issue. There might be some time delay. Appreciate your patience.

Have a nice day.

Regards
Kevin
TechNet Subscriber Support

If you are a TechNet Subscription user and have any feedback on our support quality, please send your feedback here.
July 19th, 2012 10:51pm

Hi Paul,

Like the Computer Personal store, some specific services also have their own personal store. By default, a service first checks the service store to get the certificate it needs, then the computer store/user store according to which account the service is running under. So we can also import the certificate used by the service into the service store; for example, we export the LDAPS certificate to Active Directory Domain Services.

You can check if the custom service has a service store; if it has, try to import the certificate to the service store.

1. Log onto the server running the custom service, then open the MMC snap-in.
2. Add the Certificates console, and then select Service account.
3. Check if the custom service resides in the list of service accounts. If it does, select it.
4. Expand the Personal node and import the certificate used by the service.

Does the service detect the certificate in the service store?

If there is no service store for this custom service, let me know the answers to the following questions:

1. How do you know that the service cannot detect the cert which has been imported to the computer store?
2. What error message do you receive when the service cannot detect the cert?
3. What operating system is the server running the service using?

Regards
Diana

Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
July 20th, 2012 8:40am
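The lookup order described in the post above (the service's own store first, then the machine or user store depending on the service account) can be checked without clicking through MMC. The PowerShell below is an added example, not code from the thread; it lists which services have a store of their own and reports every store in which a given thumbprint appears, in the order a service would consult them. It assumes that per-service stores are persisted under HKLM\SOFTWARE\Microsoft\Cryptography\Services\<ServiceName>\SystemCertificates\<StoreName>, the location CertOpenStore uses for CERT_SYSTEM_STORE_SERVICES, and that the thumbprint passed in is a placeholder for the certificate in question.

```powershell
# Added example: where does a certificate live, in the order a service looks for it?
# Not part of the original thread; the registry layout is an assumption noted below.
$script:ServicesKey = 'HKLM:\SOFTWARE\Microsoft\Cryptography\Services'   # assumed CERT_SYSTEM_STORE_SERVICES root

function Get-ServiceStoreNames {
    # Services that have a certificate store of their own (the candidates MMC shows
    # under "Service account"). Returns an empty list when no service store exists.
    if (-not (Test-Path -LiteralPath $script:ServicesKey)) { return @() }
    Get-ChildItem -LiteralPath $script:ServicesKey |
        Where-Object { Test-Path -LiteralPath (Join-Path $_.PSPath 'SystemCertificates') } |
        ForEach-Object { $_.PSChildName }
}

function Find-CertificateLocations {
    param([Parameter(Mandatory)][string]$Thumbprint)

    # Registry subkeys and the Cert: provider both use upper-case hex with no separators.
    $tp = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    $hits = New-Object System.Collections.Generic.List[object]

    # 1. Per-service "My" stores, consulted first by the service that owns them.
    foreach ($svc in Get-ServiceStoreNames) {
        $certsKey = Join-Path $script:ServicesKey "$svc\SystemCertificates\My\Certificates"
        if (Test-Path -LiteralPath (Join-Path $certsKey $tp)) {
            $hits.Add([pscustomobject]@{ Order = 1; Store = "Service $svc\My" })
        }
    }
    # 2. Machine store (what a Local System service falls back to).
    if (Test-Path "Cert:\LocalMachine\My\$tp") {
        $hits.Add([pscustomobject]@{ Order = 2; Store = 'LocalMachine\My' })
    }
    # 3. Store of the user running this script (what a service under a user account would see).
    if (Test-Path "Cert:\CurrentUser\My\$tp") {
        $hits.Add([pscustomobject]@{ Order = 3; Store = 'CurrentUser\My' })
    }
    return $hits | Sort-Object Order
}

# Usage with a placeholder thumbprint; replace with the real one from MMC or Cert:\LocalMachine\My.
Get-ServiceStoreNames
Find-CertificateLocations -Thumbprint 'AA BB CC DD EE FF 00 11 22 33 44 55 66 77 88 99 AA BB CC DD' | Format-Table -AutoSize
```

An empty result from Get-ServiceStoreNames for the service in question means there is no service store to import into, which is the case the post above asks to be reported back; a hit only under LocalMachine\My means the certificate is where a Local System service would look second.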

Hi Diana,

Thanks for the response. The service does show up in the list, and the certificate is in the personal store. If it helps, this is the SCOM Management service that only runs as 'Local System'. We get an error message when we try to access an SSL certificate in the personal store. This is written to the Event Viewer. The reason I have asked on these forums rather than SCOM is that it appears to be a security/SSL issue rather than the application.

To answer your questions:

1. How do you know that the service cannot detect the cert which has been imported to the computer store?
- We get an alert in Event Viewer saying 'Client authentication is not possible as the certificate is not found'.

2. What error message do you receive when the service cannot detect the cert?
C:\Program Files\System Center 2012\Operations Manager\Server\Health Service State\Monitoring Host Temporary Files 3835\2514\ABC.Customer.Discovery.vbs(35, 3) msxml3.dll: A certificate is required to complete client authentication

3. What operating system is the server running the service using?
The server is 2008 R2 SP1.

Thanks
Paul
July 20th, 2012 10:32am

Hi Paul,

Just from the error message, I cannot absolutely say whether this is a security issue or a SCOM issue. You can check if the certificate is associated with a private key by using the following steps:

1. Log onto the server on which you have imported the certificate and open the MMC snap-in.
2. Locate the certificate in the personal store, double-click it, and check whether the message "You have a private key that corresponds to this certificate" exists or not. If it exists, it indicates the certificate status is OK.

In your situation, I'm not sure if clients try to access the SCOM server. If this is the case, it's possible that the box "require client certificate" is checked in IIS. Please try to modify the SSL settings in IIS.

1. Open IIS Manager and navigate to Default Website.
2. In Features View, double-click SSL Settings.
3. On the SSL Settings page, in the Client certificates area, select Accept to accept a client certificate if the client provides one.
4. In the Action pane, click Apply.

After that, please check if the issue still persists. If so, I'm afraid that consulting a SCOM engineer is necessary.

Regards,
Diana

Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
July 23rd, 2012 6:36am
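The IIS steps above toggle the sslFlags attribute of system.webServer/security/access for the site: "Require" is SslNegotiateCert together with SslRequireCert, "Accept" is SslNegotiateCert alone, and "Ignore" is neither. The PowerShell below is an added example, not code from the thread; it reads the current mode and, as a separate deliberate action, switches Require to Accept while keeping the Ssl/Ssl128 bits untouched. It assumes the WebAdministration module (IIS 7 and later), a site named 'Default Web Site' (placeholder; the post says Default Website), and the flag bit values from the IIS configuration schema (Ssl=8, SslNegotiateCert=32, SslRequireCert=64, SslMapCert=128, Ssl128=256).

```powershell
# Added example: inspect and adjust the IIS client-certificate setting from PowerShell.
# Not part of the original thread; see the assumptions above.
Import-Module WebAdministration

# sslFlags bit values as defined in the IIS configuration schema (assumed, see lead-in).
$script:SslFlagBits = [ordered]@{ Ssl = 8; SslNegotiateCert = 32; SslRequireCert = 64; SslMapCert = 128; Ssl128 = 256 }

function Get-SslFlagNames {
    param([Parameter(Mandatory)][string]$Site)
    $raw = Get-WebConfigurationProperty -PSPath "IIS:\Sites\$Site" `
        -Filter 'system.webServer/security/access' -Name sslFlags
    # The cmdlet may return a ConfigurationAttribute (use .Value) or a bare value,
    # and the value may be numeric or a comma-separated list of flag names.
    $value = if ($raw.PSObject.Properties['Value']) { $raw.Value } else { $raw }
    if ($value -is [int] -or "$value" -match '^\d+$') {
        $n = [int]$value
        return @($script:SslFlagBits.Keys | Where-Object { ($n -band $script:SslFlagBits[$_]) -ne 0 })
    }
    return @(("$value" -split ',\s*') | Where-Object { $_ -and $_ -ne 'None' })
}

function Get-ClientCertMode {
    # Maps the flag set to the three radio buttons on the SSL Settings page.
    param([string]$Site = 'Default Web Site')
    $flags = Get-SslFlagNames -Site $Site
    if ($flags -contains 'SslRequireCert')       { return 'Require' }
    elseif ($flags -contains 'SslNegotiateCert') { return 'Accept' }
    else                                         { return 'Ignore' }
}

function Set-ClientCertAccept {
    # Equivalent of selecting "Accept" and clicking Apply: drop SslRequireCert,
    # make sure SslNegotiateCert is present, leave every other flag as it was.
    param([string]$Site = 'Default Web Site')
    $flags = @(Get-SslFlagNames -Site $Site | Where-Object { $_ -ne 'SslRequireCert' })
    if ($flags -notcontains 'SslNegotiateCert') { $flags += 'SslNegotiateCert' }
    Set-WebConfigurationProperty -PSPath "IIS:\Sites\$Site" `
        -Filter 'system.webServer/security/access' -Name sslFlags -Value ($flags -join ',')
    return (Get-ClientCertMode -Site $Site)
}

# Usage: report first; only change the setting once "Require" is confirmed to be the cause.
"Current client certificate mode: $(Get-ClientCertMode)"
# Set-ClientCertAccept    # uncomment to switch Require -> Accept on the default site
```

Reading the mode first matters because "Require" may be intentional for that site; the change only makes sense when the error in the thread is caused by the server demanding a client certificate that the caller cannot present.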


Hi Paul,

Does the issue still occur?

Thanks.
Diana

Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
July 25th, 2012 2:09am

Hi Paul,

As this thread has been quiet for a while, we will mark it as Answered as the information provided should be helpful. If you need further help, please feel free to reply to this post directly so we will be notified to follow it up. You can also choose to unmark the answer as you wish.

BTW, we'd love to hear your feedback about the solution. By sharing your experience you can help other community members facing similar problems.

Thanks for your understanding and efforts.

Best Regards
Kevin
TechNet Subscriber Support

If you are a TechNet Subscription user and have any feedback on our support quality, please send your feedback here.
July 29th, 2012 10:43pm
