Monthly Archives: November 2012

Resolving “certificate for the given thumbprint could not be loaded” error with Azure Tools for Visual Studio

Recently I encountered a strange error when attempting some storage-related activities using Windows Azure Tools within Visual Studio 2012. When either adding a new storage account or changing Connection String settings I was met with:

The certificate for the given thumbprint could not be loaded from the Current User/Personal certificate store. Please install the certificate.

While I was able to resolve the error, I cannot reproduce it (and gave up trying), but if you face the same problem, hopefully this will help you.

Background

If Visual Studio was looking for a certificate, where was it looking? It turns out that the Windows Azure Tools for Visual Studio store some certificate related references in a file called Windows Azure Connections.xml in your personal settings area on Windows. This file is created on your behalf once you’ve created any Publish Profiles by Publishing Cloud Services to Windows Azure from Visual Studio.

The file lives here:

%UserProfile%\Documents\Visual Studio 2012\Settings\Windows Azure Connections.xml

On my Windows 8 development machine, this is:

C:\Users\billdev\My Documents\Visual Studio 2012\Settings\Windows Azure Connections.xml

The file contains the credentials you’d previously supplied during publishing and will look something like the following:

<?xml version="1.0"?>
<NamedCredentials xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <Items>
    <NamedCredential>
      <SubscriptionId>12345678-abcd-ae10-abba-01812e1e1000</SubscriptionId>
      <IsImported>false</IsImported>
      <ServiceEndpoint>https://management.core.windows.net/</ServiceEndpoint>
      <CertificateThumbprint>A123B123C12333EC954471ED75C37D59003681F7</CertificateThumbprint>
      <Name>Page of Photos</Name>
    </NamedCredential>
  </Items>
  <LastUsedName>Page of Photos</LastUsedName>
</NamedCredentials>

Note that the NamedCredential XML element item may be repeated.

Problem

The problem turns out to be that one of the referenced certificates (identified by thumbprint via the CertificateThumbprint XML element) is either not installed properly locally or not installed in the associated Windows Azure Subscription (identified by the SubscriptionId XML element).

Solution

For each certificate referenced by a CertificateThumbprint element (there could be more than one, unlike the simple example shown above):

  1. Make sure the certificate is installed in your local certificate store and contains a Private Key. It can usually be found in the Personal (or “My”) store under the Current User certificates, using the Certificates Snap-in with Microsoft Management Console. (You can also use certmgr.exe or write your own code to dump certificate info.) If the certificate exists in your local certificate store then it is probably fine; it is unlikely to be missing a Private Key, but it is possible.
  2. Make sure the certificate has been uploaded to the Windows Azure Portal for the SubscriptionId referenced within Windows Azure Connections.xml.

That’s it. Should work. Worst case you can delete each element of your Windows Azure Connections.xml profile and start over.
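As an added example (not code from the original post), this C# console program performs the step 1 check for every NamedCredential in Windows Azure Connections.xml: it reports whether each thumbprint is present in Current User/Personal with a private key and, if it is missing there, which other standard store holds it. The class name and output labels are made up for the example; step 2 (the upload to the portal) cannot be checked locally and is not covered.

```csharp
using System;
using System.IO;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Xml.Linq;

static class AzureConnectionCertCheck   // hypothetical name, example code only
{
    // Look up one thumbprint in one store; null if the store or the certificate is absent.
    static X509Certificate2 Find(StoreLocation location, StoreName name, string thumbprint)
    {
        var store = new X509Store(name, location);
        try
        {
            store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
            // validOnly: false, because self-signed certificates do not chain to a trusted root.
            var hits = store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, false);
            return hits.Count > 0 ? hits[0] : null;
        }
        catch (CryptographicException) { return null; }
        finally { store.Close(); }
    }

    static void Main()
    {
        // Path as given in the post; MyDocuments resolves to %UserProfile%\Documents.
        string path = Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.MyDocuments),
            @"Visual Studio 2012\Settings\Windows Azure Connections.xml");

        foreach (XElement cred in XDocument.Load(path).Descendants("NamedCredential"))
        {
            // Keep hex digits only, in case the file was hand-edited and picked up stray characters.
            string raw = (string)cred.Element("CertificateThumbprint") ?? "";
            string thumb = new string(raw.Where(Uri.IsHexDigit).ToArray()).ToUpperInvariant();
            string label = string.Format("{0} (subscription {1})",
                (string)cred.Element("Name"), (string)cred.Element("SubscriptionId"));

            X509Certificate2 cert = Find(StoreLocation.CurrentUser, StoreName.My, thumb);
            if (cert != null && cert.HasPrivateKey) { Console.WriteLine("OK       " + label); continue; }
            if (cert != null) { Console.WriteLine("NO KEY   " + label + ": " + thumb); continue; }

            Console.WriteLine("MISSING  " + label + ": " + thumb);
            // Report any other store holding it, e.g. an import that landed under Local Machine.
            foreach (StoreLocation loc in Enum.GetValues(typeof(StoreLocation)))
                foreach (StoreName sn in Enum.GetValues(typeof(StoreName)))
                    if (Find(loc, sn, thumb) != null)
                        Console.WriteLine("         found in " + loc + "\\" + sn);
        }
    }
}
```

A NO KEY or MISSING line identifies the NamedCredential entry to repair or delete.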

Specific Scenarios

These are the two specific scenarios where I saw the problem in case you are interested.

Scenario #1

This scenario failed whether or not a project was open.

  1. Open the Server Explorer window in Visual Studio
  2. Right-click on Windows Azure Storage, choose “Add New Storage Account…”, and the error dialog appears:
    “The certificate for the given thumbprint could not be loaded from the Current User/Personal certificate store. Please install the certificate.”
  3. This message is extra confusing since I don’t think there ought to be any certificates involved here. And no project/solution is open.

Scenario #2

This scenario requires an open Azure project.

  1. Open the UI tool for editing Azure configuration by opening your Cloud Project in Solution Explorer, drilling into Roles, and double-clicking on a Web Role or Worker Role project. The Role configuration editor window opens in Visual Studio.
  2. Choose Settings, then Add Setting (which creates Setting1 of Type=String), change Setting1’s Type to Connection String, and then click the “…” button at far right (to pop up the connection string edit window), and an error dialog appears:
    “The certificate for the given thumbprint could not be loaded from the Current User/Personal certificate store. Please install the certificate.”

Here are the screen shots for the two error dialogs (slightly different).


How to Enable ASP.NET Trace Statements to Show Up In Windows Azure Compute Emulator

As you may be aware, Windows Azure has a cloud simulation environment that can be run on a desktop or laptop computer to make it easier to develop applications for the Windows Azure cloud. One of the tools is the Compute Emulator, which simulates the running of Web Roles and Worker Roles as part of Cloud Services. The Compute Emulator is handy for seeing what’s going on with your Cloud Services, including display of logging trace messages from your application or from Azure. A small anomaly in the developer experience is that System.Diagnostics.Trace is configured to output to the Compute Emulator, but only when invoked from Web Role or Worker Role processes; trace statements from ASP.NET code (at least when using full IIS) do not appear. This is because ASP.NET processes lack the DevelopmentFabricTraceListener in the Trace.TraceListeners collection (as described long ago by fellow Windows Azure MVP Andy Cross (@andybareweb)).

The assembly needed in Andy’s instructions is hard to find these days (it lives in the GAC) and is undocumented. And you only want to do this in debug code running in your local Cloud Simulation environment anyway. So explicitly referencing the needed assembly feels a little dirty since you’d never want it to be deployed accidentally to the cloud.

The Solution

I’ve taken these considerations and created a very simple-to-use method that you can easily call from ASP.NET code (probably from Application_Start in Global.asax.cs) without worrying about it polluting your production code or causing other ills. The code uses reflection to load the needed assembly to avoid the need for an explicit reference, and the dynamic loading is only done under the proper circumstances; loading the assembly would never be attempted in a cloud deployment.

The Code

 

Bill is the author of the book Cloud Architecture Patterns, recently published by O’Reilly. Find Bill on twitter @codingoutloud or contact him for Windows Azure consulting.


Iterate through all certificates in the Certificate Store on Windows Azure

Pretty simple generic C# code to iterate through all certificates in the Windows Certificate Store and dump some metadata about each to standard output. Note that it really gets ALL certificates and doesn’t hard-code any stores or locations.

And just for fun, here is a dump of the certificates running on a Windows Azure Web Role (I did not install any add’l certificates on this instance):