Emby require to start as adminsitrator to enable SSL?

[jplobao 0]

Hi,

So, i am migrating Emby to other server, and now i noticed that, to be SSL available, i have to run Emby as an administrator. However, doing this i will loose access to the mapping drive to access all the library content.

Therefor, can you help me to configure a way, to Emby enable SSL, with my user account that has the mapping drives created, as i had in old server?

Thank you for your help

 

[Luke 37125]

Hi, starting as admin is not required for ssl. What makes you think this?

[jplobao 0]

Because when i start as admin it looks like this: 

 

But when i run without admin rights stays like this:

 

 

[jplobao 0]

I found an workaround. Creating the mapping drive while administrator solved the issue:

Run CMD as admin and use NET USE

and adding a regestry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System 

New DWORD named: EnableLinkedConnections

Set value to 1

Restart PC

 

[darkassassin07 429]

A server log would help, but absent that; I'd guess the non-admin user doesn't have permission to access the ssl cert thus can't start the https listener.

 

Running emby server (or any web service) as administrator is not a good idea.

[jplobao 0]

If you wanna go deep dive on it, i appreciated.

Logs in attach

embyserver.txt

[Happy2Play 8309]

Per that log there shouldn't be an issue.

2024-03-15 19:34:16.566 Info App: Adding HttpListener prefix http://+:8096/
2024-03-15 19:34:16.566 Info App: Adding HttpListener prefix https://+:443/

 

[jplobao 0]

it was running as admin... 

Attached with regular user 

 

Edited March 15 by jplobao

[Happy2Play 8309]

3 minutes ago, jplobao said:

it was running as admin... 

Attached with regular user 

Please remove log do to what you named your cert.

But as suspected user did not have access to cert.

Error loading cert from xxxxxxxxxxxxxxxx
Internal.Cryptography.CryptoThrowHelper+WindowsCryptographicException: Access denied.

Or is unable to load do to permissions but dev might be able to interpret it correctly.

Edited March 15 by Happy2Play

[jplobao 0]

The certificate is on a folder where all users have access! it is a standard folder...

[Luke 37125]

Adding HttpListener prefix https://+:443/

Maybe this is your issue. 

Emby Server does not need admin rights for SSL, but binding to port 443 is a special case that might special authorization on the system.

[Luke 37125]

FYI the default ssl port for emby server is 8920.

[Happy2Play 8309]

1 minute ago, Luke said:

Adding HttpListener prefix https://+:443/

Maybe this is your issue. 

Emby Server does not need admin rights for SSL, but binding to port 443 is a special case that might special authorization on the system.

That log was loaded as admin user.

Removed log was User got access denied.

2024-03-15 20:17:19.503 Error App: Error loading cert from C:\Cert\xxxxxxxxx.pfx
	*** Error Report ***
	Version: 4.8.3.0
	Command line: C:\Users\Administrator\AppData\Roaming\Emby-Server\system\EmbyServer.dll
	Operating system: Microsoft Windows 10.0.19045
	Framework: .NET 6.0.27
	OS/Process: x64/x64
	Runtime: C:/Users/Administrator/AppData/Roaming/Emby-Server/system/System.Private.CoreLib.dll
	Processor count: 4
	Data path: C:\Users\Administrator\AppData\Roaming\Emby-Server\programdata
	Application path: C:\Users\Administrator\AppData\Roaming\Emby-Server\system
	Internal.Cryptography.CryptoThrowHelper+WindowsCryptographicException: Internal.Cryptography.CryptoThrowHelper+WindowsCryptographicException: Access denied.
	   at Internal.Cryptography.Pal.CertificatePal.FilterPFXStore(ReadOnlySpan`1 rawData, SafePasswordHandle password, PfxCertStoreFlags pfxCertStoreFlags)
	   at Internal.Cryptography.Pal.CertificatePal.FromBlobOrFile(ReadOnlySpan`1 rawData, String fileName, SafePasswordHandle password, X509KeyStorageFlags keyStorageFlags)
	   at System.Security.Cryptography.X509Certificates.X509Certificate..ctor(String fileName, String password, X509KeyStorageFlags keyStorageFlags)
	   at System.Security.Cryptography.X509Certificates.X509Certificate2..ctor(String fileName, String password)
	   at Emby.Server.Implementations.ApplicationHost.GetCertificate(CertificateInfo info)
	Source: System.Security.Cryptography.X509Certificates
	TargetSite: Internal.Cryptography.Pal.Native.SafeCertContextHandle FilterPFXStore(System.ReadOnlySpan`1[System.Byte], Microsoft.Win32.SafeHandles.SafePasswordHandle, Internal.Cryptography.Pal.Native.PfxCertStoreFlags)

So is it a User cannot load or just doesn't have permission to the cert?

[Luke 37125]

Ok so @jplobaowe cannot tell you why access is being denied. We can only confirm that it is happening and give you steps to try and resolve it, but there is no way for us to determine why as it is specific to your enviornment.

My suggestion would be to make a certificates subfolder underneath C:\Users\Administrator\AppData\Roaming\Emby-Server\programdata

And put the pfx there.

[jplobao 0]

For testing porpuses, i changed the port to the default one, but the issue is the same.

Regarding to pfx file, i added security for "Everyone" , Full control. The folder also Full contro for user "Everyone". The same still continues to happen.

As i said, because of an issue with addin "Trailers" (you can see it in other post of mine), today i migrated from Windows 8 to Windows 10. In windows 8 the same configurarions were working fine. In Windows10 i got this issue...

I will test putting the certificate on the folder mentioned by @Lukeand i will give you some feedback about it

 

[jplobao 0]

The result was the same.

If you want i can paste here the logs... But the results were the same

[Luke 37125]

7 hours ago, jplobao said:

The result was the same.

If you want i can paste here the logs... But the results were the same

Hi, yes please and thanks.

[jplobao 0]

Sure,

Where it is

embyserver .txt

[Luke 37125]

On 3/16/2024 at 8:48 AM, jplobao said:

Sure,

Where it is

embyserver .txt 39.93 kB · 3 downloads

Hi, this might be your issue: https://github.com/Microsoft/dotnet-framework-early-access/issues/25#issuecomment-394419380

So the access denied is not about the pfx file but about the machine keystore.

[jplobao 0]

Hi,

I reviewed that post, and checked my machine and the default permissions are set!. This "server" it was not an upgrade, but a fresh windows 10 install. I use "certifytheweb" to generate the certificate, and it goes with no issue.

Do you still think this is the issue?

Thanks

[Luke 37125]

Quote

and it goes with no issue.

"goes with no issue" doesn't really matter. The problem is related to how the certificate is configured, not whether it succeeds to generate or not. The certificate is configured to use the local machine keystore, and this is what is throwing the access denied errors.