Open Certificate user Store in IIS 6

 
 
vecozo@online.nospam
09-05-2005
I've got a problem with opening a certificate user store under IIS6

The situation is:
- I've created an application pool in IIS6 that runs under a local user
account. This account is member of the IIS_WPG group
- In the personal store of the user is a certificate installed.
- I've got a simple aspx page that opens the current user store and shows
the personal certificates and makes it possible to show the details of it.
- When the user is locally logged on to the box it works fine, but when the
user isn't logged on locally, no certificate is found. (even when I make the
user administrator)

How can I open the personal certificate store of the user and get the
personal certificates in IIS6.

Best Regards,
Raymond Roelands

--
______________________________
www.VECOZO.nl

 
Damien
09-05-2005
vecozo@online.nospam wrote:
> I've got a problem with opening a certificate user store under IIS6
>
> The situation is:
> - I've created an application pool in IIS6 that runs under a local user
> account. This account is member of the IIS_WPG group
> - In the personal store of the user is a certificate installed.
> - I've got a simple aspx page that opens the current user store and shows
> the personal certificates and makes it possible to show the details of it.
> - When the user is locally logged on to the box it works fine, but when the
> user isn't logged on locally, no certificate is found. (even when I make the
> user administrator)
>
> How can I open the personal certificate store of the user and get the
> personal certificates in IIS6.
>
> Best Regards,
> Raymond Roelands
>
> --
> ______________________________
> www.VECOZO.nl


Hi Raymond,

I believe that this is related to profiles/registry - that when you run
something as another user, windows doesn't load the full HKCU registry
for the user.

I'm desperately trying to Google for resources. I believe it's going to
involve calls to LoadUserProfile and a lot of other P/Invoke work to
make it happen, unless someone else knows different?

Damien

 
Steven Cheng[MSFT]
09-06-2005
Hi Raymond,

For accessing certificates, when the certificate is installed in the User
store, only a process running under that particular user can access those
certificates. So, as you mentioned that your asp.net web application can
successfully access the certificate when navigating from local but fails when
going through a remote client, I'm wondering whether the asp.net worker
thread's security context being changed causes the problem. Have you used
impersonation in your asp.net application? When using impersonation in
asp.net with IIS configured for integrated Windows authentication, the
asp.net worker process will run under the client user's security context.
You can check to see whether this is the problem. In addition, if
convenient, would you also provide the complete code snippet on how you
access the certificate in the user store?

Thanks,

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)



 
vecozo@online.nospam
09-13-2005
Hi,

The W3WP process is running under the user whose store I try to open. It's
very strange that it works while the user is logged on to the machine (through
terminal services).
On W2k this is not a problem.

But I tried another solution: the certificate is now stored in the personal
store of the local machine and I granted the user of the w3wp process access
to the certificate (using winhttpcertcfg.exe).
This required a very small code change but works on both w2k and w2k3.

Raymond
--
______________________________
www.VECOZO.nl



"Steven Cheng[MSFT]" wrote:

> Hi Raymond,
>
> For accessing certificates, when the certificate is installed in User
> store, only the process running under that certain user can access those
> certificates. So as you mentioned that your asp.net web application can
> successfully access the certificate when navigate from local but failed when
> through a remote client, I'm wondering whether it's the asp.net worker
> thread's security context be changed cause the problem. Have you used
> impersonation in your asp.net application? When using impersonation in
> asp.net and IIS configured as integrated windows authentication, the
> asp.net's worker process will run under the client user's security context.
> You can have a check to see whether this is the problem. In addition, if
> convenient, would you also provide the complete code snippet on how to
> access the certificate in user store ?
>
> Thanks,
>
> Steven Cheng
> Microsoft Online Support
>
> Get Secure! www.microsoft.com/security
> (This posting is provided "AS IS", with no warranties, and confers no
> rights.)
>
>

 
Steven Cheng[MSFT]
09-14-2005
Thanks for your further followup Raymond,

I think the reason for the behavior you met is just as Damien mentioned: for
a service application such as asp.net, when the process starts, the process
account is logged in through a service logon rather than an interactive logon,
so it's possible there is no USER PROFILE for that logon session. That's why
the process's access to the certificate in the worker process account's user
store fails. After you interactively log on using that account through
terminal services, the USER PROFILE is loaded, so the asp.net process
succeeds in retrieving the user store certificate.

In addition, I think your current solution is a reasonable one, since for
those service accounts (local accounts) which may have no USER PROFILE
loaded, we'd better put the certificate in the LOCAL MACHINE store and grant
them the access permission, so as to make the certificate available to those
non-interactive service processes.

Thanks,

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)



 
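Steven asked earlier for the code that opens the store, and the replies above settle on two explanations: the worker thread may be running under a different (impersonated) identity, and a service logon may have no user profile, so the CurrentUser store is not there to open. The helper below is an added example, not code from Raymond, Damien or Microsoft, that makes both explanations testable from inside the worker process: it reports the thread and process identities, whether USERPROFILE is set, what CurrentUser\My and LocalMachine\My each contain for a given subject, and whether the private key of a matching certificate is actually readable by that account, which is the permission winhttpcertcfg.exe grants in Raymond's final solution. It assumes .NET 2.0 or later (X509Store does not exist in 1.1, which the thread also discusses) and uses the placeholder subject name `example-client`.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Security.Principal;
using System.Text;

// Added diagnostic, not code from this thread. Assumes .NET 2.0 or later
// (System.Security.Cryptography.X509Certificates.X509Store). The subject
// fragment is a placeholder; replace it with the real certificate's CN.
public static class CertStoreProbe
{
    private const string SubjectFragment = "example-client"; // placeholder

    // Returns a multi-line report of what the calling security context can see.
    // Call it from inside the worker process (e.g. Page_Load, then Response.Write)
    // so that it reflects the app-pool or impersonated identity, not yours.
    public static string Report()
    {
        StringBuilder sb = new StringBuilder();

        // Thread identity changes under ASP.NET impersonation; the process
        // identity is the application pool account. If they differ, the
        // CurrentUser store being opened belongs to the impersonated client.
        sb.AppendLine("Thread identity : " + WindowsIdentity.GetCurrent().Name);
        sb.AppendLine("Process identity: " + Environment.UserName);

        // A service logon without a loaded profile typically has no usable
        // USERPROFILE; that is the condition the thread pins the failure on.
        string profile = Environment.GetEnvironmentVariable("USERPROFILE");
        sb.AppendLine("USERPROFILE     : " + (profile == null ? "<not set>" : profile));

        ProbeStore(StoreLocation.CurrentUser, sb);
        ProbeStore(StoreLocation.LocalMachine, sb);
        return sb.ToString();
    }

    private static void ProbeStore(StoreLocation location, StringBuilder sb)
    {
        X509Store store = new X509Store(StoreName.My, location);
        try
        {
            // OpenExistingOnly turns a missing store into an error instead of
            // an empty result, which separates "no profile / no store" from
            // "store present but certificate absent".
            store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
            X509Certificate2Collection found = store.Certificates.Find(
                X509FindType.FindBySubjectName, SubjectFragment, false);
            sb.AppendLine(location + "\\My: " + found.Count + " matching certificate(s)");

            foreach (X509Certificate2 cert in found)
            {
                sb.AppendLine("  " + cert.Subject + " thumbprint=" + cert.Thumbprint);
                sb.AppendLine("  private key: " + DescribePrivateKeyAccess(cert));
            }
        }
        catch (CryptographicException ex)
        {
            sb.AppendLine(location + "\\My: cannot open store (" + ex.Message + ")");
        }
        finally
        {
            store.Close();
        }
    }

    // Having the certificate in the store is not enough for client TLS or
    // signing: the account also needs read access to the private key
    // container. That ACL is what winhttpcertcfg.exe grants.
    private static string DescribePrivateKeyAccess(X509Certificate2 cert)
    {
        if (!cert.HasPrivateKey)
        {
            return "none associated (certificate only)";
        }
        try
        {
            // Throws CryptographicException when the key container exists
            // but this account is not allowed to read it.
            AsymmetricAlgorithm key = cert.PrivateKey;
            return key == null ? "present but not loadable" : "readable (" + key.KeySize + "-bit)";
        }
        catch (CryptographicException ex)
        {
            return "present but access denied: " + ex.Message
                 + " (grant this account read access to the key container)";
        }
    }
}
```

Call `CertStoreProbe.Report()` from `Page_Load` and write the result to the response while the account is not interactively logged on. A store-open failure or zero count under CurrentUser together with a hit under LocalMachine confirms the profile-not-loaded explanation; a hit under LocalMachine whose private key reports "access denied" means the certificate was moved but the key permission step was skipped. Keep the page restricted to administrators, since it reveals which account the pool runs as and what certificates it holds.
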
JIMCO Software
09-14-2005
Steven Cheng[MSFT] wrote:
> Thanks for your further followup Raymond,
>
> I think the reason of the behavior you met is just as Damien
> mentioned, for service application such as asp.net, when start the
> process, the process account is login through a service login rather
> than interactive login, so it's possible there is no USER PROFILE for
> that logon session. That's why the process's accessing to certificate
> in the worker process account's user store fails. After you
> interactively logon using that account through terminal service, the
> USER PROFILE is loaded, so the asp.net process get successful to
> retrieve the use store certificate.
>
> In addition, I think your current solution is a reasonable one since
> for those service account (local account) which may have no USER
> PROFILE loaded, we'd better put certificate in LOCAL MACHINE store
> and grant them the access permission to as to make the certificate
> available to those non-interactive service processes.
>


Steven,

In 1.1, when the process starts, ASP.NET calls LoadUserProfile internally.
That's what creates the C:\Documents and Settings\<machine_name>\ASPNET
folder. I mention this simply as a correction because there actually is a
profile loaded for ASPNET.

--
Jim Cheshire
JIMCO Software
http://www.jimcosoftware.com

FrontPage add-ins for FrontPage 2000 - 2003




 
Steven Cheng[MSFT]
09-14-2005
Thanks for your further input Jim,

Yes, the local ASPNET account's profile will be loaded. However, on win2k3,
when using the IIS6 model with NetworkService, the profile may not be
loaded correctly as it is for the ASPNET account.

Thanks,

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)


 
JIMCO Software
09-14-2005
Steven Cheng[MSFT] wrote:
> Thanks for your further input Jim,
>
> yes, the LOCAL ASPNET account 's profile will be loaded. However, on
> win2k3 , when using the IIS6 model with NetworkService, the profile
> may not be loaded correctly as the ASPNET account.
>


Boy, my reading skills are really going downhill in my old age. Didn't even
see "IIS6" in this.

--
Jim Cheshire
JIMCO Software
http://www.jimcosoftware.com

FrontPage add-ins for FrontPage 2000 - 2003




 