Issue with X509Certificate2 (works with Cassini, fails with IIS)

Discussion in 'ASP .Net Security' started by dpomt, Nov 5, 2006.

  1. dpomt

    dpomt Guest

    Hello,

I have an issue with the X509Certificate2 constructor.

---------
using System.IO;
using System.Security.Cryptography.X509Certificates;

// Read the whole PFX file into memory.
byte[] buffer;
using (FileStream fs = File.Open(m_strCertLocation, FileMode.Open, FileAccess.Read))
{
    buffer = new byte[fs.Length];
    int count = fs.Read(buffer, 0, buffer.Length);
}

// Import the certificate into the machine key store (the call that throws under IIS).
X509Certificate2 cert = new X509Certificate2(buffer,
    m_strCertPassword, X509KeyStorageFlags.MachineKeySet);
---------


throws a System.Security.Cryptography.CryptographicException: Access
denied when running under IIS 5.0 or IIS 6.0, while it works fine with Cassini.

[CryptographicException: Access denied]

System.Security.Cryptography.CryptographicException.ThrowCryptogaphicException(Int32 hr) +33

System.Security.Cryptography.X509Certificates.X509Utils._LoadCertFromBlob(Byte[] rawData, IntPtr password, UInt32 dwFlags, Boolean persistKeySet, SafeCertContextHandle& pCertCtx) +0

System.Security.Cryptography.X509Certificates.X509Certificate.LoadCertificateFromBlob(Byte[] rawData, Object password, X509KeyStorageFlags keyStorageFlags) +194

System.Security.Cryptography.X509Certificates.X509Certificate2..ctor(Byte[] rawData, String password, X509KeyStorageFlags keyStorageFlags)
....


The code did run without exception in IIS 5.0/6.0 before, but I had no
success in finding out what has changed since then.

Since Cassini runs with my user account, which has admin rights, I have
temporarily added the ASPNET account to the admin group - but that did not
change anything.


m_strCertLocation is the file name with path to an encrypted certificate that
is located in the App_Data directory of my web app.

    Any suggestions?
    Thanks,
    Dieter
    dpomt, Nov 5, 2006
    #1

  2. dpomt

    dpomt Guest

    Just found out what the problem is:

User ASPNET needs the Change right on the folder
D:\Dokumente und Einstellungen\All
Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys

After granting Change rights to ASPNET for that folder, the code also works
in IIS 5.0/6.0.
    dpomt, Nov 5, 2006
    #2

  3. Hi Dpomt,

    Yes, as you've found out, this is a security permission issue.

Actually, the problem is due to the different process/security model of
Cassini (the VS 2005 test server) versus an IIS-based ASP.NET web application.

** For IIS-hosted ASP.NET applications, the worker process is running under
the ASP.NET worker process account. The default is machine\ASPNET (for IIS5)
or NetworkService (for IIS6). These service accounts are normally not
powerful.

** When using the VS 2005 test server (Cassini), it is actually a .NET
WinForms application, so the ASP.NET application hosted in the test server is
running under the current logon user account, which is usually a powerful
user account, so you bypass many security issues under this condition.

    Sincerely,

    Steven Cheng

    Microsoft MSDN Online Support Lead



    This posting is provided "AS IS" with no warranties, and confers no rights.
    Steven Cheng[MSFT], Nov 6, 2006
    #3
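As an added example (not code from this thread or from Microsoft), a loader that, when the constructor fails with "Access denied", reports the identity the worker process actually runs as and its effective rights on the MachineKeys folder named in post #2, so the Change/Modify right can be granted to that one account instead of widening its group membership as tried in post #1. The class and method names are mine; the folder path is derived from the common application data folder rather than hard-coded.

```csharp
using System;
using System.IO;
using System.Security.AccessControl;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Security.Principal;

// Hypothetical diagnostic helper around the X509Certificate2(byte[], string,
// X509KeyStorageFlags) constructor used in the thread.
public static class MachineKeySetDiagnostics
{
    // Folder holding machine-level RSA key containers; MachineKeySet writes here.
    public static string MachineKeysFolder =>
        Path.Combine(
            Environment.GetFolderPath(Environment.SpecialFolder.CommonApplicationData),
            @"Microsoft\Crypto\RSA\MachineKeys");

    // Summarise the effective rights the current process identity has on a folder,
    // considering only ACL entries that apply to the user or one of its groups.
    public static string DescribeFolderRights(string folder)
    {
        WindowsIdentity identity = WindowsIdentity.GetCurrent();
        DirectorySecurity acl = new DirectoryInfo(folder).GetAccessControl();
        FileSystemRights allowed = FileSystemRights.None;
        FileSystemRights denied = FileSystemRights.None;
        foreach (FileSystemAccessRule rule in acl.GetAccessRules(true, true, typeof(SecurityIdentifier)))
        {
            var sid = (SecurityIdentifier)rule.IdentityReference;
            if (!identity.User.Equals(sid) && !identity.Groups.Contains(sid)) continue;
            if (rule.AccessControlType == AccessControlType.Allow) allowed |= rule.FileSystemRights;
            else denied |= rule.FileSystemRights;
        }
        return $"{identity.Name} on {folder}: {allowed & ~denied}";
    }

    // Load the PFX into the machine key store; on failure, attach who we are and
    // what rights we hold on MachineKeys so the fix can target that account only.
    public static X509Certificate2 LoadOrExplain(string pfxPath, string password)
    {
        byte[] raw = File.ReadAllBytes(pfxPath);
        try
        {
            return new X509Certificate2(raw, password, X509KeyStorageFlags.MachineKeySet);
        }
        catch (CryptographicException ex)
        {
            throw new InvalidOperationException(
                $"Loading '{pfxPath}' failed: {ex.Message}. " + DescribeFolderRights(MachineKeysFolder), ex);
        }
    }
}
```

Under IIS the reported identity will be the worker process account (machine\ASPNET or NetworkService as described above), and the rights string shows whether it lacks Write/Modify on the folder.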
