Launch signtool in a Web Service

Discussion in 'ASP .Net Web Services' started by Thibaut Blanchin, Jul 24, 2007.

  1. Does anybody know how to launch signtool.exe correctly inside a Web Service?
    I'm having a headache trying....

    For security and authentication reasons I use Impersonation (configured in
    the web.config file). I've created a WS that uses process.start to launch signtool.
    I'm getting the error: "SignTool Error: CoCreateInstance returned error:
    0x80040150 Could not read key from registry"
    After some search I've found that processes are launched under the IIS
    Application Pool account instead of the impersonated user. So, I've created a new
    application pool running under a domain account (CertExe) which has
    administrator rights on the web server and changed my application to run
    inside this pool.
    This requires creating an SPN or changing authentication on IIS from
    Kerberos to NTLM. I've tried both; the process is actually running under the
    CertExe account but I still have the error. To verify, I logged on to the web
    server with the CertExe account, then I retrieved the command line generated by
    the Web Service and launched it in cmd.exe, and it worked perfectly.
    I've also found a thread here:
    http://groups.google.fr/group/micro...115518ec324/270b82cb52a28853#270b82cb52a28853
    He suggests calling kernel32.dll to launch the process, but the problem is
    that it doesn't work (I mean it is actually running but signtool doesn't do
    the job) and I can't get access to standard and error output to see what
    happens...
    Finally I've used Sysinternals Filemon and Process Monitor to have a look at
    what is accessed by signtool.
    Unfortunately, signtool is opening a huge number of keys in the registry but
    always successfully.... It seems that the error "could not read key from
    registry" is not appropriate. Something else is going wrong but I don't know
    what...
    If somebody has an idea, I would appreciate it a lot since I'm a bit lost
    now!

    --
    Thibaut Blanchin
    DT - Plate formes & Systèmes
    CEGID
     
    Thibaut Blanchin, Jul 24, 2007
    #1

  2. OK, I've finally found the solution....
    The problem is not due to ASP.net or WebService programming but to signtool.exe.
    This tool needs the profile of the user it is running under to be loaded
    (maybe trying to access registry keys under HKCU).
    If you just run process.start, the profile is not loaded for the context of
    execution...
    If a session for this user doesn't already exist, signtool will crash.
    The easiest way to work around it is to leave a session locked under this account
    on the server,
    or to launch a task like cmd.exe with runas or scheduled tasks.

    So, here is how to make a web service call signtool, if this could help
    somebody:

    - Use impersonation: this is necessary since the access will be checked
    against the current user. Check also that the user has enough rights to
    access signtool.exe.

    - Create an application pool running under a dedicated user "CertUser"
    (domain or not) that will be able to perform the sign file process (access to
    the pfx / reach the timestamping service). When the child process is created by
    process.start it will not be created under the impersonated user but under CertUser.

    - Open a session for CertUser by logging on to the server or launching a task
    under this user.

    I don't know if there is a better solution to force the profile of this user
    to be loaded with process.start...

    --
    Thibaut Blanchin
    DT - Plate formes & Systèmes
    CEGID

     
    Thibaut Blanchin, Jul 25, 2007
    #2
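As an added example, not code posted in this thread: a C# helper that launches signtool.exe as a dedicated account with `ProcessStartInfo.LoadUserProfile` set, so that account's profile (and therefore its HKCU hive) is loaded by the runtime instead of depending on a session being left logged on, and that captures standard output and error, which the first post could not obtain from the kernel32 approach. `LoadUserProfile` is a documented .NET property that only takes effect when `UserName` is set; it is not something the thread mentions. The signtool path, .pfx path, timestamp URL and the account name "CertUser" are placeholders assumed here, and the password is expected to come from a protected configuration source supplied by the caller.

```csharp
using System;
using System.Diagnostics;
using System.IO;
using System.Security;
using System.Text;

// Added example for the thread above; not code posted by the author.
// Assumed (hypothetical) values: the signtool.exe path, the .pfx path, the
// dedicated account "CertUser", and a caller that supplies its password from a
// protected configuration section rather than from source code.
public static class SignToolRunner
{
    public sealed class SignResult
    {
        public int ExitCode;
        public string StdOut;
        public string StdErr;
        public bool Succeeded { get { return ExitCode == 0; } }
    }

    // Quotes a single command-line argument so paths with spaces survive.
    static string Quote(string arg)
    {
        return "\"" + arg.Replace("\"", "\\\"") + "\"";
    }

    // Runs signtool.exe as the dedicated account with that account's user
    // profile loaded. ProcessStartInfo.LoadUserProfile only takes effect when
    // UserName is set (the runtime then uses CreateProcessWithLogonW with
    // LOGON_WITH_PROFILE), which is what makes HKCU for CertUser, and therefore
    // its "Personal" certificate store, available to the child process.
    public static SignResult Sign(string signToolPath, string pfxPath, string timestampUrl,
                                  string fileToSign, string domain, string userName,
                                  SecureString password)
    {
        if (!File.Exists(signToolPath)) throw new FileNotFoundException("signtool not found", signToolPath);
        if (!File.Exists(fileToSign)) throw new FileNotFoundException("file to sign not found", fileToSign);

        // Same switches as the thread (/f for the .pfx, /t for the timestamp server).
        // A password-protected .pfx would need /p, which exposes the password on the
        // process command line; importing the certificate into CertUser's Personal
        // store and selecting it with /n avoids that, and is another reason the
        // profile has to be loaded.
        string args = "sign /f " + Quote(pfxPath) + " /t " + Quote(timestampUrl) + " " + Quote(fileToSign);

        ProcessStartInfo psi = new ProcessStartInfo(signToolPath, args);
        psi.UseShellExecute = false;        // required for credentials and redirection
        psi.RedirectStandardOutput = true;  // capture what signtool reports
        psi.RedirectStandardError = true;
        psi.CreateNoWindow = true;
        psi.Domain = domain;
        psi.UserName = userName;
        psi.Password = password;
        psi.LoadUserProfile = true;         // load the account's profile instead of relying on a logged-on session
        psi.WorkingDirectory = Path.GetDirectoryName(Path.GetFullPath(fileToSign));

        StringBuilder stdout = new StringBuilder();
        StringBuilder stderr = new StringBuilder();
        using (Process p = new Process())
        {
            p.StartInfo = psi;
            // Asynchronous reads: reading both pipes synchronously can deadlock
            // when one of them fills its buffer before the other is drained.
            p.OutputDataReceived += delegate(object s, DataReceivedEventArgs e)
            {
                if (e.Data != null) stdout.AppendLine(e.Data);
            };
            p.ErrorDataReceived += delegate(object s, DataReceivedEventArgs e)
            {
                if (e.Data != null) stderr.AppendLine(e.Data);
            };
            p.Start();
            p.BeginOutputReadLine();
            p.BeginErrorReadLine();
            if (!p.WaitForExit(120 * 1000))
            {
                p.Kill();
                throw new TimeoutException("signtool did not finish within 120 s; stderr so far: " + stderr);
            }
            p.WaitForExit(); // a second call without a timeout drains the async readers

            SignResult r = new SignResult();
            r.ExitCode = p.ExitCode;
            r.StdOut = stdout.ToString();
            r.StdErr = stderr.ToString();
            return r;
        }
    }
}
```

From the web method, call `SignToolRunner.Sign(@"C:\Tools\signtool.exe", @"C:\Certs\code.pfx", "http://timestamp.example/", pathToBinary, "CORP", "CertUser", securePassword)` and log `StdErr` when `Succeeded` is false; the captured text replaces the guesswork with Filemon described in the first post. Starting a process with explicit credentials depends on the Secondary Logon (seclogon) service running on the server. Because the child runs as CertUser regardless of the pool identity, the application pool itself can stay on a low-privilege account, and CertUser needs only read access to the .pfx (or its own certificate store) and outbound access to the timestamp service, not administrator rights.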
