Open Certificate user Store in IIS 6

Discussion in 'ASP .Net' started by vecozo@online.nospam, Sep 5, 2005.

  1. I've got a problem with opening a certificate user store under IIS6

    The situation is:
    - I've created an application pool in IIS6 that runs under a local user
    account. This account is a member of the IIS_WPG group.
    - A certificate is installed in the personal store of the user.
    - I've got a simple aspx page that opens the current user store, shows
    the personal certificates and makes it possible to show the details of them.
    - When the user is locally logged on to the box it works fine, but when the
    user isn't logged on locally, no certificate is found (even when I make the
    user an administrator).

    How can I open the personal certificate store of the user and get the
    personal certificates in IIS6?

    Best Regards,
    Raymond Roelands

    --
    ______________________________
    www.VECOZO.nl
     
    vecozo@online.nospam, Sep 5, 2005
    #1

  2. Damien (Guest)

    vecozo@online.nospam wrote:
    > I've got a problem with opening a certificate user store under IIS6
    >
    > The situation is:
    > - I've created an application pool in IIS6 that runs under a local user
    > account. This account is a member of the IIS_WPG group.
    > - A certificate is installed in the personal store of the user.
    > - I've got a simple aspx page that opens the current user store, shows
    > the personal certificates and makes it possible to show the details of them.
    > - When the user is locally logged on to the box it works fine, but when the
    > user isn't logged on locally, no certificate is found (even when I make the
    > user an administrator).
    >
    > How can I open the personal certificate store of the user and get the
    > personal certificates in IIS6?
    >
    > Best Regards,
    > Raymond Roelands
    >
    > --
    > ______________________________
    > www.VECOZO.nl


    Hi Raymond,

    I believe that this is related to profiles/registry: when you run
    something as another user, Windows doesn't load the full HKCU registry
    for the user.

    I'm desperately trying to Google for resources. I believe it's going to
    involve calls to LoadUserProfile and a lot of other P/Invoke work to
    make it happen, unless someone else knows different?

    Damien
     
    Damien, Sep 5, 2005
    #2

  3. Hi Raymond,

    For accessing certificates, when the certificate is installed in the User
    store, only the process running under that certain user can access those
    certificates. So as you mentioned that your asp.net web application can
    successfully access the certificate when navigating from local but fails when
    going through a remote client, I'm wondering whether it's the asp.net worker
    thread's security context being changed that causes the problem. Have you used
    impersonation in your asp.net application? When using impersonation in
    asp.net and IIS configured as integrated windows authentication, the
    asp.net worker process will run under the client user's security context.
    You can have a check to see whether this is the problem. In addition, if
    convenient, would you also provide the complete code snippet on how you
    access the certificate in the user store?

    Thanks,

    Steven Cheng
    Microsoft Online Support

    Get Secure! www.microsoft.com/security
    (This posting is provided "AS IS", with no warranties, and confers no
    rights.)


    Steven Cheng[MSFT], Sep 6, 2005
    #3
  4. Hi,

    The W3WP process is running under the user whose store I try to open. It's
    very strange that it works while the user is logged on to the machine (through
    terminal services).
    On W2k this is not a problem.

    But I tried another solution: the certificate is now stored in the personal
    store of the local machine and I granted access to the user of the w3wp
    process to the certificate (using winhttpcertcfg.exe).
    This caused a very small code change but works on both w2k and w2k3.

    Raymond
    --
    ______________________________
    www.VECOZO.nl



    "Steven Cheng[MSFT]" wrote:

    > Hi Raymond,
    >
    > For accessing certificates, when the certificate is installed in the User
    > store, only the process running under that certain user can access those
    > certificates. So as you mentioned that your asp.net web application can
    > successfully access the certificate when navigating from local but fails when
    > going through a remote client, I'm wondering whether it's the asp.net worker
    > thread's security context being changed that causes the problem. Have you used
    > impersonation in your asp.net application? When using impersonation in
    > asp.net and IIS configured as integrated windows authentication, the
    > asp.net worker process will run under the client user's security context.
    > You can have a check to see whether this is the problem. In addition, if
    > convenient, would you also provide the complete code snippet on how you
    > access the certificate in the user store?
    >
    > Thanks,
    >
    > Steven Cheng
    > Microsoft Online Support
    >
    > Get Secure! www.microsoft.com/security
    > (This posting is provided "AS IS", with no warranties, and confers no
    > rights.)
    >
    >
     
    vecozo@online.nospam, Sep 13, 2005
    #4
  5. Thanks for your further followup Raymond,

    I think the reason for the behavior you met is just as Damien mentioned: for
    service applications such as asp.net, when the process starts, the process
    account is logged in through a service logon rather than an interactive logon, so
    it's possible there is no USER PROFILE for that logon session. That's why
    the process's access to the certificate in the worker process account's user
    store fails. After you interactively log on using that account through
    terminal services, the USER PROFILE is loaded, so the asp.net process
    succeeds in retrieving the user store certificate.

    In addition, I think your current solution is a reasonable one, since for
    those service accounts (local accounts) which may have no USER PROFILE
    loaded, we'd better put the certificate in the LOCAL MACHINE store and grant them
    the access permission so as to make the certificate available to those
    non-interactive service processes.

    Thanks,

    Steven Cheng
    Microsoft Online Support

    Get Secure! www.microsoft.com/security
    (This posting is provided "AS IS", with no warranties, and confers no
    rights.)


     
    Steven Cheng[MSFT], Sep 14, 2005
    #5
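    The thread settles on the pattern Raymond described in #4 and Steven justified in #5: keep the certificate in the LocalMachine personal store and grant the worker-process account read access to its private key, rather than relying on a user store that is only present when a user profile is loaded. The following is an added example (not code from the thread or from any poster) of what the aspx page's lookup and diagnostics can look like with that layout. It assumes the .NET 2.0+ X509Store API, a thumbprint placeholder that you substitute with your own, and an app-pool identity that has already been granted key access with winhttpcertcfg.exe.

```csharp
// Added example, not from the thread. Assumes .NET Framework 2.0+ for X509Store.
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Security.Principal;
using System.Text;

public static class ServiceCertificateLookup
{
    // Placeholder thumbprint; replace with the SHA-1 thumbprint of your own certificate.
    public const string ThumbprintPlaceholder = "0000000000000000000000000000000000000000";

    // Look the certificate up by thumbprint in the personal (My) store of the given
    // location. LocalMachine is the location the thread recommends for a service account.
    public static X509Certificate2 FindByThumbprint(StoreLocation location, string thumbprint)
    {
        X509Store store = new X509Store(StoreName.My, location);
        store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
        try
        {
            // validOnly = false so a test or expired certificate is still returned;
            // the caller decides whether it is acceptable for the purpose.
            X509Certificate2Collection matches = store.Certificates.Find(
                X509FindType.FindByThumbprint, thumbprint, false);
            return matches.Count == 1 ? matches[0] : null;
        }
        finally
        {
            store.Close();
        }
    }

    // Diagnostic for the symptom in this thread: under a service logon with no user
    // profile loaded, CurrentUser\My reports zero certificates for the same account
    // that shows them when logged on interactively, while LocalMachine\My is unaffected.
    public static string DescribeStores()
    {
        StringBuilder sb = new StringBuilder();
        sb.AppendFormat("Process identity: {0}\n", WindowsIdentity.GetCurrent().Name);
        StoreLocation[] locations = new StoreLocation[] { StoreLocation.CurrentUser, StoreLocation.LocalMachine };
        foreach (StoreLocation loc in locations)
        {
            X509Store store = new X509Store(StoreName.My, loc);
            try
            {
                store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
                sb.AppendFormat("{0}\\My: {1} certificate(s)\n", loc, store.Certificates.Count);
                store.Close();
            }
            catch (CryptographicException ex)
            {
                // OpenExistingOnly throws when the store does not exist for this identity.
                sb.AppendFormat("{0}\\My: cannot open ({1})\n", loc, ex.Message);
            }
        }
        return sb.ToString();
    }

    // Being able to enumerate the certificate is not the same as being able to use it.
    // The private key file has its own ACL; if the app-pool account was not granted
    // read access (the winhttpcertcfg.exe step), touching PrivateKey throws.
    public static bool CanUsePrivateKey(X509Certificate2 cert, out string detail)
    {
        if (cert == null) { detail = "certificate not found"; return false; }
        if (!cert.HasPrivateKey) { detail = "no private key associated with this certificate"; return false; }
        try
        {
            AsymmetricAlgorithm key = cert.PrivateKey;
            detail = key != null ? "private key accessible" : "private key not accessible";
            return key != null;
        }
        catch (CryptographicException ex)
        {
            detail = "private key ACL denies this identity: " + ex.Message;
            return false;
        }
    }
}
```

    In the aspx page, `Response.Write(Server.HtmlEncode(ServiceCertificateLookup.DescribeStores()))` shows which stores the worker process can actually see, and `FindByThumbprint(StoreLocation.LocalMachine, ...)` followed by `CanUsePrivateKey` confirms the key grant took effect. The grant itself is the usual `winhttpcertcfg -g -c LOCAL_MACHINE\My -s "<subject>" -a "<app-pool account>"` invocation, with the subject and account as placeholders for your own values; granting only that account read access to the key keeps the pool identity at least privilege, which is what makes this preferable to the "make the user administrator" attempt in the opening post.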
  6. Steven Cheng[MSFT] wrote:
    > Thanks for your further followup Raymond,
    >
    > I think the reason for the behavior you met is just as Damien
    > mentioned: for service applications such as asp.net, when the
    > process starts, the process account is logged in through a service logon rather
    > than an interactive logon, so it's possible there is no USER PROFILE for
    > that logon session. That's why the process's access to the certificate
    > in the worker process account's user store fails. After you
    > interactively log on using that account through terminal services, the
    > USER PROFILE is loaded, so the asp.net process succeeds in
    > retrieving the user store certificate.
    >
    > In addition, I think your current solution is a reasonable one, since
    > for those service accounts (local accounts) which may have no USER
    > PROFILE loaded, we'd better put the certificate in the LOCAL MACHINE store
    > and grant them the access permission so as to make the certificate
    > available to those non-interactive service processes.
    >


    Steven,

    In 1.1, when the process starts, ASP.NET calls LoadUserProfile internally.
    That's what creates the C:\Documents and Settings\<machine_name>\ASPNET
    folder. I mention this simply as a correction because there actually is a
    profile loaded for ASPNET.

    --
    Jim Cheshire
    JIMCO Software
    http://www.jimcosoftware.com

    FrontPage add-ins for FrontPage 2000 - 2003
     
    JIMCO Software, Sep 14, 2005
    #6
  7. Thanks for your further input Jim,

    Yes, the local ASPNET account's profile will be loaded. However, on win2k3,
    when using the IIS6 model with NetworkService, the profile may not be
    loaded correctly as it is for the ASPNET account.

    Thanks,

    Steven Cheng
    Microsoft Online Support

    Get Secure! www.microsoft.com/security
    (This posting is provided "AS IS", with no warranties, and confers no
    rights.)

     
    Steven Cheng[MSFT], Sep 14, 2005
    #7
  8. Steven Cheng[MSFT] wrote:
    > Thanks for your further input Jim,
    >
    > Yes, the local ASPNET account's profile will be loaded. However, on
    > win2k3, when using the IIS6 model with NetworkService, the profile
    > may not be loaded correctly as it is for the ASPNET account.
    >


    Boy, my reading skills are really going downhill in my old age. Didn't even
    see "IIS6" in this. :)

    --
    Jim Cheshire
    JIMCO Software
    http://www.jimcosoftware.com

    FrontPage add-ins for FrontPage 2000 - 2003
     
    JIMCO Software, Sep 14, 2005
    #8
