Open Certificate user Store in IIS 6

Guest

I've got a problem with opening a certificate user store under IIS6.

The situation is:
- I've created an application pool in IIS6 that runs under a local user
account. This account is a member of the IIS_WPG group.
- A certificate is installed in the personal store of the user.
- I've got a simple aspx page that opens the current user store, shows
the personal certificates and makes it possible to show the details of each.
- When the user is logged on locally to the box it works fine, but when the
user isn't logged on locally, no certificate is found (even when I make the
user an administrator).

How can I open the personal certificate store of the user and get the
personal certificates in IIS6?

Best Regards,
Raymond Roelands
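An added diagnostic, not code from the original thread, that does what Raymond's page does (opens the current user's Personal store and lists its certificates) and additionally reports the identity the code runs under, so the symptom in this thread, the expected account but an empty store, can be seen in one place. It assumes .NET 2.0 or later for X509Store; the thread names no framework version or API. The profile heuristic via the AppData folder is an assumption of the example, not something the thread states.

```csharp
// Added example, not from the original thread. Assumes .NET 2.0 or later
// (X509Store lives in System.Security.Cryptography.X509Certificates); the thread
// names no framework version or API.
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Security.Principal;
using System.Text;

public static class UserStoreDiagnostics
{
    // Builds a text report instead of writing to Response, so the same method can be
    // called from an .aspx page (Response.Write(UserStoreDiagnostics.Report())) or
    // from a console program started as the application pool account.
    public static string Report()
    {
        StringBuilder sb = new StringBuilder();

        // The account whose CurrentUser store will be opened. With ASP.NET
        // impersonation enabled this is the client, not the application pool identity.
        WindowsIdentity id = WindowsIdentity.GetCurrent();
        sb.AppendLine("Running as: " + (id == null ? "<unknown>" : id.Name));

        // Heuristic profile check (an assumption of this example, not from the thread):
        // when the account was logged on as a service without its profile, the per-user
        // AppData folder cannot be resolved and an empty string comes back.
        string appData = Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData);
        sb.AppendLine("User profile AppData: " + (appData.Length == 0 ? "<not resolved>" : appData));

        X509Store store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
        try
        {
            store.Open(OpenFlags.ReadOnly);
            sb.AppendLine("CurrentUser\\My contains " + store.Certificates.Count + " certificate(s)");
            foreach (X509Certificate2 cert in store.Certificates)
            {
                sb.AppendLine("  Subject:    " + cert.Subject);
                sb.AppendLine("  Thumbprint: " + cert.Thumbprint);
                sb.AppendLine("  Valid:      " + cert.NotBefore.ToString("u") + " to " + cert.NotAfter.ToString("u")
                              + (cert.NotAfter < DateTime.Now ? "  (EXPIRED)" : ""));
                // HasPrivateKey only reports that a key is associated with the certificate;
                // whether this account may open that key is a separate question.
                sb.AppendLine("  Private key associated: " + cert.HasPrivateKey);
            }
        }
        catch (CryptographicException ex)
        {
            // Thrown when the store itself cannot be opened for this identity.
            sb.AppendLine("Could not open CurrentUser\\My: " + ex.Message);
        }
        finally
        {
            store.Close();
        }
        return sb.ToString();
    }
}
```

The pattern described in this thread shows up as "Running as" naming the application pool account while the certificate count is 0; if "Running as" names a remote client instead, impersonation is changing the security context before the store is opened.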
 
Damien


Hi Raymond,

I believe that this is related to profiles/registry - that when you run
something as another user, Windows doesn't load the full HKCU registry
for the user.

I'm desperately trying to Google for resources. I believe it's going to
involve calls to LoadUserProfile and a lot of other P/Invoke work to
make it happen, unless someone else knows different?

Damien
 
Steven Cheng[MSFT]

Hi Raymond,

For accessing certificates, when the certificate is installed in a user
store, only a process running under that particular user can access those
certificates. So, as you mentioned that your ASP.NET web application can
successfully access the certificate when navigating locally but fails when
going through a remote client, I'm wondering whether the ASP.NET worker
thread's security context being changed is causing the problem. Have you used
impersonation in your ASP.NET application? When using impersonation in
ASP.NET with IIS configured for Integrated Windows Authentication, the
ASP.NET worker process will run under the client user's security context.
You can check whether this is the problem. In addition, if
convenient, would you also provide the complete code snippet for how you
access the certificate in the user store?

Thanks,

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)


 
Guest

Hi,

The W3WP process is running under the user whose store I try to open. It's
very strange that it works while the user is logged on to the machine (through
Terminal Services).
On W2k this is not a problem.

But I tried another solution: the certificate is now stored in the personal
store of the local machine and I granted the user of the w3wp
process access to the certificate (using winhttpcertcfg.exe).
This required only a very small code change but works on both w2k and w2k3.

Raymond
--
______________________________
www.VECOZO.nl
 
Steven Cheng[MSFT]

Thanks for your further followup Raymond,

I think the reason for the behavior you met is just as Damien mentioned: for
a service application such as ASP.NET, when the process starts, the process
account is logged on through a service logon rather than an interactive logon, so
it's possible there is no USER PROFILE for that logon session. That's why
the process's access to the certificate in the worker process account's user
store fails. After you interactively log on using that account through
Terminal Services, the USER PROFILE is loaded, so the ASP.NET process
succeeds in retrieving the user store certificate.

In addition, I think your current solution is a reasonable one, since for
those service accounts (local accounts) which may have no USER PROFILE
loaded, we'd better put the certificate in the LOCAL MACHINE store and grant them
the access permission so as to make the certificate available to those
non-interactive service processes.

Thanks,

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)
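A worked version of the approach Raymond settled on in his follow-up and Steven endorses above: the certificate lives in LocalMachine\My, which does not depend on a user profile being loaded, and the worker process account is granted read access to the private key. This is an added example, not code from the thread; it assumes .NET Framework 4.6 or later (for GetRSAPrivateKey() and a disposable X509Store), and the thumbprint passed in is a placeholder. The grant step is the winhttpcertcfg.exe call Raymond mentions, shown in a comment with the tool's documented -g/-c/-s/-a switches; the exact command he ran is not on the page.

```csharp
// Added example, not code from the original thread. Assumes .NET Framework 4.6 or
// later (GetRSAPrivateKey(), IDisposable X509Store); the thumbprint is a placeholder.
//
// One-time setup the thread describes, run by an administrator (syntax as documented
// for WinHttpCertCfg.exe; the exact command Raymond used is not on the page):
//   winhttpcertcfg -g -c LOCAL_MACHINE\My -s "<certificate subject>" -a "<app pool account>"
//   winhttpcertcfg -l -c LOCAL_MACHINE\My -s "<certificate subject>"   (lists who has access)
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

public static class MachineStoreCertificate
{
    public enum Outcome { NotFound, NoPrivateKey, KeyAccessDenied, Usable }

    // Looks the certificate up in LocalMachine\My and verifies that the private key can
    // actually be opened by the current identity. HasPrivateKey only says a key is
    // associated with the certificate; the ACL on the key container decides whether this
    // account may open it, and that ACL is what the winhttpcertcfg grant changes.
    public static Outcome Check(string thumbprint, out X509Certificate2 found)
    {
        found = null;
        using (X509Store store = new X509Store(StoreName.My, StoreLocation.LocalMachine))
        {
            store.Open(OpenFlags.ReadOnly);
            // validOnly: false, so an expired or untrusted certificate is still located and
            // reported rather than silently filtered out.
            X509Certificate2Collection matches =
                store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, false);
            if (matches.Count == 0)
                return Outcome.NotFound;
            found = matches[0];
        }

        if (!found.HasPrivateKey)
            return Outcome.NoPrivateKey;

        try
        {
            // Opening the key container is where Windows enforces the key ACL. With a
            // CAPI key that happens inside GetRSAPrivateKey(); reading KeySize makes sure
            // the handle is really used and nothing is deferred.
            using (RSA rsa = found.GetRSAPrivateKey())
            {
                if (rsa == null)
                    return Outcome.NoPrivateKey;   // associated key is not RSA
                return rsa.KeySize > 0 ? Outcome.Usable : Outcome.KeyAccessDenied;
            }
        }
        catch (CryptographicException)
        {
            // "Keyset does not exist" / access denied: the certificate is visible to
            // everyone, but this account has not been granted read on its private key.
            return Outcome.KeyAccessDenied;
        }
    }

    // Example use from an .aspx page; the thumbprint value is a placeholder.
    public static string Describe(string thumbprint)
    {
        X509Certificate2 cert;
        Outcome result = Check(thumbprint, out cert);
        string subject = cert == null ? "<none>" : cert.Subject;
        return result + " (" + subject + ")";
    }
}
```

Running Describe("<thumbprint>") as the application pool account before and after the winhttpcertcfg grant is the quickest way to confirm the fix: the result moves from KeyAccessDenied to Usable while the certificate itself is found in both cases, which is exactly why a store listing alone does not prove the key is reachable.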


 
JIMCO Software

Steven said:
Thanks for your further followup Raymond,

I think the reason for the behavior you met is just as Damien
mentioned: for a service application such as ASP.NET, when the
process starts, the process account is logged on through a service logon rather
than an interactive logon, so it's possible there is no USER PROFILE for
that logon session. That's why the process's access to the certificate
in the worker process account's user store fails. After you
interactively log on using that account through Terminal Services, the
USER PROFILE is loaded, so the ASP.NET process succeeds in
retrieving the user store certificate.

In addition, I think your current solution is a reasonable one, since
for those service accounts (local accounts) which may have no USER
PROFILE loaded, we'd better put the certificate in the LOCAL MACHINE store
and grant them the access permission so as to make the certificate
available to those non-interactive service processes.

Steven,

In 1.1, when the process starts, ASP.NET calls LoadUserProfile internally.
That's what creates the C:\Documents and Settings\<machine_name>\ASPNET
folder. I mention this simply as a correction because there actually is a
profile loaded for ASPNET.

--
Jim Cheshire
JIMCO Software
http://www.jimcosoftware.com

FrontPage add-ins for FrontPage 2000 - 2003
 
Steven Cheng[MSFT]

Thanks for your further input Jim,

Yes, the LOCAL ASPNET account's profile will be loaded. However, on Win2k3,
when using the IIS6 model with NetworkService, the profile may not be
loaded correctly as with the ASPNET account.

Thanks,

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)

 
JIMCO Software

Steven said:
Thanks for your further input Jim,

Yes, the LOCAL ASPNET account's profile will be loaded. However, on
Win2k3, when using the IIS6 model with NetworkService, the profile
may not be loaded correctly as with the ASPNET account.

Boy, my reading skills are really going downhill in my old age. Didn't even
see "IIS6" in this. :)

--
Jim Cheshire
JIMCO Software
http://www.jimcosoftware.com

FrontPage add-ins for FrontPage 2000 - 2003
 
