Certificate key access under Network Service in IIS 6




I've run into an issue where I've been unable to get a certificate to load its private key for signing an XML document when running on an IIS 6 server. I can get the signing process to work if I have the IIS Application Pool configured to run under SYSTEM but running under the preferred NETWORK SERVICE account the private key access of the certificate fails.

I've registered the certificate in the Local Machine / Personal store and I've set ACLs for the cert by running:

winhttpcertcfg -c LOCAL_MACHINE\My -s "Tidewater Finance Company" -g -a "NETWORKSERVICE"
winhttpcertcfg -c LOCAL_MACHINE\My -s "Tidewater Finance Company" -l

to presumably set permissions on the certificate. The listing (second command) does in fact show that Network Service is allowed access to the certificate, but it still doesn't work. Only under SYSTEM can I access the cert's private key for signing.

Now on my local test environment running Vista and IIS 7, running NETWORK SERVICE works just fine after running WinHttpCert. Apparently there's some environment difference between Win2003 and Vista and the above ACL assignment works here but not on the live server.

If you're interested I've documented my long process to get cert signatures to work here:
http://www.west-wind.com/weblog/posts/257599.aspx

But I'm at a loss as to how to get NETWORK SERVICE to access the private key for the signing process. Right now we're running in SYSTEM context which is a security issue for my customer.

Can anybody suggest any other things I can look at?

Any help much appreciated,

Aloha,

+++ Rick ---

---

Rick Strahl
West Wind Technologies
www.west-wind.com/weblog
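A diagnostic script for the situation described in the post, added here as an example and not part of the original message or of the winhttpcertcfg tool: it looks up the certificate in LocalMachine\My, resolves the file on disk that holds the CSP key container behind its private key, prints that file's ACL, and reports whether NETWORK SERVICE has Read on it, optionally adding the ACE. The subject string is a placeholder, the script assumes a CAPI (RSACryptoServiceProvider) key held in the machine key store, and it needs to run elevated on the server being checked.

```powershell
# Added example (not from the original post): locate the private-key file backing a
# LocalMachine\My certificate and check, or grant, NETWORK SERVICE read access to it.
# Assumptions: the key is an RSA key held by a CSP in the machine key store, and
# $SubjectMatch is a placeholder to replace with the real certificate subject.
param(
    [string]$SubjectMatch = "CN=Example Signing Cert",   # placeholder subject fragment
    [string]$Account      = "NT AUTHORITY\NETWORK SERVICE",
    [switch]$Grant                                       # only change the ACL when asked to
)

$store = New-Object System.Security.Cryptography.X509Certificates.X509Store("My", "LocalMachine")
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)
$cert = $store.Certificates | Where-Object { $_.Subject -like "*$SubjectMatch*" } | Select-Object -First 1
$store.Close()

if (-not $cert) { throw "No certificate in LocalMachine\My matching '$SubjectMatch'" }
if (-not $cert.HasPrivateKey) { throw "Certificate $($cert.Thumbprint) has no private key in this store" }

# For CSP-backed RSA keys, PrivateKey is an RSACryptoServiceProvider whose container
# info carries the on-disk file name of the key blob.
$rsa = $cert.PrivateKey -as [System.Security.Cryptography.RSACryptoServiceProvider]
if (-not $rsa) { throw "Private key is not a CAPI RSA key; this check only covers CSP-backed keys" }
$info = $rsa.CspKeyContainerInfo
if (-not $info.MachineKeyStore) {
    Write-Warning "Key is in a user profile key store, not the machine store; a service account will not see it"
}

# Machine keys live under the common application-data folder: "Documents and Settings\
# All Users\Application Data" on Windows Server 2003, "ProgramData" on Vista and later.
$keyDir  = Join-Path ([Environment]::GetFolderPath("CommonApplicationData")) "Microsoft\Crypto\RSA\MachineKeys"
$keyPath = Join-Path $keyDir $info.UniqueKeyContainerName
if (-not (Test-Path $keyPath)) { throw "Key container file not found: $keyPath" }

$acl = Get-Acl $keyPath
Write-Host "Certificate : $($cert.Subject) ($($cert.Thumbprint))"
Write-Host "Key file    : $keyPath"
Write-Host "Current ACL :"
$acl.Access | ForEach-Object {
    Write-Host ("  {0,-40} {1,-6} {2}" -f $_.IdentityReference, $_.AccessControlType, $_.FileSystemRights)
}

# Read on the key file is what the worker-process account needs to load the key for signing.
$read = [System.Security.AccessControl.FileSystemRights]::Read
$hasRead = $acl.Access | Where-Object {
    $_.IdentityReference.Value -eq $Account -and
    $_.AccessControlType -eq "Allow" -and
    (($_.FileSystemRights -band $read) -eq $read)
}

if ($hasRead) {
    Write-Host "$Account already has Read on the key file."
} elseif ($Grant) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Account, "Read", "Allow")
    $acl.AddAccessRule($rule)
    Set-Acl -Path $keyPath -AclObject $acl
    Write-Host "Granted Read on $keyPath to $Account."
} else {
    Write-Host "$Account has no Read ACE on the key file; re-run with -Grant to add one."
}
```

Run it once without -Grant to see which identities the key file actually lists; comparing that output between the Windows Server 2003 box and the Vista machine shows directly whether the difference is in the key-file ACL, and granting only Read (not Full Control) keeps the worker process from being able to delete or replace the key.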
