Re: Certificate key access under Network Service in IIS 6



If it is a permissions problem (sounds like it still is), the tool I like to
use to figure these things out is Process Monitor from MS Sysinternals.
Essentially, you just need to filter on the w3wp.exe process and look for
access denied errors. That will tell you exactly what resource request is
causing the problem. It is likely the private key file but might be a
registry key as well. Once you know the resource, you can just change the
ACL accordingly.

This stuff can be frustrating, but don't give up. Procmon is also a great
tool to have around. You'll use it frequently.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Rick Strahl" <rickstrahl@xxxxxxxxxxx> wrote in message
news:7270A6A3-2728-4A62-9AB2-B35581EAAE00@xxxxxxxxxxxxxxxx

I've run into an issue where I've been unable to get a certificate to load
its private key for signing an XML document when running on an IIS 6
server. I can get the signing process to work if I have the IIS
Application Pool configured to run under SYSTEM, but running under the
preferred NETWORK SERVICE account, the private key access of the
certificate fails.

I've registered the certificate in the Local Machine / Personal store and
I've set ACLs for the cert by running:

winhttpcertcfg -c LOCAL_MACHINE\My -s "Tidewater Finance Company" -g -a
"NETWORKSERVICE"
winhttpcertcfg -c LOCAL_MACHINE\My -s "Tidewater Finance Company" -l

to presumably set permissions on the certificate. The listing (second
command) does in fact show that Network Service is allowed access to the
certificate, but it still doesn't work. Only under SYSTEM can I access the
cert's private key for signing.

Now on my local test environment running Vista and IIS 7, running NETWORK
SERVICE works just fine after running WinHttpCert. Apparently there's some
environment difference between Win2003 and Vista and the above ACL
assignment works here but not on the live server.

If you're interested I've documented my long process to get cert
signatures to work here:
http://www.west-wind.com/weblog/posts/257599.aspx

But I'm at a loss as to how to get NETWORK SERVICE to access the private
key for the signing process. Right now we're running in SYSTEM context
which is a security issue for my customer.

Can anybody suggest any other things I can look at?

Any help much appreciated,

Aloha,

+++ Rick ---

---

Rick Strahl
West Wind Technologies
www.west-wind.com/weblog
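The ACL fix Joe describes above (find the resource w3wp.exe is denied on, then change its ACL), worked through as an added example that is not code from either poster. It assumes the certificate's private key is a CAPI (CryptoAPI) RSA key in the machine key store, which is what IIS 6 and .NET 2.0 use, and resolves the key container file under the MachineKeys directory so you can grant NETWORK SERVICE read access to it without guessing at the file name. The subject name is a placeholder; run it as an administrator on the server after Process Monitor (filter: Process Name is w3wp.exe, Result is ACCESS DENIED) has confirmed the denied path is indeed the key file rather than a registry key.

```csharp
// Added example, not from the original thread. Resolves the on-disk key
// container for a LocalMachine\My certificate, grants NETWORK SERVICE read
// access to that file, and signs a test buffer to confirm the key loads.
using System;
using System.IO;
using System.Security.AccessControl;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Security.Principal;

class GrantKeyAccess
{
    // Machine key containers live under CommonApplicationData on both
    // Windows Server 2003 ("Application Data") and Vista ("ProgramData").
    static string MachineKeysDir
    {
        get
        {
            return Path.Combine(
                Environment.GetFolderPath(Environment.SpecialFolder.CommonApplicationData),
                @"Microsoft\Crypto\RSA\MachineKeys");
        }
    }

    static X509Certificate2 FindCert(string subjectName)
    {
        X509Store store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            X509Certificate2Collection found = store.Certificates.Find(
                X509FindType.FindBySubjectName, subjectName, false);
            if (found.Count == 0)
                throw new InvalidOperationException("Certificate not found: " + subjectName);
            return found[0];
        }
        finally { store.Close(); }
    }

    // Map the certificate's CAPI key container to its file in MachineKeys.
    static string PrivateKeyFile(X509Certificate2 cert)
    {
        if (!cert.HasPrivateKey)
            throw new InvalidOperationException("Certificate has no private key in the store.");
        RSACryptoServiceProvider rsa = cert.PrivateKey as RSACryptoServiceProvider;
        if (rsa == null)
            throw new InvalidOperationException("Private key is not a CAPI RSA key.");
        CspKeyContainerInfo info = rsa.CspKeyContainerInfo;
        if (!info.MachineKeyStore)
            throw new InvalidOperationException(
                "Key is in a user profile key store; the app pool identity cannot reach it. " +
                "Re-import the PFX with the MachineKeySet flag.");
        return Path.Combine(MachineKeysDir, info.UniqueKeyContainerName);
    }

    // Grant Read on the key file to a well-known account SID (locale independent).
    static void GrantRead(string keyFile, WellKnownSidType sidType)
    {
        FileSecurity acl = File.GetAccessControl(keyFile);
        acl.AddAccessRule(new FileSystemAccessRule(
            new SecurityIdentifier(sidType, null),
            FileSystemRights.Read,
            AccessControlType.Allow));
        File.SetAccessControl(keyFile, acl);
    }

    static void Main(string[] args)
    {
        // Placeholder subject; pass the real one on the command line.
        string subject = args.Length > 0 ? args[0] : "Example Company";
        X509Certificate2 cert = FindCert(subject);
        string keyFile = PrivateKeyFile(cert);
        Console.WriteLine("Key container file: " + keyFile);

        GrantRead(keyFile, WellKnownSidType.NetworkServiceSid);
        Console.WriteLine("Granted Read on the key file to NETWORK SERVICE.");

        // Smoke test under the current account so a key-load failure surfaces
        // here instead of inside the application pool.
        RSACryptoServiceProvider signer = (RSACryptoServiceProvider)cert.PrivateKey;
        byte[] sig = signer.SignData(new byte[] { 1, 2, 3 }, "SHA1");
        Console.WriteLine("Test signature: " + sig.Length + " bytes");
    }
}
```

The check that matters most is `CspKeyContainerInfo.MachineKeyStore`: if the PFX was imported while logged in as a user without the machine key set, the key file sits under that user's profile, no ACL change on MachineKeys will help, and winhttpcertcfg's listing can still report the account as allowed. To confirm the grant took effect from the app pool's point of view, rerun the smoke test as NETWORK SERVICE (for example via a scheduled task running as that account) rather than as the administrator who applied the ACL.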

