Re: Certificate key access under Network Service in IIS 6



Hey Joe,

Thanks. Good idea. Haven't done that because I've been remoted into the customer's server. Not sure if I'll end up having the rights I need in the TS session to run ProcMon. Will give it a shot though.

+++ Rick ---



---
Rick Strahl
West Wind Technologies
www.west-wind.com/weblog


"Joe Kaplan" <joseph.e.kaplan@xxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:uJMjQa5hIHA.4764@xxxxxxxxxxxxxxxxxxxxxxx
If it is a permissions problem (sounds like it still is), the tool I like to use to figure these things out is Process Monitor from MS Sysinternals. Essentially, you just need to filter on the w3wp.exe process and look for access denied errors. That will tell you exactly what resource request is causing the problem. It is likely the private key file but might be a registry key as well. Once you know the resource, you can just change the ACL accordingly.

This stuff can be frustrating, but don't give up. Procmon is also a great tool to have around. You'll use it frequently.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Rick Strahl" <rickstrahl@xxxxxxxxxxx> wrote in message news:7270A6A3-2728-4A62-9AB2-B35581EAAE00@xxxxxxxxxxxxxxxx

I've run into an issue where I've been unable to get a certificate to load its private key for signing an XML document when running on an IIS 6 server. I can get the signing process to work if I have the IIS Application Pool configured to run under SYSTEM but running under the preferred NETWORK SERVICE account the private key access of the certificate fails.

I've registered the certificate in the Local Machine / Personal store and I've set ACLs for the cert by running:

winhttpcertcfg -c LOCAL_MACHINE\My -s "Tidewater Finance Company" -g -a "NETWORKSERVICE"
winhttpcertcfg -c LOCAL_MACHINE\My -s "Tidewater Finance Company" -l

to presumably set permissions on the certificate. The listing (second command) does in fact show that Network Service is allowed access to the certificate, but it still doesn't work. Only under SYSTEM can I access the cert's private key for signing.

Now on my local test environment running Vista and IIS 7, running NETWORK SERVICE works just fine after running WinHttpCertCfg. Apparently there's some environment difference between Win2003 and Vista and the above ACL assignment works here but not on the live server.

If you're interested I've documented my long process to get cert signatures to work here:
http://www.west-wind.com/weblog/posts/257599.aspx

But I'm at a loss as to how to get NETWORK SERVICE to access the private key for the signing process. Right now we're running in SYSTEM context which is a security issue for my customer.

Can anybody suggest any other things I can look at?

Any help much appreciated,

Aloha,

+++ Rick ---

---

Rick Strahl
West Wind Technologies
www.west-wind.com/weblog
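The thread above revolves around two things: winhttpcertcfg -g setting an ACL on the certificate's private key file, and ProcMon revealing which resource w3wp.exe is actually denied. The PowerShell below is an added example written for this page, not code from the thread, Rick's blog or any Microsoft tool. It locates the private key file behind a LocalMachine\My certificate (the same file winhttpcertcfg -g grants access to), adds a Read ACE for NETWORK SERVICE directly, and then dumps the resulting ACL so the grant can be verified without trusting the tool's own -l listing. Assumptions: it runs elevated on the server, the subject substring (Rick's "Tidewater Finance Company" is used as the default) matches exactly one certificate, and the CNG branch needs .NET 4.6 or later; the function names are mine.

```powershell
# Added example, not part of the original thread.
# Finds the on-disk private key file for a machine certificate and grants an
# account Read access to it, then prints the ACL that is really on the file.

function Get-PrivateKeyFile {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    if (-not $Cert.HasPrivateKey) {
        throw "Certificate $($Cert.Thumbprint) has no private key in this store."
    }
    # Resolves to %ALLUSERSPROFILE%\Application Data on Server 2003 and to
    # C:\ProgramData on Vista/2008 and later, so the same code works on both.
    $common = [Environment]::GetFolderPath('CommonApplicationData')

    # Legacy CAPI (CSP) key: the unique container name is the file name under
    # Microsoft\Crypto\RSA\MachineKeys. Accessing .PrivateKey throws for CNG keys.
    try {
        $csp = $Cert.PrivateKey
        if ($csp -and $csp.CspKeyContainerInfo) {
            $name = $csp.CspKeyContainerInfo.UniqueKeyContainerName
            return Join-Path $common "Microsoft\Crypto\RSA\MachineKeys\$name"
        }
    } catch [System.Security.Cryptography.CryptographicException] {
        # Fall through and try CNG below.
    }

    # CNG key (Vista/2008+): needs .NET 4.6+ for GetRSAPrivateKey; file lives
    # under Microsoft\Crypto\Keys instead of RSA\MachineKeys.
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
    if ($rsa -is [System.Security.Cryptography.RSACng]) {
        return Join-Path $common "Microsoft\Crypto\Keys\$($rsa.Key.UniqueName)"
    }
    throw "Could not determine the private key file for $($Cert.Thumbprint)."
}

function Grant-PrivateKeyRead {
    param(
        [string]$SubjectMatch = "Tidewater Finance Company",   # subject used in the thread
        [string]$Account      = "NT AUTHORITY\NETWORK SERVICE"
    )

    $cert = Get-ChildItem Cert:\LocalMachine\My |
            Where-Object { $_.Subject -like "*$SubjectMatch*" } |
            Select-Object -First 1
    if (-not $cert) { throw "No certificate in LocalMachine\My matches '$SubjectMatch'." }

    $keyFile = Get-PrivateKeyFile -Cert $cert
    if (-not (Test-Path -LiteralPath $keyFile)) { throw "Key file not found: $keyFile" }

    # Read is all that signing needs. Granting Full Control (or running the
    # pool as SYSTEM, as in the thread) would also let the identity delete or
    # overwrite the key, which is the exposure the customer objected to.
    $acl  = Get-Acl -LiteralPath $keyFile
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
                $Account, "Read", "Allow")
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $keyFile -AclObject $acl

    # Report what is actually on the file now, independent of winhttpcertcfg -l.
    Write-Host "Certificate : $($cert.Subject) ($($cert.Thumbprint))"
    Write-Host "Key file    : $keyFile"
    (Get-Acl -LiteralPath $keyFile).Access |
        Select-Object IdentityReference, FileSystemRights, AccessControlType |
        Format-Table -AutoSize
}

# Usage (elevated prompt on the IIS server):
#   Grant-PrivateKeyRead -SubjectMatch "Tidewater Finance Company"
```

If the ACE is present on the key file and the signing call under NETWORK SERVICE still fails, the file was not the denied resource, which is exactly the case Joe's ProcMon advice covers: filter on Process Name is w3wp.exe and Result is ACCESS DENIED, and the path or registry key in the first denied event is what needs the ACL change.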





