Re: DCOM & CryptoAPI
From: Cuppens Peter (peter.cuppens_at_impactec.net)
Date: 09/22/03
- Next message: Lion Shi: "Re: Cached credentials - how to detect via code?"
- Previous message: Stig Bircherod Calundan: "One question"
- In reply to: Valery Pryamikov: "Re: DCOM & CryptoAPI"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Mon, 22 Sep 2003 08:25:22 GMT
Tx Valery,
I will try this ASAP at the customer's machine.
Regards,
Peter
"Valery Pryamikov" <Valery.Pryamikov@nospam.sm.siemens.no> wrote in message
news:uFW3AdEeDHA.1736@TK2MSFTNGP12.phx.gbl...
> You can use certificates mmc snap-in.
> Simply start mmc; ctrl-M... Add... certificates... and use it.
>
> Additionally - make sure that you are using CERT_SYSTEM_STORE_LOCAL_MACHINE
> flag when calling CertOpenStore API.
>
> -Valery.
>
> "Cuppens Peter" <peter.cuppens@impactec.net> wrote in message
> news:LVM7b.13232$4p.542850@phobos.telenet-ops.be...
> > Tx Valery,
> >
> > How exactly do I install a certificate as machine certificate? I tried to
> > install the certificate as a "machine certificate" by means of IE selecting
> > the different containers and within those the "local machine" option but
> > that did not work.
> >
> > Peter
> >
> >
> > "Valery Pryamikov" <Valery.Pryamikov@nospam.sm.siemens.no> wrote in message
> > news:egFtsU7cDHA.3948@TK2MSFTNGP11.phx.gbl...
> > > Hi,
> > > Your problem is that you are trying to use "User" certificates in your DCOM
> > > program, but only "Machine" certificates could be reliably used by logon as
> > > batch job type logon (Logon As Batch job doesn't load hive, but this is
> > > where registry certstore resides).
> > > Additionally you have to make sure that account that you are using for DCOM
> > > LaunchAs have write permission on corresponding key container file for having
> > > access to the private key (see:
> > > Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys).
> > > And remove that account from local administrators group - non-privileged
> > > account will be quite enough for this purpose.
> > >
> > > -Valery.
> > >
> > > "Cuppens Peter" <peter.cuppens@impactec.net> wrote in message
> > > news:2u_5b.2030$QS3.149534@phobos.telenet-ops.be...
> > > > Hi,
> > > >
> > > > we wrote a DCOM component that handles file concatenation and 3DES - RSA
> > > > decryption based on certificates. When we create (via createobject) the
> > > > component, everything works perfectly on a local machine, when we create the
> > > > object while it resides on a remote machine the decryption part fails but
> > > > all other tasks run without problems.
> > > >
> > > > We configured the remote machine such that the account used on the DCOMCNFG
> > > > identity tab is the same as the one used for installation of the
> > > > certificates. To make sure that sufficient rights exist we made that account
> > > > member of the local administrators.
> > > >
> > > > If the account mentioned is logged on locally to the remote machine
> > > > everything including the decryption functions works. If we log off during
> > > > the decryption, that decryption cycle is ended with success but the next one
> > > > will not work. If no user or any other user is logged on locally into the
> > > > remote machine then the decryption part of the component fails.
> > > >
> > > > When the component fails we receive an error 0x80092004. In the past I also
> > > > received this error when certificates were installed with a different
> > > > browser version.
> > > >
> > > > The remote platform is an NT2000 Server servicepack 3 machine.
> > > >
> > > > Do we need specific settings or verification when CryptoAPI is embedded in a
> > > > DCOM component ?
> > > >
> > > >
> > > > Tx.
> > > >
> > > >
> > > >
> > >
> > >
> >
> >
>
>
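The checks discussed in this thread (certificate in the machine store, access to the key container file, account not in local administrators), written as an added example that is not part of the original messages. It assumes a current Windows host with Windows PowerShell 5.1, where the `All Users\Application Data` path quoted above is reached through `%ProgramData%`; the function name `Test-DcomCertAccess`, the thumbprint and the account name are hypothetical.

```powershell
# Added example, not from the thread. Run elevated on the DCOM server.
function Test-DcomCertAccess {
    param(
        [Parameter(Mandatory)] [string] $Thumbprint,  # certificate the component decrypts with
        [Parameter(Mandatory)] [string] $Account      # DCOM identity, e.g. 'SERVER\dcomsvc' (placeholder)
    )
    $result = [ordered]@{
        InMachineStore = $false; InCurrentUserStore = $false; MachineKeySet = $false
        KeyFile = $null; AccountRights = @(); AccountIsLocalAdmin = $false
    }
    # Store of whoever runs this script; a certificate present only here is a "User" certificate.
    $result.InCurrentUserStore = Test-Path "Cert:\CurrentUser\My\$Thumbprint"

    $cert = Get-Item "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction SilentlyContinue
    if ($cert) {
        $result.InMachineStore = $true
        if ($cert.HasPrivateKey) {
            # Assumes a legacy CSP (CryptoAPI) RSA key; CNG keys expose no CspKeyContainerInfo.
            $info = $cert.PrivateKey.CspKeyContainerInfo
            if ($info) {
                $result.MachineKeySet = $info.MachineKeyStore
                $dir = Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys'
                $keyFile = Join-Path $dir $info.UniqueKeyContainerName
                if (Test-Path $keyFile -PathType Leaf) {
                    $result.KeyFile = $keyFile
                    # Explicit allow ACEs only; rights inherited through groups are not resolved.
                    $result.AccountRights = @((Get-Acl $keyFile).Access |
                        Where-Object { $_.IdentityReference.Value -eq $Account -and
                                       $_.AccessControlType -eq 'Allow' } |
                        ForEach-Object { $_.FileSystemRights.ToString() })
                }
            }
        }
    }
    # S-1-5-32-544 is the built-in Administrators group (its display name is locale dependent).
    $admins = Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction SilentlyContinue
    $result.AccountIsLocalAdmin = [bool]($admins | Where-Object { $_.Name -eq $Account })
    [pscustomobject]$result
}

# Placeholder values; substitute the real thumbprint and DCOM identity.
Test-DcomCertAccess -Thumbprint '<CERT-THUMBPRINT>' -Account 'SERVER\dcomsvc'
```

A result with `InMachineStore` false corresponds to the lookup failure CryptoAPI reports as 0x80092004 (CRYPT_E_NOT_FOUND), the error quoted in the original question.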