Access to local machine store



Hi,

I have payment system where my web server receives credit card numbers securely (via HTTPS) from customers. In order to settle the amount that the customer owes I have to make an SSL connection to a payment gateway. That second SSL connection needs to be two-way authenticated (the remote server needs to know my identity).

I'm using the following C# code to do that:

using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

// Open the LocalMachine\My store (the default store name); OpenExistingOnly without ReadWrite opens it read-only
X509Store store = new X509Store(StoreLocation.LocalMachine);
store.Open(OpenFlags.OpenExistingOnly);
// Look up my client certificate by subject name; validOnly=true skips expired or untrusted certificates
X509Certificate2Collection validCerts = store.Certificates.Find(X509FindType.FindBySubjectName, "mycertname", true);
//ssl is my SslStream object
ssl.AuthenticateAsClient("server-cert-name", validCerts, System.Security.Authentication.SslProtocols.Ssl3, true);

This seems to work just fine when I test it under my (admin) account. However, it doesn't work when I run the code under IIS. The error I'm getting is "The credentials supplied to the package were not recognized". I guess the reason is that one needs admin rights to access the local machine store where my SSL certificate is stored. I don't want to run IIS under an admin account so the best solution would probably be to allow the "Network Service" account access to the certificate.

I have found two ways of doing that: I can use the winhttpcertcfg tool OR I can find the certificate file in the file system and grant read access to "network service". I can't install winhttpcertcfg on the system for regulatory reasons and messing with the (undocumented?) file structure seems like a major hack.


In short, what is the best way of allowing my code to authenticate itself as coming from my machine while running under the "network service" account?

Best regards,

Niels
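One way to grant the access without editing the undocumented MachineKeys file structure by hand, as an added example that is not part of the original post: a small C# helper, run once under an administrator account, that uses the key container's own ACL (CspParameters.CryptoKeySecurity) to give just NETWORK SERVICE read access to just that one private key. It assumes the certificate lives in LocalMachine\My with a CAPI (CSP) RSA key, which is what the X509Store lookup above returns for a typical client certificate; the subject name "mycertname" and the target account are parameters.

```csharp
using System;
using System.Security.AccessControl;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Security.Principal;

static class PrivateKeyAccess
{
    // Grants read access on the private key of the LocalMachine\My certificate with the
    // given subject name to one account. Run once as an administrator; afterwards the
    // web application can use the key without admin rights. Returns the container name.
    public static string GrantPrivateKeyRead(string subjectName, IdentityReference account)
    {
        var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
        try
        {
            var matches = store.Certificates.Find(X509FindType.FindBySubjectName, subjectName, true);
            if (matches.Count != 1)
                throw new InvalidOperationException("Expected exactly one valid certificate, found " + matches.Count);
            var cert = matches[0];
            // Only CAPI (CSP) keys expose a key container with an ACL; CNG keys are not handled here.
            var rsa = cert.HasPrivateKey ? cert.PrivateKey as RSACryptoServiceProvider : null;
            if (rsa == null)
                throw new NotSupportedException("Certificate has no CAPI RSA private key");
            CspKeyContainerInfo info = rsa.CspKeyContainerInfo;
            // Re-open the existing machine key container with its current security descriptor
            // plus one GenericRead allow entry; opening the key with this CspParameters applies it.
            var csp = new CspParameters(info.ProviderType, info.ProviderName, info.KeyContainerName)
            {
                Flags = CspProviderFlags.UseExistingKey | CspProviderFlags.UseMachineKeyStore,
                CryptoKeySecurity = info.CryptoKeySecurity
            };
            csp.CryptoKeySecurity.AddAccessRule(
                new CryptoKeyAccessRule(account, CryptoKeyRights.GenericRead, AccessControlType.Allow));
            using (new RSACryptoServiceProvider(csp)) { }
            return info.UniqueKeyContainerName;
        }
        finally { store.Close(); }
    }

    static void Main()
    {
        // NETWORK SERVICE by well-known SID, so the call does not depend on the OS language
        var networkService = new SecurityIdentifier(WellKnownSidType.NetworkServiceSid, null);
        Console.WriteLine("Granted read on key container " + GrantPrivateKeyRead("mycertname", networkService));
    }
}
```

After running it, re-test the original SslStream code under the application pool identity; if the certificate was imported with a CNG key provider instead of a CSP, cert.PrivateKey is not an RSACryptoServiceProvider and the helper refuses rather than touching the wrong key.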