Issue with X509Certificate2 (works with Cassini, fails with IIS)

[dpomt]

Hello,

I have an issue with X509Certificate2 constructur.

---------
FileStream fs = File.Open(m_strCertLocation, FileMode.Open,
FileAccess.Read);
byte[] buffer = new byte[fs.Length];
int count = fs.Read(buffer, 0, buffer.Length);
fs.Close();

X509Certificate2 cert = new X509Certificate2(buffer,
m_strCertPassword,X509KeyStorageFlags.MachineKeySet);
---------


throws an System.Security.Cryptography.CryptographicException: Access
denied when running IIS 5.0 or IIS 6.0 while it works fine with Cassini.

[CryptographicException: Access denied
]

System.Security.Cryptography.CryptographicException.ThrowCryptogaphicException(Int32 hr) +33

System.Security.Cryptography.X509Certificates.X509Utils._LoadCertFromBlob(Byte[]
rawData, IntPtr password, UInt32 dwFlags, Boolean persistKeySet,
SafeCertContextHandle& pCertCtx) +0

System.Security.Cryptography.X509Certificates.X509Certificate.LoadCertificateFromBlob(Byte[]
rawData, Object password, X509KeyStorageFlags keyStorageFlags) +194

System.Security.Cryptography.X509Certificates.X509Certificate2..ctor(Byte[]
rawData, String password, X509KeyStorageFlags keyStorageFlags
....


The code did run before without exception in IIS 5.0/6.0 but I had no
success in finding out what has changed since then.

Since Cassini runs with my user account that has admin rights, I have
temporarly added the ASPNET acoount to the admin group - but that did not
change anything.


m_strCertLocation is the filename with path two a crypted certificate that
is located in the App_Data directory of my web app.

Any suggestions?
Thanks,
Dieter

 

[dpomt]

Just found out what the problem is:

User ASPNET needs change right on folder
D:\Dokumente und Einstellungen\All
Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys

After having granted changed rights to ASPNET for that folder, code works
also in IIS 5.0/6.0.

 

[Steven Cheng[MSFT]]

Hi Dpomt,

Yes, as you've found out, this is a security permission issue.

Actually, the problem is due to the different process/security model of
Casinni(VS 2005 test server) or IIS based ASP.NET web application.

** For IIS hosted ASP.NET applications, the worker process is running under
the ASP.NET worker process account. Default one is machine\ASPNET(for IIS5)
or NetworkService(for IIS6). These services account are not powerful
normally.

**While using the VS 2005 test server(cassini), it is actually a .net
winform application, so the ASP.NET application hosted in testServer is
running under the current logon user account which is always a powerful
user account, so you will bypass many security issue under this condition.

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead



This posting is provided "AS IS" with no warranties, and confers no rights.