Launch signtool in a Web Service


Thibaut Blanchin

Does anybody know how to correctly launch signtool.exe inside a Web Service?
I'm having a headache trying....

For security and authentication reasons I use Impersonation (configured in the
web.config file). I've created a WS that uses process.start to launch signtool.
I'm getting the error: "SignTool Error: CoCreateInstance returned error:
0x80040150 Could not read key from registry"
After some searching I've found that processes are launched under the IIS
Application Pool identity instead of the Impersonated user. So, I've created a new
application pool running under a domain account (CertExe) which has
administrator rights on the web server and changed my application to run
inside this pool.
This implies creating an SPN or changing authentication on IIS from
Kerberos to NTLM. I've tried both; the process is actually running under the
CertExe account but I still have the error. To verify, I logged on to the web
server with the CertExe account, then I retrieved the command line generated by
the Web Service and launched it in cmd.exe, and it worked perfectly.
I've also found a thread here:
http://groups.google.fr/group/micro...115518ec324/270b82cb52a28853#270b82cb52a28853
He suggests calling kernel32.dll to launch the process, but the problem is
that it doesn't work (I mean it is actually running, but signtool doesn't do
the job) and I can't get access to standard and error output to see what
happens...
Finally I've used Sysinternals Filemon and Process Monitor to have a look at
what is accessed by signtool.
Unfortunately, signtool is opening a huge amount of keys in the registry but
always successfully.... It seems that the error "could not read key from
registry" is not appropriate. Something else is going wrong but I don't know
what...
If somebody has an idea, I would appreciate it a lot since I'm a bit lost
now!

Thibaut Blanchin

OK, I've finally found the solution....
The problem is not due to ASP.net or WebService programming but to signtool.exe.
This tool needs the profile of the user it is running under to be loaded
(maybe trying to access registry keys under HKCU).
If you just run process.start, the profile is not loaded for the context of
execution...
If a session for this user doesn't already exist, signtool will crash.
The easiest way to work around it is to leave a session locked under this account
on the server
or to launch a task like cmd.exe with runas or scheduled tasks.

So, here is how to make a web service calling signtool if this could help
somebody:

- Use impersonation: this is necessary since the access will be checked
against the current user. Check also that the user has enough rights to
access signtool.exe

- Create an application pool running under a dedicated user "CertUser"
(domain or not) that will be able to run the sign file process (access to the
pfx / reach the timestamping service). When the child process is created by
process.start it will not be created under the impersonated user but CertUser.

- Open a session for CertUser by logging on to the server or launching a task
under this user

I don't know if there is a better solution to force the profile of this user
to be loaded with process.start...
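The profile-loading step the post describes, as an added example (not the poster's code): .NET's ProcessStartInfo can start the child process as the dedicated signing account with LoadUserProfile set, so no logged-on session for that account is needed, and it captures signtool's output for the service log. The signtool path, certificate thumbprint and the account name "CertUser" are assumptions.

```csharp
// Added example (not the poster's code). Starts signtool.exe from a web
// service with the signing account's profile loaded, so HKCU-dependent tools
// run without an interactive session for that account. Assumed names: the
// dedicated account "CertUser" and the paths passed in by the caller.
using System;
using System.Diagnostics;
using System.Security;
using System.Text;
public static class SigningRunner
{
    public sealed class SignResult
    {
        public int ExitCode;
        public string StdOut;
        public string StdErr;
    }
    public static SignResult RunSignTool(string signToolPath, string certThumbprint,
                                         string timestampUrl, string fileToSign,
                                         string domain, string user, SecureString password)
    {
        var psi = new ProcessStartInfo
        {
            FileName = signToolPath,
            // Select the certificate from CertUser's store by thumbprint (/sha1) rather
            // than passing a PFX password with /p, which shows up in process listings.
            // Quote each path so a file name with spaces cannot become extra arguments.
            Arguments = string.Format("sign /sha1 {0} /t \"{1}\" \"{2}\"",
                                      certThumbprint, timestampUrl, fileToSign),
            UseShellExecute = false,        // required for credentials and redirection
            RedirectStandardOutput = true,  // capture "SignTool Error: ..." for the service log
            RedirectStandardError = true,
            CreateNoWindow = true,
            Domain = domain,
            UserName = user,                // child runs as CertUser, not the pool identity
            Password = password,
            LoadUserProfile = true          // loads HKCU for CertUser: the missing piece above
        };
        var stdout = new StringBuilder();
        using (var p = Process.Start(psi))
        {
            // Drain stdout asynchronously while reading stderr to the end; reading both
            // streams synchronously can deadlock once a pipe buffer fills.
            p.OutputDataReceived += (s, e) => { if (e.Data != null) stdout.AppendLine(e.Data); };
            p.BeginOutputReadLine();
            string stderr = p.StandardError.ReadToEnd();
            p.WaitForExit();
            return new SignResult { ExitCode = p.ExitCode, StdOut = stdout.ToString(), StdErr = stderr };
        }
    }
}
```

Starting a process with credentials this way goes through CreateProcessWithLogonW, which depends on the Secondary Logon service being running; the pool identity itself does not need the administrator rights the first post gave CertExe.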