Thanks for your further follow-up, Raymond,
I think the reason for the behavior you met is just as Damien mentioned: for
service applications such as ASP.NET, when the process starts, the process
account is logged on through a service logon rather than an interactive logon, so
it's possible there is no USER PROFILE for that logon session. That's why
the process's access to certificates in the worker process account's user
store fails. After you interactively log on using that account through
Terminal Services, the USER PROFILE is loaded, so the ASP.NET process
succeeds in retrieving the user store certificate.
In addition, I think your current solution is a reasonable one, since for
those service accounts (local accounts) which may have no USER PROFILE
loaded, we'd better put the certificate in the LOCAL MACHINE store and grant them
access permission so as to make the certificate available to those
non-interactive service processes.
Thanks,
Steven Cheng
Microsoft Online Support
Get Secure!
www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)
--------------------
| Thread-Topic: Open Certificate user Store in IIS 6
| thread-index: AcW4Z2aGbly+lvkaSSS68hgKKVhWnA==
| X-WBNR-Posting-Host: 193.108.210.227
| From: "=?Utf-8?B?dmVjb3pvQG9ubGluZS5ub3NwYW0=?=" <[email protected]>
| References: <[email protected]> <sBr#[email protected]>
| Subject: RE: Open Certificate user Store in IIS 6
| Date: Tue, 13 Sep 2005 06:31:09 -0700
| Lines: 98
| Message-ID: <[email protected]>
| MIME-Version: 1.0
| Content-Type: text/plain;
| charset="Utf-8"
| Content-Transfer-Encoding: 7bit
| X-Newsreader: Microsoft CDO for Windows 2000
| Content-Class: urn:content-classes:message
| Importance: normal
| Priority: normal
| X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.0
| Newsgroups: microsoft.public.dotnet.framework.aspnet
| NNTP-Posting-Host: TK2MSFTNGXA03.phx.gbl 10.40.2.250
| Path: TK2MSFTNGXA01.phx.gbl!TK2MSFTNGXA03.phx.gbl
| Xref: TK2MSFTNGXA01.phx.gbl microsoft.public.dotnet.framework.aspnet:124161
| X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet
|
| Hi,
|
| The W3WP process is running under the user whose store I try to open. It's
| very strange that it works while the user is logged on to the machine (through
| terminal services).
| On W2k this is not a problem.
|
| But I tried another solution: the certificate is now stored in the personal
| store of the local machine and I granted access to the user of the w3wp
| process to the certificate (using winhttpcertcfg.exe).
| This caused a very little code change but works on both w2k and w2k3.
|
| Raymond
| --
| ______________________________
| www.VECOZO.nl
|
| "Steven Cheng[MSFT]" wrote:
|
| > Hi Raymond,
| >
| > For accessing certificates, when the certificate is installed in the User
| > store, only the process running under that certain user can access those
| > certificates. So as you mentioned that your ASP.NET web application can
| > successfully access the certificate when navigating from local but failed when
| > going through a remote client, I'm wondering whether it's the ASP.NET worker
| > thread's security context being changed that causes the problem. Have you used
| > impersonation in your ASP.NET application? When using impersonation in
| > ASP.NET and IIS is configured for integrated Windows authentication, the
| > ASP.NET worker process will run under the client user's security context.
| > You can have a check to see whether this is the problem. In addition, if
| > convenient, would you also provide the complete code snippet on how to
| > access the certificate in the user store?
| >
| > Thanks,
| >
| > Steven Cheng
| > Microsoft Online Support
| >
| > Get Secure!
| > www.microsoft.com/security
| > (This posting is provided "AS IS", with no warranties, and confers no
| > rights.)
| >
| >
| > --------------------
| > | Thread-Topic: Open Certificate user Store in IIS 6
| > | thread-index: AcWyFbNZTc9EwXNvQFCC3A/6OKDuZg==
| > | X-WBNR-Posting-Host: 193.108.210.227
| > | From: "=?Utf-8?B?dmVjb3pvQG9ubGluZS5ub3NwYW0=?=" <[email protected]>
| > | Subject: Open Certificate user Store in IIS 6
| > | Date: Mon, 5 Sep 2005 05:31:12 -0700
| > | Lines: 22
| > | Message-ID: <[email protected]>
| > | MIME-Version: 1.0
| > | Content-Type: text/plain;
| > | charset="Utf-8"
| > | Content-Transfer-Encoding: 7bit
| > | X-Newsreader: Microsoft CDO for Windows 2000
| > | Content-Class: urn:content-classes:message
| > | Importance: normal
| > | Priority: normal
| > | X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.0
| > | Newsgroups: microsoft.public.dotnet.framework.aspnet
| > | NNTP-Posting-Host: TK2MSFTNGXA03.phx.gbl 10.40.2.250
| > | Path: TK2MSFTNGXA01.phx.gbl!TK2MSFTNGXA03.phx.gbl
| > | Xref: TK2MSFTNGXA01.phx.gbl microsoft.public.dotnet.framework.aspnet:122424
| > | X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet
| > |
| > | I've got a problem with opening a certificate user store under IIS6.
| > |
| > | The situation is:
| > | - I've created an application pool in IIS6 that runs under a local user
| > | account. This account is a member of the IIS_WPG group.
| > | - In the personal store of the user a certificate is installed.
| > | - I've got a simple aspx page that opens the current user store, shows
| > | the personal certificates and makes it possible to show the details of them.
| > | - When the user is locally logged on to the box it works fine, but when the
| > | user isn't logged on locally, no certificate is found (even when I make the
| > | user administrator).
| > |
| > | How can I open the personal certificate store of the user and get the
| > | personal certificates in IIS6?
| > |
| > | Best Regards,
| > | Raymond Roelands
| > |
| > | --
| > | ______________________________
| > | www.VECOZO.nl
| > |
| >
| >
|
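The thread describes Raymond's working solution only in words: move the certificate from the worker process account's CurrentUser store (which lives in a user profile that a service logon never loads) to the LocalMachine personal store, and grant the application pool account access to the private key. The following is an added example, not code from the thread or from VECOZO, of what that "very little code change" looks like on the ASP.NET side, together with the two checks a practitioner wants when the lookup still comes back empty: which identity the worker process actually runs under, and whether the private key is reachable under the store ACL. The thumbprint is a placeholder; the class and method names are my own.

```csharp
// Added example (not from the thread): certificate lookup that works for a
// non-interactive service logon by reading LocalMachine\My instead of
// CurrentUser\My. The thumbprint below is a placeholder, not a real value.
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Security.Principal;

public static class ServiceCertLookup
{
    // Placeholder: the thumbprint of the certificate imported into
    // LocalMachine\My and ACL'd for the application pool account.
    private const string ExpectedThumbprint = "<CERT-THUMBPRINT-PLACEHOLDER>";

    // Returns the identity the worker process runs under and whether a user
    // profile is loaded for that logon session. With a service logon and no
    // profile, USERPROFILE is typically absent, which is exactly the condition
    // under which a CurrentUser store lookup finds nothing.
    public static string DescribeLogonContext()
    {
        string identity = WindowsIdentity.GetCurrent().Name;
        bool profileLoaded =
            !string.IsNullOrEmpty(Environment.GetEnvironmentVariable("USERPROFILE"));
        return string.Format("identity={0}; userProfileLoaded={1}", identity, profileLoaded);
    }

    public static X509Certificate2 FindServiceCertificate()
    {
        // Before the fix this was StoreLocation.CurrentUser. The machine store
        // does not depend on a loaded profile, so it is readable from a
        // service logon as long as the account may read the store.
        X509Store store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
        try
        {
            X509Certificate2Collection matches = store.Certificates.Find(
                X509FindType.FindByThumbprint, ExpectedThumbprint, false);
            if (matches.Count == 0)
            {
                throw new InvalidOperationException(
                    "Certificate not found in LocalMachine\\My (" + DescribeLogonContext() + ")");
            }

            X509Certificate2 cert = matches[0];

            // Reading the certificate is not the same as using its key. If the
            // pool account was not granted access to the private key (the step
            // winhttpcertcfg.exe performs), HasPrivateKey can still be true but
            // touching PrivateKey throws a CryptographicException.
            try
            {
                AsymmetricAlgorithm key = cert.PrivateKey;
                if (key == null)
                {
                    throw new InvalidOperationException("Certificate has no private key");
                }
            }
            catch (CryptographicException ex)
            {
                throw new InvalidOperationException(
                    "Private key not accessible for " + DescribeLogonContext(), ex);
            }
            return cert;
        }
        finally
        {
            store.Close();
        }
    }
}
```

The private-key check is the part that usually distinguishes "wrong store" from "wrong ACL": the certificate itself is visible to any account that can read the machine store, but the key container is what the grant step controls. The documented form of that grant with the tool Raymond mentions is `winhttpcertcfg -g -c LOCAL_MACHINE\My -s <certificate subject> -a <pool account>`, and `winhttpcertcfg -l -c LOCAL_MACHINE\My -s <certificate subject>` lists which accounts currently have access, which is a quick way to confirm the ACL before touching code.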