Solved

Certificate for IWAM user

Posted on 2002-05-31
Last Modified: 2008-03-17
I have a COM component that needs access to certificates. How can I configure certificates and the IWAM
user so the COM component used in ASP pages will be allowed to access certificates?

I have tried to do it with the winhttpcertcfg utility. I have installed a certificate and granted access
to the private key to the IWAM user.

The COM component has a property to display the number of accessible certificates. This number always reports
0, no matter what I do.

The COM component uses a certificate to authenticate itself via HTTPS to an HTTPS server which requires a client
certificate.
Question by:marko020397
6 Comments
 
LVL 63

Expert Comment

by:SysExpert
ID: 7047639
I would post this in one of the programming sections for better help.
You might simply post the link to this question.

I hope this helps !
0
 
LVL 7

Expert Comment

by:franka
ID: 7058061
This posting from an MS employee is one year old, but it's your question:

You probably need server-side WinHTTP 5:

http://msdn.microsoft.com/downloads/default.asp?URL=/code/sample.asp?url=/MSDN-FILES/027/001/655/msdncompositedoc.xml

----------------------------------

Here's a bit of history and an explanation of the issue:

ServerXMLHTTP (SXH) in the original MSXML3 Gold release (November 2000)
offered only partial support for HTTPS. Specifically, it did not support SSL
certificates, which are often (but not always) used for authentication. If
the target server requests a client certificate for authentication, SXH
would fail to send one (even if one was installed) causing the request to
fail. Clearly, support for SSL certificates was a big feature request.

So SSL certificate support was added to SXH for MSXML3 SP1. Unfortunately,
the feature was a bit "over-aggressive":  to do any kind of HTTPS request
with SXH (even one that does not require a client certificate), a client
certificate must be installed on the machine regardless. Otherwise, this
"access denied" error is encountered in common runtime scenarios (such as
Medium or High out-of-process ASP applications, but not in the Low
in-process setting).

You get the "Access denied" error when running under ASP and not when
running a simple VBScript from the command-line, because ASP applications
run in a different user context, which has stricter security permissions
(for example, it cannot write to the registry). When you run the script from
the command-line you are running in the context of your user account which
often has more access to system resources.


The workaround, other than switching to the "Low (in-process)" ASP
application protection setting, is to install a
client certificate in the Personal certificate store of the user account
that out-of-process ASP applications run under. This is typically the
IWAM_machinename user account. Installing a client certificate in this
account is cumbersome, because:


1. You must know the password for the account. Typically IIS manages the
password for the IWAM_machine account.

2. If you don't know the password, an administrator for the machine can
change it. The password needs to be changed in a couple different places (NT
User account manager, IIS metabase, and COM+ Component Services manager)

Look up "WAMUserPass" in the on-line IIS documentation
(http://localhost/iisstart.asp), and also the following articles for
information on managing the IWAM account password:
http://support.microsoft.com/support/kb/articles/Q269/3/67.ASP
http://support.microsoft.com/support/kb/articles/Q296/8/51.ASP
http://msdn.microsoft.com/library/psdk/iisref/apro3bcj.htm


3. The IWAM account needs to be temporarily granted Administrator privileges
for the local machine. Installing a certificate requires local admin
privileges.

4. The client certificate needs to be installed. You can also use Internet
Explorer to import a certificate, via the Tools / Internet Options... /
Content / Certificates dialog box.

Or this can be also done with the Microsoft Management Console (MMC). The
following article shows how to install the Certificates snap-in for the MMC:
http://support.microsoft.com/support/kb/articles/Q232/1/37.ASP


5. The IWAM account should then be removed from the local Admin group.


Needless to say, this is very complicated and we are looking at fixing the
requirement that a certificate must be installed in order to do any HTTPS.
And also fixing SSL cert support such that certificates do not need to be
installed under the Personal store of the IWAM account (which is too much
trouble), but rather have them installed under the Local Computer
certificate store (which is easier to manage).


0
 
LVL 7

Expert Comment

by:franka
ID: 7058073
0

 
LVL 4

Author Comment

by:marko020397
ID: 7164133
It turned out that this custom-made COM component requires the IUSR user to have a certificate installed.
0
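Editor's added example, not code from any poster in this thread: the winhttpcertcfg step the question mentions, extended to cover both IIS identities discussed above and to verify the resulting private-key access list. It assumes the client certificate and its private key are already in the Local Computer personal store, that the anonymous identity is named IUSR_<machinename>, and that the subject string `ExampleClientCert` is a placeholder.

```bat
@echo off
rem Added example. CERT_SUBJECT is a placeholder; replace it with the
rem subject of the client certificate actually installed.
setlocal
set CERT_SUBJECT=ExampleClientCert
set STORE=LOCAL_MACHINE\My

rem Grant read access to the certificate's private key to each IIS identity.
rem IWAM_<machine> runs out-of-process (Medium/High) ASP applications;
rem IUSR_<machine> (assumed name) is the anonymous identity the asker's
rem component turned out to need.
for %%A in (IWAM_%COMPUTERNAME% IUSR_%COMPUTERNAME%) do (
    echo Granting private key access to %%A
    winhttpcertcfg -g -c %STORE% -s "%CERT_SUBJECT%" -a %%A
)

rem List the accounts that can now read the private key. Review this
rem output: only the identities that need the key should appear.
winhttpcertcfg -l -c %STORE% -s "%CERT_SUBJECT%"

rem To withdraw access from an identity that does not need it:
rem winhttpcertcfg -r -c %STORE% -s "%CERT_SUBJECT%" -a IUSR_%COMPUTERNAME%
endlocal
```

Granting key access this way leaves the IWAM and IUSR accounts unprivileged, unlike the temporary Administrator membership in step 3 of the quoted procedure.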
 
LVL 4

Author Comment

by:marko020397
ID: 7501913
I will ask for deletion of this question.
0
 
LVL 5

Accepted Solution

by:
Netminder earned 0 total points
ID: 7501983
Points refunded and question closed; user resolved.

Netminder
EE Admin
0
