Solved

Certificate for IWAM user

Posted on 2002-05-31
996 Views
Last Modified: 2008-03-17
I have a COM component that needs access to certificates. How can I configure certificates and the IWAM
user so that the COM component used in ASP pages will be allowed to access certificates?

I have tried to do it with the winhttpcertcfg utility. I have installed a certificate and granted access
to the private key to the IWAM user.

The COM component has a property that displays the number of accessible certificates. This number always reports
0, no matter what I do.

The COM component uses the certificate to authenticate itself via HTTPS to an HTTPS server which requires a client
certificate.
0
Comment
Question by:marko020397
6 Comments
 
LVL 63

Expert Comment

by:SysExpert
ID: 7047639
I would post this in one of the programming sections for better help.
You might simply post the link to this question.

I hope this helps!
0
 
LVL 7

Expert Comment

by:franka
ID: 7058061
This posting from an MS employee is one year old, but it's your question:

You probably need server-side WinHTTP 5:

http://msdn.microsoft.com/downloads/default.asp?URL=/code/sample.asp?url=/MSDN-FILES/027/001/655/msdncompositedoc.xml

----------------------------------

Here's a bit of history and an explanation of the issue:

ServerXMLHTTP (SXH) in the original MSXML3 Gold release (November 2000)
offered only partial support for HTTPS. Specifically, it did not support SSL
certificates, which are often (but not always) used for authentication. If
the target server requests a client certificate for authentication, SXH
would fail to send one (even if one was installed) causing the request to
fail. Clearly, support for SSL certificates was a big feature request.

So SSL certificate support was added to SXH for MSXML3 SP1. Unfortunately,
the feature was a bit "over-aggressive": to do any kind of HTTPS request
with SXH (even one that does not require a client certificate), a client
certificate must be installed on the machine regardless. Otherwise, this
"access denied" error is encountered in common runtime scenarios (such as
Medium or High out-of-process ASP applications, but not in the Low
in-process setting).

You get the "Access denied" error when running under ASP and not when
running a simple VBScript from the command-line, because ASP applications
run in a different user context, which has stricter security permissions
(for example, it cannot write to the registry). When you run the script from
the command-line you are running in the context of your user account which
often has more access to system resources.


The workaround, other than switching to the "Low (in-process)" ASP
application protection setting, is to install a
client certificate in the Personal certificate store of the user account
that out-of-process ASP applications run under. This is typically the
IWAM_machinename user account. Installing a client certificate in this
account is cumbersome, because:


1. You must know the password for the account. Typically IIS manages the
password for the IWAM_machine account.

2. If you don't know the password, an administrator for the machine can
change it. The password needs to be changed in a couple of different places (NT
User account manager, IIS metabase, and COM+ Component Services manager)

Lookup "WAMUserPass" in the on-line IIS documentation
(http://localhost/iisstart.asp), and also the following articles for
information on managing the IWAM account password:
http://support.microsoft.com/support/kb/articles/Q269/3/67.ASP
http://support.microsoft.com/support/kb/articles/Q296/8/51.ASP
http://msdn.microsoft.com/library/psdk/iisref/apro3bcj.htm


3. The IWAM account needs to be temporarily granted Administrator privileges
for the local machine. Installing a certificate requires local admin
privileges.

4. The client certificate needs to be installed. You can also use Internet
Explorer to import a certificate, via the Tools / Internet Options... /
Content / Certificates dialog box.

Or this can be also done with the Microsoft Management Console (MMC). The
following article shows how to install the Certificates snap-in for the MMC:
http://support.microsoft.com/support/kb/articles/Q232/1/37.ASP


5. The IWAM account should then be removed from the local Admin group.


Needless to say, this is very complicated and we are looking at fixing the
requirement that a certificate must be installed in order to do any HTTPS.
And also fixing SSL cert support such that certificates do not need to be
installed under the Personal store of the IWAM account (which is too much
trouble), but rather have them installed under the Local Computer
certificate store (which is easier to manage).


0
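The comment above describes the per-user route (put the certificate in the IWAM account's own Personal store, which means knowing or resetting the IWAM password and temporarily making the account a local administrator) and says Microsoft was moving towards the Local Computer store instead. The script below is an added example, not code from the thread or from Microsoft, of that machine-store route as it is done with the winhttpcertcfg utility the poster already has: import the PFX into LOCAL_MACHINE\My, grant the IWAM (and, as the poster later found necessary, the IUSR) account read access to the private key, and then list who has access so you can check the result instead of guessing. It assumes winhttpcertcfg.exe from the WinHTTP SDK is on the PATH, adsutil.vbs is in the usual Inetpub\AdminScripts folder, the ASP application is the default web site root (w3svc/1/root), and that C:\certs\client.pfx, the subject name ClientCert and the PFXPASS variable are placeholders for your own certificate. You run this as a local administrator, but the IWAM account itself never joins the Administrators group and its password is not needed.

```batch
@echo off
rem Added example, not from the original thread. Assumptions (change to suit):
rem   winhttpcertcfg.exe on the PATH, adsutil.vbs in Inetpub\AdminScripts,
rem   C:\certs\client.pfx holds the client certificate with CN=ClientCert,
rem   the PFX password is in the PFXPASS environment variable,
rem   the ASP application is the default web site root (w3svc/1/root).
setlocal
set ADMINSCRIPTS=%SystemDrive%\Inetpub\AdminScripts
set PFX=C:\certs\client.pfx
set SUBJECT=ClientCert
if "%PFXPASS%"=="" (
    echo Set PFXPASS to the PFX password before running this script.
    exit /b 1
)

rem 1. Confirm which identity the ASP application actually runs under.
rem    AppIsolated: 0 = Low (in-process), 1 = High (isolated), 2 = Medium (pooled).
rem    Out-of-process applications run as the WAMUserName account (IWAM_machine);
rem    anonymous requests are impersonated as AnonymousUserName (IUSR_machine).
cscript //nologo %ADMINSCRIPTS%\adsutil.vbs get w3svc/1/root/AppIsolated
cscript //nologo %ADMINSCRIPTS%\adsutil.vbs get w3svc/WAMUserName
cscript //nologo %ADMINSCRIPTS%\adsutil.vbs get w3svc/AnonymousUserName

rem 2. Import the PFX into the machine store (LOCAL_MACHINE\My) and grant the
rem    IWAM account access to the private key in one step.
winhttpcertcfg -i %PFX% -c LOCAL_MACHINE\My -a IWAM_%COMPUTERNAME% -p %PFXPASS%
if errorlevel 1 goto :fail

rem 3. Grant the anonymous (IUSR) account as well, for a component that resolves
rem    the certificate while impersonating the request's user.
winhttpcertcfg -g -c LOCAL_MACHINE\My -s %SUBJECT% -a IUSR_%COMPUTERNAME%
if errorlevel 1 goto :fail

rem 4. Verify: list the accounts that now have access to this key.
rem    If IWAM_/IUSR_ are missing here, the component cannot possibly see the key.
winhttpcertcfg -l -c LOCAL_MACHINE\My -s %SUBJECT%
endlocal
exit /b 0

:fail
echo winhttpcertcfg failed. Check the PFX password and that you are running as a local administrator.
endlocal
exit /b 1
```

The caveat a practitioner should keep in mind: this only helps if the component opens the machine store. A component that enumerates the caller's CURRENT_USER\My store will still report 0 certificates after this script, and for that case the per-user steps 1 to 5 in the comment above remain the only route. Also, granting IUSR read access to the key means every anonymous request can use that client certificate, so do it only when the component really needs it, as the poster found.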
 
LVL 4

Author Comment

by:marko020397
ID: 7164133
It turned out that this custom-made COM component requires the IUSR user to have the certificate installed.
0
 
LVL 4

Author Comment

by:marko020397
ID: 7501913
I will ask for deletion of this question.
0
 
LVL 5

Accepted Solution

by:
Netminder earned 0 total points
ID: 7501983
Points refunded and question closed; user resolved.

Netminder
EE Admin
0
