Certificate for IWAM user

I have a COM component that needs access to certificates. How can I configure certificates and the IWAM
user so that the COM component used in ASP pages will be allowed to access certificates?

I have tried to do it with the winhttpcertcfg utility. I have installed a certificate and granted access
to the private key to the IWAM user.

The COM component has a property to display the number of accessible certificates. This number always reports
0, no matter what I do.

COM component uses certificate to authenticate itself via HTTPS to a HTTPS server which requires client

Netminder Commented:
Points refunded and question closed; user resolved.

EE Admin
I would post this in one of the programming sections for better help.
You might simply post the link to this question.

I hope this helps!
This posting from an MS employee is one year old, but it's your question:

You probably need server-side WinHTTP 5:

Here's a bit of history and an explanation of the issue:

ServerXMLHTTP (SXH) in the original MSXML3 Gold release (November 2000)
offered only partial support for HTTPS. Specifically, it did not support SSL
certificates, which are often (but not always) used for authentication. If
the target server requests a client certificate for authentication, SXH
would fail to send one (even if one was installed) causing the request to
fail. Clearly, support for SSL certificates was a big feature request.

So SSL certificate support was added to SXH for MSXML3 SP1. Unfortunately,
the feature was a bit "over-aggressive":  to do any kind of HTTPS request
with SXH (even one that does not require a client certificate), a client
certificate must be installed on the machine regardless. Otherwise, this
"access denied" error is encountered in common runtime scenarios (such as
Medium or High out-of-process ASP applications, but not in the Low
in-process setting).

You get the "Access denied" error when running under ASP and not when
running a simple VBScript from the command-line, because ASP applications
run in a different user context, which has stricter security permissions
(for example, it cannot write to the registry). When you run the script from
the command-line you are running in the context of your user account which
often has more access to system resources.

The workaround, other than switching to the "Low (in-process)" ASP
application protection setting, is to install a
client certificate in the Personal certificate store of the user account
that out-of-process ASP applications run under. This is typically the
IWAM_machinename user account. Installing a client certificate in this
account is cumbersome, because:

1. You must know the password for the account. Typically IIS manages the
password for the IWAM_machine account.

2. If you don't know the password, an administrator for the machine can
change it. The password needs to be changed in a couple different places (NT
User account manager, IIS metabase, and COM+ Component Services manager).

Look up "WAMUserPass" in the on-line IIS documentation
(http://localhost/iisstart.asp), and also the following articles for
information on managing the IWAM account password:

3. The IWAM account needs to be temporarily granted Administrator privileges
for the local machine. Installing a certificate requires local admin

4. The client certificate needs to be installed. You can also use Internet
Explorer to import a certificate, via the Tools / Internet Options... /
Content / Certificates dialog box.

Or this can be also done with the Microsoft Management Console (MMC). The
following article shows how to install the Certificates snap-in for the MMC:

5. The IWAM account should then be removed from the local Admin group.

Needless to say, this is very complicated and we are looking at fixing the
requirement that a certificate must be installed in order to do any HTTPS.
And also fixing SSL cert support such that certificates do not need to be
installed under the Personal store of the IWAM account (which is too much
trouble), but rather have them installed under the Local Computer
certificate store (which is easier to manage).

marko020397 (Author) Commented:
It turned out that this custom-made COM component requires the IUSR user to have a certificate installed.

marko020397 (Author) Commented:
I will ask for deletion of this question.
Question has a verified solution.
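
An added example, not part of the original thread: the question granted private-key access to the IWAM account with winhttpcertcfg, while the author's follow-up names the IUSR user instead. This batch sketch reports which of the two IIS identities is listed as having access to the key. The subject string `ExampleClientCert` and the default account names `IWAM_<machine>` / `IUSR_<machine>` are assumptions.

```bat
@echo off
rem Added example, not from the thread. Constructed placeholders:
rem   SUBJECT - subject string of the client certificate (assumed name)
rem   MACHINE - suffix of the default IIS account names (assumed defaults)
setlocal
set "STORE=LOCAL_MACHINE\My"
set "SUBJECT=ExampleClientCert"
set "MACHINE=%COMPUTERNAME%"

rem Show every account that currently has access to the private key.
winhttpcertcfg -l -c %STORE% -s "%SUBJECT%"

rem Check the two IIS identities mentioned in the thread.
for %%A in (IWAM_%MACHINE% IUSR_%MACHINE%) do call :check %%A
endlocal
goto :eof

:check
rem findstr sets errorlevel 1 when the account name is absent from the
rem listing (this is also the result if the certificate was not found).
winhttpcertcfg -l -c %STORE% -s "%SUBJECT%" | findstr /i /c:"%~1" >nul
if errorlevel 1 (
    echo %~1 : not listed for the private key
    echo   grant with: winhttpcertcfg -g -c %STORE% -s "%SUBJECT%" -a %~1
) else (
    echo %~1 : listed as having access to the private key
)
goto :eof
```

The script only lists; it prints the grant command rather than running it, so access is widened only for the account the component actually runs as. A grant can be undone with the tool's `-r` option and the same `-c`, `-s` and `-a` arguments.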
