Solved

Certificate for IWAM user

Posted on 2002-05-31
978 Views
Last Modified: 2008-03-17
I have a COM component that needs access to certificates. How can I configure certificates and the IWAM
user so the COM component used in ASP pages will be allowed to access certificates?

I have tried to do it with the winhttpcertcfg utility. I have installed a certificate and granted access
to the private key to the IWAM user.

The COM component has a property to display the number of accessible certificates. This number always reports
0, no matter what I do.

The COM component uses the certificate to authenticate itself via HTTPS to an HTTPS server which requires a client
certificate.
Question by:marko020397
6 Comments
Expert Comment by SysExpert (LVL 63)
I would post this in one of the programming sections for better help.
You might simply post the link to this question.

I hope this helps!
Expert Comment by franka (LVL 7)
This posting from an MS employee is one year old, but it's your question:

You probably need server-side WinHTTP 5:

http://msdn.microsoft.com/downloads/default.asp?URL=/code/sample.asp?url=/MSDN-FILES/027/001/655/msdncompositedoc.xml

----------------------------------

Here's a bit of history and an explanation of the issue:

ServerXMLHTTP (SXH) in the original MSXML3 Gold release (November 2000)
offered only partial support for HTTPS. Specifically, it did not support SSL
certificates, which are often (but not always) used for authentication. If
the target server requests a client certificate for authentication, SXH
would fail to send one (even if one was installed), causing the request to
fail. Clearly, support for SSL certificates was a big feature request.

So SSL certificate support was added to SXH for MSXML3 SP1. Unfortunately,
the feature was a bit "over-aggressive": to do any kind of HTTPS request
with SXH (even one that does not require a client certificate), a client
certificate must be installed on the machine regardless. Otherwise, this
"access denied" error is encountered in common runtime scenarios (such as
Medium or High out-of-process ASP applications, but not in the Low
in-process setting).

You get the "Access denied" error when running under ASP and not when
running a simple VBScript from the command line, because ASP applications
run in a different user context, which has stricter security permissions
(for example, it cannot write to the registry). When you run the script from
the command line you are running in the context of your user account, which
often has more access to system resources.

The workaround, other than switching to the "Low (in-process)" ASP
application protection setting, is to install a
client certificate in the Personal certificate store of the user account
that out-of-process ASP applications run under. This is typically the
IWAM_machinename user account. Installing a client certificate in this
account is cumbersome, because:

1. You must know the password for the account. Typically IIS manages the
password for the IWAM_machine account.

2. If you don't know the password, an administrator for the machine can
change it. The password needs to be changed in a couple of different places (NT
User account manager, IIS metabase, and COM+ Component Services manager).

Look up "WAMUserPass" in the on-line IIS documentation
(http://localhost/iisstart.asp), and also the following articles for
information on managing the IWAM account password:
http://support.microsoft.com/support/kb/articles/Q269/3/67.ASP
http://support.microsoft.com/support/kb/articles/Q296/8/51.ASP
http://msdn.microsoft.com/library/psdk/iisref/apro3bcj.htm

3. The IWAM account needs to be temporarily granted Administrator privileges
for the local machine. Installing a certificate requires local admin
privileges.

4. The client certificate needs to be installed. You can also use Internet
Explorer to import a certificate, via the Tools / Internet Options... /
Content / Certificates dialog box.

Or this can also be done with the Microsoft Management Console (MMC). The
following article shows how to install the Certificates snap-in for the MMC:
http://support.microsoft.com/support/kb/articles/Q232/1/37.ASP

5. The IWAM account should then be removed from the local Admin group.

Needless to say, this is very complicated and we are looking at fixing the
requirement that a certificate must be installed in order to do any HTTPS.
And also fixing SSL cert support such that certificates do not need to be
installed under the Personal store of the IWAM account (which is too much
trouble), but rather have them installed under the Local Computer
certificate store (which is easier to manage).
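A diagnostic added here, not from the thread or from Microsoft's tools, for the point the thread turns on: whether the IIS service account actually has Read access on the private key of each certificate in the machine store, which is the file ACL that winhttpcertcfg sets and the reason a component can report 0 usable certificates. It assumes a current Windows with PowerShell 3 or later, the machine key folders under $env:ProgramData, and the default local IWAM_<machine> account name; pass -Account to check IUSR instead.

```powershell
# Added diagnostic, not from the original thread. Lists every certificate in the
# LocalMachine\My store and reports whether the given account has Read access on
# the private-key container file. winhttpcertcfg grants access by writing exactly
# this file ACL, so a MISSING result explains a component that sees 0 certificates.
param(
    # Assumption: default local IIS account naming; pass IUSR_<machine> to test that one.
    [string]$Account   = "$env:COMPUTERNAME\IWAM_$env:COMPUTERNAME",
    [string]$StorePath = 'Cert:\LocalMachine\My'
)

# CAPI RSA machine keys live under MachineKeys; newer CNG keys live under ..\Crypto\Keys.
$keyDirs = @(
    (Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys'),
    (Join-Path $env:ProgramData 'Microsoft\Crypto\Keys')
)

function Test-PrivateKeyAccess {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [string]$Account
    )
    if (-not $Cert.HasPrivateKey) { return 'no private key in store' }
    $container = $null
    # PrivateKey throws for CNG-stored keys on .NET Framework; treat that as "not inspectable".
    try { $container = $Cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName } catch {}
    if (-not $container) { return 'key is not a CAPI RSA key; inspect its ACL manually' }
    foreach ($dir in $keyDirs) {
        $file = Join-Path $dir $container
        if (-not (Test-Path $file)) { continue }
        $read = [System.Security.AccessControl.FileSystemRights]::Read
        # Only direct Allow entries for this account are checked; a grant through a
        # group the account belongs to is not detected here.
        $ok = (Get-Acl $file).Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.IdentityReference.Value -ieq $Account -and
            $_.FileSystemRights.HasFlag($read)
        }
        if ($ok) { return "OK: $Account has Read on $file" }
        return "MISSING: no Allow/Read entry for $Account on $file"
    }
    return "container file '$container' not found under MachineKeys or Keys"
}

Get-ChildItem $StorePath | ForEach-Object {
    [pscustomobject]@{
        Subject    = $_.Subject
        Thumbprint = $_.Thumbprint
        KeyAccess  = Test-PrivateKeyAccess -Cert $_ -Account $Account
    }
} | Format-Table -AutoSize -Wrap
```

Run it elevated, since reading the key container ACLs requires access to the MachineKeys folder.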
Expert Comment by franka (LVL 7)

Author Comment by marko020397 (LVL 4)
It turned out that this custom-made COM component requires the IUSR user to have a certificate installed.
Author Comment by marko020397 (LVL 4)
I will ask for deletion of this question.

Accepted Solution by Netminder (LVL 5, earned 0 total points)
Points refunded and question closed; user resolved.

Netminder
EE Admin