djcheeky
asked on
X509Certificate Store access issue
Hi
We created numerous X509Certificate2's on our application server using an ASP.NET C# website. When calling any functionality via the website that uses these certificates, the process executes just fine - finding the appropriate certificates from the store.
BUT, when we run a Service that we created, that calls the same code that the website called, the process fails as it doesn't find any certificates in the Store.
When we add the certificates to the store via the website, we use the code:
X509Store storeCurrentUser = new X509Store(StoreName.My, StoreLocation.CurrentUser);
Now, after a bit of digging, it seems that in order for the Service to be able to access the certificates, they need to be obtained from the StoreLocation.LocalMachine store (I could be wrong here - so please correct me if I am)
Then, from what I understand, the website should search the StoreLocation.CurrentUser store for certificates, whereas the application Service should access the StoreLocation.LocalMachine store.
The problem is that, via the website, I can only add certificates to the StoreLocation.CurrentUser store. If I try to add to the StoreLocation.LocalMachine store, I get an "access denied" error.
What do I need to do to install certificates that will be accessible via a function called via the web application AND the same function called via a Service (Windows Service, not Web Service)
Please help.
Thanks
Does the user with which you are executing the service have permissions to access the store?
ASKER
I'm not sure. What I have been able to determine is:
For the website, the identity of the user using the code below is:
System.Security.Principal.WindowsIdentity.GetCurrent().Name
For the website: SERVER_NAME\ASPNET
For the Service: NT AUTHORITY\SYSTEM
The web application installs certificates into the CurrentUser store, which is why when I query that store using the Service, I get no certificates. Because the website used 'SERVER_NAME\ASPNET' as the CurrentUser and the Service used 'NT AUTHORITY\SYSTEM'
Is there not any way to perhaps create a totally new user on the Server and somehow force both the web application AND the service to use this account?
For example, create a user called CERTUSER and then always use SERVERNAME\CERTUSER somehow?
I'm a little confused when it comes to user permissions, I must admit!
Thanks
ASKER
I apologise - the website is actually using: NT AUTHORITY\NETWORK SERVICE
and not SERVER_NAME\ASPNET
Thanks
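The store-scope problem described in the question and in the asker's follow-ups, as an added C# example (not code from the original thread or from anyone posting in it). CurrentUser\My is a per-identity store, so a certificate the website adds while running as NT AUTHORITY\NETWORK SERVICE lives in that account's store and is invisible to a Windows Service running as NT AUTHORITY\SYSTEM. The example logs which identity a lookup runs under, searches LocalMachine\My first and the caller's own CurrentUser\My second so one function serves both the website and the service, and shows a one-time import into LocalMachine\My that must be run by an administrative identity (an installer or an administrator session), not by the website. The thumbprint, PFX path and password are placeholders.

```csharp
// Added example, not from the original thread. Demonstrates why a certificate
// installed into CurrentUser\My by one identity is not visible to another, and
// how to share it through LocalMachine\My instead.
using System;
using System.Security.Cryptography.X509Certificates;
using System.Security.Principal;

static class CertStoreDemo
{
    // Placeholder thumbprint; substitute the real one.
    const string Thumbprint = "0000000000000000000000000000000000000000";

    // The identity the store lookup runs under. CurrentUser\My is keyed on this
    // account, so NETWORK SERVICE (web site) and SYSTEM (service) see different stores.
    static string WhoAmI()
    {
        return WindowsIdentity.GetCurrent().Name;
    }

    // Search one store location for a thumbprint; returns null when not present.
    static X509Certificate2 FindInStore(StoreLocation location, string thumbprint)
    {
        X509Store store = new X509Store(StoreName.My, location);
        try
        {
            store.Open(OpenFlags.ReadOnly);
            X509Certificate2Collection found = store.Certificates.Find(
                X509FindType.FindByThumbprint, thumbprint, false);
            return found.Count > 0 ? found[0] : null;
        }
        finally
        {
            store.Close();
        }
    }

    // Shared lookup for both the web site and the Windows Service: the machine-wide
    // store first (visible to every account on the box), then the caller's own
    // CurrentUser store, reporting which one satisfied the request.
    static X509Certificate2 FindCertificate(string thumbprint)
    {
        X509Certificate2 cert = FindInStore(StoreLocation.LocalMachine, thumbprint);
        if (cert != null)
        {
            Console.WriteLine("Found in LocalMachine\\My while running as " + WhoAmI());
            return cert;
        }
        cert = FindInStore(StoreLocation.CurrentUser, thumbprint);
        if (cert != null)
        {
            Console.WriteLine("Found in CurrentUser\\My of " + WhoAmI());
            return cert;
        }
        Console.WriteLine("Not found in either store while running as " + WhoAmI());
        return null;
    }

    // One-time import into LocalMachine\My. Run this under an identity allowed to
    // write that store (an administrator / installer), which is exactly what the
    // "access denied" from the NETWORK SERVICE web site is telling you. MachineKeySet
    // places the private key in the machine key container rather than the
    // importing user's profile; PersistKeySet keeps it after the object is gone.
    static void InstallToLocalMachine(string pfxPath, string pfxPassword)
    {
        X509Certificate2 cert = new X509Certificate2(pfxPath, pfxPassword,
            X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.PersistKeySet);
        X509Store store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        try
        {
            store.Open(OpenFlags.ReadWrite);
            store.Add(cert);
        }
        finally
        {
            store.Close();
        }
    }

    static void Main()
    {
        Console.WriteLine("Running as: " + WhoAmI());
        FindCertificate(Thumbprint);
        // InstallToLocalMachine(@"C:\path\to\cert.pfx", "pfx-password"); // admin only
    }
}
```

Two caveats a practitioner will hit after the import. First, LocalMachine\My makes the certificate findable by every account, but read access to the private key is governed by the key file's ACL, which is managed outside this code (the Certificates MMC snap-in's "Manage Private Keys" dialog); SYSTEM typically has it already, while NETWORK SERVICE usually has to be granted it explicitly. Second, the asker's alternative of running both the app pool and the service under one dedicated account does make their CurrentUser stores coincide, but a service account's CurrentUser store is only reliable when that account's user profile is loaded, which is why the machine store is the usual choice for code that is shared between a website and a service.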