Solved

Security Certificate install results in 'Access is denied' IIS7

Posted on 2014-10-21
Last Modified: 2014-11-08
When trying to install my Comodo SSL certificate on my SBS2011 server (IIS7) it’s failing with “There was an error performing this operation: Details: access is denied”. Most hits on this point to security settings on the c:\program data\microsoft\crypto\rsa\machinekeys folder and offer a solution of granting full permissions to the folder to ‘everyone’ and full permissions to the folder & all subfolders to ‘administrators’. But on attempting to set these permissions, even though I am logged on as domain administrator, I get “An error occurred while applying security information to…… Access is Denied”. After closing the folder properties window, the security does show it the way I want it, but installing the certificate still fails with this same error.
Question by:laurencoull
8 Comments
 
LVL 2

Expert Comment

by:Jeff Lewandowski
ID: 40395280
Instructions to change the folder permissions:

http://msdn.microsoft.com/en-us/library/bb909654%28v=vs.90%29.aspx
 
LVL 28

Expert Comment

by:becraig
ID: 40395283
What method are you using for installing your certificate?

Can you provide a little more information on the steps you have taken to this point, e.g.:
I created the CSR - downloaded the certificate from Comodo - then did "x", etc.
 
LVL 61

Expert Comment

by:btan
ID: 40396005
I believe you are having an issue like this one, for HRESULT: 0x80070005 (E_ACCESSDENIED):
http://toastergremlin.com/?p=432
Ensure that the “Administrators” group has full control and the “Everyone” group has the following permissions on this folder only:
List folder / read data
Read attributes
Read extended attributes
Create files / write data
Create folders / append data
Write attributes
Write extended attributes
Read permissions

So for the permission setting, do ensure the above is done. Check the permissions on that directory to ensure that Administrators is in the list. If you can't even do that, you'll have to take ownership of the folder first (it's a tab in the Advanced Permissions dialog screen). Looking at the top level folder, Administrators should have Full Control. It will then have ownership of it, so do make sure to check the box to apply recursively. http://support.microsoft.com/kb/278381

Also, in case these come in handy:


Certificate Installation: Microsoft IIS 7.x
https://support.comodo.com/index.php?/Default/Knowledgebase/Article/View/639/0/certificate-installation-microsoft-iis-7x

CSR Generation: Microsoft IIS 7.x
https://support.comodo.com/index.php?/Default/Knowledgebase/Article/View/628/0/csr-generation-microsoft-iis-7x
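
A way to check the folder against the permission list in the post above, as an added example that is not part of the original thread. It assumes the standard `%ProgramData%\Microsoft\Crypto\RSA\MachineKeys` location and an elevated PowerShell session; the output property names are made up for this example.

```powershell
# Added example (not from the thread): compare the MachineKeys ACL with the list above.
# Run from an elevated prompt. Well-known SIDs avoid localized group names.
$path = Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys'
$fsr  = [System.Security.AccessControl.FileSystemRights]
$sids = @{ Administrators = 'S-1-5-32-544'; Everyone = 'S-1-1-0' }

# Rights the post lists for Everyone on "this folder only".
$wanted = [int][System.Security.AccessControl.FileSystemRights](
    'ReadData, ReadAttributes, ReadExtendedAttributes, WriteData, AppendData, ' +
    'WriteAttributes, WriteExtendedAttributes, ReadPermissions')
$sync = [int]$fsr::Synchronize   # Windows adds Synchronize to most grants; ignore it
$full = [int]$fsr::FullControl

$acl   = Get-Acl -Path $path
$rules = @($acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
           Where-Object { $_.AccessControlType -eq 'Allow' })

function Get-AllowMask([string]$Sid) {
    # OR together every Allow entry for one SID (explicit and inherited).
    $mask = 0
    foreach ($r in $rules) {
        if ($r.IdentityReference.Value -eq $Sid) { $mask = $mask -bor [int]$r.FileSystemRights }
    }
    $mask
}

$adminMask    = Get-AllowMask $sids.Administrators
$everyoneMask = Get-AllowMask $sids.Everyone
# Entries for Everyone that propagate to files or subfolders (the post says "this folder only").
$everyoneInherit = @($rules | Where-Object {
    $_.IdentityReference.Value -eq $sids.Everyone -and $_.InheritanceFlags -ne 'None' })

New-Object PSObject -Property @{
    Path                      = $path
    Owner                     = $acl.Owner
    AdministratorsFullControl = (($adminMask -band $full) -eq $full)
    EveryoneMissingRights     = [Enum]::ToObject($fsr, ($wanted -band (-bnot $everyoneMask)))
    EveryoneRightsBeyondList  = [Enum]::ToObject($fsr, ($everyoneMask -band (-bnot ($wanted -bor $sync))))
    EveryoneAppliesToChildren = ($everyoneInherit.Count -gt 0)
} | Format-List
```

A value other than 0 in `EveryoneRightsBeyondList` (for example after granting Everyone full permissions, as the search hits mentioned in the question suggest) means the folder is more open than the list in the post requires.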
 

Author Comment

by:laurencoull
ID: 40396607
Ok: taking ownership of the folder has enabled me to set the permissions as I need to. Just before I try to install the certificate, is there a way of backing up the existing one in case it messes things up, or if it does mess things up for some reason, is there a way of un-doing it?
LVL 61

Expert Comment

by:btan
ID: 40396815
You can always clone the HDD, but then I may consider:
Volume Shadow Copy (backups of open files and applications, shared folder etc) - http://technet.microsoft.com/en-us/magazine/dd637757.aspx

Shadow Copy is enabled on a per volume basis. Once configured on a volume, all shared folders residing on that volume will automatically be shadowed. Shadow Copy can be configured either graphically using the Computer Management tool or via the command prompt.
http://www.techotopia.com/index.php/Configuring_Volume_Shadow_Copy_on_Windows_Server_2008

Backing Up Certificates in Windows
http://technet.microsoft.com/en-us/library/cc771848%28v=ws.10%29.aspx

Backup the PFX (private key) from certstore
https://support.comodo.com/index.php?/Knowledgebase/Article/View/368/0/backing-up-and-restoring-a-certificate-in-iis-5-or-6
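
The PFX backup mentioned in the post above, scripted with .NET calls that also work on PowerShell 2.0. This is an added example, not part of the original thread; the destination folder `C:\CertBackup` and the output property names are assumptions.

```powershell
# Added example (not from the thread): back up every certificate in LocalMachine\My
# that has a private key to a password-protected PFX before changing anything.
$backupDir = 'C:\CertBackup'                       # assumed destination folder
$password  = Read-Host 'PFX password' -AsSecureString
$pfx       = [System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx

if (-not (Test-Path $backupDir)) { New-Item -ItemType Directory -Path $backupDir | Out-Null }

foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
    $result = 'Skipped: no private key in this store'
    $file   = $null
    if ($cert.HasPrivateKey) {
        $file = Join-Path $backupDir ($cert.Thumbprint + '.pfx')
        try {
            # Export() throws when the key was created or imported as non-exportable.
            $bytes = $cert.Export($pfx, $password)
            [System.IO.File]::WriteAllBytes($file, $bytes)
            $result = 'Exported'
        } catch {
            $file   = $null
            $result = 'Failed: ' + $_.Exception.Message
        }
    }
    # One row per certificate so failures are visible next to successes.
    New-Object PSObject -Property @{
        Thumbprint = $cert.Thumbprint
        Subject    = $cert.Subject
        NotAfter   = $cert.NotAfter
        Result     = $result
        File       = $file
    } | Select-Object Thumbprint, Subject, NotAfter, Result, File
}
```

Each PFX can be restored with the Import action under Server Certificates in IIS Manager; the files contain private keys, so keep them off the web server once the change is done.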
 

Author Comment

by:laurencoull
ID: 40397720
Ok, success, the certificate is showing as installed! There are actually 5 certificates listed under Server Certificates in the IIS7 Manager but I guess the other 4 aren't doing any harm? 3 are self-signed and the 4th is saying issued by 'WMSvc-WIN-RNCF.....' then the 5th one is my Comodo one. But I'm a little concerned as I always thought when you purchased a proper certificate, you no longer got the message 'There is a problem with this web site's security certificate' making you click 'Continue to this website (not recommended)' to proceed. But we're still getting this.
 
LVL 28

Expert Comment

by:becraig
ID: 40397730
This error can generally be due to any number of things, usually either a name mismatch or an untrusted CA certificate.

You can usually tell by looking at the actual error popup itself.
 
LVL 61

Accepted Solution

by:
btan earned 500 total points
ID: 40398312
WMSvc--WIN-RNCF is likely for the WMSvc-server name certificate. Mainly, clients can connect remotely to the Web Management Service on a Web server in order to administer that server, as in http://technet.microsoft.com/en-us/library/cc735088(v=ws.10).aspx (under server manager | add roles | highlighted Webserver IIS and add the management service).

Nonetheless, the warning is mainly due to an untrusted CA or a mismatched domain, as shared ... See these steps to have the server cert and the client have the cert to avoid the warning, esp. if a self-signed server cert is used (in most of the cases, as you also have the WMSvc).
https://www.sslshopper.com/article-how-to-create-a-self-signed-certificate-in-iis-7.html

Overall, I do suggest that to protect yourself (as a client) against a rogue CA (if it is not known or necessary, or is revoked), you must un-trust that CA (i.e. remove it from your "trusted roots" certificate store). This merely implies that servers that you still wish to talk to should use some other, distinct CA for their certificates.

The Firefox Web browser, though, uses its own SSL implementation and trust store, separated from that of the base OS. Moreover, Firefox supports profiles, meaning that a user can have several "personas" with Firefox, each with its own settings, including the set of trusted roots.
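
To tell the two causes named in the thread apart (untrusted CA versus name mismatch) for each of the certificates listed on the server, here is an added example that is not part of the original thread. The host name `remote.example.com` is a placeholder, the chain is built against the server's own trust store (a client's store may differ), and the SAN parsing assumes English-language Windows formatting.

```powershell
# Added example (not from the thread): report, per server certificate, whether the
# chain is trusted and whether the certificate covers the name users browse to.
$hostName = 'remote.example.com'   # placeholder: the name typed into the browser

function Test-NameMatch([string]$Pattern, [string]$Name) {
    if ($Pattern.StartsWith('*.')) {
        # A wildcard covers exactly one left-most label: *.example.com matches a.example.com only.
        $suffix = $Pattern.Substring(1)
        if (-not $Name.EndsWith($suffix, [StringComparison]::OrdinalIgnoreCase)) { return $false }
        $label = $Name.Substring(0, $Name.Length - $suffix.Length)
        return ($label.Length -gt 0 -and $label -notmatch '\.')
    }
    return ($Pattern -ieq $Name)
}

foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # keep the check offline
    $trusted = $chain.Build($cert)
    $status  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '

    # Collect the subject CN and any DNS names from the Subject Alternative Name extension.
    $names = @($cert.GetNameInfo('SimpleName', $false))
    $san   = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        # Assumption: entries are formatted as "DNS Name=host" (English-language Windows).
        $names += @($san.Format($false) -split ',\s*' |
                    Where-Object { $_ -like 'DNS Name=*' } |
                    ForEach-Object { $_.Substring(9) })
    }
    $nameOk = @($names | Where-Object { Test-NameMatch $_ $hostName }).Count -gt 0

    New-Object PSObject -Property @{
        Thumbprint   = $cert.Thumbprint
        Subject      = $cert.Subject
        SelfSigned   = ($cert.Subject -eq $cert.Issuer)
        ChainTrusted = $trusted
        ChainStatus  = $status
        NameMatches  = $nameOk
    } | Select-Object Thumbprint, Subject, SelfSigned, ChainTrusted, ChainStatus, NameMatches
}
```

Compare the thumbprints with the certificate hash shown by `netsh http show sslcert` to see which of the listed certificates the HTTPS binding is actually serving.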