Problem with non-administrative user

#222
Posted: 05/16/2006 04:33:40
by Santiago Castaño (Standard support level)
Joined: 04/16/2006
Posts: 155

Hi!,

Today, we started giving our application to a few beta-testers. And some of them cannot see any certificates loaded, although they see them in "Internet Explorer" (Options -> Contents -> Certificates).

They use non-administrative accounts, as "normal user". And also, they cannot load a certificate into my application because, I suppose, as it is already loaded in Windows, it throws an exception telling that the certificate is already loaded (but they can't see it in the application).

Why is this happening? I've just looked at the help, and found ElWinCertStorage.StorageType. I don't specify it, so I suppose that I'm using the default value (which is it, by the way?).

Here's the chunk of code for getting the certificates:

Code
//winstorage3:=TElWinCertStorage.create(nil) (oncreate)
    lista:=TStringList.Create;               // was missing: Lista.Free below needs it
    WinStorage3.GetAvailableStores(lista);   // names of the system stores visible to this account
    for i:=0 to lista.Count-1 do
    begin
      // only the personal store and the address book are shown in the tree
      if (lowercase(lista[i])='my') OR (lowercase(lista[i])='addressbook') then
      begin
        SwapWinStorage:=TElWinCertStorage.Create(nil);   // one storage object per system store
        amigable:=WinStorage3.GetStoreFriendlyName(lista[i]);
        if trim(amigable)='' then amigable:=lista[i];
        SwapWinStorage.SystemStores.Clear;
        SwapWinStorage.SystemStores.Add(lista[i]);
        // AccessType is not set here, so the default (atCurrentUser) applies
        Node1:=Certificados.AddChild(nil);
        Data1:=TPNodeData(certificados.GetNodeData(Node1));
        Data1.Nombre:=amigable;
        Data1.Datos:=SwapWinStorage;
        Data1.NombreOrig:=Lista[i];
//        with certificados.AddChild(nil, amigable, SwapWinStorage)  do StateIndex:=-1;
        StorageList.Add(SwapWinStorage);     // kept alive; freed together with the tree
        CurrStorageName.Add(lista[i]);

        PrintWinTree(SwapWinStorage,Node1);
      end;
    end;
    Lista.Free;
//winstorage3.free (ondestroy)


Thanks
#224
Posted: 05/16/2006 05:14:32
by Santiago Castaño (Standard support level)
Joined: 04/16/2006
Posts: 155

Hi!,

I've just done a test: I tried changing all the TElWinCertStorages to StorageType=stRegistry, and the effect was like in my beta-tester's case (no certificates appeared and I cannot add my certificate because it already exists).

So it's maybe something related to that. And I've got two questions:
- How can I know if that user is using stSystem, stRegistry or stLDAP?
- If using stRegistry or stLDAP, I see that I have to specify in ElWinCertStorage.SystemStores the keys of the registry, or the URIs of the LDAP? How can I obtain that data? (I suppose that they don't use LDAP, but really I don't know.)

Thanks
#227
Posted: 05/16/2006 06:28:50
by Eugene Mayevski (EldoS Corp.)

Your message is somehow confusing.

1) Is your application able to access the certificates? From your words "because I suppose that as it is already loaded in Windows, it throws an exception telling that the certificate is already loaded" I come to the conclusion that the application is able.

2) The user by default uses stSystem mode. stRegistry mode is used when you *know* the registry key which is a certificate container. The same for LDAP.

3) You can try running Crypto4 PKI and see if it works correctly (i.e. the certificates are visible).


Sincerely yours
Eugene Mayevski
#228
Posted: 05/16/2006 06:58:25
by Ken Ivanov (EldoS Corp.)

Please also try to play with TElWinCertStorage.AccessType property (it is set to atCurrentUser by default). It should be set to atLocalMachine value to access systemwide certificates.
#229
Posted: 05/16/2006 07:18:04
by Santiago Castaño (Standard support level)
Joined: 04/16/2006
Posts: 155

Quote

Please also try to play with TElWinCertStorage.AccessType property (it is set to atCurrentUser by default). It should be set to atLocalMachine value to access systemwide certificates.


I think that "that's it!"; I'll explain, so you can see if you come to the same conclusion as me.

First of all, my installation is built with Inno Setup. I simply copy the file, no mystery here.

My customer did the installation logged in as a normal user, but "executing as..." administrator. This installation made the program not see any certificate.

A few minutes ago, he called me telling me that he installed the application, but without admin privileges (logged in as a normal user, and executed the installation as a normal user). This time, he can see all the certificates (BECAUSE ALL THE CERTIFICATES ARE IN THAT NORMAL USER, and none in the admin user).

So I think (99% probability) that executing the installation as admin (but logged in as user) marked my program as executable with admin privileges, and my application was looking at the certificates that the admin has.

So... the question at this point (if I am correct) is:
- How should I set the AccessType so that, if an admin installs the program, all the users that also use the program have it look for certificates among all the certificates loaded?
- Is there any way to override that Windows executes my application as admin if the logged-in user is not admin? (so it points to the correct storage).

Thanks,
#230
Posted: 05/16/2006 07:43:08
by Eugene Mayevski (EldoS Corp.)

Quote
Santiago Castaño wrote:
- How should I set the AccessType so that, if an admin installs the program, all the users that also use the program have it look for certificates among all the certificates loaded?


As said, using LocalMachine access type in all cases.

Quote
Santiago Castaño wrote:
- Is there any way to override that Windows executes my application as admin if the logged-in user is not admin? (so it points to the correct storage).


I think the following took place: when the application was installed, it put some certificates into the admin's HKCU cert. storage. Now the application is run under a restricted account and it doesn't have access to the admin's HKCU cert. storage. If you set AccessType to LocalMachine always, you should get rid of the problem. Otherwise your application must check the accounts and install the certificates for each user, if the certificates are not yet installed.


Sincerely yours
Eugene Mayevski
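An added diagnostic in Delphi (not code from this thread or from EldoS) that enumerates the 'MY' store under both access types Ken and Eugene mention, so a deployer can see which account's store the program is actually reading; the unit names SBWinCertStorage and SBX509 and the members AccessType, ReadOnly, SystemStores, Open, Count, Certificates and SubjectName.CommonName are assumed from the SecureBlackbox TElWinCertStorage API.

```delphi
uses
  SysUtils, Classes, SBWinCertStorage, SBX509;

// Open one Windows system store with the given access type, read-only,
// and return how many certificates it holds; subject names go to AList.
// (Assumed TElWinCertStorage API; see lead-in.)
function CountStoreCerts(AAccess: TSBStorageAccessType;
  const AStore: string; AList: TStrings): Integer;
var
  Storage: TElWinCertStorage;
  i: Integer;
begin
  Storage := TElWinCertStorage.Create(nil);
  try
    Storage.AccessType := AAccess;      // atCurrentUser (default) or atLocalMachine
    Storage.ReadOnly := True;           // enumeration only; never write to the store
    Storage.SystemStores.Clear;
    Storage.SystemStores.Add(AStore);   // e.g. 'MY' = personal certificates
    Storage.Open;
    Result := Storage.Count;
    for i := 0 to Storage.Count - 1 do
      AList.Add(Format('%s\%s: %s', [AStore, IntToStr(i),
        Storage.Certificates[i].SubjectName.CommonName]));
  finally
    Storage.Free;
  end;
end;

// Compare the per-user and machine-wide 'MY' stores for the account this
// process runs under. A zero HKCU count while the logged-on user does see
// certificates in Internet Explorer means the process runs under a
// different account (e.g. the one used for "Run as..." at install time).
procedure ReportCertStores;
var
  Names: TStringList;
  UserCount, MachineCount: Integer;
begin
  Names := TStringList.Create;
  try
    UserCount := CountStoreCerts(atCurrentUser, 'MY', Names);
    MachineCount := CountStoreCerts(atLocalMachine, 'MY', Names);
    Writeln(Format('CurrentUser MY: %d certificate(s), LocalMachine MY: %d',
      [UserCount, MachineCount]));
    Writeln(Names.Text);
  finally
    Names.Free;
  end;
end;
```

Anything placed in the LocalMachine store is readable by every account on the machine, so a user's own certificate and private key belong in that user's CurrentUser store, and only shared, machine-level certificates belong under LocalMachine.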