EldoS | Feel safer!

Software components for data protection, secure storage and transfer

Adding certificates in Windows 2003

#3889
Posted: 09/28/2007 06:10:40
by Chaitanya Ram (Basic support level)
Joined: 07/24/2007
Posts: 5


We are using the SecureBlackBox to add the Certificate to the store in our Asp.Net application.

Code
// Fixed: the original line had a doubled "= =" (syntax error).
private TElWinCertStorage winCertStorage = new TElWinCertStorage();
// Target the Local Machine store rather than the Current User store.
winCertStorage.AccessType = TSBStorageAccessType.atLocalMachine;
// Add the certificate to the ROOT store; the three boolean arguments are as in the original post.
winCertStorage.Add(cert, "ROOT", false, false, false);


In Windows 2003 it adds the certificate neither to the Local Machine store nor to the Current User store (as it does on XP). What privileges need to be given, and where, for the ASPNET user (or any other user we might impersonate the application with)?

Regards,
#3891
Posted: 09/28/2007 07:34:46
by Ken Ivanov (EldoS Corp.)

Thank you for your message.

Would you be so kind to provide us the additional details of the issue:

1. How exactly did you find out that the certificate has not been added? Does the subsequent call to winCertStorage.IsPresent() return false?
2. Does TElWinCertStorage.Add() method fail?
#3896
Posted: 09/30/2007 23:49:10
by Chaitanya Ram (Basic support level)
Joined: 07/24/2007
Posts: 5


Ivanov,

1. After I add the certificate, in another workflow, I use the CN name and look for the certificate using winCertStorage.get_Certificates(). I check both the Local Machine store and the Current User store one after the other and it doesn't find it. The point to note here is that the same code works fine on an XP machine.

2. TElWinCertStorage.Add() returns void and doesn't throw an error either. That was my other question: how do we find out whether TElWinCertStorage.Add() was successful or not?

3. Why does the TElWinCertStorage.Add() call put the certificate in the Current User store if it does not have access to Local Machine? Is this SecureBlackbox behavior or Windows system behavior?

Appreciate your help,
Chaitanya
#3900
Posted: 10/01/2007 02:45:05
by Ken Ivanov (EldoS Corp.)

Quote
1. After I add the certificate, in another workflow, I use the CN name and look for the certificate using winCertStorage.get_Certificates(). I check both the Local Machine store and the Current User store one after the other and it doesn't find it. The point to note here is that the same code works fine on an XP machine.

Thank you for the explanation. We will try to reproduce the problem in our conditions and get back to you then.

Win2003 and WinXP use different approaches for storing certificates (as far as I remember, on Win2003 one has to explicitly set special access rights for the certificates added by a web application). I will be able to give you a more exact answer after investigating the issue.

Quote
2. TElWinCertStorage.Add() returns void and doesn't throw an error either. That was my other question: how do we find out whether TElWinCertStorage.Add() was successful or not?

If certificate import fails for some reason, TElWinCertStorage.Add() throws an exception of type ECertStorageError.

Quote
3. Why does the TElWinCertStorage.Add() call put the certificate in the Current User store if it does not have access to Local Machine? Is this SecureBlackbox behavior or Windows system behavior?

This is by design in SecureBlackbox. I suppose we will implement a means of disabling this feature in one of the future build updates.
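As an added example (not code from this thread and not SecureBlackbox's API), here is the same import done with the standard .NET Framework X509Store class, which throws a CryptographicException when the store cannot be opened for writing instead of returning void, followed by an explicit lookup in the store that was actually requested. X509Store, OpenFlags and X509FindType are the real .NET API; the TrustedRootInstaller class, its method name and the command-line certificate path are my own assumptions.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Added example: import into an explicitly chosen Windows store and confirm
// the certificate is really there, with no fallback to another store.
public static class TrustedRootInstaller
{
    // Returns true only if 'cert' is present in (name, location) afterwards.
    // On Win2003, a web application identity without rights to the local
    // machine store gets a CryptographicException ("Access is denied") here
    // rather than a silent redirect to the current-user store.
    public static bool AddAndVerify(X509Certificate2 cert, StoreName name, StoreLocation location)
    {
        X509Store store = new X509Store(name, location);
        try
        {
            store.Open(OpenFlags.ReadWrite | OpenFlags.OpenExistingOnly);
            store.Add(cert);

            // Search by thumbprint: a CN match is ambiguous (several certificates
            // can carry the same subject name), a thumbprint match is not.
            X509Certificate2Collection found =
                store.Certificates.Find(X509FindType.FindByThumbprint, cert.Thumbprint, false);
            return found.Count > 0;
        }
        catch (CryptographicException ex)
        {
            // Report the real cause (typically missing rights on the store) and fail closed.
            Console.Error.WriteLine("Import into {0}\\{1} failed: {2}", location, name, ex.Message);
            return false;
        }
        finally
        {
            store.Close();
        }
    }

    // Usage: TrustedRootInstaller <path-to-cer-file>   (the path is a placeholder argument)
    public static int Main(string[] args)
    {
        X509Certificate2 cert = new X509Certificate2(args[0]);
        bool ok = AddAndVerify(cert, StoreName.Root, StoreLocation.LocalMachine);
        Console.WriteLine(ok ? "Installed in LocalMachine\\Root" : "NOT installed in LocalMachine\\Root");
        return ok ? 0 : 1;
    }
}
```

The design point is that the presence check is made against the same store the import targeted, so a library or OS that quietly redirects the write elsewhere shows up as a failure rather than as a certificate that "works" on one machine and is missing on another.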
#3901
Posted: 10/01/2007 03:04:10
by Chaitanya Ram (Basic support level)
Joined: 07/24/2007
Posts: 5


Quote
Thank you for the explanation. We will try to reproduce the problem in our conditions and get back to you then.

Win2003 and WinXP use different approaches for storing certificates (as far as I remember, on Win2003 one has to explicitly set special access rights for the certificates added by a web application). I will be able to give you a more exact answer after investigating the issue.


Thanks Ivanov, I would be eagerly waiting your response on this.

Chaitanya
#3929
Posted: 10/03/2007 03:11:46
by Ken Ivanov (EldoS Corp.)

We are glad to let you know that we found the reason for the problem. Win2003 uses a specific approach for storing certificates under the local machine account. Basically, only users belonging to the Administrators group have the rights to access such certificates. As the NETWORK SERVICE user (ASP.NET applications are executed under this user account by default) does not belong to the Administrators group, it cannot access local machine certificates. Please read the following article for the details.

Thus the only solution for the original problem is to grant enough rights to the NETWORK SERVICE user (or to any other user under whose account the Web application is run). The local machine certificates are stored in the HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates registry branch. Simply change the permissions for this branch (e.g., using the regedit tool) to allow write access to it for the NETWORK SERVICE user.
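The permission change described above, as an added C# example that is not code from this thread or from SecureBlackbox (an administrator can do the same thing in regedit). It uses the .NET Microsoft.Win32.Registry and System.Security.AccessControl classes; the CertStoreAcl class and its method names are my own. Rather than opening up the whole SystemCertificates branch, it grants the account only the rights needed to write a certificate under a single store subkey (ROOT here, matching the original post), and CanWriteStore is the check the thread was missing: whether the current identity can open that key for writing at all. Because write access to ROOT lets the granted account install trust anchors for the whole machine, it should go to the specific account the application runs under and only for the store the application actually needs (for a server certificate that is normally MY, not ROOT).

```csharp
using System;
using System.Security.AccessControl;
using System.Security.Principal;
using Microsoft.Win32;

// Added example: scoped registry ACL grant for a Windows certificate store key
// under HKLM\SOFTWARE\Microsoft\SystemCertificates. Must be run as an administrator.
public static class CertStoreAcl
{
    const string SystemCertificates = @"SOFTWARE\Microsoft\SystemCertificates";

    // Adds an Allow ACE for 'account' on one store subkey (e.g. "ROOT" or "MY").
    // Rights are limited to what adding a certificate needs: read the key,
    // create the per-certificate subkey and set its values. ContainerInherit
    // makes the ACE apply to the Certificates/CRLs/CTLs subkeys below the store.
    public static void GrantStoreWrite(string storeName, IdentityReference account)
    {
        string path = SystemCertificates + "\\" + storeName;
        using (RegistryKey key = Registry.LocalMachine.OpenSubKey(
            path,
            RegistryKeyPermissionCheck.ReadWriteSubTree,
            RegistryRights.ReadPermissions | RegistryRights.ChangePermissions))
        {
            if (key == null)
                throw new InvalidOperationException("Store key not found: HKLM\\" + path);

            RegistrySecurity acl = key.GetAccessControl();
            RegistryAccessRule rule = new RegistryAccessRule(
                account,
                RegistryRights.ReadKey | RegistryRights.CreateSubKey | RegistryRights.SetValue,
                InheritanceFlags.ContainerInherit,
                PropagationFlags.None,
                AccessControlType.Allow);
            acl.AddAccessRule(rule);
            key.SetAccessControl(acl);
        }
    }

    // Returns true if the current process identity can open the store key for
    // writing. Run this from the web application's identity to confirm the
    // grant took effect before relying on the certificate import.
    public static bool CanWriteStore(string storeName)
    {
        try
        {
            using (RegistryKey key = Registry.LocalMachine.OpenSubKey(SystemCertificates + "\\" + storeName, true))
                return key != null;
        }
        catch (System.Security.SecurityException) { return false; }
        catch (UnauthorizedAccessException) { return false; }
    }

    public static void Main()
    {
        // Well-known SID of NETWORK SERVICE, the default ASP.NET identity on Win2003.
        SecurityIdentifier networkService = new SecurityIdentifier(WellKnownSidType.NetworkServiceSid, null);
        GrantStoreWrite("ROOT", networkService);
        Console.WriteLine("Granted NETWORK SERVICE write access to HKLM\\" + SystemCertificates + "\\ROOT");
    }
}
```

GrantStoreWrite is the one-time administrative step; CanWriteStore is what the application can call at startup to turn a silent failure into a logged, actionable one.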
#3970
Posted: 10/07/2007 23:08:47
by Chaitanya Ram (Basic support level)
Joined: 07/24/2007
Posts: 5

Thanks a lot Ivanov, that helped!