EldoS | Feel safer!

Software components for data protection, secure storage and transfer

Sharing Private Key using Secure Black Box

#4012
Posted: 10/15/2007 06:22:57
by sadanand G (Basic support level)
Joined: 10/12/2007
Posts: 9

(a) Windows XP Professional (same problem with Windows 2003)
(b) .NET 2.0.50727
(c) SBB version ???
#4013
Posted: 10/15/2007 06:26:45
by Ken Ivanov (EldoS Corp.)

Thank you.

Quote
(c) SBB version ???

It can be found in the changes.txt file included in the distribution. Anyway, I suppose that knowing the OS and Framework version will be enough for us to reproduce the problem.
#4014
Posted: 10/15/2007 09:45:16
by Ken Ivanov (EldoS Corp.)

Unfortunately, we were unable to reproduce the problem you are describing. Please find attached a small application and check if it works in your conditions. Use it in the following way:
a) Run the application under User1 and click the 'Generate and Install' button. Click the 'Extract' button to ensure that the certificate and private key are accessible for User1.
b) Run the application under User2 and click the 'Extract' button. Is the private key accessed correctly?


[ Download ]
#4025
Posted: 10/16/2007 00:28:55
by sadanand G (Basic support level)
Joined: 10/12/2007
Posts: 9

Thanks for the attached application.

I am able to reproduce the issue using your application with a small modification to have impersonated users. Below are the changes and the steps to reproduce the issue.

CHANGES:
a) Added a new class "ImpersonateUser" for impersonation.
b) Modified Form1.cs to impersonate. Please search for the "$" symbol for easy identification of the changes.
STEPS:
1) Search for "private const string impersonatingUser" and "private const string impersonatingPassword" and change them to the user name and password of the user that you want to impersonate.
2) Run the application under User1 and click the 'Generate and Install' button. Click the 'Extract' button to ensure that the certificate and private key are accessible for User1.
3) Run the application under User2 and click the 'Extract' button. Is the private key accessed correctly? In my case it is not.
Follow the above steps to test the application under impersonation and please let me know the result.
Note: Impersonation is done only for the two event handlers, not for the whole application.

Please find the modified application in the attachment.



[ Download ]
#4039
Posted: 10/16/2007 10:27:51
by Ken Ivanov (EldoS Corp.)

Quote
3) Run the application under User2 and click the 'Extract' button. Is the private key accessed correctly? In my case it is not.

The private key is accessed correctly by the modified application in our environment. I suppose that the problem is related to access restrictions. Please try to grant Administrator rights to both users and check whether the problem still appears.
#4041
Posted: 10/17/2007 04:49:17
by sadanand G (Basic support level)
Joined: 10/12/2007
Posts: 9

We don't want User1 and User2 to be part of the admin group, because the site will be running under the impersonated users. Please refer to my first posting.
Please remove User1 and User2 from the admin group and try to reproduce.
#4050
Posted: 10/18/2007 06:32:44
by Ken Ivanov (EldoS Corp.)

If the application does work for users with administrative rights on your machine (but does not work if it is run under non-admin accounts) then the problem is definitely related to access rights. Please do the following:
a) run regedit,
b) open the 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\My' key,
c) modify the permissions of the 'My' key to allow User1 and User2 read and write to this key.

After doing this, please run the application again and check if it works as you expected.
#4060
Posted: 10/19/2007 02:05:18
by sadanand G (Basic support level)
Joined: 10/12/2007
Posts: 9

I verified the user access permissions on the system certificate key; User1 and User2 already have full control permission on the SystemCertificates key :(. Did you try removing the users from the admin group?
#4063
Posted: 10/19/2007 05:05:40
by sadanand G (Basic support level)
Joined: 10/12/2007
Posts: 9

Thanks for your time.

Finally I got the solution.
Execute the command WinHttpCertCfg.exe -g -c LOCAL_MACHINE\MY -s "Issued_To_name" -a "Account_name" to grant access to a specific user account.

PLEASE NOTE: To successfully execute the command you must log in to the machine as the user who installed the certificates.

Follow the link:
http://msdn2.microsoft.com/en-us/library/aa302408.aspx

Thanks
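Added example, not code from the thread, from EldoS or from Microsoft: the grant that WinHttpCertCfg -g performs, done by hand in PowerShell so that you can see what it actually changes. The certificate entry under HKLM\SOFTWARE\Microsoft\SystemCertificates\My is readable by every account, which is why User2 can find the certificate; the private key lives in a separate key container file under %ProgramData%\Microsoft\Crypto whose DACL by default admits only Administrators, SYSTEM and the account that created the key. That is what makes the impersonated non-admin account fail, and why the thread's note says the command must run as the user who installed the certificate (or elevated). The script assumes Windows PowerShell 5.1 or later with .NET Framework 4.6 or later, an elevated session, and placeholder values for the thumbprint and account; the script name used in the usage line is made up.

```powershell
<#
Grant-PrivateKeyRead.ps1 (hypothetical name, added example, not from the thread)
Grants a non-admin account Read access to the private key of a certificate in
LocalMachine\My by editing the DACL on the key container file. Same effect as:
  WinHttpCertCfg.exe -g -c LOCAL_MACHINE\MY -s <subject> -a <account>
Assumes: elevated Windows PowerShell 5.1+, .NET Framework 4.6+, machine-store key.
#>
param(
    [Parameter(Mandatory)] [string] $Thumbprint,   # cert User1 installed; see Get-ChildItem Cert:\LocalMachine\My
    [Parameter(Mandatory)] [string] $Account       # account that will be impersonated, e.g. 'MYDOMAIN\User2'
)

$ErrorActionPreference = 'Stop'

$cert = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint"
if (-not $cert.HasPrivateKey) {
    throw "Certificate $Thumbprint has no private key in LocalMachine\My."
}

# Resolve the provider's unique container name. CAPI (CSP) keys expose it via
# CspKeyContainerInfo; CNG keys via the CngKey handle. Reading .PrivateKey on a
# CNG-backed certificate can throw on .NET Framework, hence the try/catch.
$unique = $null
try {
    $csp = $cert.PrivateKey
    if ($csp -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        $unique = $csp.CspKeyContainerInfo.UniqueKeyContainerName
    }
} catch { }
if (-not $unique) {
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
    if ($rsa -is [System.Security.Cryptography.RSACng]) {
        $unique = $rsa.Key.UniqueName
    }
}
if (-not $unique) { throw "Could not determine the key container name for $Thumbprint." }

# Machine keys live in one of two well-known directories, named by the container name:
# CSP keys under Crypto\RSA\MachineKeys, CNG keys under Crypto\Keys.
$keyPath = @(
    (Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$unique"),
    (Join-Path $env:ProgramData "Microsoft\Crypto\Keys\$unique")
) | Where-Object { Test-Path -LiteralPath $_ } | Select-Object -First 1
if (-not $keyPath) { throw "Key container file for $Thumbprint not found under $env:ProgramData\Microsoft\Crypto." }

# The check: who can open the key today. An account missing from this list gets the
# "private key not accessible" failure from the thread even though the certificate
# itself (stored under the SystemCertificates registry key) is readable by everyone.
Write-Host "Key container: $keyPath"
(Get-Acl -LiteralPath $keyPath).Access |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize

# Grant Read only. Read is enough to use the key for signing and decryption;
# Modify or FullControl would let the account replace or delete the key.
$acl  = Get-Acl -LiteralPath $keyPath
$rule = [System.Security.AccessControl.FileSystemAccessRule]::new($Account, 'Read', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -LiteralPath $keyPath -AclObject $acl

Write-Host "Granted Read on the key container to $Account."
Write-Host "Verify by running the 'Extract' step under $Account; the key should now open."
```

Usage: .\Grant-PrivateKeyRead.ps1 -Thumbprint <thumbprint> -Account 'MYDOMAIN\User2' from an elevated prompt. Granting Read to the specific impersonated account (or to the application pool identity) keeps the key out of reach of every other non-admin user on the box, which is the reason for not simply adding User1 and User2 to the Administrators group as suggested earlier in the thread. If the certificate was imported into CurrentUser rather than LocalMachine, the key file is under the installing user's profile instead and this script will not find it.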
