
Today my hosting provider said that an ASP.NET application can be accessed via HTTPS, even without giving permissions for the Application's Pool Identity (At least READ-ONLY) to the SSL Certificate Storage.

To simplify someone's research, I'd suggest taking a look at THIS link

  1. IIS 7.5
  2. The project uses the DefaultApplicationPool
  3. Identity = ApplicationPoolIdentity

QUESTION: Is the hosting provider faking me? Or, in order to reach a website resource of an ASP.NET project through the HTTPS protocol, MUST the server have granted access to the ApplicationPoolIdentity of this project's Application Pool?

Remark:

Without giving additional access to IIS_IUSRS, the Users group, NETWORK SERVICE, or any other, either. Just by leaving the default, the "Administrators Group".

Cristian E.

1 Answer


The short answer is: No, the hosting provider is not faking you.

The server (IIS) must have access to the private key of the corresponding SSL certificate to correctly establish an SSL channel with clients. As far as I know, the IIS server has this permission by default (because the World Wide Web Publishing Service runs under the Local System account, and this account has permission to access the local machine store by default). On top of the IIS server there are app pools hosting your ASP.NET page.

But if your web page needs, for some reason, to access a certificate in the local machine store (i.e. it signs data or makes web requests to another URL that requires a client certificate), then the app pool has to have access to the corresponding private key, and you would have to set the permission using the guide that you posted.

pepo
  • Thank you for the answer! Hmm, correct me if I'm wrong. When talking about ASP.NET and IIS, the configuration "bridge" is the web.config. So, when adding a web application to IIS, you must choose the suitable ApplicationPool. How, then, might an HTTPS request to the application be done under the ACL (access control list) of the Local System account and not under the ACL of the current Application Pool Identity? – Cristian E. Mar 25 '14 at 08:22
  • I think of it this way: SSL is a transport layer and is handled by the IIS server. When the transport channel is established, then comes the application layer. ASP.NET is my application layer. So access to the private key is done under the system account, and any other application logic is then handled by the pool account. Maybe [this](http://www.iis.net/learn/get-started/introduction-to-iis/introduction-to-iis-architecture) can bring some light into this. – pepo Mar 25 '14 at 09:09
  • Thank you I'll dig some more and come back with an answer. – Cristian E. Mar 25 '14 at 09:14
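Added example (not from the question or from pepo's answer): a PowerShell script that checks whether a given application pool's identity can read the private key file behind a certificate in LocalMachine\My, so you can confirm the situation the question describes (HTTPS working while only the default Administrators/SYSTEM ACL is on the key) and grant Read only when the application itself needs the certificate, as the answer says. It assumes IIS 7.5 on Windows Server 2008 R2, an RSA certificate whose private key is a legacy CSP key (the key file lives under %ProgramData%\Microsoft\Crypto\RSA\MachineKeys; CNG keys are not handled), and a placeholder thumbprint and pool name; the function names are mine.

```powershell
# Added example, not part of the original Q&A. Assumptions: IIS 7.5, an RSA
# certificate in LocalMachine\My backed by a CSP key container, and placeholder
# values for the thumbprint and the application pool name. Run from an elevated prompt.
param(
    [string]$Thumbprint  = 'PLACEHOLDER_THUMBPRINT',   # replace with the site certificate's thumbprint
    [string]$AppPoolName = 'DefaultAppPool'            # pool whose identity runs the ASP.NET app
)

function Get-PrivateKeyFile {
    # Resolve a certificate thumbprint to the on-disk private key file of its CSP container.
    param([string]$Thumbprint)
    $cert = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $Thumbprint } |
        Select-Object -First 1
    if (-not $cert) { throw "No certificate with thumbprint $Thumbprint in LocalMachine\My" }
    if (-not $cert.HasPrivateKey) { throw "Certificate $Thumbprint has no private key on this machine" }
    try {
        # CSP-backed RSA keys expose the unique container name; that is the file name under MachineKeys.
        $container = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
    } catch {
        throw "Private key is not a CSP key (CNG keys live under Microsoft\Crypto\Keys and are not handled here)"
    }
    $keyDir = Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys'
    return (Join-Path $keyDir $container)
}

function Test-AppPoolKeyAccess {
    # True when an Allow ACE on the key file grants at least Read to the pool's virtual account.
    param([string]$KeyFile, [string]$AppPoolName)
    $identity = "IIS AppPool\$AppPoolName"
    $readMask = [System.Security.AccessControl.FileSystemRights]::Read
    $acl = Get-Acl -Path $KeyFile
    $match = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $identity -and      # -eq is case-insensitive, so IIS APPPOOL\... matches
        $_.AccessControlType -eq 'Allow' -and
        (($_.FileSystemRights -band $readMask) -eq $readMask)   # Read or any superset such as FullControl
    }
    return [bool]$match
}

function Grant-AppPoolKeyRead {
    # Add a Read ACE for the pool identity. Only needed when the app itself signs data or
    # presents the certificate as a client certificate; the HTTPS listener does not need it.
    param([string]$KeyFile, [string]$AppPoolName)
    $identity = "IIS AppPool\$AppPoolName"
    $acl  = Get-Acl -Path $KeyFile
    $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
                       -ArgumentList $identity, 'Read', 'Allow'
    $acl.AddAccessRule($rule)
    Set-Acl -Path $KeyFile -AclObject $acl
}

# Report the current state without changing anything.
$keyFile = Get-PrivateKeyFile -Thumbprint $Thumbprint
if (Test-AppPoolKeyAccess -KeyFile $keyFile -AppPoolName $AppPoolName) {
    "IIS AppPool\$AppPoolName can read the private key file: $keyFile"
} else {
    "IIS AppPool\$AppPoolName cannot read $keyFile."
    "HTTPS still works in this state (the SSL handshake runs under the IIS service account, not the pool)."
    "Grant Read only if the application itself uses the certificate:"
    "  Grant-AppPoolKeyRead -KeyFile '$keyFile' -AppPoolName '$AppPoolName'"
}
```

With the default ACL (Administrators and SYSTEM only), Test-AppPoolKeyAccess returns $false even though the site serves HTTPS fine, which is the configuration the hosting provider described; the pool account matters only once code inside the ASP.NET application opens the certificate's private key. The script stops with an error for CNG keys rather than guessing a path, and Grant-AppPoolKeyRead is deliberately not called automatically.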