
I'm working on a multi-tenant ASP.NET web application for digital signing. For every tenant, a certificate store named "Tenant_{TenantId}" is created in the store location "Local Computer" (StoreLocation.LocalMachine).

Everything works fine from a Windows application running under an account with local administrator permissions. When the same library is used from an ASP.NET application hosted on IIS, only the "Local System" identity can work with the certificates.

I tried with a local administrator user account and get the exception "Access is denied":

 System.Security.Cryptography.CryptographicException: Access is denied.

Are there any restrictions on code under IIS? How do I grant a user or code permission to read certificates (from specific certificate locations/stores)?

Application is hosted on Windows Server 2012R2 / IIS 8.5 / ASP.NET 4.5

Branimir
  • The code runs under the Application Pool identity, try to change it to administrator and see if it helps – Robert Jul 24 '14 at 07:58
  • I tried to run the IIS pool under a local administrator account and it doesn't work; I get the exception as described. – Branimir Jul 24 '14 at 11:05
  • Why are you using "Local Machine" and not "Current User" for cert that is used for digital signature? – Ivan Samygin Jul 26 '14 at 00:27
  • Yes, we can use the "Current User" store. I think that "Local Machine" makes more sense because we want to provide a multi-tenant service, so a particular certificate doesn't "belong" to the user which runs the service but to the service / server. Maybe this is a philosophical difference, but it can come back to a technical argument. – Branimir Jul 29 '14 at 18:53

1 Answer

There are 3 options you can try.

1) Use MMC (Certificates snap-in for Local Computer).

If your store (Store1) is listed under the "Certificates (Local Computer)" node, find your certificate. If the store is not listed, try to search for the certificate with the command from the context menu of the "Certificates (Local Computer)" node: Find Certificates... (Find in: All certificate stores). After you have found the certificate, you should drag&drop it to the Personal store, then select All Tasks -> Manage Private Keys from its context menu, grant access to the account and finally drag&drop it back to your store.

Based on this answer

2) Use WinHttpCertCfg.exe to grant access to certificate private key

winhttpcertcfg -g -c LOCAL_MACHINE\<your-store-name> -s <cert-subject> -a <IIS-app-pool-account>

3) If you need to grant access in code, take a look at the solution in PowerShell (you can easily implement it in C#)

Ivan Samygin
  • This is the best answer for sure :) I will research if there are restrictions for code run under IIS, if you find any information on that, please add to your answer. – Branimir Jul 29 '14 at 18:58
  • I believe that the code under IIS hasn't restrictions like Host Protection Attributes and CLR Integration Programming in MSSQL, at least in Integrated mode. The only difference that comes to mind is that AppPool's serving process uses noninteractive logon type. To investigate the source of the issue you can read http://msdn.microsoft.com/en-us/library/windows/desktop/bb204778(v=vs.85).aspx and http://paulstovell.com/blog/x509certificate2 and use tools from section "Tip 8: Know the tools to use" of the latter article. Don't forget to monitor both installing and accessing certs processes! – Ivan Samygin Jul 30 '14 at 20:53
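The following C# is an added example, not code from the question or from Ivan's answer. It covers both the question's per-tenant LocalMachine store layout ("Tenant_{TenantId}") and option 3 of the answer (granting private-key access in code rather than with MMC or winhttpcertcfg). It assumes .NET Framework 4.5 as in the question, that the tenant certificate was imported with a legacy CSP RSA key (so its key container file sits under %ProgramData%\Microsoft\Crypto\RSA\MachineKeys; CNG keys are stored elsewhere and are deliberately rejected), and that the grant step is run once by an administrator. The tenant id, subject name and app pool name in Main are constructed sample values; the default IIS app pool identity "IIS AppPool\DefaultAppPool" is the account that needs access when the pool runs under ApplicationPoolIdentity.

```csharp
// Added example: diagnose and grant read access to a tenant certificate's
// private key for an IIS application pool identity.
// Assumptions (not from the original post): .NET Framework 4.5, a CSP RSA
// key (RSACryptoServiceProvider) stored under
// %ProgramData%\Microsoft\Crypto\RSA\MachineKeys, and an administrator
// running the grant step once. Sample values in Main are constructed.
using System;
using System.IO;
using System.Security.AccessControl;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Security.Principal;

public static class TenantKeyAccess
{
    // Store naming scheme from the question: one LocalMachine store per tenant.
    static string TenantStoreName(int tenantId) { return "Tenant_" + tenantId; }

    // Locate the tenant certificate by subject name; null when absent.
    public static X509Certificate2 FindTenantCert(int tenantId, string subject)
    {
        var store = new X509Store(TenantStoreName(tenantId), StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
        try
        {
            X509Certificate2Collection hits = store.Certificates.Find(
                X509FindType.FindBySubjectName, subject, validOnly: false);
            return hits.Count > 0 ? hits[0] : null;
        }
        finally { store.Close(); }
    }

    // Resolve the on-disk key container file for a CSP key. The file name is
    // the CSP's unique container name, which is why Windows ACLs on this file
    // decide who may use the key.
    public static string KeyFilePath(X509Certificate2 cert)
    {
        var csp = cert.PrivateKey as RSACryptoServiceProvider;
        if (csp == null)
            throw new InvalidOperationException(
                "Not a CSP RSA key; CNG keys live under ProgramData\\Microsoft\\Crypto\\Keys and are not handled here.");
        string machineKeys = Path.Combine(
            Environment.GetFolderPath(Environment.SpecialFolder.CommonApplicationData),
            @"Microsoft\Crypto\RSA\MachineKeys");
        return Path.Combine(machineKeys, csp.CspKeyContainerInfo.UniqueKeyContainerName);
    }

    // Diagnostic: can the identity this process runs as open the private key?
    // Under an app pool without an ACL entry, cert.PrivateKey throws the
    // CryptographicException ("Access is denied") seen in the question.
    public static bool CanUsePrivateKey(X509Certificate2 cert, out string error)
    {
        error = null;
        if (!cert.HasPrivateKey) { error = "certificate has no private key"; return false; }
        try
        {
            return cert.PrivateKey != null;
        }
        catch (CryptographicException ex)
        {
            error = WindowsIdentity.GetCurrent().Name + ": " + ex.Message;
            return false;
        }
    }

    // Grant Read only: that is enough to sign with the key in place and keeps
    // the app pool from modifying or exporting the container file.
    public static void GrantReadOnPrivateKey(X509Certificate2 cert, string account)
    {
        string path = KeyFilePath(cert);
        FileSecurity acl = File.GetAccessControl(path);
        acl.AddAccessRule(new FileSystemAccessRule(
            new NTAccount(account), FileSystemRights.Read, AccessControlType.Allow));
        File.SetAccessControl(path, acl);
    }

    public static void Main(string[] args)
    {
        int tenantId = 42;                                // constructed sample
        string subject = "Tenant 42 Signing";             // constructed sample
        string appPool = @"IIS AppPool\DefaultAppPool";   // identity of the default pool

        X509Certificate2 cert = FindTenantCert(tenantId, subject);
        if (cert == null) { Console.WriteLine("certificate not found"); return; }

        string why;
        if (CanUsePrivateKey(cert, out why))
        {
            Console.WriteLine("private key usable as " + WindowsIdentity.GetCurrent().Name);
            return;
        }
        Console.WriteLine("no access: " + why);
        GrantReadOnPrivateKey(cert, appPool);
        Console.WriteLine("granted Read on " + KeyFilePath(cert) + " to " + appPool);
    }
}
```

Run the diagnostic part from a small test page inside the app pool to see which identity actually hits the ACL; run the grant once from an elevated process, since resolving the key file path itself requires access to the key. Granting Read to the specific pool account on the specific key file is the same least-privilege outcome as the MMC "Manage Private Keys" step in option 1, without giving the pool administrator rights as the first comment suggested.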