
I have a certificate in the MSMQ service Personal store and I need to grant the Network Service the permissions to access the certificate.

The only way that I know of to do it is using the certutil.exe on win2008/7 like so:

certutil -service -service -repairstore MSMQ\My "" D:PAI(A;;GA;;;BA)(A;;GA;;;SY)(A;;GR;;;NS)

(thanks to http://blogs.msdn.com/b/gautamm/archive/2010/10/26/https-messaging-with-client-side-certificate-fails-with-iis-error-403.aspx)

However, certutil on win2003/XP does not recognize the -service parameter, so no good.

My question is how can I do it in a way that works for both Win2003/XP and Win2008/7?

I need a non interactive approach (command line utility, script, COM/.NET/Win32 API).

Luke Girvin
mark

2 Answers


If you just need to set ACL rights on the certificate's private key (which your linked page suggests), I just recently posted an answer here on how I found to do that.

Open the X509Store and get the current certificate in hand, and then set the ACL on the private key.

You can use something like this to get the SID of the account needing access (or just use the well-known SID S-1-5-20 if you know it's always Network Service):

// Canonical account name is "NT AUTHORITY\NETWORK SERVICE" (this resolves to S-1-5-20)
NTAccount nt = new NTAccount("NT AUTHORITY", "NETWORK SERVICE");
SecurityIdentifier sid = (SecurityIdentifier)nt.Translate(typeof(SecurityIdentifier));

My other answer has the code that sets the ACL. (Caveat: I've run it on Windows Server 2003 but not XP.)

Jim Flood
  • Have you ever tried to open an X509Store associated with a windows service? Please, provide the code snippet. Thanks. – mark Feb 15 '11 at 09:09
  • I did not find an easy way to do that. This link: http://social.msdn.microsoft.com/Forums/en-US/netfxnetcom/thread/3b8f0606-fe05-4607-bc7c-183fc7b719dd/ has a couple of ideas in it. One is to use WSE 2.0 classes (look at the link to see the posted code snippet.) I didn't try it because I didn't want to install WSE 2.0, but here is a download link I found for WSE 2.0: http://www.microsoft.com/downloads/en/details.aspx?FamilyID=1ba1f631-c3e7-420a-bc1e-ef18bab66122 – Jim Flood Feb 15 '11 at 19:09
  • I have marked it as the answer, because the post you have referred contains the answer - using X509Store(IntPtr) constructor, where the handle to the service certificate store is open using P/Invoke. – mark Feb 16 '11 at 18:12
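Putting the two pieces together, the service store opened by handle (as in the comments) and the private-key ACL change (as in the answer), as an added example that is not the answer's or the linked thread's own code. It assumes .NET Framework on Windows, a legacy CAPI (CSP) private key rather than a CNG key, and takes the certificate's thumbprint as the first command-line argument.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security.AccessControl;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Security.Principal;

static class MsmqKeyAcl
{
    // crypt32 constants: "system store by name" provider, "services" store location
    const int CERT_STORE_PROV_SYSTEM_W = 13;
    const uint CERT_SYSTEM_STORE_SERVICES = 0x00050000;
    [DllImport("crypt32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    static extern IntPtr CertOpenStore(IntPtr lpszStoreProvider, uint dwEncodingType,
                                       IntPtr hCryptProv, uint dwFlags, string pvPara);
    [DllImport("crypt32.dll", SetLastError = true)]
    static extern bool CertCloseStore(IntPtr hCertStore, uint dwFlags);

    // Grant Network Service (S-1-5-20) read access to the private key of the certificate
    // with the given thumbprint in the MSMQ service's Personal store (MSMQ\My).
    static void GrantNetworkServiceRead(string thumbprint)
    {
        IntPtr hStore = CertOpenStore((IntPtr)CERT_STORE_PROV_SYSTEM_W, 0, IntPtr.Zero,
                                      CERT_SYSTEM_STORE_SERVICES, @"MSMQ\My");
        if (hStore == IntPtr.Zero) throw new Win32Exception(Marshal.GetLastWin32Error());
        try
        {
            // X509Store(IntPtr) wraps the HCERTSTORE handle opened via P/Invoke
            X509Store store = new X509Store(hStore);
            X509Certificate2Collection found = store.Certificates.Find(
                X509FindType.FindByThumbprint, thumbprint, false);
            if (found.Count != 1)
                throw new CryptographicException("Expected one certificate, found " + found.Count);
            // Assumption: CAPI (CSP) key; a CNG key would need the NCrypt APIs instead
            RSACryptoServiceProvider rsa = found[0].PrivateKey as RSACryptoServiceProvider;
            if (rsa == null) throw new CryptographicException("Private key is not a CSP key");
            CspKeyContainerInfo info = rsa.CspKeyContainerInfo;
            CspParameters csp = new CspParameters(info.ProviderType, info.ProviderName,
                                                  info.KeyContainerName);
            csp.Flags = CspProviderFlags.UseExistingKey;
            if (info.MachineKeyStore) csp.Flags |= CspProviderFlags.UseMachineKeyStore;
            csp.CryptoKeySecurity = info.CryptoKeySecurity;
            csp.CryptoKeySecurity.AddAccessRule(new CryptoKeyAccessRule(
                new SecurityIdentifier("S-1-5-20"), CryptoKeyRights.GenericRead, AccessControlType.Allow));
            // Re-opening the container with CryptoKeySecurity set writes the new ACL
            using (new RSACryptoServiceProvider(csp)) { }
        }
        finally { CertCloseStore(hStore, 0); }
    }

    static void Main(string[] args) { GrantNetworkServiceRead(args[0]); }
}
```

Run it from an elevated (administrator) prompt, since it rewrites the key container's security descriptor; afterwards the certificate's key shows the added Network Service read entry in the store's "Manage Private Keys" dialog.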

We had a similar problem with a scheduled app that posts to secured site.

The certificate store was not accessible by the client. The link posted below mentioned managing the certificates from the Windows 2008 R2 MMC snap-in and granting access to the user account in question. We were able to run the scheduled process this way and grant access to the account running the client.

The other solution, via the scheduler, was to grant the highest level of access for the program (SECURITY RISK) and allow it to run like an admin.

Here is the link referenced above: http://msmvps.com/blogs/luisabreu/archive/2010/09/13/grant-access-to-certificate-s-private-key-in-iis-7-5.aspx

Ray Porrata