Reputation: 412
I am an ASP and IIS noob. I live in a Linux terminal, so this has been a steep learning curve...
I have a C# Web API written in .Net 4.6. The Web API communicates with a 3rd party SOAP Web Service which requires SOAP requests to be signed using an X509 certificate using the WSE 2.0 standard. This all works on my local dev machine without an issue.
I deployed the application to an AWS Elastic Beanstalk Env, using IIS 10 and Windows Server 2016 Data Center. The Web API does not work for any functions that need to access the Certificate. All other URLs work fine.
I have imported the Certificate to the Local Computer Certificate Store. This is a simple case where I have not configured the correct permissions.
How do I check that IIS has access to the required Cert and what user do I need to add to the Cert to provide the correct access for IIS Apps.
I have done the following with no luck:
- Installed VS 2017 on the server and successfully ran a console app to test if the WSE 2.0 DLLs were the issue. Worked fine.
- Added Read access to IIS_IUSRS on the private Keys for the Cert in MMC
- Added Read access to IUSER on the private Keys for the Cert in MMC
- Added Read access to "IIS APPPOOL\DefaultAppPool" on the private Keys for the Cert in MMC
- Modified the RSA folder permissions in the ProgramData Crypto directory (I don't remember the exact path), which ended up breaking the system
Upvotes: 0
Views: 5329
Reputation: 412
So I managed to work this out. Turns out that WSE 2.0 X509CertificateStore does not play nice with Windows Server 2016 Cert manager via IIS. I had to use the newer System.Security.Cryptography.X509Certificates X509Store class to access the Cert, then convert an X509Certificate2 to a Microsoft.Web.Services2 X509Certificate. Code below:
using System.Security.Cryptography.X509Certificates;
using WseX509Certificate = Microsoft.Web.Services2.Security.X509.X509Certificate;

// subject: the certificate's subject name string; open the Local Computer personal store read-only
X509Store store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
store.Open(OpenFlags.ReadOnly);
// validOnly: false so a self-signed or expired test certificate is still returned
X509Certificate2Collection results =
    store.Certificates.Find(X509FindType.FindBySubjectName, subject, false);
if (results.Count == 0)
    throw new InvalidOperationException("No certificate with subject " + subject);
X509Certificate2 cert = results[0];
// WSE 2.0 has its own X509Certificate type; build it from the DER-encoded public certificate
WseX509Certificate wseCert =
    new WseX509Certificate(cert.Export(X509ContentType.Cert));
store.Close();
Upvotes: 0
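An added check, not part of the original question or answer, for the "how do I check that IIS has access to the Cert" part: it locates the private key file behind a LocalMachine certificate and lists the ACL on it, then reports whether the app pool identity has Read. It assumes the certificate is in LocalMachine\My, that its subject contains the placeholder value in `$Subject`, and that the pool is `DefaultAppPool` as in the question; run it in an elevated PowerShell on the server.

```powershell
# Added example (not from the original post): confirm which accounts can read the
# private key of a LocalMachine certificate before changing code or permissions.
param(
    [string]$Subject = 'CN=example-client',   # placeholder; use the real subject
    [string]$AppPool = 'DefaultAppPool'       # app pool name from the question
)

$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "*$Subject*" } |
    Select-Object -First 1
if (-not $cert) { throw "No certificate matching '$Subject' in LocalMachine\My" }
if (-not $cert.HasPrivateKey) { throw "Certificate $($cert.Thumbprint) has no private key in this store" }

# The key lives in a file under ProgramData\Microsoft\Crypto; its name comes from
# the legacy CSP container (RSA\MachineKeys) or the CNG key (Keys), depending on
# which provider the certificate was imported with.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
if (-not $rsa) { throw "Private key is not RSA or is not accessible to this session" }
if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
    $keyName = $rsa.CspKeyContainerInfo.UniqueKeyContainerName
} else {
    $keyName = $rsa.Key.UniqueName   # RSACng
}
$keyFile = Get-ChildItem "$env:ProgramData\Microsoft\Crypto" -Recurse -Filter $keyName `
    -ErrorAction SilentlyContinue | Select-Object -First 1
if (-not $keyFile) { throw "Key container '$keyName' not found on disk" }

Write-Host "Certificate: $($cert.Subject) ($($cert.Thumbprint))"
Write-Host "Key file:    $($keyFile.FullName)"
$acl = Get-Acl $keyFile.FullName
$acl.Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType |
    Format-Table -AutoSize

# IIS worker processes run as "IIS APPPOOL\<pool>"; Read on the key file is what
# signing needs (membership in IIS_IUSRS also grants it if that group is listed).
$poolIdentity = "IIS APPPOOL\$AppPool"
$readMask = [System.Security.AccessControl.FileSystemRights]::Read
$hasRead = $acl.Access | Where-Object {
    $_.IdentityReference.Value -eq $poolIdentity -and
    $_.AccessControlType -eq 'Allow' -and
    (($_.FileSystemRights -band $readMask) -eq $readMask)
}
if ($hasRead) { "OK: $poolIdentity can read the private key" }
else          { "MISSING: grant Read on $($keyFile.FullName) to $poolIdentity" }
```

If the pool runs under a custom identity instead of the built-in virtual account, pass that account name as `$poolIdentity` instead.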