Reputation: 77
I'm using OpenIddict with ASP.NET Core like this:
```csharp
// Keys are persisted in the machine key store so the IIS worker process can use them.
X509KeyStorageFlags storageFlags = X509KeyStorageFlags.PersistKeySet | X509KeyStorageFlags.MachineKeySet;

// Load the encryption certificate (.pfx) from the site's content root.
using FileStream fse = File.Open(Path.Combine(environment.ContentRootPath, openIddictConfig.EncryptionCertificate.FilePath), FileMode.Open);
options.AddEncryptionCertificate(fse, openIddictConfig.EncryptionCertificate.Password, storageFlags);

// Load the signing certificate the same way.
using FileStream fss = File.Open(Path.Combine(environment.ContentRootPath, openIddictConfig.SigningCertificate.FilePath), FileMode.Open);
options.AddSigningCertificate(fss, openIddictConfig.SigningCertificate.Password, storageFlags);
```
But when I publish the app to IIS, I get this error:
```text
System.UnauthorizedAccessException

Application '/LM/W3SVC/2/ROOT' with physical root 'C:\MySite' hit unexpected managed exception, exception code = '0xe0434352'. First 30KB characters of captured stdout and stderr logs:
Unhandled exception. System.UnauthorizedAccessException: Access to the path 'C:\MySite\Certificates\Production.EncryptionCertificate.pfx' is denied.
   at Microsoft.Win32.SafeHandles.SafeFileHandle.CreateFile(String fullPath, FileMode mode, FileAccess access, FileShare share, FileOptions options)
   at Microsoft.Win32.SafeHandles.SafeFileHandle.Open(String fullPath, FileMode mode, FileAccess access, FileShare share, FileOptions options, Int64 preallocationSize, Nullable`1 unixCreateMode)
   at System.IO.Strategies.OSFileStreamStrategy..ctor(String path, FileMode mode, FileAccess access, FileShare share, FileOptions options, Int64 preallocationSize, Nullable`1 unixCreateMode)
   at System.IO.Strategies.FileStreamHelpers.ChooseStrategyCore(String path, FileMode mode, FileAccess access, FileShare share, FileOptions options, Int64 preallocationSize, Nullable`1 unixCreateMode)
   at System.IO.File.Open(String path, FileMode mode)
   at MySite.Infrastructure.DependencyInjection.<>c__DisplayClass0_0.b__4(OpenIddictServerBuilder options)
```
It can be solved by changing the application pool identity to Administrator instead of ApplicationPoolIdentity (first on screen):

But I guess it's bad practice. How can I solve this issue while using ApplicationPoolIdentity?
Upvotes: 0
Views: 568
Reputation: 2430
It might be a permissions issue. When you use ApplicationPoolIdentity as the identity of the application pool, insufficient permissions cause access to the certificate to be denied.
You can try the following. Your certificate folder path is `C:\MySite\Certificates`:

1. Right click on the folder and select "Properties".
2. Select the "Security" tab.
3. Click the "Edit" button, then the "Add" button.
4. Type `IIS AppPool\YourAppPoolName` (for example: `IIS AppPool\DefaultAppPool`) and click "Check Names".
5. Click "OK" and close the dialog box.
6. Select the account you just added and check whether it has the corresponding permissions.
7. Click "OK".
Upvotes: 0
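The same grant done from an elevated PowerShell prompt, with a check of the resulting ACL, added here as an example rather than taken from the question or the answer. It assumes the folder `C:\MySite\Certificates` from the stack trace and a hypothetical application pool name `MySiteAppPool`; replace the pool name with your own.

```powershell
# Added example (not from the question or answer): give the IIS application pool's
# virtual account read-only access to the certificate folder instead of running
# the pool as Administrator.
$PoolName = 'MySiteAppPool'           # hypothetical pool name; use your own
$CertDir  = 'C:\MySite\Certificates'  # folder from the question's stack trace
$Identity = "IIS AppPool\$PoolName"   # virtual account IIS creates for the pool

# Grant Read+Execute only, inherited by existing and future files in the folder:
# (OI) = object inherit, (CI) = container inherit, RX = read and execute, /T = recurse.
icacls $CertDir /grant "${Identity}:(OI)(CI)RX" /T

# Verify the access control entry instead of trusting the command's exit status.
# Windows reports the account as "IIS APPPOOL\<name>", so compare case-insensitively.
$acl   = Get-Acl -Path $CertDir
$rules = @($acl.Access | Where-Object { $_.IdentityReference.Value -ieq $Identity })
if ($rules.Count -eq 0) { throw "No ACE found for $Identity on $CertDir" }
$rules | Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited -AutoSize

# Least-privilege check: the pool identity should not be able to write here, so a
# compromised worker process cannot replace the signing or encryption keys.
$writeBit = [System.Security.AccessControl.FileSystemRights]::Write
foreach ($rule in $rules) {
    if ($rule.AccessControlType -eq 'Allow' -and ($rule.FileSystemRights -band $writeBit)) {
        Write-Warning "$Identity has write access to $CertDir; reduce it to ReadAndExecute"
    }
}
```

A read-only grant is enough only if the application opens the file for reading. The `File.Open(path, FileMode.Open)` overload in the question requests read/write access, so it will still fail with read-only permissions; opening the streams with `FileAccess.Read` (for example `new FileStream(path, FileMode.Open, FileAccess.Read, FileShare.Read)`) lets the pool identity work with Read+Execute alone, which is preferable to granting it Modify on the folder that holds the private keys.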