CertOpenSystemStore and IUSR / IWAM accounts

[Marja Ribbers-de Vroed]

The call CertOpenSystemStore(0, "MY") in a C++ COM DLL returns an "Access is denied" error when called from a classic ASP webapplication.

Doesn't the IUSR and/or IWAM account by default have the proper authorisation to call CertOpenSystemStore() ?

 

[Bruno van Dooren]

Hi,

A few weeks ago, someone asked the same question.
It turned out that the ASP application runs with USER privileges, which
cannot do that. you have to call RevertToSelf to fall back to system
privileges, do the Cert stuff, and then get back to the previous
impersonation level.

Below you will find my answer then.
please note that I have not tested this myself, but the guy who asked the
question then said he'd give it a try, and I didn't hear from him again, so
I assume that it worked.

his original post on January the 11th was called:
Using RevertToSelf in DLL to be used from classic ASP webapplication

Kind regards,
Bruno.

<reply>
use OpenThreadToken to obtain the current token. if i understand you
correctly, the process is running as system, but that specific thread is
running as another user.
if that is true, the thread will have its own token which you will now have.

then you call RevertToSelf, which reverts to the original process token, do
whatever you need to do and call ImpersonateLoggedOnUser with the thread
token you obtained earlier to get back to the security status you originally
had before reverting.

i don't know if RevertToSelf will close the original thread token. if it
does, you should call DuplicateToken to create a duplicate or the thread
token before you revert, and then use the duplicate when calling
ImpersonateLoggedOnUser.
</reply>



The call CertOpenSystemStore(0, "MY") in a C++ COM DLL returns an "Access is
denied" error when called from a classic ASP webapplication.

Doesn't the IUSR and/or IWAM account by default have the proper
authorisation to call CertOpenSystemStore() ?

 

[Bruno van Dooren]

Hi,

I just noticed that you were the original poster I mentioned.
I just did some digging. and found this Gem. That should solve your problem

"... Non administrators only have read access, but CertOpenSystemStore tries
to open
the store with full access which is why you get the access denied. ."

the solution:
"The way to get around this is to use CertOpenStore and pass the
(CERT_STORE_READONLY_FLAG | CERT_SYSTEM_STORE_CURRENT_USER) flags. It's
essentially the same, except for the permissions being asked for"

look for the full post on
http://groups.google.com/group/micr...ccess+is+denied&rnum=6&hl=en#a8625badc498daad

microsoft.public.platformsdk.security has probably more knowledgeable
people on this issue.

Let me know how it turned out.

kind regards,
Bruno.

 

[Marja Ribbers-de Vroed]

Hi Bruno,

Thank you for your reply.

I just noticed that you were the original poster I mentioned.
I just did some digging. and found this Gem. That should solve your problem

"... Non administrators only have read access, but CertOpenSystemStore tries
to open
the store with full access which is why you get the access denied. ."

the solution:
"The way to get around this is to use CertOpenStore and pass the
(CERT_STORE_READONLY_FLAG | CERT_SYSTEM_STORE_CURRENT_USER) flags. It's
essentially the same, except for the permissions being asked for"

look for the full post on
http://groups.google.com/group/micr...ccess+is+denied&rnum=6&hl=en#a8625badc498daad

microsoft.public.platformsdk.security has probably more knowledgeable
people on this issue.

Let me know how it turned out.

I was indeed the poster of the other thread.
Although that other solution technically worked fine, I would rather find a solution where I can prevent the necessity of calling RevertToSelf.
That's why I'm looking into installing the certificate and the private key in a way where the IUSR account can access it.

I found an articles at http://msdn.microsoft.com/library/d...cfg_exe__a_certificate_configuration_tool.asp and http://users.adelphia.net/~jalderson/IIS/clientcert.htm which explains how to installa the certificate and to allow the IUSR account access to the private key.
So now I'm trying to create a COM DLL which looks up that certificate for the IUSR account.

I will post back here to let you know how it goes.

Regards, Marja

 

[Marja Ribbers-de Vroed]

the solution:

"The way to get around this is to use CertOpenStore and pass the
(CERT_STORE_READONLY_FLAG | CERT_SYSTEM_STORE_CURRENT_USER) flags. It's
essentially the same, except for the permissions being asked for"

That worked fine: no more "access is denied" errors when trying to open the certificate store for the IUSR account !

Thanks !!!

Regards, Marja