How to Import Certificate file into windows certificate store under IWAM account

Post by Helena Ca » Mon, 30 Aug 2004 14:23:20


Hi,

Due to the nature of our system, we need to dynamically import certificate
files into the windows certificate store and access the certificate store from
ASP pages. These ASP pages call a VB dll component, which uses the CAPICOM
component to manipulate the windows certificate store.

Because ASP is running under the IWAM account, we got an "Access is denied" error
when trying to import the certificate files. We registered the VB
components under COM+ to get around this security problem. However,
since we have recently been experiencing all sorts of problems with COM+ (eg.
DLLHost.exe hanging with 100% CPU after heavy traffic, ActiveX component
cannot be created all of a sudden), we decided to move this VB component out of
COM+, which means we are facing the same old "Access is denied" problem
again.

I did some searching in the newsgroups; somebody suggested logging on under the IWAM
account to enable ASP to import certificates, however, because our machine is
the server, this is not a preferred option.

Also, there is a tool provided by microsoft called "winhttpcertcfg.exe",
which can import certificates into the certificate store and allow the IWAM
account to access them. At this stage, I am thinking of using a shell command
to call this exe from the VB program; however, I am not quite comfortable with
this solution...

Can anybody give me some suggestions or let me know if I am on the right
track?

Thanks in advance.
helena

How to Import Certificate file into windows certificate store under IWAM account

Post by adam » Thu, 02 Sep 2004 11:31:30

I had a similar problem, only we were using an ASP.NET web service to
call the certificates. We found that once the certs were installed
they would work fine if you invoked them using an Administrator, Domain
Admin, or Domain user account.

After some time we decided to work in the same way you did by using a
COM+ object and had the same problem as you. We finally found that
allowing (in our case) the ASP.NET service account read access to
the C:\Documents and Settings\All Users\Application
Data\Microsoft\Crypto\RSA directory solved our problem. Although in
your case I guess it would need read / write / modify.

I hope this helps.
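The "Access is denied" in Helena's post and the fix in adam's post are about the same thing: the private key behind a machine-store certificate is an NTFS file in the RSA\MachineKeys directory, and the account using the key needs read access to that one file. Granting the web identity Read on the whole RSA directory, as adam did, works, but it lets that account read every machine private key on the box (IIS SSL keys included), and granting it write/modify so it can import certificates itself goes further still. The least-privilege version is to do the import once, as an administrator, and grant the web identity Read on only the imported key's file, which is exactly what winhttpcertcfg.exe does under the hood. The script below is an added example written for this page, not code from either poster; $PfxPath, $PfxPassword, $Account and the Get-KeyContainerName helper are placeholders and names chosen here. It locates the All Users\Application Data (or ProgramData) directory through the .NET API so the same script covers the Windows 2003 path in adam's post and newer Windows.

```powershell
# Added example (not from either post). Run once, elevated, at deployment time.
# Assumed placeholders: $PfxPath, $PfxPassword and $Account are supplied by the caller.
# $Account is the web worker identity, e.g. "$env:COMPUTERNAME\IWAM_$env:COMPUTERNAME"
# on IIS 5/6 or 'IIS APPPOOL\<PoolName>' on IIS 7 and later.
param(
    [Parameter(Mandatory)] [string] $PfxPath,
    [Parameter(Mandatory)] [System.Security.SecureString] $PfxPassword,
    [Parameter(Mandatory)] [string] $Account
)

$ErrorActionPreference = 'Stop'

# Returns the on-disk file name of a certificate's private-key container.
# CryptoAPI keys (what CAPICOM uses) expose it via CspKeyContainerInfo; newer Windows may
# import the PFX into the CNG software KSP instead, in which case CngKey.UniqueName has it.
function Get-KeyContainerName([System.Security.Cryptography.X509Certificates.X509Certificate2] $c) {
    $rsa = $null
    try { $rsa = $c.PrivateKey } catch { }   # .NET Framework throws here for CNG-only keys
    if (-not $rsa) {
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($c)
    }
    if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) { return $rsa.CspKeyContainerInfo.UniqueKeyContainerName }
    if ($rsa -is [System.Security.Cryptography.RSACng])                   { return $rsa.Key.UniqueName }
    throw "Unsupported private key type: $($rsa.GetType().FullName)"
}

# MachineKeySet stores the key under the machine profile (the RSA\MachineKeys directory adam
# refers to) rather than the importing user's profile, so a different account can be granted
# access to it. PersistKeySet keeps the key on disk after this process exits.
$flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags] 'MachineKeySet, PersistKeySet'
$cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $PfxPath, $PfxPassword, $flags
if (-not $cert.HasPrivateKey) { throw "$PfxPath contains no private key" }

# Import into LocalMachine\My. This is the step that fails with "Access is denied" when the
# web identity attempts it, so it belongs in a privileged deployment step, not in the ASP code.
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store -ArgumentList 'My', 'LocalMachine'
$store.Open('ReadWrite')
$store.Add($cert)
$store.Close()

# Resolve the key file. CommonApplicationData is C:\Documents and Settings\All Users\Application Data
# on Windows 2000/2003 (the path in adam's post) and C:\ProgramData on Windows Vista and later.
$commonAppData = [Environment]::GetFolderPath('CommonApplicationData')
$keyName = Get-KeyContainerName $cert
$keyFile = 'Microsoft\Crypto\RSA\MachineKeys', 'Microsoft\Crypto\Keys' |
    ForEach-Object { Join-Path $commonAppData "$_\$keyName" } |
    Where-Object { Test-Path -LiteralPath $_ } |
    Select-Object -First 1
if (-not $keyFile) { throw "Key container file '$keyName' not found under $commonAppData" }

# Grant the web identity Read on this one file only. Read is enough to sign and decrypt with
# the key; it does not let the account replace, delete or re-ACL it, and it leaves every other
# machine key in the directory untouched.
$acl  = Get-Acl -LiteralPath $keyFile
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $Account, 'Read', 'Allow'
$acl.AddAccessRule($rule)
Set-Acl -LiteralPath $keyFile -AclObject $acl

# Print what was installed and granted so the change can be audited.
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object Thumbprint -eq $cert.Thumbprint |
    Select-Object Subject, Thumbprint, HasPrivateKey
(Get-Acl -LiteralPath $keyFile).Access |
    Where-Object IdentityReference -eq $Account |
    Select-Object IdentityReference, FileSystemRights, AccessControlType

# winhttpcertcfg.exe, the tool Helena mentions, performs the same import-and-grant in one step:
#   winhttpcertcfg -i <file.pfx> -c LOCAL_MACHINE\My -a <account> -p <pfx password>
# and can grant an already-installed certificate's key to an account by subject name:
#   winhttpcertcfg -g -c LOCAL_MACHINE\My -s <subject> -a <account>
```

After this runs, the ASP/CAPICOM code only needs to open the LocalMachine store read-only and select the certificate (by thumbprint or subject); the IWAM account never needs write access to the store or to the RSA directory, and the COM+ wrapper that was only there to borrow a privileged identity can go. If the application genuinely must accept new certificates at runtime, keep the same split: have the web tier hand the PFX to a separate privileged service or scheduled task that performs the import and the per-file grant, rather than giving the web identity modify rights on MachineKeys.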