
CertOpenSystemStore and IUSR / IWAM accounts

The call CertOpenSystemStore(0, "MY") in a C++ COM DLL returns an "Access is denied" error when called from a classic ASP web application.

Doesn't the IUSR and/or IWAM account by default have the proper authorisation to call CertOpenSystemStore()?

--
Marja
Feb 3 '06 #1
Hi,

A few weeks ago, someone asked the same question. It turned out that the ASP application runs with USER privileges, which cannot do that. You have to call RevertToSelf to fall back to system privileges, do the Cert stuff, and then get back to the previous impersonation level.

Below you will find my answer then. Please note that I have not tested this myself, but the guy who asked the question then said he'd give it a try, and I didn't hear from him again, so I assume that it worked.

His original post on January the 11th was called:
Using RevertToSelf in DLL to be used from classic ASP web application

Kind regards,
Bruno.

<reply>
Use OpenThreadToken to obtain the current token. If I understand you correctly, the process is running as system, but that specific thread is running as another user. If that is true, the thread will have its own token, which you will now have.

Then you call RevertToSelf, which reverts to the original process token, do whatever you need to do, and call ImpersonateLoggedOnUser with the thread token you obtained earlier to get back to the security status you originally had before reverting.

I don't know if RevertToSelf will close the original thread token. If it does, you should call DuplicateToken to create a duplicate of the thread token before you revert, and then use the duplicate when calling ImpersonateLoggedOnUser.
</reply>

"Marja Ribbers-de Vroed" <ma***@nospam.w ebwaresystems.n l> wrote in message
news:up******** ******@TK2MSFTN GP14.phx.gbl...
The call CertOpenSystemS tore(0, "MY") in a C++ COM DLL returns an "Access is
denied" error when called from a classic ASP webapplication.

Doesn't the IUSR and/or IWAM account by default have the proper
authorisation to call CertOpenSystemS tore() ?

--
Marja
Feb 3 '06 #2
Hi,

I just noticed that you were the original poster I mentioned.
I just did some digging and found this gem. That should solve your problem:

"... Non-administrators only have read access, but CertOpenSystemStore tries to open the store with full access, which is why you get the access denied ..."

The solution:
"The way to get around this is to use CertOpenStore and pass the (CERT_STORE_READONLY_FLAG | CERT_SYSTEM_STORE_CURRENT_USER) flags. It's essentially the same, except for the permissions being asked for."

Look for the full post on
http://groups.google.com/group/micro...625badc498daad

microsoft.public.platformsdk.security probably has more knowledgeable people on this issue.

Let me know how it turned out.

Kind regards,
Bruno.


"Bruno van Dooren" <br************ **********@hotm ail.com> wrote in message
news:uu******** ******@TK2MSFTN GP09.phx.gbl...
Hi,

A few weeks ago, someone asked the same question.
It turned out that the ASP application runs with USER privileges, which
cannot do that. you have to call RevertToSelf to fall back to system
privileges, do the Cert stuff, and then get back to the previous
impersonation level.

Below you will find my answer then.
please note that I have not tested this myself, but the guy who asked the
question then said he'd give it a try, and I didn't hear from him again,
so I assume that it worked.

his original post on January the 11th was called:
Using RevertToSelf in DLL to be used from classic ASP webapplication

Kind regards,
Bruno.

<reply>
use OpenThreadToken to obtain the current token. if i understand you
correctly, the process is running as system, but that specific thread is
running as another user.
if that is true, the thread will have its own token which you will now
have.

then you call RevertToSelf, which reverts to the original process token,
do
whatever you need to do and call ImpersonateLogg edOnUser with the thread
token you obtained earlier to get back to the security status you
originally
had before reverting.

i don't know if RevertToSelf will close the original thread token. if it
does, you should call DuplicateToken to create a duplicate or the thread
token before you revert, and then use the duplicate when calling
ImpersonateLogg edOnUser.
</reply>

"Marja Ribbers-de Vroed" <ma***@nospam.w ebwaresystems.n l> wrote in message
news:up******** ******@TK2MSFTN GP14.phx.gbl...
The call CertOpenSystemS tore(0, "MY") in a C++ COM DLL returns an "Access
is denied" error when called from a classic ASP webapplication.

Doesn't the IUSR and/or IWAM account by default have the proper
authorisation to call CertOpenSystemS tore() ?

--
Marja

Feb 3 '06 #3
Hi Bruno,

Thank you for your reply.

I was indeed the poster of the other thread.
Although that other solution technically worked fine, I would rather find a solution where I can prevent the necessity of calling RevertToSelf.
That's why I'm looking into installing the certificate and the private key in a way where the IUSR account can access it.

I found articles at http://msdn.microsoft.com/library/de...ation_tool.asp and http://users.adelphia.net/~jalderson/IIS/clientcert.htm which explain how to install the certificate and allow the IUSR account access to the private key.
So now I'm trying to create a COM DLL which looks up that certificate for the IUSR account.

I will post back here to let you know how it goes.

Regards, Marja
Feb 3 '06 #4
> The solution:
> "The way to get around this is to use CertOpenStore and pass the (CERT_STORE_READONLY_FLAG | CERT_SYSTEM_STORE_CURRENT_USER) flags. It's essentially the same, except for the permissions being asked for."


That worked fine: no more "access is denied" errors when trying to open the certificate store for the IUSR account!

Thanks!!!

Regards, Marja
Feb 3 '06 #5
