The call CertOpenSystemStore(0, "MY") in a C++ COM DLL returns an "Access is denied" error when called from a classic ASP web application.
Doesn't the IUSR and/or IWAM account by default have the proper authorisation to call CertOpenSystemStore()?
--
Marja
Hi,
A few weeks ago, someone asked the same question.
It turned out that the ASP application runs with USER privileges, which cannot do that. You have to call RevertToSelf to fall back to system privileges, do the cert stuff, and then get back to the previous impersonation level.
Below you will find my answer then.
Please note that I have not tested this myself, but the guy who asked the question then said he'd give it a try, and I didn't hear from him again, so I assume that it worked.
His original post on January the 11th was called:
Using RevertToSelf in DLL to be used from classic ASP webapplication
Kind regards,
Bruno.
<reply>
Use OpenThreadToken to obtain the current token. If I understand you correctly, the process is running as system, but that specific thread is running as another user.
If that is true, the thread will have its own token, which you will now have.
Then you call RevertToSelf, which reverts to the original process token, do whatever you need to do, and call ImpersonateLoggedOnUser with the thread token you obtained earlier to get back to the security status you originally had before reverting.
I don't know if RevertToSelf will close the original thread token. If it does, you should call DuplicateToken to create a duplicate of the thread token before you revert, and then use the duplicate when calling ImpersonateLoggedOnUser.
</reply>
Hi,
I just noticed that you were the original poster I mentioned.
I just did some digging and found this gem. That should solve your problem:
"... Non administrators only have read access, but CertOpenSystemStore tries to open the store with full access which is why you get the access denied."
The solution:
"The way to get around this is to use CertOpenStore and pass the (CERT_STORE_READONLY_FLAG | CERT_SYSTEM_STORE_CURRENT_USER) flags. It's essentially the same, except for the permissions being asked for."
Look for the full post at http://groups.google.com/group/micro...625badc498daad
microsoft.public.platformsdk.security probably has more knowledgeable people on this issue.
Let me know how it turned out.
Kind regards,
Bruno.
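An added example, not code from the thread, to make the distinction Bruno quotes visible. The DLL in question is C++, where the fix is to replace CertOpenSystemStore(0, "MY") with CertOpenStore(CERT_STORE_PROV_SYSTEM, 0, 0, CERT_STORE_READONLY_FLAG | CERT_STORE_OPEN_EXISTING_FLAG | CERT_SYSTEM_STORE_CURRENT_USER, L"MY"). The PowerShell below reproduces the same two opens through the .NET X509Store wrapper, whose OpenFlags map onto the CertOpenStore flags (ReadOnly is CERT_STORE_READONLY_FLAG, OpenExistingOnly is CERT_STORE_OPEN_EXISTING_FLAG, and ReadWrite requests write access, which is what CertOpenSystemStore requests). Run it as a non-administrator, for instance the identity the ASP application impersonates: the LocalMachine store opened ReadWrite fails with "Access is denied" while the ReadOnly open of the same store succeeds. Which store location the web server actually needs is an assumption; a server certificate normally lives in LocalMachine\My, so CERT_SYSTEM_STORE_LOCAL_MACHINE with the read-only flag is often the combination wanted rather than CURRENT_USER. Either way, asking only for read access is preferable to the RevertToSelf route from Bruno's earlier answer, which runs the certificate code as the IIS process identity for every request that reaches the DLL.

```powershell
# Added example, not from the thread: compare a read/write open of the MY
# store (the access CertOpenSystemStore requests) with a read-only open
# (CertOpenStore with CERT_STORE_READONLY_FLAG), via .NET's X509Store wrapper.
# Run as a non-administrator to see the LocalMachine ReadWrite open fail.

function Test-StoreOpen {
    param(
        [System.Security.Cryptography.X509Certificates.StoreLocation]$Location,
        [System.Security.Cryptography.X509Certificates.OpenFlags]$Flags
    )
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store 'My', $Location
    try {
        # Equivalent to CertOpenStore(CERT_STORE_PROV_SYSTEM, 0, 0, $Flags | $Location, "MY")
        $store.Open($Flags)
        [pscustomobject]@{
            Location     = $Location
            Flags        = $Flags
            Result       = 'opened'
            Certificates = $store.Certificates.Count
        }
    } catch {
        # CertOpenStore failed; the wrapper surfaces the Win32 error text,
        # "Access is denied." when a non-admin asks for write access.
        [pscustomobject]@{
            Location     = $Location
            Flags        = $Flags
            Result       = $_.Exception.GetBaseException().Message
            Certificates = $null
        }
    } finally {
        $store.Close()
    }
}

"Running as: $([System.Security.Principal.WindowsIdentity]::GetCurrent().Name)"

$cases = @(
    @{ Location = 'LocalMachine'; Flags = 'ReadWrite' },                  # read/write, as CertOpenSystemStore requests
    @{ Location = 'LocalMachine'; Flags = 'ReadOnly, OpenExistingOnly' }, # the read-only open from the thread
    @{ Location = 'CurrentUser';  Flags = 'ReadWrite' },
    @{ Location = 'CurrentUser';  Flags = 'ReadOnly, OpenExistingOnly' }
)
$cases | ForEach-Object { Test-StoreOpen -Location $_.Location -Flags $_.Flags } |
    Format-Table Location, Flags, Result, Certificates -AutoSize
```

Opening the store read-only only gets you the certificate; using its private key is a separate access check on the key container's ACL, which is why an IUSR that can now enumerate the store may still fail at signing or decryption until that key is shared with it.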
Hi Bruno,
Thank you for your reply.
I was indeed the poster of the other thread.
Although that other solution technically worked fine, I would rather find a solution where I can avoid the need to call RevertToSelf.
That's why I'm looking into installing the certificate and the private key in a way that lets the IUSR account access them.
I found articles at http://msdn.microsoft.com/library/de...ation_tool.asp and http://users.adelphia.net/~jalderson/IIS/clientcert.htm which explain how to install the certificate and allow the IUSR account access to the private key.
So now I'm trying to create a COM DLL which looks up that certificate for the IUSR account.
I will post back here to let you know how it goes.
Regards, Marja
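For the route Marja prefers, granting the web identity access to the private key instead of reverting to the process token, here is an added PowerShell script; it is not from the thread or from the articles she links. Assumptions: the certificate sits in LocalMachine\My, its private key is RSA, the thumbprint and the principal are supplied by the caller (IUSR_<machine> for the IIS 5 and 6 setup this thread is about; IIS AppPool\<name> or NT AUTHORITY\IUSR on later versions), and the script runs elevated, because changing the key container's ACL needs administrator rights. It opens the store read-only, finds the key container file under %ProgramData%\Microsoft\Crypto (RSA\MachineKeys for CSP keys, Keys for CNG keys), prints the current ACL and adds a Read entry for the principal. Read on the key file is enough for signing and decryption; do not grant FullControl, and grant it on the one key file, not on the whole MachineKeys directory.

```powershell
# Added example, not from the thread: give one web identity read access to
# one certificate's private key, so the ASP code never needs RevertToSelf.
# Assumes an RSA certificate in LocalMachine\My and an elevated session.
# $Thumbprint and $Principal are placeholders supplied by the caller.
param(
    [Parameter(Mandatory)][string]$Thumbprint,   # e.g. 'A1B2C3...' (spaces are tolerated)
    [Parameter(Mandatory)][string]$Principal     # e.g. 'IUSR_WEB01' or 'IIS AppPool\DefaultAppPool'
)

$Thumbprint = $Thumbprint -replace '\s', ''

# Read-only, existing-only open: the least access this step needs.
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store 'My', 'LocalMachine'
$store.Open('ReadOnly, OpenExistingOnly')
try {
    $cert = $store.Certificates | Where-Object Thumbprint -eq $Thumbprint
    if (-not $cert) { throw "No certificate with thumbprint $Thumbprint in LocalMachine\My" }
    if (-not $cert.HasPrivateKey) { throw "Certificate $Thumbprint has no private key in this store" }
} finally {
    $store.Close()
}

# Locate the key container file. CSP keys live under RSA\MachineKeys and CNG
# keys under Keys; in both cases the unique container name is the file name.
$keyDir = Join-Path $env:ProgramData 'Microsoft\Crypto'
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
if (-not $rsa) {
    throw "Private key of $Thumbprint is not RSA; this script only handles RSA keys"
} elseif ($rsa -is [System.Security.Cryptography.RSACng]) {
    $keyFile = Join-Path $keyDir ('Keys\' + $rsa.Key.UniqueName)
} elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
    $keyFile = Join-Path $keyDir ('RSA\MachineKeys\' + $rsa.CspKeyContainerInfo.UniqueKeyContainerName)
} else {
    throw "Unsupported private key type: $($rsa.GetType().FullName)"
}
if (-not (Test-Path $keyFile)) { throw "Key container file not found: $keyFile" }

# Show who can currently touch the key, then add Read (not FullControl) for
# the web identity on this one file only.
"Key file: $keyFile"
(Get-Acl $keyFile).Access | Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize

$acl  = Get-Acl $keyFile
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Principal, 'Read', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $keyFile -AclObject $acl

"Granted Read on the private key of $Thumbprint to $Principal"
```

Save it as, for example, Grant-KeyRead.ps1 (a name chosen here) and run .\Grant-KeyRead.ps1 -Thumbprint <hex> -Principal 'IUSR_<machine>' from an elevated prompt. After this the COM DLL can open the store read-only as the impersonated web identity, find the certificate by thumbprint and use its key without ever leaving the request's own security context.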
> The solution: "The way to get around this is to use CertOpenStore and pass the (CERT_STORE_READONLY_FLAG | CERT_SYSTEM_STORE_CURRENT_USER) flags. It's essentially the same, except for the permissions being asked for."
That worked fine: no more "access is denied" errors when trying to open the certificate store for the IUSR account!
Thanks!!!
Regards, Marja