Geeks With Blogs

Lorin Thwaits A geek says what?

Here's a fun question that came through the Arizona .NET User's Group list about using client certificates with ASP.NET:

Question:
How do you set up a client x509 certificate to be used by code run by an ASP.NET process?  This article didn't help:  http://support.microsoft.com/default.aspx?scid=kb;EN-US;901183  The WinHttpCertCfg.exe util would not install certs into the store.  I had to use the mmc certificates plugin.

The workaround I did in development was to log in as the web user and install the cert into their personal cert store. Then when the code attempted to use the cert to establish a secure connection with our 3rd party service it worked.

In production, the web user is the IUSR_ account, which can't log in since the password is controlled by the OS. So this won't work for production.

v1.0 and v1.1 of the framework have a bug that is fixed by SPs. It always looks in the personal store for a client certificate's private key even if you grant permission to view it from the root store. For us this still seems to be the problem even with the SP applied, but v2.0 is supposed to have this fixed.

If anyone can help me, I would really appreciate it.  I'm in a pinch now trying to get this resolved.

Answer:
The issue is not simply if the certificate is installed in the root or the Personal logical store name.  There's more to the story, specifically which account it's installed for.  In fact it needs to be in the Personal logical store name of the local computer account.  (Kinda counter-intuitive, isn't it?)  Shown here is an MMC console with two instances of the Certificates Snap-In added, one focused on the local computer and the other on the currently logged in user:

For those who haven't used the MMC tool with certificates before, follow along with me for a moment:

  1. Open MMC, then add the Certificates Snap-In. (Done by pressing CTRL-M, ALT-D, then finding the snap-in you want in the lengthy list.)
  2. When you choose to add this Snap-In, it needs to know which of the three account options to focus on: the computer, user, or a service account. Choose computer, and on the next screen the account for the local computer.
  3. Now open the Personal store for this computer account. This is where your client certificate(s) need to be imported. Each certificate must have the private key, so you have to use a .PFX file when you export / import to bring the certificate in. It's the only file type that can contain the private key.

From your question it sounds like you had gotten this far earlier, but focused on a user account instead of the computer account.

Once all the certificates you want are in the Personal store of the local computer, follow step #2 in the KB article to use WinHttpCertCfg to grant access to the certificate for ASP.NET. You must be logged on as an administrator for this to work. The -c switch selects the certificate store, which can begin with either "LOCAL_MACHINE" or "CURRENT_USER". The name "MY" refers to the same store that the MMC Snap-In calls "Personal". The -s switch chooses a SubjectStr (conveniently case insensitive), which is simply whatever name the certificate was issued to, i.e. the same name that's listed in the first column of the Certificates Snap-In. The -a switch refers to the account being granted permission, and for ASP.NET this should not be IUSR_, because by the time execution switches over to the .NET code it's running as "Network Service" on Win2K3 or "ASPNET" on Win2K / XP. So use that account for -a.

If all goes well with the WinHttpCertCfg.exe command the result should be something like this:

C:\CertCfg>WinHttpCertCfg.exe -g -c LOCAL_MACHINE\MY -s "lorin.thwaits" -a "ASPNET"
Microsoft (R) WinHTTP Certificate Configuration Tool
Copyright (C) Microsoft Corporation 2001.

Matching certificate:
CN=Lorin.Thwaits

Granting private key access for account:
    COMPUTERNAME\ASPNET

C:\CertCfg>

One final point, and you already mentioned it, is that if you're using v1.1 of the framework you need SP1.  And at this point your certificate should work in production.  No need to ever know the password for the ASPNET or IUSR_ account to make all this happen.
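As an added example (not code from the post or the questioner), here is the ASP.NET side of this setup: the certificate is read from LocalMachine\My, the private key is probed for readability by the identity the worker process actually runs as, and the certificate is attached to the outbound HTTPS request. The subject name "lorin.thwaits" is taken from the WinHttpCertCfg run above; the URL, class and method names are assumptions.

```csharp
using System;
using System.IO;
using System.Net;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Security.Principal;

// Added example, not code from the post. Assumes the certificate issued to "lorin.thwaits"
// (the subject in the post's WinHttpCertCfg run) was imported as a .PFX into LocalMachine\MY.
public static class ClientCertHelper
{
    // Look the certificate up in LocalMachine\My. Opening CurrentUser\My here would reproduce
    // the original problem: the worker account (ASPNET / Network Service) never logs on, so its store is empty.
    public static X509Certificate2 FindClientCertificate(string subjectName)
    {
        X509Store store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
        try
        {
            // FindBySubjectName is a case-insensitive substring match, like the tool's -s switch.
            X509Certificate2Collection found = store.Certificates.Find(
                X509FindType.FindBySubjectName, subjectName, false);
            if (found.Count == 0)
                throw new InvalidOperationException("No certificate for '" + subjectName
                    + "' in LocalMachine\\My; import the .PFX there, not into a user's store.");
            X509Certificate2 cert = found[0];
            if (!cert.HasPrivateKey)
                throw new InvalidOperationException("Certificate has no private key; re-import it from a .PFX.");
            try { AsymmetricAlgorithm key = cert.PrivateKey; } // actually opens the key container
            catch (CryptographicException ex)
            {
                // The failure the post fixes with WinHttpCertCfg -g ... -a <worker account>.
                throw new InvalidOperationException("Private key not readable by "
                    + WindowsIdentity.GetCurrent().Name + "; grant access with WinHttpCertCfg.", ex);
            }
            return cert;
        }
        finally { store.Close(); }
    }
    // Attach the certificate to the outbound HTTPS call, as the questioner's code does.
    public static string CallPartnerService(string url, string subjectName)
    {
        HttpWebRequest request = (HttpWebRequest)WebRequest.Create(url);
        request.ClientCertificates.Add(FindClientCertificate(subjectName));
        using (HttpWebResponse response = (HttpWebResponse)request.GetResponse())
        using (StreamReader reader = new StreamReader(response.GetResponseStream()))
            return reader.ReadToEnd();
    }
}
```

The account name in the exception message is what you pass to -a; if it shows NT AUTHORITY\NETWORK SERVICE rather than ASPNET, grant the key to that account.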

Posted on Friday, December 30, 2005 3:35 PM ASP.NET , IIS | Back to top


Comments on this post: Using client certificates with ASP.NET

# re: Using client certificates with ASP.NET
Just got an email from the guy who had originally asked the question, and this walkthrough worked for him. Problem solved!
Left by Lorin Thwaits on Jan 02, 2006 7:29 AM

# re: Using client certificates with ASP.NET
I followed all the steps mentioned above, and on my local desktop machine (WinXP) it worked.

But now it doesn't seem to work in production (windows server 2K3)

It seems that .net SP1 is installed (in software list I see hotfix KB 867460 that represents SP1)

A windows forms application on the production server works, but my asp.net application does not work.

Anyone any ideas?
Left by Mark on Aug 15, 2006 11:59 PM

# re: Using client certificates with ASP.NET
Same problem as the poster above. I granted ASPNET the permission to the certificate in the LOCAL_MACHINE\MY store, and the -l switch confirmed it. But the call to OpenCertStore fails (returns null). It works from a Console app under my account, but fails from the ASP.NET app.
Left by YogiBaar on Sep 28, 2006 9:20 PM

# re: Using client certificates with ASP.NET
Hey guys,

I created a certificate on my test web server and then I exported it as an .PFX file.

Next I took this file to the client (my machine in this case) and I imported it into Local Computer --> Personal using MMC.

But when I try to browse my application on my test web server I don't see any certificate listed on the "Choose a digital certificate" Window.

Could somebody help me please? I have spent so much time on it......

Thanks
Left by ureyes84 on Apr 27, 2007 5:26 PM

# re: Using client certificates with ASP.NET
I had all sorts of problems installing certificates on our production server (Windows Server 2003). I wish I'd seen this article before! These were the main issues I had:

* For a production server, you must use an mmc snap in to install the certificate. It is not sufficient to just double click the icon in windows as it will only install the certificate in the store for the logged in user

* As stated above, make sure that the application that is using the certificate has permissions to access it (by using the utility). In our case (an asp.net web app) this was the NETWORK SERVICE account

* We also had a situation where an intermediary certificate was missing, even though the main certificate was installed correctly
Left by Andy on Apr 07, 2008 3:10 AM

# re: Using client certificates with ASP.NET
I was very excited to see this posting. I have been experiencing the same issues on my server (not to mention my workstation).
I implemented the steps above regarding mmc and the config utility. I was very excited to see it work flawlessly on my workstation, but my excitement didn't last. I cannot replicate my workstation results on my IIS server. I even went so far as to do a parallel config between my wks and my iis. Exact same steps, different results.
My IIS server is 2K3 web edition with SP2. I have .Net v2.0.50727 SP1 also installed. The version of IIS is the default version that comes with the server. Oh, it also has IE7 (yuck) on it.
Anyone have any suggestions as to why it won't work on my server?
Left by oaJoe on Apr 29, 2008 5:49 AM

# re: Using client certificates with ASP.NET
If you are trying to use .Net v2.0.50727 then you need to ensure that the root .Net Version is registered with IIS.

How To:

Run the following from the command prompt to determine what is the root version:

C:\>C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis.exe /lv

This will return the following:

C:\>C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_regiis.exe /lv
1.1.4322.0 Valid (Root) C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_isapi.dll
2.0.50727.0 Valid C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_isapi.dll

Note that .Net Version 1.1.xx is set as the (Root)

Change this using the -r switch of aspnet_regiis.exe, and this will "install/register" version 2.0.xx:

C:\>C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis.exe -r
Start installing ASP.NET (2.0.50727) and replacing ASP.NET DLL in all Scriptmaps with current version.
....................
Finished installing ASP.NET (2.0.50727) and replacing ASP.NET DLL in all Scriptmaps with current version.


VERY IMPORTANT:

Note that I executed from the 2.0 framework folder. Each version of the framework has a version of aspnet_regiis.exe. So keep in mind that you MUST execute from the framework folder of the version that you are wanting to execute aspnet_regiis.exe on and register.

Even though you may have already set 2.0 as the ASP.NET Version from the Default Web Site Properties page, .Net 1.1.xxx is still set at the root within the IIS MetaBase.xml file (Location: C:\WINDOWS\system32\inetsrv). The biggest difference is the InProcessIsapiApps (take note before you run the above and you will see the versions flip).

The InProcessIsapiApps metabase property specifies a list of ISAPI filters and extensions that must be run in the Web server process.

Some additional reading that may help:

http://support.microsoft.com/kb/812833


Of course never forget to run IISRESET from a command prompt........


Hope this helps :)

Left by bama on Aug 22, 2008 2:21 AM

# re: Using client certificates with ASP.NET
Thanks. This solved our issue.
Left by Ramdas Murali on Dec 30, 2008 7:51 AM

# re: Using client certificates with ASP.NET
Thanks for the article. The only thing I had to change from these steps was to install the certificate in Root of the local machine (instead of My).
Left by fjb on Jun 23, 2009 9:53 AM

# re: Using client certificates with ASP.NET
Hello,
I am doing the same thing which you describe above. I can do authentication using local user / administrator but am not able to connect with a NETWORK SERVICE account. I have VISTA. Is there anything new in VISTA for IISREG.exe -r ?
Left by rakesh on Jul 23, 2009 8:38 AM

# re: Using client certificates with ASP.NET
Thanks for the article.
Left by Tiffany co Necklaces on Oct 17, 2009 11:59 PM

# re: Using client certificates with ASP.NET
you are simply great buddy...
Left by DDos Protection on Nov 06, 2009 8:50 PM



Copyright © Lorin Thwaits | Powered by: GeeksWithBlogs.net