Getting System.Security.Cryptography.CryptographicException: Access is denied. error on store.Open(OpenFlags.ReadWrite)

    Question

  • Hello,

    I have a WCF service that downloads x509 certificate public keys from a remote xml file.  The code looks like:

    X509Store store = new X509Store("My", StoreLocation.CurrentUser); // store name as a string, location as a StoreLocation value
    StorePermission sp = new StorePermission(PermissionState.Unrestricted);
    sp.Assert();
    store.Open(OpenFlags.ReadWrite);
    store.Add(cert); // this is the X509Certificate2 cert that I have created from the remote xml
    store.Close();

    However, I am getting the following exception:

    System.Security.Cryptography.CryptographicException: Access is denied. at System.Security.Cryptography.X509Certificates.X509Store.Open(OpenFlags flags)


    ...when the code runs in my WCF service hosted in IIS7.  I have the service running under a domain account, to which I have granted full control of the c:\ProgramData\Microsoft\Crypto\RSA\MachineKeys folder.

    Any idea what I am missing?

    Thanks



    terryc_ms
    Thursday, January 15, 2009 9:55 AM

Answers

  • I found the solution to the issue - (but still have a question below)

    1. The service account was not an admin on the machine (by design) and I was attempting to write to the LocalMachine store, hence the "Access Denied" exception (it would have saved me some time if the exception had told me what resource my service account was being denied access to).  I changed this to use the CurrentUser store instead, which does not require admin access.

    2. The CurrentUser store location will only exist for a user if they have a user profile on the machine, so I had to log into the machine interactively with my service account once, to create their CurrentUser cert storeLocation.

    I am still not clear what the StorePermission does (added to the code below in bold).  Is this necessary when writing to the CurrentUser store location? 

    X509Store store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
    StorePermission sp = new StorePermission(PermissionState.Unrestricted);
    sp.Flags = StorePermissionFlags.OpenStore;
    sp.Assert();
    store.Open(OpenFlags.MaxAllowed);
    store.Add(cert); // cert is the X509Certificate2 cert that I have created
    store.Close();


    terryc_ms
    • Marked as answer by Bin-ze Zhao Monday, January 19, 2009 2:39 AM
    Saturday, January 17, 2009 1:24 AM

All replies

  • Hi,

    Could you please set up a complete scenario, such as your server and client frame, and also where you download the X.509 certificate?

    I need to recover your error exception and see what I can do here for you.

    Thanks
    Binze
    Friday, January 16, 2009 9:28 AM
  •  Hi,

    Good to hear you found the solution.

    StorePermission controls access to stores containing X.509 certificates. This is only for security purposes, so it entirely depends on what you need. The StorePermission class uses PermissionState and StorePermissionFlags as parameters to control the access state and access level to the certificate stores. The article below explains it well:
    http://msdn.microsoft.com/en-us/library/system.security.permissions.storepermission.aspx

    Check it out and find related information.

    Thanks
    Binze
    Monday, January 19, 2009 2:36 AM
  • StorePermission is a CAS (Code Access Security) permission. You will *only* need this when you run in partial trust. This is not the case in your scenario.

    When running on IIS7 - you can specify to load the user profile of the App Pool. This gives you access to the per user store of the app pool account.
    Dominick Baier, thinktecture - http://www.leastprivilege.com
    • Proposed as answer by MonkeyTennis Wednesday, April 11, 2012 6:06 PM
    Monday, January 19, 2009 8:26 AM
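    The two points made above (the accepted answer: LocalMachine needs admin rights to write, CurrentUser needs the account's profile to exist; Dominick's reply: no StorePermission assert under full trust, load the app pool's user profile instead) can be checked from the service account itself. The following is an added example, not code from the thread or from any of the posters. It assumes only System.dll / System.Security.dll references (.NET Framework 2.0 or later), that the caller supplies the X509Certificate2 it downloaded, and that it is run under the identity that will actually host the WCF service. It opens each store with the least access the task needs (ReadOnly for look-ups, ReadWrite only for the import) and reports the store location, the access requested and the identity on failure, which is the information the bare "Access is denied" message leaves out.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Security.Principal;

// Added example (not from the thread): find out which certificate store the
// current identity can open, and import with the least access needed.
public static class CertStoreAccess
{
    // Try to open a store and describe the outcome instead of a bare "Access is denied".
    public static bool TryOpen(StoreName name, StoreLocation location, OpenFlags flags, out string detail)
    {
        string identity = WindowsIdentity.GetCurrent().Name;
        X509Store store = new X509Store(name, location);
        try
        {
            store.Open(flags);
            detail = string.Format("{0}\\{1} opened with {2} as {3} ({4} certificates)",
                location, name, flags, identity, store.Certificates.Count);
            return true;
        }
        catch (CryptographicException ex)
        {
            // Include the resource and the principal so the log is actionable.
            detail = string.Format("{0}\\{1} with {2} denied for {3}: {4}",
                location, name, flags, identity, ex.Message);
            return false;
        }
        finally
        {
            store.Close(); // safe to call even if Open failed
        }
    }

    // Import into the per-user store, asking only for write access.
    // No StorePermission assert: CAS permissions only matter under partial trust.
    public static void ImportToCurrentUser(X509Certificate2 cert)
    {
        string detail;
        if (!TryOpen(StoreName.My, StoreLocation.CurrentUser, OpenFlags.ReadWrite, out detail))
        {
            throw new InvalidOperationException(
                "Cannot write to the CurrentUser store; is the account's user profile loaded? " + detail);
        }

        X509Store store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
        store.Open(OpenFlags.ReadWrite);
        try
        {
            // Avoid duplicate entries when the remote XML is re-downloaded.
            X509Certificate2Collection existing =
                store.Certificates.Find(X509FindType.FindByThumbprint, cert.Thumbprint, false);
            if (existing.Count == 0)
            {
                store.Add(cert);
            }
        }
        finally
        {
            store.Close();
        }
    }

    public static void Main()
    {
        string detail;

        // Look-ups only need ReadOnly; this works for a non-admin identity.
        TryOpen(StoreName.My, StoreLocation.LocalMachine, OpenFlags.ReadOnly, out detail);
        Console.WriteLine(detail);

        // Writing to LocalMachine needs administrative rights: expect a denial for a plain service account.
        TryOpen(StoreName.My, StoreLocation.LocalMachine, OpenFlags.ReadWrite, out detail);
        Console.WriteLine(detail);

        // Writing to CurrentUser needs the identity's profile (its registry hive) to be loaded.
        TryOpen(StoreName.My, StoreLocation.CurrentUser, OpenFlags.ReadWrite, out detail);
        Console.WriteLine(detail);
    }
}
```

    Run Main() once under the app pool identity to see which of the three probes fails, then call ImportToCurrentUser(cert) from the service. For the CurrentUser case, the IIS7 setting Dominick mentions is "Load User Profile" on the application pool (in appcmd: appcmd set apppool "PoolName" /processModel.loadUserProfile:true); with it enabled there is no need to log the service account on interactively. Note that the ACL on the MachineKeys folder governs the private key files, not whether the certificate store itself can be opened, so granting full control there does not address this exception.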
  • After searching 'the entire internet', this inconspicuous two-liner, hidden away at the bottom of the thread, is exactly the right solution.

    Thanks!

    Brad


    Bradley Cotier

    Wednesday, April 11, 2012 6:08 PM