winhttpcertcfg and private key access issue with client certificates

  • Question

  • User-2130976156 posted

    Hi, I am trying to set up a client certificate such that my asp.net web app can call a web service using a client cert. So I set up a cert.pfx in the localmachine\my store. Now I also gave the application pool identity (domain\user), which is responsible for running my asp.net web app, permissions to the private key using the winhttpcertcfg tool. So everything works fine, but the issue is that if I change the app pool identity to some other domain account (not an admin and not myself), the asp.net application still works. This indicates to me that the private key access was not limited to the app pool identity that I specified to winhttpcertcfg. When I list all users who have access to the private key, I see the custom account that I gave permission to, and also the administrators of the machine and the local system account. So I am stumped as to how other accounts have permission to the private key. Any help is appreciated. I use Win 2k3/IIS6.0/Asp.net v2.0/.net 3.5 for my development. Vinay

    Friday, December 11, 2009 5:17 PM

All replies

  • User1415983342 posted

    Hi, I am trying to set up a client certificate such that my asp.net web app can call a web service using a client cert. So I set up a cert.pfx in the localmachine\my store. Now I also gave the application pool identity (domain\user), which is responsible for running my asp.net web app, permissions to the private key using the winhttpcertcfg tool. So everything works fine, but the issue is that if I change the app pool identity to some other domain account (not an admin and not myself), the asp.net application still works.

    I do not see any contradictions.
    Do you impersonate the users?
    Do you use Windows authentication to recognize domain users?
    Does not setting up cert.pfx in the localmachine\my store give access to any user of the machine?
    And you run the web application under a Windows account and expect it to impersonate domain users in the web app?


    Thursday, December 17, 2009 12:29 AM
  • User-2130976156 posted

    I don't impersonate the users. Users will request the app with their windows identity. But my web app runs under a specific service account.

    I use Windows auth to recognize domain users.

    Setting up the cert in the local machine store will give access to any user of that machine. But client certificate authentication is supposed to be possible only if the user has access to the private key. This does not seem to be the case. This way anybody could steal the certificate and just send a request using that certificate.

    I run the app under a Windows account (service account for the app pool) and only give private key access to this account. So when any domain user calls my app, the app will run in the context of the service account, and the request should be successful only if this service account has access to the private key. I expect loading the X509Certificate2 cert to try to access the private key when loading it, but this is not the case unless you explicitly refer to the private key property of the object. This behaviour is quite weird and, unless documented, users might be confused and think that they have set up client certificate auth properly. Unless they try with some other service account they are not going to know about this.

    Thursday, December 17, 2009 2:39 PM
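    The behaviour described in the post above (the store lookup succeeds, and only touching the private key property actually exercises the key ACL) suggests a startup check. The following is an added example, not code from the thread; the thumbprint is a placeholder, and it assumes the client cert lives in LocalMachine\My as in the question.

```csharp
// Added example: verify at startup that the process identity (the app pool
// account) can really use the client certificate's private key, so that a
// wrong key ACL is caught before any web service call is made.
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

public static class ClientCertCheck
{
    // Placeholder; substitute the real client certificate's thumbprint.
    const string Thumbprint = "PLACEHOLDER_THUMBPRINT";

    public static X509Certificate2 LoadAndVerify()
    {
        X509Store store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            X509Certificate2Collection matches = store.Certificates.Find(
                X509FindType.FindByThumbprint, Thumbprint, false);
            if (matches.Count == 0)
                throw new InvalidOperationException("Client cert not found in LocalMachine\\My.");

            X509Certificate2 cert = matches[0];
            // Finding the cert reads only the public part; the key ACL is not
            // consulted until the PrivateKey property is accessed below.
            if (!cert.HasPrivateKey)
                throw new InvalidOperationException("Certificate has no private key attached.");
            try
            {
                AsymmetricAlgorithm key = cert.PrivateKey; // throws if this identity is denied
                Console.WriteLine("Private key usable by {0} ({1})",
                    Environment.UserName, key.KeyExchangeAlgorithm);
            }
            catch (CryptographicException ex)
            {
                throw new InvalidOperationException("Identity " + Environment.UserName
                    + " cannot access the private key: " + ex.Message, ex);
            }
            return cert;
        }
        finally
        {
            store.Close();
        }
    }
}
```

    Run this once under each candidate app pool identity; it should succeed only for the account granted access with winhttpcertcfg.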
  • User-1945941708 posted

    When you give access with the winhttpcertcfg tool, that gives access to the app pool (not the app pool identity), so everything using that app pool will have access to the cert. If you want to limit access to a specific app pool, you should create a new app pool, and give that specific app pool access to your certificate, so only the one site will have access to the specified cert.

    Tuesday, June 17, 2014 4:50 PM