Application with HTTPS connections and IE 7 WinInet Issue

  • Question

  • Hi,
     
    We have a Visual C++ application that runs as a Windows Service. The Service runs with Local System Account
    and makes HTTPS connections to a server (our own server) for downloading files.
    We use WinInet in our Service for the HTTPS communication.
     
    The application works with no problem until we tested the application with IE 7.
    With IE 7, when we call CHttpFile::SendRequest, the function returns 0. We caught the error and the error number
    was 12057 - ERROR_INTERNET_SEC_CERT_REV_FAILED. I ran the Fiddler tool to verify.
    What I saw was that the Service tried to make a connection to GeoTrust to verify the Certificate returned from
    the server, and fails.
    This event leads me to believe that the Service for some reason can't verify the Certificate from the server
    with the Root Certificate that is already installed on the PC (comes with IE).
    I ran the Fiddler tool on a PC running IE 6 and the Fiddler tool didn't show that the Service tried
    to make a connection to GeoTrust. On the PC running IE 6, the service can verify the Certificate that is
    returned from the server with the Root Certificate that is installed on the PC.
     
    Right now the work around is to change the Logon as of our Windows Service to a valid Local User Account.
    By changing the Logon as, the Service can verify the Certificate that comes from the server with the Root Certificate
    installed on the Client PC and doesn't need to make a connection to GeoTrust.
     
    My question is, why, with the IE 7 WinInet.dll, can't the Local System Account read the Root Certificate that is
    installed on the PC? It worked with previous versions of IE.
     
    Thank you in advance.
    Friday, May 11, 2007 4:47 PM

Answers

  • I see you posted this to the WinInet newsgroup microsoft.public.inetsdk.programming.wininet.  That is the correct place to seek help with this issue.  This forum is for Peer-to-Peer networking related questions.  Cordell Jones answered your post on that newsgroup but I'll summarize it here for context in future search results --

    (1) You shouldn't use WinINet in a service
        [It's specifically designed to not work in a service]

    (2) Definitely don't use WinINet in a service running as local system!
        [Doing network operations in the context of a service running as Local System opens you up to a ton of security risk.
        It is recommended to design your service so that the part that opens network connections runs under an account other than
        LocalSystem (e.g. LocalService)]

    (3) Developers wishing to do HTTP in a service should use WinHTTP
        [WinHTTP is designed to work in a service]

    and here is a link to a KB on the issue -- http://support.microsoft.com/default.aspx/kb/238425

    Tuesday, May 15, 2007 8:31 PM
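To put point (2) of the answer into practice, here is an added PowerShell example (it is not part of the original thread and not the poster's or Microsoft's code) that first audits which auto-start services run as LocalSystem and then moves one of them to the built-in LocalService account. The service name `MyDownloadService` is a placeholder for the poster's service; everything else is standard `Win32_Service` and `sc.exe` usage.

```powershell
# Added example, not from the original thread. Assumes a service named
# 'MyDownloadService' (placeholder) that currently runs as LocalSystem and
# only needs outbound HTTPS to the vendor's own server.

# 1. Audit: which auto-start services run as LocalSystem? Each one is a
#    process doing work (possibly network I/O) with full local privileges.
Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.StartName -eq 'LocalSystem' -and $_.StartMode -eq 'Auto' } |
    Select-Object Name, DisplayName, StartName, PathName |
    Format-Table -AutoSize

# 2. Mitigate: run the service as LocalService instead. LocalService is a
#    low-privilege built-in account with no password, and it presents
#    anonymous credentials on the network, which is fine for plain HTTPS
#    downloads. Note the mandatory space after 'obj=' in sc.exe syntax.
sc.exe config MyDownloadService obj= "NT AUTHORITY\LocalService"

# 3. Verify the configured account before restarting.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='MyDownloadService'"
if ($svc.StartName -ne 'NT AUTHORITY\LocalService') {
    throw "Service account change did not take effect: $($svc.StartName)"
}

# 4. Grant the new account access to the service's own files (download
#    directory, logs). 'C:\ProgramData\MyDownloadService' is a placeholder path.
icacls "C:\ProgramData\MyDownloadService" /grant "NT AUTHORITY\LocalService:(OI)(CI)M"

Restart-Service -Name MyDownloadService
```

Two practical caveats: if the service must authenticate to a domain resource as the machine account, use `NT AUTHORITY\NetworkService` instead of LocalService; and after the change, watch the first start for access-denied errors on files or registry keys the service previously reached only because it was LocalSystem. The trusted root certificates live in the machine-wide store, which any of these accounts can read, so moving off LocalSystem does not by itself cost the service any certificate validation capability.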