IIS custom application pool user not able to access certificates

  • Question

  • User-1700962694 posted

    I have a web application running on an on-prem server using IIS 10 and dotnet 2.1. I am trying to use a certificate managed in the Windows certificate store to authenticate to KeyVault. 

    My code:

        // Usings needed by this snippet (the post shows only the method body).
        using System.Linq;
        using System.Security.Cryptography.X509Certificates;
        using Azure.Identity;
        using Azure.Security.KeyVault.Secrets;

        // tenantID, clientID, keyVaultURI, secretsClient and iConfiguration are
        // fields of the surrounding class, not shown in the post.
        var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);

        // Look the certificate up by thumbprint; validOnly = false so an
        // untrusted or expired certificate is still returned.
        var certs = store.Certificates.Find(
            X509FindType.FindByThumbprint,
            iConfiguration.GetValue<string>("AppSettings:certThumbprint"),
            false
        );

        // Single() throws "Sequence contains no elements" when Find returned nothing.
        var credential = new ClientCertificateCredential(
            tenantID, clientID,
            certs.OfType<X509Certificate2>().Single()
        );

        secretsClient = new SecretClient(
            keyVaultURI,
            credential
        );

    I have also tried the following variants:

        var store = new X509Store(StoreName.Root, StoreLocation.LocalMachine);

        var store = new X509Store(StoreLocation.CurrentUser);

    No matter which combination I try, I am getting the following error from certs.OfType<>().Single(): "Sequence contains no elements"

    This implies to me that the application can't access the certificates. The application pool is running using a custom account ("domain\user"), not one of the built-in account types (ApplicationPoolIdentity, LocalSystem, etc.).

    I've found many guides on how to grant the ApplicationPoolIdentity account access to a certificate, but none for a custom account. I tried giving full control to the custom account ("user@fully.qualified.domain") but I'm still getting the error.

    Can anybody help me figure out what is going on with this?

    Tuesday, April 20, 2021 10:33 PM

All replies

  • User1065476709 posted

    Hi dianepana,

    I am getting the following error from certs.OfType<>().Single(): "Sequence contains no elements"

    This error means you want to fetch data from a null; you can try to use SingleOrDefault instead of Single.

    Best regards,

    Sam

    Wednesday, April 21, 2021 2:08 AM
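A diagnostic helper, added here as an example and not code from either poster: it performs the same thumbprint lookup as the question's snippet but, as the reply suggests, uses SingleOrDefault so an empty result comes back as null instead of an exception, and it then reports which store was searched, which Windows identity the process is running as, and whether that identity can actually open the private key. Two points to keep in mind when reading its output: Find does not consult private-key ACLs, so "Sequence contains no elements" means the certificate is simply not present in that store as seen by the application pool account (CurrentUser\My is a different store for every account, and a thumbprint pasted from the certificate dialog can carry a hidden left-to-right mark that breaks the match), whereas a missing ACL grant on the key only surfaces later as a CryptographicException when the key is used. The class and method names (CertificateLookup, FindByThumbprint, Describe) are my own and are not part of any library.

```csharp
// Added example (not the poster's code): diagnose why a thumbprint lookup
// returns no certificate under the IIS application pool identity.
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Security.Principal;

public static class CertificateLookup
{
    // Searches one store for a certificate with the supplied thumbprint.
    // Returns null instead of throwing when nothing matches, so the caller
    // can say which store and identity were in use.
    public static X509Certificate2 FindByThumbprint(
        string thumbprint, StoreName storeName, StoreLocation location)
    {
        // Thumbprints copied from the certificate dialog often carry spaces
        // or an invisible left-to-right mark; keep only hex digits.
        var clean = new string(thumbprint.Where(Uri.IsHexDigit).ToArray())
            .ToUpperInvariant();

        using (var store = new X509Store(storeName, location))
        {
            store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
            var matches = store.Certificates.Find(
                X509FindType.FindByThumbprint, clean, validOnly: false);
            // SingleOrDefault: zero matches -> null; two or more -> exception.
            return matches.OfType<X509Certificate2>().SingleOrDefault();
        }
    }

    // Reports, for the current process identity, whether the certificate is
    // present in LocalMachine\My or CurrentUser\My and whether its private
    // key can be opened. Run this from inside the web application so the
    // check happens under the application pool account, not an admin's.
    public static string Describe(string thumbprint)
    {
        var identity = WindowsIdentity.GetCurrent().Name;
        foreach (var location in new[] { StoreLocation.LocalMachine, StoreLocation.CurrentUser })
        {
            var cert = FindByThumbprint(thumbprint, StoreName.My, location);
            if (cert == null)
                continue;

            if (!cert.HasPrivateKey)
                return $"{identity}: found in {location}\\My but it has no private key";

            try
            {
                // Opening the key is where a missing ACL entry surfaces.
                using (var key = cert.GetRSAPrivateKey())
                {
                    if (key == null)
                        return $"{identity}: found in {location}\\My but the private key is not RSA";
                }
                return $"{identity}: found in {location}\\My, private key accessible";
            }
            catch (CryptographicException ex)
            {
                return $"{identity}: found in {location}\\My, private key NOT accessible: {ex.Message}";
            }
        }
        return $"{identity}: no certificate with thumbprint {thumbprint} in LocalMachine\\My or CurrentUser\\My";
    }
}
```

A practical way to use it is to call Describe from a temporary diagnostic endpoint or startup log line in the IIS application, then compare the reported identity and store with where the certificate was actually imported; if the certificate is found but the key is not accessible, the fix is a key-permission grant to that identity, and if it is not found at all, the store or the thumbprint is the problem rather than permissions.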