Disclaimer

Any opinions expressed here are my own and not necessarily those of my employer (I'm self-employed).

Jan 24, 2011

How to give IIS access to private keys

If one of your ASP.NET applications needs access to a certificate from the certificate store along with its private key, you'll probably run into trouble. The private key is saved in a special file with an unguessable name, and for obvious reasons it is not readable by everyone. The lack of file access is not very intuitive: you can see the certificate in the Certificates MMC snap-in, and it will claim that "this certificate has a corresponding private key". You'll still have to give the application pool's user read access to the key file.


There are some differences in how to do this on 2008 R2 and on 2003 server; here's a short explanation and some useful resources for both versions.

Windows 2008 R2 server
On the 2008 R2 server, the lack of read access to the private key will manifest itself as this exception:
Exception Details: System.Security.Cryptography.CryptographicException: Keyset does not exist
A notable new feature in 2008 R2 (with IIS 7.5) is that application pools run under their own user. You need to figure out which identity the application pool is running as, e.g. IIS AppPool\DefaultAppPool. Here's a great writeup on how this works: Application pool identities.

The security properties of the private key file can be set through the certificate MMC snap-in. (Start -> run -> "mmc" -> Add snap-in -> Certificates -> Local Machine/Personal cert store). You need to give the application pool user read access to the private key file.

Note: the 2008 server (not R2) uses the same user execution model as the 2003 server; keep reading if you have one of those.

Windows 2003 server
On the 2003 server, the exception is even less informative than on 2008 R2:
Exception Details: System.Security.Cryptography.CryptographicException: The handle is invalid.
The challenge is still the lack of read access to the private key. Here's an explanation of how to use the WSE tool to adjust the private key's security settings. You can also check out Microsoft's findprivatekey.exe tool.

You'll probably need to give the user NETWORK SERVICE read access to the private key file, unless you've changed the application pool user defaults.
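The same fix scripted, as an added example that is not part of the original post: locate the private key file for a certificate in the Local Machine\Personal store and grant the pool identity read access to it. It assumes a machine-level CSP (RSA) key on 2008 R2 (the MachineKeys folder under ProgramData); the thumbprint is a placeholder, and the identity defaults to IIS AppPool\DefaultAppPool, with NT AUTHORITY\NETWORK SERVICE being the value for the 2003-style model.

```powershell
# Added example, not the original post's code. Grants an IIS identity Read on
# the file backing a certificate's private key. Assumes a CSP (RSA) key stored
# under %ProgramData%\Microsoft\Crypto\RSA\MachineKeys, as on 2008 R2.
param(
    [string]$Thumbprint = 'PUT-CERT-THUMBPRINT-HERE',   # placeholder, replace
    [string]$Identity   = 'IIS AppPool\DefaultAppPool'  # or 'NT AUTHORITY\NETWORK SERVICE'
)

# Find the certificate in Local Machine / Personal (Cert:\LocalMachine\My).
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert)                { throw "Certificate $Thumbprint not found in LocalMachine\My" }
if (-not $cert.HasPrivateKey)  { throw "Certificate $Thumbprint has no private key" }
if ($null -eq $cert.PrivateKey) { throw "Key is not a CSP key (CNG keys are stored elsewhere); not handled here" }

# For CSP keys the unique container name is also the file name under MachineKeys.
$container = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
$keyDir    = Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys'
$keyFile   = Join-Path $keyDir $container
if (-not (Test-Path $keyFile)) { throw "Key file $keyFile not found" }

# Show who can already read the key before changing anything.
Write-Host "Current ACL on $keyFile:"
(Get-Acl $keyFile).Access | Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize

# Add a Read (not Full Control) allow entry for the pool identity and write it back.
$acl  = Get-Acl $keyFile
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Identity, 'Read', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $keyFile -AclObject $acl
Write-Host "Granted Read on $keyFile to $Identity"
```

Run it from an elevated PowerShell session; after recycling the application pool the "Keyset does not exist" exception should be gone.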


Copyright notice

© André N. Klingsheim and www.dotnetnoob.com, 2009-2018. Unauthorized use and/or duplication of this material without express and written permission from this blog’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to André N. Klingsheim and www.dotnetnoob.com with appropriate and specific direction to the original content.
