
SSL with SSPI


Dave

May 31, 2001, 1:31:04 PM
The following Win API function is being used in the SDK SSL sample.

hMyCertStore = CertOpenSystemStore(0, "MY");

In the stand alone exe it works as expected.

When the same code is used in an ATL DLL through a web application it
fails. The error number is 5 and the description is "Access is denied".

Since all web access occurs through the security context of
IUSR_MACHINENAME, adding this user to the administrators group confirms
this is related to permissions. The question:

How does one make this work? MS indicates that wininet should not be
used in server applications and points to the SDK sample which,
disappointing enough, does not demonstrate usage in a web server
environment.

Thanks for any assistance you can offer,

Dave

Carlos Lopez

Jun 1, 2001, 9:10:07 PM
The reason for this is that IUSR_MACHINENAME's profile is not loaded. This
means it will use the default profile when opening the certificate store.
Non administrators only have read access, but CertOpenSystemStore tries to
open the store with full access which is why you get the access denied.

The way to get around this is to use CertOpenStore and pass the
(CERT_STORE_READONLY_FLAG | CERT_SYSTEM_STORE_CURRENT_USER) flags. It's
essentially the same, except for the permissions being asked for.

Mind you, I don't think you'll find any certificates in the default profile
unless you already have certificates in there. Another thing you might
try is adding the certificates to the local machine (requires administrative
access) and have the application look in that store.

thanks
Carlos


Dave

Jun 4, 2001, 4:14:21 PM
"Carlos Lopez" <nospam...@microsoft.com> wrote in message news:<etpuODw6AHA.996@tkmsftngp03>...

Thanks for the information. What store would contain the certificate
required to initiate an SSL connection to a remote web server? How
would the following line look in such a case assuming the security
context of IUSR_MACHINENAME is being used?

hMyCertStore = CertOpenSystemStore(0, "MY");

Thanks,

Dave

Carlos Lopez

Jun 5, 2001, 8:56:07 PM
Since the IUSR account has no loaded profile, the best place to store the
certificate is in the local machine certificate store. This would require
an administrator to place IUSR's certificate in the store ahead of time
before using it.

How you place the certificate in the store depends on how you are getting
the certificate. If you have a pfx file you can use mmc.exe and select the
certificate snapin to store the certificate in the Personal store. You have
to select the "Computer Account" option in the first dialog when you load
the snapin.

CertOpenStore would look like:

hMyCertStore = CertOpenStore(CERT_STORE_PROV_SYSTEM_A,
                             X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,
                             0,
                             CERT_SYSTEM_STORE_LOCAL_MACHINE | CERT_STORE_READONLY_FLAG,
                             "MY");

thanks
Carlos

