Click here to get back home

openCertStore() denied to Network Service
 HomeNewsGroups | Search | About
Login Password
Register Now!
 microsoft.public.windows.server.security    Post an article   get this group's latest topics as an RSS feed add this group's latest topics to your My MSN content add this group's latest topics to your My Yahoo content
Subject Author Date
openCertStore() denied to Network Service Jason Viers 09-19-2007
Posted by Jason Viers on September 19, 2007, 3:04 pm
Please log in for more thread options
 I have a certificate I'd like to be able to use from my ISAPI Extension,
which runns as "Network Service". I've seen things for giving
permission to the certificate itself via WinHttpCertCfg, but I'm unable
to open the local machine certificate store _at all_. The C++ call

HCERTSTORE hSystemStore = CertOpenStore(CERT_STORE_PROV_SYSTEM, 0,
        NULL, CERT_SYSTEM_STORE_LOCAL_MACHINE, L"MY");

returns NULL, and GetLastError() gives 5 (Access Denied). I've seen
people asking similar[1] questions[2], but never getting a response.
Pages such as this[3] specifically reference grantin access to Network
Service, so it has to be possible.

If I change the application pool to run as "Local System", then opening
the store & getting the cert works, but I'd like to avoid the privilege
escalation if possible. How do I get into the Certificate Store as
Network Service?

Thanks
Jason

[1]
http://www.eggheadcafe.com/forumarchives/securitycrypto/Jul2005/post23380878.asp
[2]
http://www.derkeiler.com/Newsgroups/microsoft.public.dotnet.framework.aspnet.security/2003-06/0093.html
[3] http://msdn2.microsoft.com/en-us/library/aa302408.aspx

Posted by jwgoerlich on September 20, 2007, 7:42 am
Please log in for more thread options
 Does the "Network Service" account have read permissions to the
MachineKeys folder? This is located under All Users Profile
\Application Data\Microsoft\Crypto\RSA.

J Wolfgang Goerlich


> I have a certificate I'd like to be able to use from my ISAPI Extension,
> which runns as "Network Service". I've seen things for giving
> permission to the certificate itself via WinHttpCertCfg, but I'm unable
> to open the local machine certificate store _at all_. The C++ call
>
> HCERTSTORE hSystemStore = CertOpenStore(CERT_STORE_PROV_SYSTEM, 0,
> NULL, CERT_SYSTEM_STORE_LOCAL_MACHINE, L"MY");
>
> returns NULL, and GetLastError() gives 5 (Access Denied). I've seen
> people asking similar[1] questions[2], but never getting a response.
> Pages such as this[3] specifically reference grantin access to Network
> Service, so it has to be possible.
>
> If I change the application pool to run as "Local System", then opening
> the store & getting the cert works, but I'd like to avoid the privilege
> escalation if possible. How do I get into the Certificate Store as
> Network Service?
>
> Thanks
> Jason
>
> [1]http://www.eggheadcafe.com/forumarchives/securitycrypto/Jul2005/post2...
> [2]http://www.derkeiler.com/Newsgroups/microsoft.public.dotnet.framework...
> [3]http://msdn2.microsoft.com/en-us/library/aa302408.aspx



Similar ThreadsPosted
"Network Service" account is UNABLE to write to a network shared folder April 18, 2007, 7:01 pm
Windows service denied access to mapped drive May 4, 2007, 7:06 am
'NT Authority\Network Service' Account July 26, 2005, 4:03 am
accessing HKCU of network service account December 21, 2005, 4:23 pm
Is NETWORK SERVICE Member of Users Group? March 12, 2007, 4:39 pm
Boot Volume NTFS Permissions for Network Service July 3, 2006, 10:45 pm
SCEP - Network Device Enrollment Service on Windows 2008 Standard March 31, 2008, 10:32 am
Howto : programatically give NTAUTHORIRTY\Network Service account write permission on a directory August 4, 2005, 9:38 pm
Getting Access is Denied March 2, 2006, 6:30 pm
DRA and access denied September 28, 2006, 10:13 am

Our other projects:

Art Dolls, Fairies and Mermaids - Sunnyfaces.net

Roy's Linux, Programming and Search Engines messages

1-Script XML SitemapXML Sitemap