
winhttpcertcfg giving access to IIS user in Windows 7

I need to give access to the IIS user to a pfx certificate. The website is running under the App Pool under some user AppPoolUser. IIS automatically has the user name "IIS APPPOOL\AppPoolUser" and this is what we need to give access when we use aspnet_regiis -ga.

However, when I use winhttpcertcfg to give access to the user "IIS APPPOOL\AppPoolUser", it says "No account information was found".

The command I use is

winhttpcertcfg -i <filename> -c <certificateLocation> -g -a <account name>

Didn't find any samples for this over the web. Any ideas?

bkhanal asked Nov 05 '09 05:11



1 Answer

I know it's an old question, but I just had the same problem yesterday so I thought I'd answer.

I had the same problem but with a certificate located in the LocalMachine -> TrustedPeople store...

You have to use icacls instead of WinHttpCertCfg, taken from this link.

Basically, it should look like this:

ICACLS <filename> /grant "IIS AppPool\DefaultAppPool":R

For the sake of completion, here is how I needed to do it to access the "Trusted People" store. Taken in part from this link.

  1. Use the FindPrivateKey tool from Microsoft to locate the actual file for the cert in the store. This tool must be compiled from the source code in .\WF_WCF_Samples\WCF\Setup\FindPrivateKey\CS from the Windows Communication Foundation (WCF) and Windows Workflow Foundation (WF) Samples for .NET Framework 4 download.

    FindPrivateKey.exe TrustedPeople LocalMachine -t "<thumbprint of the SSL cert>"
    
  2. Use icacls on the file given by FindPrivateKey.

    icacls C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\<path to certificate> /grant "IIS AppPool\<your AppPool name>":R
    

Voilà!

dstj answered Sep 17 '22 16:09
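
The two steps from the answer above (find the key file for a thumbprint, then grant the app pool identity read access), written as one PowerShell script. This is an added example, not part of the original answer; it goes slightly beyond it by also checking the CNG key folder, and it assumes an RSA key in a LocalMachine store, an elevated session and .NET Framework 4.6 or later. The parameter names are illustrative.

```powershell
# Added example. Run elevated; the thumbprint and pool name are yours to supply.
param(
    [Parameter(Mandatory)] [string] $Thumbprint,
    [string] $StoreName   = 'TrustedPeople',
    [string] $AppPoolName = 'DefaultAppPool'
)

$cert = Get-Item -Path "Cert:\LocalMachine\$StoreName\$Thumbprint" -ErrorAction Stop
if (-not $cert.HasPrivateKey) { throw "Certificate $Thumbprint has no private key." }

# CSP (legacy) keys are files under Crypto\RSA\MachineKeys, CNG keys under Crypto\Keys.
$keyDirs = @(
    (Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys'),
    (Join-Path $env:ProgramData 'Microsoft\Crypto\Keys')
)
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
    $keyName = $rsa.CspKeyContainerInfo.UniqueKeyContainerName
} elseif ($rsa -is [System.Security.Cryptography.RSACng]) {
    $keyName = $rsa.Key.UniqueName
} else {
    throw "No RSA private key could be opened for $Thumbprint."
}
$keyFile = $keyDirs | ForEach-Object { Join-Path $_ $keyName } |
    Where-Object { Test-Path $_ } | Select-Object -First 1
if (-not $keyFile) { throw "Key file '$keyName' not found in the machine key folders." }

# Resolve the virtual account first; Translate() throws if the pool name does not map to a SID.
$identity = New-Object System.Security.Principal.NTAccount("IIS AppPool\$AppPoolName")
$null = $identity.Translate([System.Security.Principal.SecurityIdentifier])

# Grant read only, as with icacls ... :R
$acl  = Get-Acl -Path $keyFile
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($identity, 'Read', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $keyFile -AclObject $acl

# Show who can now read the key so unexpected entries stand out.
(Get-Acl -Path $keyFile).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType
```

Granting the right to the single app pool identity, rather than to a broad group such as IIS_IUSRS, keeps the private key readable only by the one site that needs it.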