
List:       ms-cryptoapi
Subject:    Re: IUSR_XXX permissions !! Urgent !
From:       Rodolfo Lomascolo <r.lomascolo@mail.ips.es>
Date:       2001-08-22 22:44:58


We had the same problems with crypto functions from ASPs in the past and
solved them in a way similar to this (our solution doesn't expose the user
and password in the ASP; it is in the DLL code, or could be in the
registry and read from the DLL): impersonating a user, executing the code,
and then going back to the IIS user.

Extracted from Q248187 (can be found at the Microsoft web site)

HOWTO: Impersonate a User from Active Server Pages

By default, ASP runs in the security context of the impersonated user.
When a request for an ASP file is made, the Web server utilizes a worker
thread and sets the security context of that thread to an impersonated
user. The Internet Information Server (IIS) authentication method
(Anonymous, Basic, NT Integrated, and so on) determines the impersonated
user. Then, the ASP code runs in the context of that user.

When you impersonate a user, you can resolve the following security
conflicts in your application: 

An application that uses NT Integrated (NTLM) security or Kerberos to
authenticate that needs to access a network resource (such as a file, an
Access database, or a SQL Server) through the Named Pipes protocol.


An application that accesses a network resource from the Session_OnEnd
or Application_OnEnd event.

The Session_OnEnd and Application_OnEnd events run with the identity of
the process. For in-process or Low application protection applications,
this is the SYSTEM user ID, and the process is the Inetinfo.exe file.
Rather than impersonating, you can run in a separate memory process or
with High (isolated) application protection and set the identity of the
Microsoft Transaction Server (MTS) package or COM+ application to the
desired user ID.


An application that supports multiple users who are connecting to the
WinNT:// namespace through Microsoft Active Directory Services Interface
(ADSI).

These connections are cached with the security credentials of the first
user that opens the connection. Impersonating ensures that a single user
opens the connection; as a result, that user's credentials match the
cached credentials.

*****************************************************
* Rodolfo Lomascolo Szittyay                        *
* mailto: r.lomascolo@mail.ips.es                   *
* IPS http://www.ips.es                             *
* ipsCA http://www.ipsca.com                        *
* Madrid-Spain                                      *
* Phone: 91.640.20.52 / 609.30.25.13                *
***************************************************** 
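As an added example (not code from either message or from Q248187), here is the quoted store-open / find / sign sequence from the original post wrapped in LogonUser / ImpersonateLoggedOnUser / RevertToSelf, so the signing runs as a dedicated low-privilege account that can read the private key instead of IUSR_<machine>. It assumes a wincrypt.h translation unit (WCrypt2 here) for the CryptoAPI declarations and constants; User, Domain, Password, StoreName and SubjectStr are caller-supplied and hypothetical.

```delphi
// Assumes: uses Windows, WCrypt2 (a wincrypt.h translation; assumption).
function SignAsUser(const User, Domain, Password: string;
  const StoreName, SubjectStr: WideString; pData: PByte; cbData: DWORD;
  out pSigned: PByte; out cbSigned: DWORD): Boolean;
var
  hToken: THandle;
  hStore: HCERTSTORE;
  pCert: PCCERT_CONTEXT;
  Para: CRYPT_SIGN_MESSAGE_PARA;
begin
  Result := False; pSigned := nil; cbSigned := 0;
  // Credentials are read from the DLL or a protected registry value,
  // as the reply suggests, never embedded in the ASP page itself.
  if not LogonUser(PChar(User), PChar(Domain), PChar(Password),
       LOGON32_LOGON_INTERACTIVE, LOGON32_PROVIDER_DEFAULT, hToken) then
    Exit;
  try
    if not ImpersonateLoggedOnUser(hToken) then Exit;
    try
      // Same lookup as the quoted code, now done while impersonating the
      // account that has access to the certificate's private key.
      hStore := CertOpenStore(CERT_STORE_PROV_SYSTEM,
        X509_ASN_ENCODING or PKCS_7_ASN_ENCODING, 0,
        CERT_SYSTEM_STORE_LOCAL_MACHINE, PWideChar(StoreName));
      if hStore = nil then Exit;
      try
        pCert := CertFindCertificateInStore(hStore,
          X509_ASN_ENCODING or PKCS_7_ASN_ENCODING, 0,
          CERT_FIND_SUBJECT_STR, PWideChar(SubjectStr), nil);
        if pCert = nil then Exit;
        try
          ZeroMemory(@Para, SizeOf(Para));
          Para.cbSize := SizeOf(Para);
          Para.dwMsgEncodingType := X509_ASN_ENCODING or PKCS_7_ASN_ENCODING;
          Para.pSigningCert := pCert;
          Para.HashAlgorithm.pszObjId := szOID_OIWSEC_sha1; // SHA-1, not MD5
          Para.cMsgCert := 1;
          Para.rgpMsgCert := @pCert;
          // First call sizes the output buffer, second call fills it.
          if not CryptSignMessage(@Para, False, 1, @pData, @cbData, nil, @cbSigned) then Exit;
          GetMem(pSigned, cbSigned);
          Result := CryptSignMessage(@Para, False, 1, @pData, @cbData, pSigned, @cbSigned);
          if not Result then begin FreeMem(pSigned); pSigned := nil; end;
        finally CertFreeCertificateContext(pCert); end;
      finally CertCloseStore(hStore, 0); end;
    finally RevertToSelf; end;   // always return to the IIS thread identity
  finally CloseHandle(hToken); end;
end;
```

On Windows 2000 the process calling LogonUser needs the "Act as part of the operating system" (SE_TCB_NAME) privilege, which Inetinfo.exe has as SYSTEM but an isolated package's own identity must be granted explicitly. The account used for impersonation should hold nothing beyond read access to that key container.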

-----Original Message-----
From: Microsoft Cryptographic API [mailto:CryptoAPI@DISCUSS.MICROSOFT.COM]
On behalf of: Antonio Cesa da Silveira Jr.
Sent: Wednesday, August 22, 2001 18:48
To: CryptoAPI@DISCUSS.MICROSOFT.COM
Subject: IUSR_XXX permissions !! Urgent !


Hello, I am sending this mail again, because I still have not gotten a
response from the cryptoAPI discussion list... Please help me.

  I have a self-signed certificate in the cert store under
HKEY_LOCAL_MACHINE, created via makecert, and a COM object that uses it
to sign data over ASP (IIS / Win2000). A similar simple desktop
application works fine, gets the certificate and signs data, but the COM
object does not !!

 I have read that this is a problem with IUSR_<machine> user permissions, but I
don't know how to set it up correctly. Does somebody know how? Could you send me
the code for this?

I am getting CRYPT_E_NO_KEY_PROPERTY on the first call to
CryptSignMessage, but the certificate has a private key associated with
it (I can sign in the desktop application!). Set its property? Why?
If there is a private key ...


I don't know what else to do ...

My code (Delphi):
//********************************
  // Open the machine-wide system store (name_location is the store name).
  hSystemStoreHandle := CertOpenStore(
    CERT_STORE_PROV_SYSTEM,
    X509_ASN_ENCODING or PKCS_7_ASN_ENCODING,
    0,                                 // Use default cryptographic provider
    CERT_SYSTEM_STORE_LOCAL_MACHINE,
    name_location);

  if (hSystemStoreHandle = nil) then
  begin
    // ... error handling
  end;

  // Locate the signing certificate by subject string.
  pSignerCert := CertFindCertificateInStore(
    hSystemStoreHandle,
    X509_ASN_ENCODING or PKCS_7_ASN_ENCODING,
    0,
    CERT_FIND_SUBJECT_STR,
    certficate_name,
    nil);

  if (pSignerCert = nil) then
  begin
    // ... error handling
  end;

  // Fill in the signing parameters.
  ZeroMemory(@SignMessagePara, SizeOf(SignMessagePara));
  SignMessagePara.cbSize := SizeOf(CRYPT_SIGN_MESSAGE_PARA);
  SignMessagePara.HashAlgorithm.pszObjId := szOID_RSA_MD5;
  SignMessagePara.pSigningCert := pSignerCert;
  SignMessagePara.dwMsgEncodingType := X509_ASN_ENCODING or PKCS_7_ASN_ENCODING;
  SignMessagePara.cMsgCert := 1;
  SignMessagePara.rgpMsgCert := @pSignerCert;

  // In two steps, sign and encode the message.
  // First, get the number of bytes required for the buffer
  // to hold the signed and encoded message.
  if not CryptSignMessage(
    @SignMessagePara,
    false,
    1,
    @mensagemArray,
    @tamanhoArray,
    nil,
    tamAssinado) then
  begin
    // HERE I get error !!
  end;
//********************************

Thanks in advance...

----------------------------------------------------------------
Users Guide http://discuss.microsoft.com/archives/mailfaq.asp
contains important info. Save time, search the archives at
http://discuss.microsoft.com/archives/index.html . To unsubscribe,
mailto:CryptoAPI-signoff-request@DISCUSS.MICROSOFT.COM

