Troubleshooting
Digital Certificates Rejected
Giving ASP.net Access to the Certificate Store
The POST may be failing because the certificate was not attached to the request. This is commonly because the account the web application runs under lacks the permissions WSE needs to sign or decrypt with the X.509 certificate's private key.
WSE must be able to read the X.509 private key from the local computer certificate store. By default, only the owner of the key and the System account can access a certificate's private key. The ASP.NET worker process does not run as either: on IIS 5 (Windows 2000/XP) it runs under the local ASPNET account, and on IIS 6 (Windows Server 2003) under NETWORK SERVICE, and neither account has access to the private key by default.
Resolution Steps – Windows Explorer
To give the ASP.NET account access to the private key, grant the account under which ASP.NET is running access to the files that hold the keys WSE will need to retrieve, in the following folder. Read access is sufficient for signing and decrypting; Full Control is more than WSE needs and would let the worker process delete or replace the key files, so grant it only if Read proves insufficient in your environment.
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys
On IIS 5, the account the ASP.NET worker process runs under is controlled by the <processModel> element in Machine.config. On IIS 6 in worker process isolation mode that element is ignored and the identity comes from the application pool instead.
- Set the userName attribute of the <processModel> element to specify the account ASP.NET runs under.
- By default, the userName attribute is set to the special value machine, which maps to the low-privileged ASPNET account created when the .NET Framework is installed.
- Open Windows Explorer.
- Navigate to the C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys folder.
- Select the files containing the keys that WSE will need to retrieve.
- From the File menu, select Properties.
- On the Security tab, add the ASP.NET account and grant it Read (Full Control is not needed for signing or decrypting).
Determining which key file in the MachineKeys folder belongs to a certificate can be difficult. One easy method is to note the date and time when you create a new certificate and then look for a file in MachineKeys whose Date Modified matches. More reliably, the file name is the certificate's unique key container name, which can be read from the private key properties of the certificate in the store.
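The whole procedure above (find the key file that backs the certificate, grant the worker-process account access, confirm the ACE landed) as a PowerShell script. This is an added example, not part of the original page or of WSE; the thumbprint and account name are placeholders, and the script only handles CAPI RSA keys, which is what the MachineKeys folder holds.

```powershell
# Added example (not from the original page): locate the MachineKeys file behind a
# certificate's private key and give the ASP.NET worker-process account Read access.
# $Thumbprint and $Account are assumed placeholders; adjust both for your server.
param(
    [string]$Thumbprint = '0000000000000000000000000000000000000000',  # assumed; your cert's thumbprint
    [string]$Account    = 'NT AUTHORITY\NETWORK SERVICE'               # IIS 6 default; "$env:COMPUTERNAME\ASPNET" on IIS 5
)

# 1. Locate the certificate in the local computer store.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) { throw "No certificate with thumbprint $Thumbprint in LocalMachine\My" }
if (-not $cert.HasPrivateKey) { throw "Certificate has no private key; WSE cannot sign or decrypt with it" }

# 2. For CAPI RSA keys the unique key container name is the file name under MachineKeys.
#    CNG keys are stored elsewhere and are not covered here.
try {
    $rsa = $cert.PrivateKey -as [System.Security.Cryptography.RSACryptoServiceProvider]
} catch {
    throw "Cannot open the private key as a CAPI key: $_"
}
if (-not $rsa) { throw "Private key is not a CAPI RSA key; cannot map it to a MachineKeys file" }
$container = $rsa.CspKeyContainerInfo.UniqueKeyContainerName

# CommonApplicationData is "C:\Documents and Settings\All Users\Application Data" on
# Windows 2000/XP/2003 and "C:\ProgramData" on later versions.
$keyDir  = Join-Path ([Environment]::GetFolderPath('CommonApplicationData')) 'Microsoft\Crypto\RSA\MachineKeys'
$keyFile = Join-Path $keyDir $container
if (-not (Test-Path $keyFile)) { throw "Expected key file not found: $keyFile" }
Write-Host "Private key file: $keyFile"

# 3. Show the current ACL, then add a Read ACE for the worker-process account.
#    Read is enough for signing and decryption; Full Control is not required.
(Get-Acl $keyFile).Access |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize

$acl  = Get-Acl $keyFile
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $Account, 'Read', 'Allow'
$acl.AddAccessRule($rule)
Set-Acl -Path $keyFile -AclObject $acl

# 4. Verify the ACE is present before restarting the application (or the app pool on IIS 6).
$granted = (Get-Acl $keyFile).Access |
    Where-Object { $_.IdentityReference.Value -eq $Account -and $_.FileSystemRights -match 'Read' }
if (-not $granted) { throw "ACL update did not take effect for $Account" }
Write-Host "$Account can now read $keyFile"
```

Run it from an elevated prompt as a member of Administrators, since the key files are owned by SYSTEM/Administrators. If step 2 throws, the certificate was imported with a CNG provider; WSE (which uses CAPI) cannot use such a key, and the certificate has to be re-imported with a CAPI provider before any ACL change will help.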
Resolution Steps – WinHttpCertCfg.exe
If the previous steps do not resolve the issue, use the WinHttpCertCfg.exe tool from Microsoft. It configures client-certificate permissions in any certificate store that can be accessed by the Internet Server Web Application Manager (IWAM) account.
In this case, use it to grant the worker-process account access to the certificate's private key, so that the WSE X509CertificateStore lookup can use the certificate from the local computer store.
- WinHttpCertCfg.exe is a Microsoft resource kit tool; see the documentation at http://msdn.microsoft.com/en-us/library/aa384088.aspx.
- Download and install winhttpcertcfg.exe.
- Follow the documentation to grant private key access to the account ASP.NET runs under: ASPNET on IIS 5, NETWORK SERVICE on IIS 6. Grant both if you are unsure which applies.
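The tool-based resolution as a list, grant, re-list sequence, so you can see which accounts hold access before and after the change. This is an added example rather than text from the original page; the certificate subject substring and the account name are placeholders, and the tool is assumed to be on the PATH.

```powershell
# Added example (not from the original page): check and grant private-key access
# with WinHttpCertCfg.exe. $subject and $account are assumed placeholders.
$subject = 'WSE Service Cert'                 # assumed; -s matches a substring of the certificate subject
$account = 'NT AUTHORITY\NETWORK SERVICE'     # IIS 6 default; use 'ASPNET' on IIS 5

# List the accounts that can currently use the private key (the check to run first:
# if the worker-process account is already listed, the problem is elsewhere).
& winhttpcertcfg.exe -l -c LOCAL_MACHINE\My -s $subject

# Grant the worker-process account access to the private key.
& winhttpcertcfg.exe -g -c LOCAL_MACHINE\My -s $subject -a $account

# Re-list to confirm the account now appears, then restart the application.
& winhttpcertcfg.exe -l -c LOCAL_MACHINE\My -s $subject

# To take the access away again once it is no longer needed:
# & winhttpcertcfg.exe -r -c LOCAL_MACHINE\My -s $subject -a $account
```

Because -s matches a substring of the subject, pick a string that identifies only the intended certificate; otherwise the grant is applied to every certificate whose subject contains it.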