IIS 10 Application permissions to access a Cert in Certificate Manager

I am an ASP and IIS noob. I live in a Linux terminal, so this has been a steep learning curve...

I have a C# Web API written in .Net 4.6. The Web API communicates with a 3rd Party SOAP Web Service which requires SOAP requests to be signed using an X509 certificate using the WSE 2.0 standard. This all works on my local dev machine without an issue.

I deployed the application to an AWS Elastic Beanstalk Env, using IIS 10 and Windows Server 2016 Data Center. The Web API does not work for any functions that need to access the Certificate. All other URLs work fine.

I have imported the Certificate to the Local Computer Certificate Store. This is a simple case where I have not configured the correct permissions.

How do I check that IIS has access to the required Cert, and what user do I need to add to the Cert to provide the correct access for IIS Apps?

I have done the following with no luck:
- Installed VS 2017 on the server and successfully ran a console app to test if the WSE 2.0 DLLs were the issue. Worked fine.
- Added Read access for IIS_IUSRS on the private keys for the Cert in MMC
- Added Read access for IUSER on the private keys for the Cert in MMC
- Added Read access for "IIS APPPOOL\DefaultAppPool" on the private keys for the Cert in MMC
- Modified the RSA folder permission in the ProgramData Crypto directory (don't remember the exact path), which ended up breaking the system
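The question above asks how to verify that the IIS application pool identity can actually read the certificate's private key. The following PowerShell is an added example (not from the original poster or any answer): it finds a certificate in `LocalMachine\My` by subject CN, resolves the file under `%ProgramData%\Microsoft\Crypto` that holds its private key (CAPI or CNG software keys), reports whether a given identity has an Allow ACE with at least Read, and offers the `Set-Acl` equivalent of the MMC "Manage Private Keys" step. The subject name `example-signing-cert` and the pool name `DefaultAppPool` are placeholders; it assumes an RSA key from a Microsoft software provider and an elevated session.

```powershell
# Added example, not from the original post. Checks and (optionally) grants read
# access to a certificate's private key file for an IIS app pool identity.
# Assumptions: RSA key stored by a Microsoft software provider (CAPI or CNG),
# certificate in LocalMachine\My, elevated PowerShell on the IIS server.

function Get-PrivateKeyFilePath {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )

    if (-not $Certificate.HasPrivateKey) {
        throw "Certificate $($Certificate.Thumbprint) has no private key in this store."
    }

    # Legacy CAPI keys: the CSP container name is the file name under RSA\MachineKeys.
    # Reading .PrivateKey throws for CNG-stored keys, so fall through on error.
    try {
        $capi = $Certificate.PrivateKey
        if ($capi -and $capi.CspKeyContainerInfo) {
            $name = $capi.CspKeyContainerInfo.UniqueKeyContainerName
            return Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$name"
        }
    } catch { }

    # CNG keys (Microsoft Software Key Storage Provider): UniqueName is the key file
    # under Crypto\Keys (or already an absolute path).
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Certificate)
    if ($rsa -is [System.Security.Cryptography.RSACng]) {
        $name = $rsa.Key.UniqueName
        if ([System.IO.Path]::IsPathRooted($name)) { return $name }
        return Join-Path $env:ProgramData "Microsoft\Crypto\Keys\$name"
    }

    throw "Cannot resolve the private key file for $($Certificate.Thumbprint)."
}

function Test-PrivateKeyReadAccess {
    param(
        [Parameter(Mandatory)][string]$SubjectName,
        # App pool identities are virtual accounts named IIS AppPool\<pool name>.
        [string]$Identity = 'IIS AppPool\DefaultAppPool'
    )

    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "*CN=$SubjectName*" } |
        Select-Object -First 1
    if (-not $cert) { throw "No certificate with CN=$SubjectName in LocalMachine\My." }

    $keyPath = Get-PrivateKeyFilePath -Certificate $cert
    $acl     = Get-Acl -Path $keyPath
    $read    = [System.Security.AccessControl.FileSystemRights]::Read

    # The identity can use the key if some Allow ACE contains all of the Read bits
    # (FullControl and Modify both include them). -eq is case-insensitive here.
    $granted = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -eq $Identity -and
        (($_.FileSystemRights -band $read) -eq $read)
    }

    [pscustomobject]@{
        Thumbprint = $cert.Thumbprint
        KeyFile    = $keyPath
        Identity   = $Identity
        HasRead    = [bool]$granted
        # Full ACL, so you can see who else (e.g. IIS_IUSRS) already has access.
        Access     = $acl.Access | Select-Object IdentityReference, FileSystemRights, AccessControlType
    }
}

function Grant-PrivateKeyReadAccess {
    param(
        [Parameter(Mandatory)][string]$KeyFile,
        [Parameter(Mandatory)][string]$Identity
    )
    # Same effect as "All Tasks > Manage Private Keys... > Add > Read" in the MMC snap-in;
    # Read is enough for signing, so do not hand the pool Modify or FullControl.
    $acl  = Get-Acl -Path $KeyFile
    $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $Identity, 'Read', 'Allow'
    $acl.AddAccessRule($rule)
    Set-Acl -Path $KeyFile -AclObject $acl
}

# Usage: 'example-signing-cert' is a placeholder for the CN of the signing certificate.
$result = Test-PrivateKeyReadAccess -SubjectName 'example-signing-cert'
$result | Format-List
if (-not $result.HasRead) {
    Grant-PrivateKeyReadAccess -KeyFile $result.KeyFile -Identity $result.Identity
}
```

If `HasRead` is already true for the pool identity (as it was for the poster after the MMC changes), the permission layer is not the problem and the fault lies in the code path that opens the certificate, which is what the accepted answer below found.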

So I managed to work this out. Turns out that WSE 2.0 X509CertificateStore does not play nice with Windows Server 2016 Cert Manager via IIS. I had to use the newer System.Security.Cryptography.X509Certificates X509Store class to access the Cert, then convert an X509Certificate2 to a Microsoft.Web.Services2 X509Certificate. Code below:

using System.Security.Cryptography.X509Certificates;

// Open the LocalMachine\My store read-only and look the cert up by subject name.
// 'subject' is the subject CN to match, supplied by the caller.
X509Store store = new X509Store(StoreLocation.LocalMachine);
store.Open(OpenFlags.ReadOnly);
X509Certificate2Collection results =
    store.Certificates.Find(X509FindType.FindBySubjectName, subject, false);
store.Close();
if (results.Count == 0)
    throw new InvalidOperationException("Certificate not found: " + subject);
X509Certificate2 cert = results[0];

// Hand WSE 2.0 a certificate built from the exported DER bytes
// (separate variable name: the original snippet declared 'cert' twice).
Microsoft.Web.Services2.Security.X509.X509Certificate wseCert =
    new Microsoft.Web.Services2.Security.X509.X509Certificate(cert.Export(X509ContentType.Cert));
