
How to grant an account permissions to access a certificate?

I have a certificate in the MSMQ service Personal store and I need to grant the Network Service the permissions to access the certificate.

The only way that I know of to do it is using certutil.exe on Win2008/7, like so:

certutil -service -service -repairstore MSMQ\My "" D:PAI(A;;GA;;;BA)(A;;GA;;;SY)(A;;GR;;;NS)

(thanks to http://blogs.msdn.com/b/gautamm/archive/2010/10/26/https-messaging-with-client-side-certificate-fails-with-iis-error-403.aspx )

However, certutil on Win2003/XP does not recognize the -service parameter, so that is no good.

My question is: how can I do it in a way that works for both Win2003/XP and Win2008/7?

I need a non-interactive approach (command-line utility, script, COM/.NET/Win32 API).

If you just need to set ACL rights on the certificate's private key (which your linked page suggests), I just recently posted an answer here on how I found a way to do that.

Open the X509Store and get the current certificate in hand, and then set the ACL on the private key.

You can use something like this to get the SID of the account needing access (or just use the well-known SID S-1-5-20 if you know it's always Network Service):

using System.Security.Principal;

// The account's authority is "NT AUTHORITY" (with a space); "NT_AUTHORITY" does not resolve.
NTAccount nt = new NTAccount("NT AUTHORITY", "NetworkService");
SecurityIdentifier sid = (SecurityIdentifier)nt.Translate(typeof(SecurityIdentifier));

My other answer has the code that sets the ACL. (Caveat: I've run it on Windows Server 2003 but not XP.)
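The procedure this answer describes (open the store, find the certificate, put an ACE on its private key) written out as a complete .NET program. This is an added example, not the answerer's own code. It assumes a legacy CAPI RSA key (RSACryptoServiceProvider) in the LocalMachine Personal store, which is what .NET's X509Store opens directly; the MSMQ service store from the question is a per-service store that X509Store does not address by name, so opening it would need CertOpenStore with the services location via P/Invoke, which is not shown here. The thumbprint argument and the use of Read rather than Full Control are choices made for the example, matching the GR (generic read) granted to NS in the certutil command above.

```csharp
using System;
using System.IO;
using System.Security.AccessControl;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Security.Principal;

// Added example: grant an account read access to a certificate's private key by
// editing the ACL of the CAPI key container file. Must run elevated, because reading
// cert.PrivateKey requires the caller to already have access to the key.
static class PrivateKeyAcl
{
    // Well-known SID S-1-5-20, NT AUTHORITY\NETWORK SERVICE, as noted in the answer.
    static readonly SecurityIdentifier NetworkService =
        new SecurityIdentifier(WellKnownSidType.NetworkServiceSid, null);

    static void Main(string[] args)
    {
        if (args.Length == 0)
            throw new ArgumentException("usage: PrivateKeyAcl <certificate thumbprint>");
        string thumbprint = args[0];

        // Assumption: LocalMachine\My, not the MSMQ service store from the question.
        X509Store store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            X509Certificate2Collection found =
                store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, false);
            if (found.Count == 0)
                throw new InvalidOperationException("certificate not found: " + thumbprint);
            GrantPrivateKeyRead(found[0], NetworkService);
            Console.WriteLine("Granted Read on " + GetKeyFilePath(found[0]));
        }
        finally
        {
            store.Close();
        }
    }

    // Resolve the on-disk key container for a CAPI machine key. Machine keys live under
    // CommonApplicationData\Microsoft\Crypto\RSA\MachineKeys on both XP/2003
    // ("All Users\Application Data") and Vista+/2008 ("ProgramData").
    public static string GetKeyFilePath(X509Certificate2 cert)
    {
        if (!cert.HasPrivateKey)
            throw new InvalidOperationException("certificate has no private key");
        RSACryptoServiceProvider rsa = cert.PrivateKey as RSACryptoServiceProvider;
        if (rsa == null)
            throw new NotSupportedException("only CAPI RSA keys are handled; CNG keys are stored elsewhere");
        string uniqueName = rsa.CspKeyContainerInfo.UniqueKeyContainerName;
        string dir = Path.Combine(
            Environment.GetFolderPath(Environment.SpecialFolder.CommonApplicationData),
            @"Microsoft\Crypto\RSA\MachineKeys");
        return Path.Combine(dir, uniqueName);
    }

    // Add an Allow ACE for the SID. Read is enough for the account to use the key for
    // signing or decryption; Full Control would also let it export or delete the key.
    public static void GrantPrivateKeyRead(X509Certificate2 cert, SecurityIdentifier sid)
    {
        string path = GetKeyFilePath(cert);
        FileSecurity acl = File.GetAccessControl(path);
        acl.AddAccessRule(new FileSystemAccessRule(sid, FileSystemRights.Read, AccessControlType.Allow));
        File.SetAccessControl(path, acl);
    }
}
```

Because it only touches the key file's DACL, this works the same on 2003 and 2008; the part that differs between the two is locating the file, which Environment.SpecialFolder.CommonApplicationData handles. Verify afterwards with the certutil -repairstore command from the question on 2008, or by inspecting the file's ACL with icacls/cacls on either platform.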

We had a similar problem with a scheduled app that posts to a secured site.

The certificate store was not accessible by the client. The link posted below mentioned managing the certificates from the Windows 2008 R2 MMC snap-in and granting access to the user account in question. We were able to run the scheduled process this way and grant access to the account running the client.

The other solution, via the scheduler, was to grant the highest level of access for the program (SECURITY RISK) and allow it to run as an admin.

Here is the link referenced above: http://msmvps.com/blogs/luisabreu/archive/2010/09/13/grant-access-to-certificate-s-private-key-in-iis-7-5.aspx
