Access to local machine store

Niels Thrane

Guest
Hi,

I have a payment system where my web server receives credit card numbers securely (via HTTPS) from customers. In order to settle the amount that the customer owes I have to make an SSL connection to a payment gateway. That second SSL connection needs to be two-way authenticated (the remote server needs to know my identity).

I'm using the following C# code to do that:

using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

// Open the LocalMachine "My" (Personal) store; OpenExistingOnly fails instead of creating the store
X509Store store = new X509Store(StoreLocation.LocalMachine);
store.Open(OpenFlags.OpenExistingOnly);

// Only currently valid certificates (validOnly = true) whose subject matches
X509Certificate2Collection validCerts =
    store.Certificates.Find(X509FindType.FindBySubjectName, "mycertname", true);
store.Close();

//ssl is my SslStream object
// The collection supplies the client certificate (and its private key) for the
// two-way handshake; the last argument enables revocation checking of the server certificate
ssl.AuthenticateAsClient("server-cert-name", validCerts,
    System.Security.Authentication.SslProtocols.Ssl3, true);

This seems to work just fine when I test it under my (admin) account. However, it doesn't work when I run the code under IIS. The error I'm getting is "The credentials supplied to the package were not recognized". I guess the reason is that one needs admin rights to access the local machine store where my SSL certificate is stored. I don't want to run IIS under an admin account so the best solution would probably be to allow the "Network Service" account access to the certificate.

I have found two ways of doing that: I can use the winhttpcertcfg tool OR I can find the certificate file in the file system and grant read access to "network service". I can't install winhttpcertcfg on the system for regulatory reasons and messing with the (undocumented?) file structure seems like a major hack.

In short, what is the best way of allowing my code to authenticate itself as coming from my machine while running under the "network service" account?

Best regards,

Niels
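One way to carry out the second option without installing winhttpcertcfg or guessing at file names, as an added example that is not part of the original post: a PowerShell script that locates the certificate with the same X509Store/Find call the C# code uses, asks the .NET certificate API for the private key's container file, and grants the service account Read on that file only. The subject name "mycertname", the account name, and the CSP MachineKeys location are assumptions matching the post's scenario; the script must be run from an elevated prompt.

```powershell
# Added example, not from the original post: grant the IIS worker identity read access to
# the private key of a LocalMachine certificate. The key file is resolved through the .NET
# certificate API rather than by hand-picking a file under MachineKeys.
# Assumptions: the subject "mycertname" and the account name are placeholders, the key is a
# CAPI (CSP) key as in the poster's scenario, and the script runs from an elevated prompt.
param(
    [string]$SubjectName = "mycertname",
    [string]$Account     = "NT AUTHORITY\NETWORK SERVICE"
)

$storeName = [System.Security.Cryptography.X509Certificates.StoreName]::My
$storeLoc  = [System.Security.Cryptography.X509Certificates.StoreLocation]::LocalMachine
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store($storeName, $storeLoc)
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)
try {
    # Same lookup the C# code performs: valid certificates only, matched by subject name.
    $certs = $store.Certificates.Find(
        [System.Security.Cryptography.X509Certificates.X509FindType]::FindBySubjectName,
        $SubjectName, $true)
    if ($certs.Count -eq 0) { throw "No valid certificate with subject '$SubjectName' in LocalMachine\My." }
    $cert = $certs[0]
    if (-not $cert.HasPrivateKey) { throw "Certificate $($cert.Thumbprint) has no private key in this store." }

    # A CSP key reports its container file name. PrivateKey throws for CNG keys, and a key that
    # lives in a user profile cannot be shared this way, so both cases stop here with an error
    # instead of a guessed path.
    $info = $cert.PrivateKey.CspKeyContainerInfo
    if (-not $info.MachineKeyStore) { throw "Private key is in a user key store, not the machine key store." }
    $keyDir  = Join-Path ([Environment]::GetFolderPath('CommonApplicationData')) 'Microsoft\Crypto\RSA\MachineKeys'
    $keyPath = Join-Path $keyDir $info.UniqueKeyContainerName
    if (-not (Test-Path $keyPath)) { throw "Key container file not found: $keyPath" }

    # Grant Read only: the worker process needs to use the key, not export or replace it.
    $acl  = Get-Acl -Path $keyPath
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Account,
        [System.Security.AccessControl.FileSystemRights]::Read,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($rule)
    Set-Acl -Path $keyPath -AclObject $acl

    # Show the resulting entries so the change can be reviewed (and reverted if needed).
    (Get-Acl -Path $keyPath).Access |
        Where-Object { $_.IdentityReference.Value -eq $Account } |
        Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
}
finally {
    $store.Close()
}
```

Read on the key container file is what the handshake needs; write or full control is not required. If the application pool runs as a virtual account on IIS 7 or later ("IIS AppPool\<pool name>"), pass that name as -Account instead of Network Service. Because the script checks MachineKeyStore and the file's existence before changing anything, a certificate that was imported into a user profile, or one backed by a CNG key, is reported rather than silently left with the wrong ACL.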

 