
I am an ASP and IIS noob. I live in a Linux terminal, so this has been a steep learning curve...

I have a C# Web API written in .NET 4.6. The Web API communicates with a 3rd-party SOAP web service which requires SOAP requests to be signed using an X509 certificate using the WSE 2.0 standard. This all works on my local dev machine without an issue.

I deployed the application to an AWS Elastic Beanstalk environment, using IIS 10 and Windows Server 2016 Datacenter. The Web API does not work for any functions that need to access the certificate. All other URLs work fine.

I have imported the Certificate to the Local Computer Certificate Store. This is a simple case where I have not configured the correct permissions.

How do I check that IIS has access to the required cert, and what user do I need to add to the cert to provide the correct access for IIS apps?

I have done the following with no luck:
- Installed VS 2017 on the server and successfully ran a console app to test whether the WSE 2.0 DLLs were the issue. Worked fine.
- Added Read access to IIS_IUSRS on the private keys for the cert in MMC
- Added Read access to IUSER on the private keys for the cert in MMC
- Added Read access to "IIS APPPOOL\DefaultAppPool" on the private keys for the cert in MMC
- Modified the RSA folder permissions in the Programs Data Crypto directory (I don't remember the exact path), which ended up breaking the system

LorneCurrie
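The two things the question asks for, how to check which account can read the key and which account to add, can be verified from the file ACL rather than by trial and error in MMC. Under Windows, a Local Computer certificate's private key is a file in ProgramData\Microsoft\Crypto, and the IIS worker process runs as the virtual account "IIS AppPool\<pool name>". The following PowerShell script is an added example (not from the original question or its answers) that locates the certificate in Local Computer\Personal, resolves its key file, reports the ACL, and with -Fix grants that identity Read only. The subject text 'my-soap-client' and the pool name 'DefaultAppPool' are placeholders; run it from an elevated prompt on the IIS server.

```powershell
# Added example, not part of the original post: check whether an IIS application pool
# identity can read a certificate's private key, and optionally grant Read.
# Assumptions (placeholders, replace with your own): the cert is matched by the subject text
# 'my-soap-client' and the pool is 'DefaultAppPool'. Run from an elevated Windows PowerShell
# prompt on the IIS server.
param(
    [string]$Subject = 'my-soap-client',
    [string]$AppPool = 'DefaultAppPool',
    [switch]$Fix
)

$identity = "IIS AppPool\$AppPool"   # the virtual account the worker process runs as

# 1. Locate the certificate in Local Computer\Personal (Cert:\LocalMachine\My)
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "*$Subject*" } |
    Select-Object -First 1
if (-not $cert) { throw "No certificate matching '$Subject' in LocalMachine\My" }
if (-not $cert.HasPrivateKey) { throw "$($cert.Thumbprint) has no private key; import the PFX, not just the .cer" }

# 2. Resolve the key container file. Legacy CSP keys (what CAPI-based WSE 2.0 expects) live under
#    ProgramData\Microsoft\Crypto\RSA\MachineKeys; CNG keys live under ProgramData\Microsoft\Crypto\Keys.
$keyFile = $null
try {
    $csp = $cert.PrivateKey          # throws for CNG-only keys on .NET Framework
    if ($csp -and $csp.CspKeyContainerInfo) {
        $keyFile = Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$($csp.CspKeyContainerInfo.UniqueKeyContainerName)"
    }
} catch {
    try {
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
        if ($rsa -is [System.Security.Cryptography.RSACng]) {
            $keyFile = Join-Path $env:ProgramData "Microsoft\Crypto\Keys\$($rsa.Key.UniqueName)"
        }
    } catch { }
}
if (-not $keyFile -or -not (Test-Path $keyFile)) {
    throw "Could not locate the private key file for $($cert.Thumbprint); are you running elevated?"
}

# 3. Check the file ACL. Read is all a signer needs; the pool identity is a member of
#    BUILTIN\IIS_IUSRS by default, so a grant to that group counts as well.
$readBits = [System.Security.AccessControl.FileSystemRights]::Read
$acl = Get-Acl -Path $keyFile
$acl.Access | Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
$hasRead = @($acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    ($_.IdentityReference.Value -eq $identity -or $_.IdentityReference.Value -eq 'BUILTIN\IIS_IUSRS') -and
    (($_.FileSystemRights -band $readBits) -eq $readBits)
}).Count -gt 0

if ($hasRead) {
    Write-Host "$identity can read the private key of $($cert.Thumbprint) ($keyFile)"
} elseif ($Fix) {
    # Grant Read only, not Full Control: the worker process needs to use the key, not manage it
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($identity, 'Read', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $keyFile -AclObject $acl
    Write-Host "Granted Read on $keyFile to $identity"
} else {
    Write-Warning "$identity has no Read access to $keyFile; re-run with -Fix to grant it"
}
```

Usage: `.\Check-KeyAccess.ps1 -Subject 'my-soap-client' -AppPool 'DefaultAppPool'` prints the ACL and a verdict; add `-Fix` to add the Read ACE. Granting Read to the specific pool identity is preferable to widening permissions on IIS_IUSRS or on the MachineKeys folder itself, which affects every key on the machine (and is what broke the system in the last bullet above).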
  • How do you confirm that it's a permission issue? Do you have the errors logged? – Chetan Jan 15 '19 at 02:22
  • I successfully ran a sample of code as administrator to rule out any issue with DLL's or my code. – LorneCurrie Jan 15 '19 at 02:41
  • I suggest you could try adding "IIS AppPool\AppPoolName" with Full Trust on the certificate in "Local Computer\Personal" in the Certificates MMC. Replace "AppPoolName" with the name of your application pool. – Brando Zhang Jan 15 '19 at 05:57
    “I have imported the Certificate to the Local Computer Certificate Store.” The Local Computer has several stores, so which store did you install it to? – Lex Li Jan 16 '19 at 05:12
  • I put the certs into the Personal store in Local Machine. You need to add the IIS AppPool\DefaultAppPool user (or whichever app pool user you use) to the private key permissions. @Brando Zhang's comment is correct. – LorneCurrie Jan 16 '19 at 21:55

1 Answer


So I managed to work this out. It turns out that the WSE 2.0 X509CertificateStore does not play nicely with the Windows Server 2016 cert manager via IIS. I had to use the newer System.Security.Cryptography.X509Certificates.X509Store class to access the cert, then convert the X509Certificate2 to a Microsoft.Web.Services2 X509Certificate. Code below:

using System;
using System.Security.Cryptography.X509Certificates;

// Open Local Computer\Personal ("My") read-only; this is the store the cert was imported into
X509Store store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
store.Open(OpenFlags.ReadOnly);
// validOnly = false so an expired or untrusted-chain cert is still returned; subject is the CN to look up
X509Certificate2Collection results =
    store.Certificates.Find(X509FindType.FindBySubjectName, subject, false);
store.Close();
if (results.Count == 0)
    throw new InvalidOperationException("Certificate not found in LocalMachine\\My: " + subject);
X509Certificate2 cert2 = results[0];
// WSE 2.0 wants its own X509Certificate type; build it from the DER-encoded certificate
Microsoft.Web.Services2.Security.X509.X509Certificate wseCert =
    new Microsoft.Web.Services2.Security.X509.X509Certificate(cert2.Export(X509ContentType.Cert));
LorneCurrie
  • WSE usage is a red flag. It is not clear whether Microsoft still supports WSE 3.0 (it urged users to migrate to WCF https://learn.microsoft.com/en-us/dotnet/framework/wcf/feature-details/migrating-wse-3-0-web-services-to-wcf but WCF is also on its way out), and you are still using WSE 2.0. – Lex Li Jan 16 '19 at 17:30
  • The service we need to integrate with is based on WSE 2.0. If we wanted to use SOAP UI, it had to be version 3.0, which I was using in 2009... They are in no hurry to update the system. – LorneCurrie Jan 16 '19 at 21:52