
I am creating a service to get users smartcards in a smartcard-only domain (so I can't pass the user's authentication, since they haven't enrolled a smartcard; I use other authentication methods to authenticate the user). The user then sends me his CSR, but when I try to create the certificate on behalf of the user I get the following error:

"CertEnroll::CX509Enrollment::Enroll: This type of certificate can be issued only to a user.: The specified role was not configured for the application 0x8004e00c (-2147164148 CONTEXT_E_ROLENOTFOUND)"

I created a service account that has access to the Enrollment Agent certificate and created a certificate for that account. I also created a smartcard template that requires an enrollment agent certificate signature to request the certificate on behalf of users, and gave that service account full access to that template as well. The application runs in an IIS application pool that uses that service account as its identity, and I request the certificate using this code (it uses CERTENROLLLib):

// Signer = the enrollment agent certificate; first argument is MachineContext
_cSignerCertificateWrapper.Initialize(true, X509PrivateKeyVerify.VerifyNone, EncodingType.XCN_CRYPT_STRING_BASE64, Convert.ToBase64String(_x509Certificate2Wrapper.RawData));
// Inner request = the PKCS#10 the user sent
var innerRequest = new CX509CertificateRequestPkcs10Class();
innerRequest.InitializeDecode("ContextMachine", EncodingType.XCN_CRYPT_STRING_BINARY);
innerRequest.InitializeDecode(request);

// Wrap it in a CMC request for the template, naming the user and co-signing as the agent
_cx509CertificateRequestCmcWrapper.InitializeFromInnerRequestTemplateName(innerRequest, templateName);
_cx509CertificateRequestCmcWrapper.RequesterName = requesterName;
_cx509CertificateRequestCmcWrapper.SignerCertificate = _cSignerCertificateWrapper.WrappedObject;
_cx509CertificateRequestCmcWrapper.Encode();

_cx509EnrollmentWrapper.InitializeFromRequest(_cx509CertificateRequestCmcWrapper.WrappedObject);

try
{
    _cx509EnrollmentWrapper.Enroll();
}
catch (COMException ex)
{
    // The 0x8004e00c (CONTEXT_E_ROLENOTFOUND) error above is raised here
    throw;
}

I also switched the IIS account to run under my user and I still get the error. Do I have to somehow authenticate to the CA, or does it use my IIS identity for the request? (I did verify that it is running under that context by checking the output of System.Security.Principal.WindowsIdentity.GetCurrent().Name.)

vik_78
Igal Flegmann
  • Does the application run on the local machine and not on the IIS server? I think the certificate has to be on client machines and not on the IIS server. Users are GUEST accounts and have very limited access on the IIS server. You would have to run the IIS service as ADMIN to give users more access, which is not recommended. – jdweng Apr 11 '19 at 16:52
  • The client submits the cert as a web request; the IIS server requests the certificate on behalf of the user. This is in part because the user doesn't have network connectivity to the domain (just 443 is open to this machine). The user authentication has nothing to do with the account used on the IIS. – Igal Flegmann Apr 11 '19 at 17:01

1 Answer


You are getting the certificate in machine context. Change this line:

_cSignerCertificateWrapper.Initialize(true, X509PrivateKeyVerify.VerifyNone, EncodingType.XCN_CRYPT_STRING_BASE64, Convert.ToBase64String(_x509Certificate2Wrapper.RawData));

to:

_cSignerCertificateWrapper.Initialize(false, X509PrivateKeyVerify.VerifyNone, EncodingType.XCN_CRYPT_STRING_BASE64, Convert.ToBase64String(_x509Certificate2Wrapper.RawData));

and remove this line:

innerRequest.InitializeDecode("ContextMachine", EncodingType.XCN_CRYPT_STRING_BINARY);

Tacot
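The following is an added example of the corrected enroll-on-behalf-of flow; it is not the asker's or the answerer's code. It applies the answer (user context for the signer certificate, no "ContextMachine" call) and, instead of CX509Enrollment.Enroll(), submits the encoded CMC request to a named CA through CERTCLIENTLib's CCertRequest, so the CA disposition is visible and nothing is installed locally (the private key belongs to the user, not to the agent). It assumes COM references to certenroll.dll (CERTENROLLLib) and certcli.dll (CERTCLIENTLib); the caConfig string ("CAHOST\\CA-NAME" form), template name, and requester name are caller-supplied placeholders, and the certcli.h flag values are reproduced as constants.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Security.Cryptography.X509Certificates;
using CERTCLIENTLib;
using CERTENROLLLib;

// Added example, not the original post's code. Runs as the IIS app pool identity,
// whose user profile (and therefore user certificate store) must be loaded.
public static class OnBehalfOfEnroller
{
    // szOID_ENROLLMENT_AGENT: the "Certificate Request Agent" EKU.
    const string EnrollmentAgentEku = "1.3.6.1.4.1.311.20.2.1";

    // certcli.h flags and dispositions.
    const int CR_IN_BASE64 = 0x1;
    const int CR_IN_CMC = 0x400;
    const int CR_OUT_BASE64 = 0x1;
    const int CR_DISP_ISSUED = 3;
    const int CR_DISP_UNDER_SUBMISSION = 5;

    // Wraps the user's PKCS#10 in a CMC request co-signed by this account's enrollment
    // agent certificate and submits it to the CA for `requesterName` (DOMAIN\user).
    // Returns the issued certificate as Base64 DER to hand back to the user, or null
    // if the CA pended the request for manager approval.
    public static string EnrollOnBehalfOf(byte[] userPkcs10Der, string requesterName,
                                          string templateName, string caConfig)
    {
        X509Certificate2 agentCert = FindEnrollmentAgentCert();

        // MachineContext = false: the agent certificate and its key live in the user
        // store of the account this code runs as, and the request is built in user context.
        var signer = new CSignerCertificate();
        signer.Initialize(false, X509PrivateKeyVerify.VerifyNone,
                          EncodingType.XCN_CRYPT_STRING_BASE64,
                          Convert.ToBase64String(agentCert.RawData));

        // InitializeDecode takes the encoded request itself; there is no "ContextMachine" argument.
        var inner = new CX509CertificateRequestPkcs10();
        inner.InitializeDecode(Convert.ToBase64String(userPkcs10Der),
                               EncodingType.XCN_CRYPT_STRING_BASE64);

        var cmc = new CX509CertificateRequestCmc();
        cmc.InitializeFromInnerRequestTemplateName(inner, templateName);
        cmc.RequesterName = requesterName;   // the user the certificate is issued to
        cmc.SignerCertificate = signer;      // enrollment agent co-signature
        cmc.Encode();
        string cmcBase64 = cmc.get_RawData(EncodingType.XCN_CRYPT_STRING_BASE64);

        // Submit over DCOM as the current process token (the app pool identity), which
        // therefore needs Request Certificates on the CA and Enroll on the template.
        var certRequest = new CCertRequest();
        int disposition;
        try
        {
            disposition = certRequest.Submit(CR_IN_BASE64 | CR_IN_CMC, cmcBase64, "", caConfig);
        }
        catch (COMException ex)
        {
            throw new InvalidOperationException(
                string.Format("CA rejected the submission: 0x{0:X8} {1}", ex.HResult, ex.Message), ex);
        }

        if (disposition == CR_DISP_UNDER_SUBMISSION)
            return null;   // pending; poll later with the request id
        if (disposition != CR_DISP_ISSUED)
            throw new InvalidOperationException(string.Format(
                "Request not issued (disposition {0}): {1}",
                disposition, certRequest.GetDispositionMessage()));

        return certRequest.GetCertificate(CR_OUT_BASE64);
    }

    // Picks a valid certificate carrying the Certificate Request Agent EKU, with a
    // private key, from the CURRENT USER "Personal" store of the process identity.
    static X509Certificate2 FindEnrollmentAgentCert()
    {
        var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            X509Certificate2Collection matches = store.Certificates.Find(
                X509FindType.FindByApplicationPolicy, EnrollmentAgentEku, true);
            foreach (X509Certificate2 c in matches)
                if (c.HasPrivateKey) return c;
        }
        finally
        {
            store.Close();
        }
        throw new InvalidOperationException(
            "No enrollment agent certificate with a private key in the user store.");
    }
}
```

Two things to check when this still fails: the app pool must have "Load User Profile" enabled, otherwise StoreLocation.CurrentUser is empty for the service account and the agent certificate is never found; and if the CA or template enforces enrollment agent restrictions, the agent account must be permitted to request that template for that user, or the CA returns a denied disposition rather than CONTEXT_E_ROLENOTFOUND.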