Blog

CodePartners Blog

rss


Assigning Permission on a Certificate for an ApplicationPoolIdentity Account

SHARE THIS
Facebook twitter linkedin Print Print
Print Email

by Derek Du

Have you had the headache of configuring permissions to your ApplicationPoolIdentity account while running your web application under it? The IIS APPPOOL\Name trick never works for me. I run the ICACLS command to find the user in the permission configuration window.

If your ApplicationPoolIdentity-using-web-application utilizes a certificate to encrypt/decrypt messages, such as a WCF web service with message level security, you have to figure out how to assign permissions based on the certificate of your ApplicationPoolIdentity user.

Similarly, assigning permissions to another file, you can either use the IIS APPPOOL\Name method or use the ICACLS command. The ICACLS approach requires a file path to add a user account. Since the certificate is deeply stored and found under a different name than your original certificate, it makes it difficult to find.

HOW TO FIND THE CERTIFICATE PATH? 

First, a tool called FindPrivateKey.exe, from Microsoft is required. Please note, it is difficult to find the executable link to download this file. You will find it as part of WCF services sample code. Please follow this link to access the source codes. Then, unzip and compile the project from the folder: C:\WF_WCF_Samples\WCF\Setup\FindPrivateKey\. After the compilation, you have an executable file!

This tool helps you find your certificate’s actual file location with the certificate’s thumbprint. To find the thumbprint, open Microsoft Management Console:


 

Now, add the Certificate's snap-in.

 

 

 

Once you find the certificate folder, right click and select Open. Now, select the Details tab in the Certificate dialog and find the Thumbprint of your certificate.

 

 

With the thumbprint selected, run the following command in the command line prompt.

>FindPrivateKey my localmachine -t ” THUMBPRINT “

**Please note, in this example I retrieved the certificate from a local device. Follow this link for directions on retrieving a certificate.**

By running this command, a folder returns with the name of your cert!

 

Finally, a simple ICACLS command grants the permission needed for your cert.

 

Thank you for taking time to read my blog.  I hope you find this information helpful as you come across this situation.

Please note, this blog was published by Derek on December 4th in his personal blog found here.



Comments are closed.
On December 6, 2013 in Development, General, Web application, Web Development by Lori Thomas
Tagged With: Applicationpoolidentity, Certificate, Find Private Key, iis appool, permission , wcf / 3604 Views

Search

Categories

Archives