> I am struggling with some web application X509 signing issues, but was
> finally able to get everything working by setting the web application
> impersonate value to "myuseraccount." Since the key we have to use
> for signing is installed under the "myuseraccount" Personal store and
> not exportable, I think I am stuck having the web app impersonate
> myself.
>
> In any event, everything works fine if I leave myself logged into the
> server on which the app runs. Any users accessing the box remotely
> can run the page that signs a payload. After I log out, however, the
> process no longer works. The Event Viewer app log seems to indicate
> that the certificate for signing was not found, but why should be
> being logged in affect that? Since my code is pulling from
> CurrentUserStore, does that somehow use the currently logged-in user
> store, rather than the store of the impersonate user?
>
> I have played with file, folder, and certificate permissions until my
> fingers bled, but it's possible I missed something. Many thanks in
> advance to anyone who can help solve this one.
>

"Metrophobe" <jasonmiley@hotmail.com> wrote in message
news:1106673940.859235.174370@c13g2000cwb.googlegroups.com...
> Thanks for your help; unfortunately, I am still stuck. I tried running
> IIS under the ASP.NET account, rather than the standard
> IUSR_MACHINENAME account, but still had no luck. As far as your
> recommendation to give access to the certificate store, I assume that
> you are speaking about the physical location ("C:\Document and
> Settings\...Crypto\..."). Is there some other way (presumably through
> MMC) to give access to the store from a non-physical perspective?
>
> Even if everyone has access to the store, however, I don't see how to
> specifcy the store. My certificate is in the MYUSERNAME\Personal
> store, which I don't think I have access to programmatically. If I am
> coding in .NET, I can access the CurrentUserStore or the
> LocalMachineStore, but I don't see any way to access any kind of
> "OtherUserStore." It appears that the store for MyUsername is
> effectively blocked unless the ASP.NET process is running under that
> account (in which case the MyUsername store becomes the
> CurrentUserStore). It would seem from my testing, though, that even
> then the account still has to be physically logged in before the
> certificate is available.
>
> Can anyone verify what has to happen before the CurrentUserStore for
> "UserA" is available? Is it necessary to run the ASP.NET process under
> that account *and* be logged in?
>

> Thanks for your help, Sidd. I believe I have a workaround now in that
> I am signing with a Verisign certificate that we have loaded onto the
> box. Based on my understanding and by speaking with the 3rd party,
> this should work just fine. This way, of course, I can just access
> the Local Machine Store and get the certificate no matter who I am
> logged in as.
>
> The reason this certificate ended up in MyUserName\Personal store is
> because I received the certificate through the 3rd party's Certificate
> Server via Internet Explorer while I was logged in. The cert was
> automatically placed in my store, and since the private key was not
> exportable, I could not export the key and still sign with it (or so
> it appears). I tried explicitly giving access to the private key file
> and store folders to the ASP.NET account and IUSR account to no avail.
> Without the LocalMachine Store having its own private key, there was
> no way to reference the original private key file.
>
> One more question, however, to anyone with enough time to answer. I
> read everywhere that for ASP.NET to access a store, the store
> "typically" needs to reside in the LocalMachine store, or that the
> cert "should" be in that store. No one seems to address the
> alternative, however. Is accessing another user's store possible?
> Even if it's not best practice, it would nice to get a definitive
> answer on this.
>