Re: Client Certificate and Code Access Security


From: Jürgen Laude (JrgenLaude_at_discussions.microsoft.com)
Date: 01/13/05


Date: Thu, 13 Jan 2005 07:39:10 -0800

Hello Dilip,

Changing permissions on the client side is not an option for my customers.
Why am I able to use client-side certificates in the internet zone with my
default Internet Explorer settings for web pages, but not from a .NET
application for web services? Browsing the asmx page works with the client
certificate, because IE is pulling it from the store. I understand that a
.NET app should not be allowed to access a user's certificate store without
his knowledge, but the client is receiving the certificate from a
user-selected file, so it is the user's intention to provide it to the
application for his authentication.

Thanks,
Jürgen

"Dilip Krishnan" wrote:

> Hello Jürgen,
> Basically you're having a client application that you're trying to run as a
> downloaded internet application. Such applications are security sandboxed
> as "internet" applications, which have restricted permissions as far as loading
> things from the hard disk etc. Assuming you're using SSL, a client cert cannot
> get access to your certificate in your local stores. Giving just appropriate
> permissions should solve this problem.
>
> HTH
> Regards,
> Dilip Krishnan
> MCAD, MCSD.net
> dkrishnan at geniant dot com
> http://www.geniant.com
>
> > Hi,
> >
> > I am implementing an IIS-deployed client (Windows Forms) that accesses a web
> > service on the same server. I want to use client certificates for
> > authentication.
> > My problem is, when I call the web service with CAS "Internet" permissions,
> > I'm receiving a SecurityException in a thread that seems to create the
> > connection. The user selects the certificate with an OpenFileDialog configured
> > for working with "Internet" permissions. I can verify the loading of the
> > certificate and assigning it to the web service proxy works without problems.
> > Running the same with "Full Trust" works perfectly, but my customers require
> > "Internet" permissions only.
> > What do I need to do to work around that? If not, why is using a client
> > certificate that the user manually selects a security risk (it is no problem
> > for Internet Explorer to do that)?
> > Thank you in advance,
> >
> > Jürgen
> >
>
>
>


