Re: Client Certificate and Code Access Security

From: Jürgen Laude (JrgenLaude_at_discussions.microsoft.com)
Date: 01/13/05


Date: Thu, 13 Jan 2005 07:39:10 -0800

Hello Dilip,

Changing permissions on the client side is not an option for my customers.
Why am I able to use client-side certificates in the Internet zone with my
default Internet Explorer settings for web pages, but not from a .NET
application for web services? Browsing the asmx page works with the client
certificate, because IE is pulling it from the store. I understand that a
.NET app should not be allowed to access a user's certificate store without
his knowledge, but the client is receiving the certificate from a
user-selected file, so it is the user's intention to provide it to the
application for his authentication.

Thanks,
Jürgen

"Dilip Krishnan" wrote:

> Hello Jürgen,
> Basically you're having a client application that you're trying to run as a
> downloaded Internet application. Such applications are security sandboxed
> as "internet" applications, which have restricted permissions as far as loading
> things from the hard disk etc. Assuming you're using SSL, a client cert cannot
> get access to your certificate in your local stores. Giving just appropriate
> permissions should solve this problem.
>
> HTH
> Regards,
> Dilip Krishnan
> MCAD, MCSD.net
> dkrishnan at geniant dot com
> http://www.geniant.com
>
> > Hi,
> >
> > I am implementing an IIS-deployed client (Windows Forms) that accesses
> > a web service on the same server. I want to use client certificates for
> > authentication.
> > My problem is, when I call the web service with CAS "Internet"
> > permissions, I'm receiving a SecurityException in a thread that seems to
> > create the connection. The user selects the certificate with an
> > OpenFileDialog configured for working with "Internet" permissions. I can
> > verify the loading of the certificate and assigning it to the web service
> > proxy works without problems.
> > Running the same with "Full Trust" works perfectly, but my customers
> > require "Internet" permissions only.
> > What do I need to do to work around that? If not, why is using a
> > client certificate that the user manually selects a security risk (it is
> > no problem for Internet Explorer to do that)?
> > Thank you in advance,
> >
> > Jürgen
> >
>
>
>


