winhttpcertcfg to give access to the IIS user in Windows 7

Posted 2024-08-09 13:50:13 · 388 words · 5 views · 0 comments


I need to give access to the IIS user to a pfx certificate. The website is running under the App Pool under some user AppPoolUser. IIS automatically has the user name "IIS APPPOOL\AppPoolUser" and this is what we need to give access to when we use aspnet_regiis -ga.

However, when I use winhttpcertcfg to give access to the user "IIS APPPOOL\AppPoolUser", it says "No account information was found".

The command I use is

winhttpcertcfg -i <filename> -c <certificateLocation> -g -a <account name>

Didn't find any samples for this over the web. Any ideas?


Comments (7)

千里故人稀 2024-08-16 13:50:13


I know it's an old question, but I just had the same problem yesterday so I thought I'd answer.

I had the same problem but with a certificate located in the LocalMachine -> TrustedPeople store...

You have to use icacls instead of WinHttpCertCfg, taken from this link.

Basically, it should look like this:

ICACLS <filename> /grant "IIS AppPool\DefaultAppPool":R

For the sake of completion, here is how I needed to do it to access the "Trusted People" store. Taken in part from this link.

  1. Use the FindPrivateKey tool from Microsoft to locate the actual file for the cert in the store. This tool must be compiled from the source code in .\WF_WCF_Samples\WCF\Setup\FindPrivateKey\CS from the Windows Communication Foundation (WCF) and Windows Workflow Foundation (WF) Samples for .NET Framework 4 download.

    FindPrivateKey.exe TrustedPeople LocalMachine -t "<thumbprint of the SSL cert>"
    
  2. Use icacls on the file given by FindPrivateKey.

    icacls C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\<path to certificate> /grant "IIS AppPool\<your AppPool name>":R
    

Voilà!

慕烟庭风 2024-08-16 13:50:13


To the original post, you just need to replace the domain "IIS APPPool" with your machine's local domain name - usually the same name as the machine. When WinHttpCertCfg runs, it will turn <MachineName>\<AppPoolUser> into <IIS APPPOOL>\<AppPoolUser> and grant access to the certificate. If you want to work on a dev desktop with local IIS, this should solve your problem. ICACLS only works on servers (which you will ultimately be deploying to).

守不住的情 2024-08-16 13:50:13


You can also do this from the mmc Certificates snap-in.

Just right-click the certificate in question, choose All Tasks -> Manage private keys..., and add the user you want (likely IIS APPPOOL\[your app pool]).

与风相奔跑 2024-08-16 13:50:13


Update/tl;dr — I've created the CertAdmin module for PowerShell Core to easily get and set certificate permissions.

I was having the same issue:

  • WinHttpCertCfg seems to have been abandoned without a reasonable alternative.
  • My Certificate Manager did not include a "Manage Private Keys" option as mentioned in this old MSDN blog post.
  • Compiling FindPrivateKey is unreasonable overhead in a Windows environment.

Setting the permission for a cert involves granting the application pool the read right to the cert file.

This can be achieved using icacls.exe (the Windows Explorer security UI does not support application pools):

icacls C:\ProgramData\Microsoft\crypto\rsa\machinekeys\9876abcdeblahblahblah /grant "IIS AppPool\AppPoolName:R" 

Windows stores machine keys in C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys, but the names of the files are not related to the certificate. The file name for each certificate can be obtained using this PowerShell code:

 ls Cert:\LocalMachine\TrustedPeople |
    select Subject,@{n='FileName';e={$_.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName}} |
    Format-List

(Change "TrustedPeople" if your cert is in another store.)

The name of the application pool can be obtained from the Application Pools node of the IIS Manager, or by running this PowerShell code:

Import-Module WebAdministration; ls IIS:\AppPools

This PowerShell 3 script will use Out-GridView (ogv) as a GUI pick list for the cert and the app pool, then grant the permission:

ipmo WebAdministration
$cert = (ls Cert:\LocalMachine\TrustedPeople |
    ogv -OutputMode Single -Title "Select Certificate").
    PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
$app = (ls IIS:\AppPools |
    ogv -OutputMode Single -Title "Select App Pool").Name
icacls $env:ProgramData\Microsoft\crypto\rsa\machinekeys\$cert /grant "IIS AppPool\$($app):R"
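The first answer (FindPrivateKey, then icacls) and this answer (UniqueKeyContainerName, then icacls) both hinge on one step: mapping a certificate to the file under ProgramData\Microsoft\Crypto that actually holds its private key, and then granting the app pool's virtual account read access to that file only. The script below is an added example, not code from this thread or from the CertAdmin module; it selects the certificate by thumbprint instead of an Out-GridView pick list, audits the existing ACL so the grant is skipped when it is already in place, and refuses to run against an app pool that does not exist (an unresolvable "IIS AppPool\<name>" identity is what produces "No account information was found"-style failures). It assumes Windows PowerShell 5.1 on a host with IIS, .NET Framework 4.6 or later for RSACertificateExtensions, the WebAdministration module, and an elevated prompt. The Crypto\Keys directory for CNG keys is an addition beyond what the thread covers; the thumbprint and pool name in the usage lines are placeholders.

```powershell
# Added example (not from the thread). Assumptions: Windows PowerShell 5.1, .NET Framework 4.6+,
# IIS with the WebAdministration module, elevated prompt. The Crypto\Keys (CNG) path is an
# assumption beyond the thread, which only mentions Crypto\RSA\MachineKeys.

function Get-PrivateKeyFilePath {
    # Maps a certificate (by thumbprint) to the file holding its private key. This replaces the
    # FindPrivateKey tool and the UniqueKeyContainerName one-liner from the answers above.
    param(
        [Parameter(Mandatory)] [string] $Thumbprint,
        [string] $StoreName = 'My',
        [string] $StoreLocation = 'LocalMachine'
    )
    $cert = Get-Item -Path "Cert:\$StoreLocation\$StoreName\$Thumbprint" -ErrorAction Stop
    if (-not $cert.HasPrivateKey) {
        throw "Certificate $Thumbprint has no private key in $StoreLocation\$StoreName."
    }

    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
    if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        # Legacy CSP key: the file name is the unique container name (what FindPrivateKey prints)
        $name = $rsa.CspKeyContainerInfo.UniqueKeyContainerName
    } elseif ($rsa -is [System.Security.Cryptography.RSACng]) {
        # CNG key (assumption beyond the thread): the software KSP exposes the file name as UniqueName
        $name = $rsa.Key.UniqueName
    } else {
        throw "Only RSA private keys are handled by this example."
    }

    $cryptoRoot = Join-Path $env:ProgramData 'Microsoft\Crypto'
    foreach ($dir in @('RSA\MachineKeys', 'Keys')) {
        $candidate = Join-Path (Join-Path $cryptoRoot $dir) $name
        if (Test-Path -LiteralPath $candidate) { return $candidate }
    }
    # Fallback: some providers report a path rather than a bare name, so search by leaf name
    $hit = Get-ChildItem -LiteralPath $cryptoRoot -Recurse -File -Filter (Split-Path $name -Leaf) -ErrorAction SilentlyContinue |
        Select-Object -First 1
    if ($hit) { return $hit.FullName }
    throw "Key file '$name' was not found under $cryptoRoot."
}

function Get-PrivateKeyAccess {
    # Lists who can touch the key file; run it before and after a grant to confirm the change.
    param([Parameter(Mandatory)] [string] $KeyFile)
    (Get-Acl -LiteralPath $KeyFile).Access |
        Select-Object IdentityReference, FileSystemRights, AccessControlType
}

function Grant-AppPoolPrivateKeyRead {
    param(
        [Parameter(Mandatory)] [string] $Thumbprint,
        [Parameter(Mandatory)] [string] $AppPoolName,
        [string] $StoreName = 'My'
    )
    Import-Module WebAdministration -ErrorAction Stop
    # The "IIS AppPool\<name>" virtual account is only meaningful for a pool IIS knows about
    if (-not (Test-Path -Path "IIS:\AppPools\$AppPoolName")) {
        throw "Application pool '$AppPoolName' does not exist on this host."
    }

    $keyFile  = Get-PrivateKeyFilePath -Thumbprint $Thumbprint -StoreName $StoreName
    $identity = "IIS AppPool\$AppPoolName"
    $read     = [System.Security.AccessControl.FileSystemRights]::Read

    # Idempotency check: an Allow ACE for this identity that already covers Read means nothing to do
    $existing = (Get-Acl -LiteralPath $keyFile).Access | Where-Object {
        $_.IdentityReference.Value -eq $identity -and
        $_.AccessControlType -eq 'Allow' -and
        (($_.FileSystemRights -band $read) -eq $read)
    }
    if ($existing) {
        Write-Verbose "$identity already has read access to $keyFile"
        return $keyFile
    }

    # Read only (:R): the pool needs to load the key, never to modify or replace it
    & icacls.exe $keyFile /grant "${identity}:R" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE" }
    return $keyFile
}

# Usage (placeholder thumbprint; pool name taken from the question):
# $file = Grant-AppPoolPrivateKeyRead -Thumbprint '<thumbprint>' -AppPoolName 'AppPoolUser' -StoreName 'TrustedPeople' -Verbose
# Get-PrivateKeyAccess -KeyFile $file
```

Granting :R rather than :F mirrors the answers above and is the least privilege the worker process needs; the audit function also makes it easy to spot key files that have accumulated broader ACEs over time, which is what you would want to review after migrating a site between pools.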

暗恋未遂 2024-08-16 13:50:13


When you install the application, it also adds the documentation:

C:\Program Files (x86)\Windows Resource Kits\Tools

The following examples show some of the ways in which the configuration tool can be used.

This command lists accounts that have access to the private key for the "MyCertificate" certificate in the "Root" certificate store of the LOCAL_MACHINE branch of the registry.

winhttpcertcfg -l -c LOCAL_MACHINE\Root -s MyCertificate

This command grants access to the private key of the "MyCertificate" certificate in the "My" certificate store for the TESTUSER account.

winhttpcertcfg -g -c LOCAL_MACHINE\My -s MyCertificate -a TESTUSER

This command imports a certificate and private key from a PFX file and extends private key access to another account.

winhttpcertcfg -i PFXFile -c LOCAL_MACHINE\My -a IWAM_TESTMACHINE

This command removes access to the private key for the IWAM_TESTMACHINE account with the specified certificate.

winhttpcertcfg -r -c LOCAL_MACHINE\Root -s MyCertificate -a IWAM_TESTMACHINE

眼波传意 2024-08-16 13:50:13


If you still want to continue using WinHttpCertCfg, then use the below command:

winhttpcertcfg.exe -i <filename> -c <certificateLocation> -a "ComputerName\IIS APPPOOL\AppPoolName"

I had the same issue and resolved it with the above command today.

百变从容 2024-08-16 13:50:13


What works for me is that my staging site is in Network Service (app pool) (deployment) and on my local it is "applicationpoolidentity" (working copy).

Just change it to applicationpoolidentity and run your winhttpcertcfg command.
