Closed AndersBillLinden closed 6 years ago
Thanks
You are right, I should probably add another post on how to implement this in an IIS or Azure environment where we typically implement these things.
I did a check on the last IIS implementation I made and found the following config
```xml
<clientCredentials>
  <clientCertificate findValue="FP Testcert 2" storeLocation="CurrentUser"
                     storeName="My" x509FindType="FindBySubjectName" />
  <serviceCertificate>
    <defaultCertificate findValue="BankID SSL Root Certification Authority TEST"
                        storeLocation="LocalMachine" storeName="Root" x509FindType="FindBySubjectName" />
    <authentication certificateValidationMode="None" revocationMode="NoCheck"
                    trustedStoreLocation="LocalMachine" />
  </serviceCertificate>
</clientCredentials>
```
What it means is that the IIS app pool running the site instance is run as a service user and not a generic app pool account, and the clientCertificate has been installed in that user's specific store.
I'll do my best to post something on the setup.
Cheers
Thanks for the answer, will make a try!
Anders
The problem was that I needed to add permission to the app pool to use the certificate! Permissions that seem only decorative, because I am able to create a web application that reads the certificates using the X509Store.Certificates.Find function.
If I want to use a certificate via web.config, the story is different. It seems that ASP.NET voluntarily refuses to use the license if the file permissions of a file inside the folder
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys
do not hold an entry for the app pool pseudo user, a user whose name is of the form
IIS AppPool\DefaultAppPool
To be able to add that user, I could not just use the file permissions->security tab. It will fail to find the "user".
I needed to install Windows Server 2003 Resource Kit Tools.
When installing this on a Windows Server 2012, an error dialog comes up about the install not being compatible with the system. I ignored this; there is still a button to continue the installation. I kept in mind where the installation was saved in the file system and used a console window. It is time for icacls.exe to do its job.
cd C:\Program Files (x86)\Windows Resource Kits\Tools
Listing the folder C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys
in an explorer window shows me files whose names are not informative, so I had to just pick one for the next step.
icacls C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\f3c9f4206ce2a9e2a4bb8d8f3182497e_a73a6629-821a-46ca-a17a-15h70f1ceb1c /grant "IIS APPPOOL\my_app_pool":R
I had to try two files before I found the correct one. There is a tool called FindPrivateKey.exe to find out the filename without guessing. I have tried to use it despite the fact that I was downloading an exe file from a random guy (not Microsoft). I had problems using it, however; I did not run it with the correct arguments.
My web.config uses LocalMachine and Root for both the client certificate and the server certificate.
When I have added the file permission using icacls, the site is able to use the certificate, and the file permissions for the key file in question show an entry holding the name of the app pool without the prefix IIS AppPool\. Trying to add an entry with that user name, with or without the prefix, not using icacls fails.
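An added example (not from this thread) that automates the guessing step above: it resolves the private-key file behind a LocalMachine\My certificate through .NET instead of picking files in MachineKeys by hand, grants the app pool identity Read on that file with icacls, and shows the resulting ACL entry. It assumes Windows PowerShell 5.1 run as an administrator; the subject name and pool name are placeholders, and it also handles CNG keys, which live under Crypto\Keys rather than RSA\MachineKeys.

```powershell
# Added example, not code from this issue thread. Run as administrator.
param(
    [string]$SubjectName = 'FP Testcert 2',   # placeholder, subject from the web.config above
    [string]$Pool        = 'DefaultAppPool'   # placeholder app pool name
)

function Get-PrivateKeyFilePath {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    if (-not $Cert.HasPrivateKey) {
        throw "Certificate $($Cert.Thumbprint) has no private key (a .cer import, not a .pfx)"
    }
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
    if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        # Legacy CSP key: the file is under RSA\MachineKeys, as in the thread
        $name = $rsa.CspKeyContainerInfo.UniqueKeyContainerName
        $dir  = Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys'
    } elseif ($rsa -is [System.Security.Cryptography.RSACng]) {
        # CNG key: the file is under Crypto\Keys instead
        $name = $rsa.Key.UniqueName
        $dir  = Join-Path $env:ProgramData 'Microsoft\Crypto\Keys'
    } else {
        throw "Unsupported key provider $($rsa.GetType().FullName)"
    }
    Join-Path $dir $name
}

# FindBySubjectName in WCF is a substring match; mirror that here.
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "*CN=$SubjectName*" } |
        Select-Object -First 1
if (-not $cert) { throw "No certificate with subject '$SubjectName' in LocalMachine\My" }

$keyFile = Get-PrivateKeyFilePath -Cert $cert
Write-Host "Private key file: $keyFile"

# Read is enough for a client certificate; do not grant Full Control on key files.
icacls $keyFile /grant "IIS AppPool\${Pool}:R"

# Verify: the ACL now lists the pool identity (certlm.msc shows it without the prefix).
(Get-Acl $keyFile).Access |
    Where-Object { $_.IdentityReference -like "*$Pool*" } |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
```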
You can add rights to the private key using standard Windows tools, i.e. certlm.msc.
Then in the permissions window add an account like IIS APPPOOL\name_of_the_apppool_your_app_runs_under, i.e. IIS AppPool\DefaultAppPool
That will give me the error message An object named "IIS APPPOOL\my_apppool" cannot be found.
Checking all Object types (adding Service Accounts and Computers) does not help.
@AndersBillLinden It should be a local account, not a domain account (check location). Unless your IIS Pool runs under a domain service account :)
System (that my webserver runs as) is already included. Now, how do I input the account for the app pool? Isn't IIS APPPOOL kind of a pseudo domain?
IIS APPPOOL is a local group on the server. If your server is assigned to Windows Active Directory then you will have the AD selected by default in the location when assigning rights to private key. You need to select local computer in the location box.
It will look like this.
When you create an app pool it will create an app pool identity account based on the name of the pool. Mine looks like this:
You can change the account to a custom account. Often it is changed to a managed service account.
@peponeska When I right click a certificate in certlm.msc, I only get the menu entries "Open" and "Export..."
I also note that when I installed a certificate to local machine (trusted root) today, I did not get an additional file in C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys
...
@AndersBillLinden You are selecting from the Trusted Root Certificates store. There are certificates without a private key, so Manage Private Keys does not make sense there. When you go to the Personal store you should see a certificate with a slightly different icon that has a small key on it. IMO only private keys from the Personal store will end up as files in C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys.
I do not get the "manage private keys" menu (or advanced operations). Do I need to change file permissions for some file? I am doing this as administrator so I guess not. Or do I create a key myself using "request certificate with new key"?
Ok, there must not have been a private key in the files I have got. The client certificate needs to have that?
@AndersBillLinden Yes, exactly. Do you have any certificates in Personal store?
@AndersBillLinden Did you manage to solve this?
I solved it for the test case, but when I got files from the bank, they were in .cer format instead of .pfx. I assume those should work as client certificates. When I added those certificates, nothing was added in the MachineKeys folder.
I solved it for the production case as well, creating a p12 file from previously mentioned .cer using a java program.
Your documentation is awesome!
Maybe there should be some information on how to integrate bankid in a web application?
The problems I have encountered are that if I run my web application in IIS, I am then getting
Could not establish secure channel for SSL/TLS with authority 'site.com'
using the LocalMachine storeLocation both for the client certificate and the server certificate. Is it adding to the complexity to run the application as the IIS user? Or is it something else that IIS is adding?
Should the IIS user be able to use the "Trusted Root Certificate Authorities" store? To me it seems like the IIS user can read that store using the X509Store.Certificates.Find method, but not to use it with a WCF client.
If I am debugging my application locally, I am able to have the WCF client working. Maybe that's because I am running the application as another user? How could it be relevant which user I am running as?
All of my problems in this are described here.