DotNetNewsgroup.com  
start date: Tue, 24 Jul 2007 06:54:01 -0700, posted on: microsoft.public.dotnet.framework.aspnet.webservices



Launch signtool in a Web Service
Does anybody know how to launch signtool.exe correctly inside a Web Service?
I'm having a headache trying....

For security and authentication reasons I use Impersonation (configured in the
web.config file). I've created a WS that uses Process.Start to launch signtool.
I'm getting the error: "SignTool Error: CoCreateInstance returned error:
0x80040150 Could not read key from registry"
After some searching I've found that processes are launched under the IIS
Application Pool identity instead of the impersonated user. So, I've created a new
application pool running under a domain account (CertExe) which has
administrator rights on the web server and changed my application to run
inside this pool.
This implies creating an SPN or changing the authentication on IIS from
Kerberos to NTLM. I've tried both; the process is actually running under the
CertExe account but I still have the error. To verify, I logged on to the web
server with the CertExe account, then I retrieved the command line generated by
the Web Service and launched it in cmd.exe, and it worked perfectly.
I've also found a thread here:
http://groups.google.fr/group/microsoft.public.dotnet.framework.aspnet/browse_thread/thread/142d3115518ec324/270b82cb52a28853%23270b82cb52a28853
He suggests calling kernel32.dll to launch the process, but the problem is
that it doesn't work (I mean it is actually running, but signtool doesn't do
the job) and I can't get access to the standard and error output to see what
happens...
Finally I've used Sysinternals Filemon and Process Monitor to have a look at
what is accessed by signtool.
Unfortunately, signtool is opening a huge number of keys in the registry, but
always successfully.... It seems that the error "could not read key from
registry" is not appropriate. Something else is going wrong but I don't know
what...
If somebody has an idea, I would appreciate it a lot since I'm a bit lost
now!

-- 
Thibaut Blanchin
DT - Plate formes & Systèmes
CEGID
Date: Tue, 24 Jul 2007 06:54:01 -0700

RE: Launch signtool in a Web Service
OK, I've finally found the solution....
The problem is not due to ASP.NET or Web Service programming but to signtool.exe.
This tool needs the profile of the user it is running under to be loaded
(maybe it is trying to access registry keys under HKCU).
If you just run Process.Start, the profile is not loaded for the execution
context...
If a session for this user doesn't already exist, signtool will crash.
The easiest workaround is to leave a session locked under this account
on the server,
or to launch a task like cmd.exe with runas or scheduled tasks.

So, here is how to make a web service call signtool, if this can help
somebody:

- Use impersonation: this is necessary since access will be checked
against the current user. Check also that the user has enough rights to
access signtool.exe.

- Create an application pool running under a dedicated user "CertUser"
(domain or not) that will be able to run the file-signing process (access to the
pfx / reach the timestamping service). When the child process is created by
Process.Start it will not be created under the impersonated user but under CertUser.

- Open a session for CertUser by logging on to the server or launching a task
under this user.

I don't know if there is a better solution to force the profile of this user
to be loaded with Process.Start...

-- 
Thibaut Blanchin
DT - Plate formes & Systèmes
CEGID


Date: Wed, 25 Jul 2007 06:46:06 -0700
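The answer above leaves two things open: how to make Process.Start load the child's user profile without keeping an interactive session on the server, and how to see signtool's own output when it fails. The following is an added example, not code from the thread or from CEGID; it is written against .NET Framework 2.0 or later, where ProcessStartInfo exposes LoadUserProfile. That flag is only honoured when the process is started with explicit credentials (UserName, Password, Domain), so the example starts signtool as the dedicated signing account rather than relying on the application pool identity. The signtool path, account names, timestamp URL and the way the passwords are obtained are all placeholders.

```csharp
using System;
using System.Diagnostics;
using System.Security;
using System.Security.Principal;
using System.Text;

// Added example: run signtool.exe from an ASP.NET Web Service as a dedicated
// low-privilege signing account, with that account's profile (its HKCU hive)
// loaded, and with stdout/stderr captured so the real failure reason is kept.
public static class SignToolRunner
{
    // Placeholder path; point this at the SDK build of signtool.exe in use.
    private const string SignToolPath =
        @"C:\Program Files\Microsoft SDKs\Windows\v6.0\Bin\signtool.exe";

    // Placeholder timestamp service URL; use the one documented by the CA.
    private const string TimestampUrl = "http://timestamp.example.invalid";

    public sealed class SignResult
    {
        public int ExitCode;
        public string CallingIdentity;   // who the WS thread was impersonating
        public string StdOut;
        public string StdErr;
    }

    // fileToSign / pfxPath: files the signing account must be able to read.
    // pfxPassword is passed to signtool via /p and so appears on the child's
    // command line; keep it in a protected configuration section, not in code.
    // runAsPassword is the signing account's password as a SecureString,
    // again sourced from protected configuration (placeholder here).
    public static SignResult Sign(string fileToSign, string pfxPath, string pfxPassword,
                                  string runAsDomain, string runAsUser,
                                  SecureString runAsPassword)
    {
        var result = new SignResult();

        // With <identity impersonate="true"/> this is the caller's account.
        // The child process does NOT inherit it; it gets the identity given
        // in UserName/Password below (without those it would get the pool identity).
        result.CallingIdentity = WindowsIdentity.GetCurrent().Name;

        var psi = new ProcessStartInfo();
        psi.FileName = SignToolPath;
        psi.Arguments = string.Format(
            "sign /f \"{0}\" /p {1} /t {2} \"{3}\"",
            pfxPath, pfxPassword, TimestampUrl, fileToSign);

        // Credentials + LoadUserProfile: the runtime loads the account's
        // profile before starting the child, which is what signtool needs
        // (the symptom without it is "Could not read key from registry").
        psi.Domain = runAsDomain;
        psi.UserName = runAsUser;
        psi.Password = runAsPassword;
        psi.LoadUserProfile = true;

        // Required for credential-based start and for output redirection.
        psi.UseShellExecute = false;
        psi.CreateNoWindow = true;
        psi.RedirectStandardOutput = true;
        psi.RedirectStandardError = true;

        var stdout = new StringBuilder();
        var stderr = new StringBuilder();

        using (var proc = new Process())
        {
            proc.StartInfo = psi;
            // Read both streams asynchronously: reading them one after the
            // other with ReadToEnd can deadlock when the pipe buffer fills.
            proc.OutputDataReceived += delegate(object s, DataReceivedEventArgs e)
                { if (e.Data != null) stdout.AppendLine(e.Data); };
            proc.ErrorDataReceived += delegate(object s, DataReceivedEventArgs e)
                { if (e.Data != null) stderr.AppendLine(e.Data); };

            proc.Start();
            proc.BeginOutputReadLine();
            proc.BeginErrorReadLine();

            // Bound the wait so a hung timestamp request cannot tie up a worker thread.
            if (!proc.WaitForExit(60000))
            {
                try { proc.Kill(); } catch (InvalidOperationException) { }
                stderr.AppendLine("signtool timed out and was terminated");
            }
            proc.WaitForExit(); // flush the async readers after Kill/exit

            result.ExitCode = proc.ExitCode;
        }

        result.StdOut = stdout.ToString();
        result.StdErr = stderr.ToString();
        return result;
    }
}
```

In the Web Service, log SignResult.CallingIdentity, ExitCode and StdErr rather than just "it failed": that is exactly the information the first post could not obtain. The signing account only needs read access to the PFX, read/execute on signtool.exe and outbound access to the timestamp service; it does not need the administrator rights the first post gave CertExe.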
