User permissions to configure SSL certificate for IIS HTTPS binding

2

I have a configuration tool that configures IIS SSL certificate for a website. It creates a new binding in IIS configuration for "Default Web Site" and then assigns an SSL certificate to it. The tool works fine when I run it on behalf of administrative account, but fails when running under regular user account with "access denied" error.

Here is the code of the tool:

using Microsoft.Web.Administration;
using System;
using System.Globalization;
using System.Linq;

namespace TestIisSslCert
{
    class Program
    {
        static void Main(string[] args)
        {
            try
            {
                var sslCertThumbprint = "733AD4B4A8FA5F7DE2F4640F91B176BDB1D2BE25";

                // calculating certificate hash

                var certificateHash = new byte[20];
                for (int i = 0, j = 0; i < sslCertThumbprint.Length; i += 2, j++)
                {
                    string s = sslCertThumbprint[i].ToString().ToLower() + sslCertThumbprint[i + 1].ToString().ToLower();
                    byte o = byte.Parse(s, NumberStyles.HexNumber);
                    certificateHash[j] = o;
                }

                // adding a binding with a reference to the certificate:

                var siteName = "Default Web Site";
                using (var serverManager = new ServerManager())
                {
                    var site = serverManager.Sites[siteName];
                    var bindings = site.Bindings.ToList();
                    foreach (var binding in bindings)
                    {
                        if (binding.Protocol == "https")
                            site.Bindings.Remove(binding);
                    }

                    site.Bindings.Add(":443:", certificateHash, "My");
                    serverManager.CommitChanges();
                }
            }
            catch (Exception e)
            {
                Console.WriteLine(e);
            }

            Console.ReadKey();
        }
    }
}

Here is the error I'm getting when I run it as a user:

System.UnauthorizedAccessException: Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))
at Microsoft.Web.Administration.Interop.IAppHostMethodInstance.Execute()
at Microsoft.Web.Administration.Binding.AddSslCertificate(Byte[] certificateHash, String certificateStoreName)
at Microsoft.Web.Administration.BindingManager.Save()
at Microsoft.Web.Administration.ServerManager.CommitChanges()

I have added full control over the following folders:

  • "C:\Windows\System32\inetsrv\config"
  • "C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys"
  • "C:\inetpub\wwwroot"

I also tried the following link but it didn't help: https://support.comodo.com/index.php?/Knowledgebase/Article/View/1129/37/access-denied-exception-from-hresult-0x80070005-e_accessdenied

Is there any other security setting or policy that I need to grant to my user?

Some additional details: I checked if there is anything that may require permissions in ProcessMonitor, but I didn't find any registry keys nor files with "ACCESS DENIED". There was only one registry key, which I added, but it doesn't do any difference: HKLM\System\CurrentControlSet\Services\WinSock2\Parameters.

Also it is possible to add a new binding without certificate, but when I specify certificate hash it fails. It is as if some policy doesn't allow me to run the code, probably something related to COM, since Microsoft.Web.Administration is a wrapper over COM interfaces, but I'm not sure.

ssl
permissions
ssl-certificate
iis-8.5
asked on Server Fault Mar 15, 2018 by username • edited Mar 28, 2018 by username

2 Answers

1

I tried to run the same operation with netsh:

netsh http add sslcert ipport=0.0.0.0:443 certhash=35e010f567bf61
62e8eb7974ee98eb64c4ed2c55 appid={00112233-4455-6677-8899-AABBCCDDEEFF}

SSL Certificate add failed, Error: 5
The requested operation requires elevation (Run as administrator).

It seems that there is no workaround for this and I must use administrator account. Also I got a similar response for the same question on IIS forum.

answered on Server Fault Apr 2, 2018 by username
0

I had the same requirements and after so many searches it was clear that Administrator Rights are required in any case.

I have solved this issue by creating a new Application pool with Custom Account as Identity.

Basically my server was having 2 users. one Administrator and other user_account with same administrator group. But still user_account was unable to host any site thru code on IIS.

  1. Go to IIS
  2. Then click Application Pool
  3. Add new Application Pool and choose appropriate settings and press OK.
  4. Click on newly created pool and select Advance property
  5. Goto the process model section and Click on three dots in Identity property
  6. Select Custom Account.
  7. Enter Administrator (or whatever name is for administrator account)
  8. Enter Administrator Password(If you dnt have then ask network head or whom so ever having the same as this is just one time) and press OK

Now your site/web api will run as administrator account.

Hopes it helps in any way

answered on Server Fault May 14, 2019 by Arjun

User contributions licensed under CC BY-SA 3.0