Discussion:
CryptoAPI - CertOpenStore - ASP.Net - Access denied - ERROR_ACCESS_DENIED (0x8007005)
Raj
2014-03-10 22:56:49 UTC
Hello Experts,
I wrote an API that encrypts a string and decrypts across a client - server architecture. This works perfectly fine for desktop based applications.

When an ASP.NET web service tries to encrypt the same string under an IUSR_ account, I get ERROR_ACCESS_DENIED (0x8007005) for CertOpenStore.

    hXchngCertStoreCtxt = CertOpenStore(CERT_STORE_PROV_SYSTEM,
                                        0,
                                        NULL,
                                        CERT_SYSTEM_STORE_CURRENT_USER,
                                        L"ADDRESSBOOK");


IUSR_ requires both read and write access permissions to the Other people's certificate store because it retrieves the server's public key certificate from a trusted network share and installs it to the ADDRESSBOOK/Other people's certificate store.

So I cannot open my certificate store with only read access.
And I cannot give administrator rights to my IUSR_ account either.

Is there any approach that I can follow to resolve this issue?
Will I be able to modify permissions for IUSR_ to grant write access?

I cannot understand why permissions are restricted for the Other people store. As the name suggests, it's the other people store, right?
a***@yahoo.com
2014-04-23 00:35:56 UTC
a***@gmail.com
2016-09-22 12:18:12 UTC
The way to get around this is to use CertOpenStore and pass the
(CERT_STORE_READONLY_FLAG | CERT_SYSTEM_STORE_CURRENT_USER) flags.
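
The read-only open suggested in the reply above, as an added example that is not code from the thread: it tries the default read-write open first and, on ERROR_ACCESS_DENIED, retries with CERT_STORE_READONLY_FLAG, reporting which mode it obtained. The names `open_addressbook` and `open_store_least_privilege` are hypothetical, and the non-Windows branch is a constructed stand-in that models an account without write access so the fallback logic can be exercised anywhere.

```c
/* Added example, not code from the thread: least-privilege open of the
 * CURRENT_USER "ADDRESSBOOK" store with a read-only fallback. */
#include <stdio.h>

#ifdef _WIN32
#include <windows.h>
#include <wincrypt.h>                     /* link with crypt32.lib */
static HCERTSTORE open_addressbook(DWORD flags) {
    return CertOpenStore(CERT_STORE_PROV_SYSTEM, 0, 0, flags, L"ADDRESSBOOK");
}
#else
/* Constructed stand-in (assumption, for offline runs): models an account
 * that may read the store but not write it. Constants match wincrypt.h. */
typedef void *HCERTSTORE;
typedef unsigned long DWORD;
#define CERT_STORE_READONLY_FLAG       0x00008000
#define CERT_SYSTEM_STORE_CURRENT_USER 0x00010000
#define ERROR_ACCESS_DENIED            5L
static DWORD sim_error;
static DWORD GetLastError(void) { return sim_error; }
static HCERTSTORE open_addressbook(DWORD flags) {
    static int fake_store;
    if (flags & CERT_STORE_READONLY_FLAG) { sim_error = 0; return &fake_store; }
    sim_error = ERROR_ACCESS_DENIED;
    return NULL;
}
#endif

/* Returns a store handle or NULL. *writable is set to 1 only when the
 * read-write open succeeded, so callers know whether they may add certs. */
HCERTSTORE open_store_least_privilege(int *writable) {
    HCERTSTORE h = open_addressbook(CERT_SYSTEM_STORE_CURRENT_USER);
    *writable = (h != NULL);
    if (h == NULL && GetLastError() == ERROR_ACCESS_DENIED)
        h = open_addressbook(CERT_STORE_READONLY_FLAG |
                             CERT_SYSTEM_STORE_CURRENT_USER);
    return h;
}

int main(void) {
    int writable = 0;
    HCERTSTORE h = open_store_least_privilege(&writable);
    if (h == NULL) {
        fprintf(stderr, "open failed: %lu\n", (unsigned long)GetLastError());
        return 1;
    }
    printf("store opened %s\n", writable ? "read-write" : "read-only");
    return 0;   /* on Windows, release the handle with CertCloseStore(h, 0) */
}
```

A handle opened with CERT_STORE_READONLY_FLAG rejects attempts to change the store's contents, so it covers certificate lookup but not installation.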