#1 | Guest

Certificate problem calling WCF MSMQ service from ASP.Net application

I have an ASP.Net application that calls a WCF MSMQ service. The service is hosted in a Windows Service (Windows 2003 Standard) and is working correctly.

The MSMQ queue only accepts authenticated messages, i.e. each message must be signed with a certificate.

The service is called from an ASP.Net application that runs in an application pool with a least privilege user identity. When the web application calls the web service I get a server error saying the X.509 certificate could not be found. If I then open a command prompt "runas" the least privilege user identity, the call to the web service succeeds.

I am assuming this is to do with the profile for the identity. Asp.Net performs a network login for the user which doesn't load the user's profile (that contains the user's certificate store). By opening a command prompt "runas" the user, the profile is loaded and the certificate can be located.

Please tell me there is a simple way to fix this issue. I have tried a variety of fixes, all to no avail. I have put the certificate in the machine store, which allows the client to locate the certificate, but then MSMQ fails with an MQ_ERROR_INVALID_CERTIFICATE. Again, this goes away if I put the certificate into the identity's certificate store as well as in the machine store and also open the command prompt "runas" the identity.
#2 | Guest

Re: Certificate problem calling WCF MSMQ service from ASP.Net application

On Jul 12, 4:57 pm, Dave <pigwi...@gmail.com> wrote:
> I have an ASP.Net application that calls a WCF MSMQ service. The service is hosted in a Windows Service (Windows 2003 Standard) and is working correctly.
>
> The MSMQ queue only accepts authenticated messages, i.e. each message must be signed with a certificate.
>
> The service is called from an ASP.Net application that runs in an application pool with a least privilege user identity. When the web application calls the web service I get a server error saying the X.509 certificate could not be found. If I then open a command prompt "runas" the least privilege user identity, the call to the web service succeeds.
>
> I am assuming this is to do with the profile for the identity. Asp.Net performs a network login for the user which doesn't load the user's profile (that contains the user's certificate store). By opening a command prompt "runas" the user, the profile is loaded and the certificate can be located.
>
> Please tell me there is a simple way to fix this issue. I have tried a variety of fixes, all to no avail. I have put the certificate in the machine store, which allows the client to locate the certificate, but then MSMQ fails with an MQ_ERROR_INVALID_CERTIFICATE. Again, this goes away if I put the certificate into the identity's certificate store as well as in the machine store and also open the command prompt "runas" the identity.

Ok, so assuming it's a profile issue, why don't I just try to load the profile for the least priv user identity (fingers crossed re formatting):

```csharp
// Requires: using System.Runtime.InteropServices; using System.Security.Principal;
// PROFILEINFO, OpenProcessToken, GetCurrentProcess, LoadUserProfile and the TOKEN_*
// constants are P/Invoke declarations defined elsewhere; they need SetLastError = true
// for Marshal.GetLastWin32Error() to return a meaningful value.
PROFILEINFO profileInfo = new PROFILEINFO();
profileInfo.lpUserName = WindowsIdentity.GetCurrent().Name;
profileInfo.dwSize = Marshal.SizeOf(typeof(PROFILEINFO));

// Get a token for the current process with the access rights LoadUserProfile needs.
if (!OpenProcessToken(
        GetCurrentProcess(),
        TOKEN_QUERY | TOKEN_IMPERSONATE | TOKEN_DUPLICATE,
        out m_hProcessToken))
{
    int lastError = Marshal.GetLastWin32Error();
    LogEvent.Info(string.Format("OpenProcessToken failed, Win32Error:{0}", lastError));
}
// Load the profile (and with it the user's certificate store) for that token.
else if (!LoadUserProfile(m_hProcessToken, ref profileInfo))
{
    int lastError = Marshal.GetLastWin32Error();
    LogEvent.Info(string.Format("LoadUserProfile failed, Win32Error:{0}", lastError));
}
```

Yay, it works, no wait, LoadUserProfile requires "the caller must be an administrator", curses.
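A read-only check of the profile hypothesis discussed in this thread, as an added example that is not part of the original posts: it reports whether the current identity's profile hive is mounted and whether a certificate, selected by a thumbprint you supply, is visible with a usable private key in the CurrentUser and LocalMachine stores. The class name `CertStoreProbe`, its methods and the placeholder thumbprint are assumptions made for illustration.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Security.Principal;
using System.Text;
using Microsoft.Win32;

// Added diagnostic, not code from the thread. Call Report() from inside the
// ASP.NET application and again from a "runas" console, then compare.
public static class CertStoreProbe
{
    public static string Report(string thumbprint)
    {
        WindowsIdentity identity = WindowsIdentity.GetCurrent();
        StringBuilder sb = new StringBuilder();
        // A loaded profile has its registry hive mounted at HKEY_USERS\<SID>.
        using (RegistryKey hive = Registry.Users.OpenSubKey(identity.User.Value))
            sb.AppendFormat("{0}: profile loaded = {1}\n", identity.Name, hive != null);
        sb.AppendLine(Probe(StoreLocation.CurrentUser, thumbprint));
        sb.AppendLine(Probe(StoreLocation.LocalMachine, thumbprint));
        return sb.ToString();
    }

    static string Probe(StoreLocation location, string thumbprint)
    {
        X509Store store = new X509Store(StoreName.My, location);
        try
        {
            // OpenExistingOnly keeps the probe from creating a store as a side effect.
            store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
            X509Certificate2Collection hits = store.Certificates.Find(
                X509FindType.FindByThumbprint, thumbprint, false);
            if (hits.Count == 0)
                return location + ": certificate not found";
            // Reading PrivateKey opens the key container as the current identity.
            bool keyUsable = hits[0].HasPrivateKey && hits[0].PrivateKey != null;
            return location + ": certificate found, private key usable = " + keyUsable;
        }
        catch (CryptographicException ex)
        {
            return location + ": store or key not accessible (" + ex.Message + ")";
        }
        finally { store.Close(); }
    }

    public static void Main(string[] args)
    {
        // Placeholder: pass the signing certificate's thumbprint as the first argument.
        Console.Write(Report(args.Length > 0 ? args[0] : "THUMBPRINT-PLACEHOLDER"));
    }
}
```

The console entry point only gives the "runas" side of the comparison; the application-pool side has to come from calling `Report` inside the web application and logging the returned string.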