I am creating a web service that allows users to request a certificate.
The web service can be accessed with Windows authentication.
I would like to impersonate the authenticated user to submit the certificate request, as this code snippet illustrates:
    using System.Security.Principal;
    using System.Web;
    using CERTCLIENTLib; // COM interop for certcli.dll, where CCertRequestClass lives

    // Flags from certcli.h (both are 0, so the OR is just 0)
    const int CR_IN_BASE64HEADER = 0, CR_IN_FORMATANY = 0;
    var identity = (WindowsIdentity)HttpContext.Current.User.Identity;
    var certRequest = new CCertRequestClass();
    // Submit under the caller's token; disposing the context reverts to the app pool account
    using (var context = identity.Impersonate()) {
        var disposition = certRequest.Submit(
            CR_IN_BASE64HEADER | CR_IN_FORMATANY,
            base64CertificateRequest, "CertificateTemplate:MyTemplateName",
            @"testca.test.com\Test CA");
    }

The above code always fails with the error message "The RPC server is unavailable. (Exception from HRESULT: 0x800706BA)".
Instead, the code works if I don't impersonate the current user, but the request is submitted with the credentials of the application pool (a domain account I created).
The code works also if I impersonate the user with the LogonUser API.
Checking the network trace with Wireshark, I see that at a certain point there is a DCERPC NTLM authentication call with a NULL user:

    1317.948461  2002:808e:8830::808e:8830 -> 2002:bcb8:15e3::bcb8:15e3  DCERPC  239  AUTH3: call_id: 3, Fragment: Single, NTLMSSP_AUTH, User: \

That call is followed by a RemoteCreateInstance request, which fails with nca_s_fault_access_denied.
Is it possible to submit a certificate request impersonating the current user? Should I configure some special permission for the application pool account, or on the Certification Authority?
Thanks,
Paolo
Paolo Tedesco - http://cern.ch/idm
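An added C# example, not part of the original post, showing the check a practitioner would put in front of the remote submit. A caller authenticated to IIS with Windows authentication hands the service an impersonation-level token; such a token is valid on the local machine but cannot authenticate to a remote DCOM/RPC server unless it was obtained with Kerberos delegation, so the hop to the CA goes out as an anonymous NTLM session (User: \ in the trace above) and is refused. A token from LogonUser is a primary token that carries the user's credentials, which is why that path works. The helper names, the constant definitions copied from certcli.h, the CA config string and the template name are assumptions; the example assumes a COM interop reference to certcli.dll (namespace CERTCLIENTLib), as the original snippet does.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security.Principal;
using CERTCLIENTLib; // COM interop assembly generated from certcli.dll (assumed reference)

public static class CaSubmitter
{
    // Request flags from certcli.h; both happen to be 0
    const int CR_IN_BASE64HEADER = 0;
    const int CR_IN_FORMATANY = 0;
    // Disposition codes returned by ICertRequest::Submit (certcli.h)
    const int CR_DISP_ISSUED = 3;
    const int CR_DISP_UNDER_SUBMISSION = 5;

    // LogonUser parameters: NETWORK_CLEARTEXT yields a primary token usable for a network hop
    const int LOGON32_LOGON_NETWORK_CLEARTEXT = 8;
    const int LOGON32_PROVIDER_DEFAULT = 0;

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string user, string domain, string password,
                                 int logonType, int logonProvider, out IntPtr token);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr handle);

    // Submit 'base64Request' to the CA while impersonating 'identity'.
    // Refuses up front when the token cannot make a second hop, instead of letting
    // DCOM fall back to an anonymous NTLM session and failing with 0x800706BA.
    public static int SubmitAs(WindowsIdentity identity, string base64Request,
                               string template, string caConfig)
    {
        // WindowsIdentity reports None for a primary token (e.g. from LogonUser);
        // an impersonation token must be at Delegation level to reach a remote server.
        TokenImpersonationLevel level = identity.ImpersonationLevel;
        if (level != TokenImpersonationLevel.None && level != TokenImpersonationLevel.Delegation)
            throw new InvalidOperationException(
                "Token for " + identity.Name + " is at level " + level +
                "; it cannot authenticate to the CA. Use a LogonUser token or Kerberos delegation.");

        using (identity.Impersonate())
        {
            var request = new CCertRequestClass();
            int disposition = request.Submit(CR_IN_BASE64HEADER | CR_IN_FORMATANY,
                base64Request, "CertificateTemplate:" + template, caConfig);
            if (disposition != CR_DISP_ISSUED && disposition != CR_DISP_UNDER_SUBMISSION)
                throw new InvalidOperationException("CA returned disposition " + disposition +
                    ": " + request.GetDispositionMessage());
            return disposition;
        }
    }

    // Variant the post reports as working: a primary token from LogonUser, which
    // carries the user's credentials and so can authenticate to the CA.
    public static int SubmitWithLogon(string user, string domain, string password,
                                      string base64Request, string template, string caConfig)
    {
        IntPtr token;
        if (!LogonUser(user, domain, password, LOGON32_LOGON_NETWORK_CLEARTEXT,
                       LOGON32_PROVIDER_DEFAULT, out token))
            throw new Win32Exception(Marshal.GetLastWin32Error());
        try
        {
            // The WindowsIdentity constructor duplicates the handle, so we close ours below
            var identity = new WindowsIdentity(token);
            return SubmitAs(identity, base64Request, template, caConfig);
        }
        finally
        {
            CloseHandle(token);
        }
    }
}
```

Usage: `CaSubmitter.SubmitAs((WindowsIdentity)HttpContext.Current.User.Identity, csr, "MyTemplateName", @"testca.test.com\Test CA")` from the web service, or `CaSubmitter.SubmitWithLogon(...)` when the service holds the user's password. The LogonUser path means the service must receive and handle user passwords; the alternative that keeps the caller's own identity without a password is Kerberos constrained delegation for the application pool account, which makes the token reaching the service Delegation level so that the check above passes.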