How to grant an account permissions to access a certificate? (Windows)
Notice: this page is a translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. If you reuse it, you must do so under the same CC BY-SA terms, cite the original URL and attribute it to the original authors (not me): StackOverflow
Original URL: http://stackoverflow.com/questions/4945687/
Asked by mark
I have a certificate in the MSMQ service Personal store and I need to grant the Network Service the permissions to access the certificate.
The only way that I know of to do it is using certutil.exe on Win2008/7 like so:
certutil -service -service -repairstore MSMQ\My "" D:PAI(A;;GA;;;BA)(A;;GA;;;SY)(A;;GR;;;NS)
However, certutil on Win2003/XP does not recognize the -service parameter, so no good.
My question is how can I do it in a way that works for both Win2003/XP and Win2008/7?
I need a non-interactive approach (command line utility, script, COM/.NET/Win32 API).
Accepted answer by Jim Flood
If you just need to set ACL rights on the certificate's private key (which your linked page suggests), I just recently posted an answer here on how I found to do that.
Open the X509Store and get the current certificate in hand, and then set the ACL on the private key.
You can use something like this to get the SID of the account needing access (or just use the well-known SID S-1-5-20 if you know it's always Network Service):
using System.Security.Principal;
// The account is "NT AUTHORITY\NETWORK SERVICE": the authority name has a space, not an underscore.
NTAccount nt = new NTAccount("NT AUTHORITY", "NETWORK SERVICE");
SecurityIdentifier sid = (SecurityIdentifier)nt.Translate(typeof(SecurityIdentifier));
My other answer has the code that sets the ACL. (Caveat: I've run it on Windows Server 2003 but not XP.)
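The procedure the accepted answer describes (open the X509Store, find the certificate, set the ACL on its private key), worked through as an added C# example; this is not Jim Flood's posted code. It assumes a CAPI (RSACryptoServiceProvider) key held in the LocalMachine\My store, because X509Store cannot open a per-service store such as MSMQ\My (that needs CertOpenStore with the services flag), and it assumes the program runs as an administrator who already has access to the key. The class name PrivateKeyAcl and its method names are my own. The DACL is rewritten through CspParameters.CryptoKeySecurity with UseExistingKey, which is how .NET 2.0 and later apply a security descriptor to an existing key container on both Win2003 and Win2008, and the DACL is then read back to confirm the ACE took effect.

```csharp
using System;
using System.Security.AccessControl;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Security.Principal;

// Added example (not from the original answer): grant an account read access to a
// certificate's CAPI private key and verify the resulting key-container DACL.
static class PrivateKeyAcl
{
    // Locate the certificate by thumbprint and return its CAPI RSA key.
    // Assumption: the key is a CAPI key. CNG keys (possible on Vista/2008 and later)
    // are not handled here; they would need NCryptSetProperty with NCRYPT_SECURITY_DESCR_PROPERTY.
    static RSACryptoServiceProvider FindCapiKey(StoreName name, StoreLocation location, string thumbprint)
    {
        X509Store store = new X509Store(name, location);
        store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
        try
        {
            X509Certificate2Collection found =
                store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, false);
            if (found.Count == 0)
                throw new InvalidOperationException("no certificate with thumbprint " + thumbprint);
            X509Certificate2 cert = found[0];
            if (!cert.HasPrivateKey)
                throw new InvalidOperationException("certificate has no private key");
            RSACryptoServiceProvider rsa = cert.PrivateKey as RSACryptoServiceProvider;
            if (rsa == null)
                throw new NotSupportedException("private key is not a CAPI RSA key");
            return rsa;
        }
        finally
        {
            store.Close();
        }
    }

    // CspParameters that re-open the existing container; UseExistingKey prevents
    // accidentally generating a fresh key under the same container name.
    static CspParameters ParamsFor(CspKeyContainerInfo info)
    {
        CspParameters p = new CspParameters(info.ProviderType, info.ProviderName, info.KeyContainerName);
        p.Flags = CspProviderFlags.UseExistingKey;
        if (info.MachineKeyStore)
            p.Flags |= CspProviderFlags.UseMachineKeyStore;
        return p;
    }

    public static void GrantRead(StoreName name, StoreLocation location, string thumbprint, IdentityReference who)
    {
        CspKeyContainerInfo info = FindCapiKey(name, location, thumbprint).CspKeyContainerInfo;

        // Start from the container's current DACL so existing ACEs (Administrators, SYSTEM) are kept.
        CryptoKeySecurity acl = info.CryptoKeySecurity;
        acl.AddAccessRule(new CryptoKeyAccessRule(who, CryptoKeyRights.GenericRead, AccessControlType.Allow));

        CspParameters p = ParamsFor(info);
        p.CryptoKeySecurity = acl;
        // Opening the provider with UseExistingKey and a CryptoKeySecurity set writes the
        // new security descriptor to the key container (PP_KEYSET_SEC_DESCR under the hood).
        using (RSACryptoServiceProvider reopened = new RSACryptoServiceProvider(p)) { }
    }

    // Check: does the container's DACL now carry an Allow ACE with read rights for `who`?
    public static bool HasRead(StoreName name, StoreLocation location, string thumbprint, IdentityReference who)
    {
        CspKeyContainerInfo info = FindCapiKey(name, location, thumbprint).CspKeyContainerInfo;
        SecurityIdentifier target = (SecurityIdentifier)who.Translate(typeof(SecurityIdentifier));
        foreach (CryptoKeyAccessRule rule in
                 info.CryptoKeySecurity.GetAccessRules(true, true, typeof(SecurityIdentifier)))
        {
            bool readBits = (rule.CryptoKeyRights & (CryptoKeyRights.GenericRead | CryptoKeyRights.ReadData)) != 0;
            if (rule.AccessControlType == AccessControlType.Allow && target.Equals(rule.IdentityReference) && readBits)
                return true;
        }
        return false;
    }

    static void Main(string[] args)
    {
        // Usage: PrivateKeyAcl <thumbprint>   (hex thumbprint without spaces); run elevated.
        string thumbprint = args[0];
        // The well-known SID S-1-5-20 avoids depending on the localized "NT AUTHORITY\NETWORK SERVICE" name.
        SecurityIdentifier networkService = new SecurityIdentifier(WellKnownSidType.NetworkServiceSid, null);
        GrantRead(StoreName.My, StoreLocation.LocalMachine, thumbprint, networkService);
        Console.WriteLine(HasRead(StoreName.My, StoreLocation.LocalMachine, thumbprint, networkService)
            ? "Network Service can read the private key"
            : "ACL update did not take effect");
    }
}
```

GenericRead is enough for a service that only needs to use the key (sign, decrypt); it deliberately does not grant GenericAll, which the certutil SDDL in the question reserves for Administrators and SYSTEM. Because the key is located through the certificate rather than through a hard-coded MachineKeys file path, the same code applies whether the container lives in the machine key store or a user profile.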
Answered by Ray Porrata
We had a similar problem with a scheduled app that posts to a secured site.
The certificate store was not accessible by the client. The link posted below mentioned managing the certificates from the Windows 2008 R2 MMC snap-in and granting access to the user account in question. We were able to run the scheduled process this way and grant access to the account running the client.
The other solution, via the scheduler, was to grant the highest level of access for the program (SECURITY RISK) and allow it to run like an admin.
Here is the link referenced above: http://msmvps.com/blogs/luisabreu/archive/2010/09/13/grant-access-to-certificate-s-private-key-in-iis-7-5.aspx