How to install client certificate on IIS Server for ServerXMLHTTP request object (301429)


The information in this article applies to:

  • Microsoft XML 3.0 SP1
This article was previously published under Q301429

SUMMARY

Starting with the Microsoft XML Parser version 3.0 Service Pack 1 (SP1) release (Msxml3.dll, file version 8.10.8308), ServerXMLHTTP supports Secure Sockets Layer (SSL) with client certificates. This article describes how to install a client certificate on Microsoft Internet Information Server (IIS). A client certificate is required to make HTTPS requests to Web servers that require client digital certificates.

MORE INFORMATION

Currently, the ServerXMLHTTP object in MSXML 3.0 SP1 looks only in the personal certificate store of the user account where the IIS process runs. For IIS applications that are set to run with medium or high application protection levels, that account is typically the IWAM_machinename account or the Network Service account. The ServerXMLHTTP object in MSXML 3.0 SP1 does not look in the Local Computer certificate store.

Note By default, the process identity on IIS 6.0 is the Network Service account. The process identity on the version that is earlier than IIS 6.0 is the IWAM_machinename account.

The ServerXMLHTTP object that is included in MSXML 3.0 SP2 is in the Local Computer certificate store. Therefore, you can use MSXML3.0 SP2 as a workaround.

Installing client certificates on the local computer under the IWAM_machinename account or under the Network Service account may require the user to change the IWAM_machinename account password or the Network Service account password, synchronize the IIS metabase, update the IIS COM+ component manager, and so on. To install a client certificate on the local computer under the IWAM_machinename account or under the Network Service account, follow these steps:

Note Currently MSXML 3.0 SP1 requires these steps even when you are connecting to Web servers that do not require client certificates with ServerXMLHTTP. For more information, click the following article number to view the article in the Microsoft Knowledge Base:

302080 BUG: "Access is denied" error message when making HTTPS requests with ServerXMLHTTP

  1. For IIS 5.0, log on as the IWAM_machinename user on the server that is running IIS. Because installing a certificate requires local administrative credentials, make sure that the IWAM_machinename account has been temporarily assigned Administrator user rights for the local computer. For IIS 6.0, log on as an Administrator on the server that is running IIS, and then temporarily add the Network Service account to the Administrator user rights for the local computer.

    Note To log on as the IWAM_machinename user, you must know the password for the IWAM_machinename account, which is typically managed by the server that is running IIS. If you do not have the password, you can go through an administrator for the computer to change it.

    Notice that the Network Service account has the same level of access to resources and objects as members of the Users group. You do not have to assign Administrator user rights to the Network Service account if the Administrator account is in the Users group.
  2. After the password is changed in NT User Account Manager, you must synchronize and update the password for the IWAM_machinename account or for the Network Service account in the IIS metabase. This does not occur by default. For more information about how to manually update the IIS metabase, click the following article numbers to view the articles in the Microsoft Knowledge Base:

    269367 Synciwam utility does not function and generates Error 80110414

    296851 Error "User password/validation failed" when you set IIS 5.0 application to High (Isolated)

    255770 "Logon failure: unknown user name or bad password" when you run out-of-process webs

    297989 Configured identity is incorrect for IWAM account

    For more information, see the following Microsoft Developer Network (MSDN) Web site:

    WAMUserPass
    http://msdn.microsoft.com/library/default.asp?url=/library/en-us/iissdk/html/a2a76b85-c784-440f-b0bf-62651583b8e1.asp

  3. For IIS 5.0, you must also update the IWAM_machinename password in the COM+ Component Services manager. By default, the COM+ Component Services manager is located in Administrative Tools under Component Services. To update the password, follow these steps:
    1. Open the Component Services manager, expand Component Services, expand My Computer, and expand COM+ Applications.
    2. Right-click IIS Out-of-process Pooled Applications, click Properties, and then click the Identity tab.
    3. If IIS Out-of-process Pooled Applications is configured to run as the IWAM_machinename account, type the new password, and then click Apply.

      Note The IWAM_machinename password must also be updated on any High (Isolated) Web packages.
    For IIS 6.0, you must set the Identity property of IIS Out-of-process Pooled Applications to Network Service in the COM+ Component Services manager. By default, the COM+ Component Services manager is located in Administrative Tools under Component Services. To perform this task, follow these steps:
    1. Open the Component Services manager, expand Component Services, expand My Computer, and then expand COM+ Applications.
    2. Right-click IIS Out-of-process Pooled Applications, click Properties, and then click the Identity tab.
    3. Select System Account, select Network Service, and then click Apply.
  4. After you log on as the IWAM_machinename account or the Administrator account, use Internet Explorer to either install or import a client certificate. In Internet Explorer, click Internet Options on the Tools menu, click the Content tab, click Certificates, and then click Import. The wizard begins and leads you to add or import the client certificate.
  5. After the installation, open Internet Explorer. On the Tools menu, click Internet Options, click the Content tab, click Certificates, and then click the Personal tab. You should see the corresponding certificate (for example, "My Store").
  6. Double-click the certificate that you just installed. On the General tab, verify that you see the You have a private key that corresponds to this certificate statement. Click the Certification Path tab on the certificate, and then confirm that there are no errors. To check for errors, click each certificate in the path. You may receive error message that are similar to the following:
    This CA Root certificate is not trusted because it is not in the Trusted Root Certification Authorities store.
    -or-
    The issuer of this certificate could not be found.
    For more information about these error messages, click the following article number to view the article in the Microsoft Knowledge Base:

    297681 Error message: This security certificate was issued by a company that you have not chosen to trust

Important After you have installed the client certificate, you must remove the IWAM_machinename account or the Network Service account from the local Administrators group.

Restart IIS server.Note If you have multiple client certificates are installed, you can use the setOptions method and the SXH_OPTION_SELECT_CLIENT_SSL_CERT(Option 3) parameter with the ServerXMLHTTP object in MSXML 3.0 SP1 to specify the name of the client certificate, as follows: 
sxh.setOption(3) = "Common Name (CN) part of certificate's Subject name"
If you specify an empty string ("") value, the first certificate in the store (which is also the default value) is used.

Important COM+ Packages do not load the HKEY_CURRENT_USER registry hive corresponding to the identity of the COM+ package. For this reason, the client certificate will no longer be available if the IIS server that contains the ASP page that calls the ServerXMLHTTP object is rebooted. Therefore, you must install the client certificate that is explained earlier, and you must also create and run a service application that is described in the following Microsoft Knowledge Base article. For more information about COM+ behavior, click the following article number to view the article in the Microsoft Knowledge Base:

202785 MTS and COM+ processes do not load the HKCU registry hive

To obtain the sample code of the service application, click the following article number to view the article in the Microsoft Knowledge Base:

189996 How to manage threads in a Windows NT, Windows 2000, and Windows XP System Service

When certificate is specified from the ASP pages, call setOption with the full path to the certificate:
setOption(SXH_OPTION_SELECT_CLIENT_SSL_CERT) = "LOCAL_MACHINE\My\<Cert Common Name>"

REFERENCES

For more information about how to enable SSL/TLS on Web sites of an IIS Web server, click the following article numbers to view the articles in the Microsoft Knowledge Base:

228821 Generating a certificate request file using the Certificate Wizard in IIS 5.0

228836 Installing a new certificate with Certificate Wizard for use in SSL/TLS

If you already have a Web server certificate, click the following article number to view the article in the Microsoft Knowledge Base:

232137 How to import a server certificate for use in Internet Information Services 5.0

Modification Type:MajorLast Reviewed:1/10/2006
Keywords:kbhowto kbMSXMLnosweep KB301429 kbAudDeveloper
©2004 Microsoft Corporation. All rights reserved.