我的應用程序爲運行在這些虛擬目錄中的啓用STS的Web應用程序創建虛擬目錄以及應用程序池。應用程序池在ApplicationPoolIdentity帳戶(IIS APPPOOL \ MyAppPool)下運行。我一直在試圖找出以編程方式授予對已安裝證書訪問權限的方法。即使授予MMC權限後STS鍵集也不存在

我的第一種方法是使用執行WinHttpCertCfg的批處理文件。但是,這種方法僅適用於已「激活」的應用程序池帳戶。通過「激活」,我的意思是我至少瀏覽過一次新應用程序。直到發生這種情況 - WinHttpCertCfg總是返回消息「句柄無效」。

我嘗試的下一個方法是基於solution obtained from here。此解決方案的工作原理是,當我在MMC中瀏覽證書並選擇「管理證書密鑰」時,將列出應用程序池帳戶。即使我運行WinHttpCertCfg以列出具有訪問權限的帳戶時,也會列出新的應用程序池。



public class CertificateHandler 
    private const string CommonApplicationKeys = @"Microsoft\Crypto\RSA\MachineKeys"; 
    private const string PersonalKeys = @"Microsoft\Crypto\RSA\"; 
    private static X509Certificate2 _personalCertificate = null; 
    private static X509Certificate2 _trustedCertificate = null; 

    public CertificateHandler(string thumbPrint) 
     X509Store personalStore = new X509Store(StoreName.My, StoreLocation.LocalMachine); 
     X509Store trustedStore = new X509Store(StoreName.TrustedPeople, StoreLocation.LocalMachine); 

     //open the stores to locate the certificates and cache for future use 
     if (_personalCertificate == null) 
      _personalCertificate = LoadCertificateFromStore(thumbPrint, personalStore); 

     if (_trustedCertificate == null) 
      _trustedCertificate = LoadCertificateFromStore(thumbPrint, trustedStore); 

    /// <summary> 
    /// Grants access to the specified certificate. 
    /// </summary> 
    /// <param name="thumbPrint">The thumb print of the certificate.</param> 
    /// <param name="user">The domain qualified user.</param> 
    public void GrantAccessToCertificate(string user) 
     //open the store to locate the certificate 
     GrantAccessToCertificate(user, _personalCertificate); 
     GrantAccessToCertificate(user, _trustedCertificate); 

    /// <summary> 
    /// Grants access to the specified certificate. 
    /// </summary> 
    /// <param name="user">The domain qualified user.</param> 
    /// <param name="certificate">The certificate to which access is granted</param> 
    private void GrantAccessToCertificate(string user, X509Certificate2 certificate) 
     RSACryptoServiceProvider crypto = certificate.PrivateKey as RSACryptoServiceProvider; 

     if (crypto != null) 
      //determine the location of the key 
      string keyfilepath = FindKeyLocation(crypto.CspKeyContainerInfo.UniqueKeyContainerName); 

      //obtain a file handle on the certificate 
      FileInfo file = new FileInfo(Path.Combine(keyfilepath, crypto.CspKeyContainerInfo.UniqueKeyContainerName)); 

      //Add the user to the access control list for the certificate 
      FileSecurity fileControl = file.GetAccessControl(); 
      NTAccount account = new NTAccount(user); 
      fileControl.AddAccessRule(new FileSystemAccessRule(account, FileSystemRights.FullControl, AccessControlType.Allow)); 

    /// <summary> 
    /// Loads the certificate mathing the thumbprint from the specified store. 
    /// </summary> 
    /// <param name="thumbPrint">The thumb print of the certificate.</param> 
    /// <param name="store">The store.</param> 
    private X509Certificate2 LoadCertificateFromStore(string thumbPrint, X509Store store) 
     X509Certificate2 cert = null; 

      //fetch the certificates in the store 

      //locate by the specified thumbprint 
      var results = store.Certificates.Find(X509FindType.FindByThumbprint, thumbPrint, true); 

      if (results.Count > 0) 
       cert = results[0]; 
       throw new FileNotFoundException("No certificate was found matching the specified thumbprint"); 

     return cert; 

    /// <summary> 
    /// Finds the key location. 
    /// </summary> 
    /// <param name="keyFileName">Name of the key file.</param> 
    /// <returns></returns> 
    private string FindKeyLocation(string keyFileName) 
     string location = string.Empty; 

     //start the search from the common application folder 
     string root = Environment.GetFolderPath(Environment.SpecialFolder.CommonApplicationData); 
     string commonLocation = Path.Combine(root, CommonApplicationKeys); 

     //filter for the key name 
     var keys = Directory.GetFiles(commonLocation, keyFileName); 

     if (keys.Length > 0) 
      location = commonLocation; 
      //now try the personal application folder 
      root = Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData); 
      string privateLocation = Path.Combine(root, PersonalKeys); 

      var subFolders = Directory.GetDirectories(privateLocation); 

      if (subFolders.Length > 0) 
       foreach (string folder in subFolders) 
        //filter for the key 
        keys = Directory.GetFiles(folder, keyFileName); 

        if (keys.Length != 0) 
         location = folder; 
       throw new InvalidOperationException("Private key exists but is not accessible"); 

     return location; 


