TWReynol

Hello,

We include a root certificate with our installation that we try to install using a client configuration tool. This installs a trusted root, so that when a client activates our product, they get their own unique certificate that is trusted by our installed root.

I have included the code that we use to install the root certificate, but it does not seem to work in Vista, as I get an Access Denied when I try to do the store.Add(cert).

In XP, I did not originally have the StorePermission object, and as an administrator on the machine, this worked fine. We require an administrator to run the "utility" that installs the certificates before a user can run the application.

In Vista, even as an administrator, we get the Access Denied message.

Does anyone know what I need to do to be able to install this cert in the Root Store? If it is not in the root store, our client issued certificates end up not being trusted.

I am a newbie in the whole security arena, but this code worked fine in XP, even without the StorePermission object.

Thanks!

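using System.Security.Cryptography.X509Certificates;
using System.Security.Permissions;

// Open the machine-wide Trusted Root store for writing.
X509Store store = new X509Store(StoreName.Root, StoreLocation.LocalMachine);
// Assert the CAS store permission (this does not grant OS-level rights).
StorePermission sp = new StorePermission(PermissionState.Unrestricted);
sp.Assert();
store.Open(OpenFlags.ReadWrite);
store.Add(cert); // cert is the root certificate; Access Denied occurs here on Vista
store.Close();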



Re: Application Compatibility for Windows Vista Works in XP but not in Vista

MarcD

When you are running the application on Vista, are you running with an admin user, or are you explicitly right clicking on the application and choosing "run as" and providing administrator credentials? There is a difference between doing these 2 things.

Also, have you made sure that your .NET application is requesting all of the appropriate Security permissions? There is a dialog in the properties dialog that helps you with this.





Re: Application Compatibility for Windows Vista Works in XP but not in Vista

Brendan Grant

First up... you said that "In Vista, even as an administrator, we get the Access Denied message."... when you are running it as administrator... how are you doing so? Logging in as admin? Right clicking on the executable and choosing "run as administrator"?

My guess would be that even though you are running this application from an account that is considered an administrator on the machine, because of UAC, when it is run it is being run as a normal user with low rights instead.

To know for sure... make sure that you are running it as administrator by right clicking on the executable and choosing that option and confirming the choice when the UAC dialog is presented.






Re: Application Compatibility for Windows Vista Works in XP but not in Vista

Bruce N. Baker - MSFT

It would also be a good idea to include a manifest with the application that "requiresAdministrator".




Re: Application Compatibility for Windows Vista Works in XP but not in Vista

TWReynol

I am logged in as an Administrator on the box, and thought that was sufficient. How can I tell the app that it requires admin rights to run? I am more than a little confused about the whole Vista security model.

I am not right-clicking on the executable to "Run as admin" because it is inside of VS 2005 (at this point). Eventually, this will ship in our Vista version of the app to our customers and I would like this to be seamless to them.





Re: Application Compatibility for Windows Vista Works in XP but not in Vista

Bruce N. Baker - MSFT

Here's a link that ought to help you start sorting out the UAC information.

Quick resource on how to manifest and develop your application for Vista, with tool information and more.

http://msdn2.microsoft.com/en-us/library/aa480150.aspx






Re: Application Compatibility for Windows Vista Works in XP but not in Vista

TWReynol

Thanks, I found that link and I have a lot of research to do!

I made one slight change: I store my root cert in the CurrentUser store rather than the LocalMachine store, and that seems to work. I wondered if that would still work when a "MereMortal" runs the app, so I created a new Standard User named MereMortal, and lo and behold, it did indeed store the root cert for that user.

I guess I can live with that compromise, I really wanted to set these once and for all for the entire machine, but as long as the standard user can install their own roots, we are ok.

Thanks, I have a lot of reading to do on the above link
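
Added example, not code from any poster in this thread: a C# sketch that checks whether the process token is actually elevated before choosing between the LocalMachine and CurrentUser Root stores, which ties together the UAC explanation and the CurrentUser workaround discussed above. The class name, the command-line usage and the certificate path argument are assumptions made for illustration.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Security.Principal;

static class RootCertInstaller // hypothetical name, not from the thread
{
    // True only when the process token carries an enabled Administrators group.
    // Under UAC an admin account normally runs with a filtered token, so this
    // returns false unless the process was started elevated.
    static bool IsElevated()
    {
        WindowsIdentity id = WindowsIdentity.GetCurrent();
        return new WindowsPrincipal(id).IsInRole(WindowsBuiltInRole.Administrator);
    }

    // Adds cert to the Root store at the given location; returns false on denial.
    static bool TryInstall(X509Certificate2 cert, StoreLocation location)
    {
        X509Store store = new X509Store(StoreName.Root, location);
        try
        {
            store.Open(OpenFlags.ReadWrite);
            store.Add(cert);
            return true;
        }
        catch (CryptographicException ex)
        {
            Console.Error.WriteLine("{0} Root store: {1}", location, ex.Message);
            return false;
        }
        finally { store.Close(); }
    }

    static int Main(string[] args)
    {
        // args[0]: path to the root certificate file (assumed usage).
        if (args.Length != 1) { Console.Error.WriteLine("usage: installroot <cert.cer>"); return 2; }
        X509Certificate2 cert = new X509Certificate2(args[0]);
        // Log what is being trusted so the operator can compare the thumbprint.
        Console.WriteLine("Installing {0} ({1})", cert.Subject, cert.Thumbprint);

        StoreLocation target = IsElevated() ? StoreLocation.LocalMachine : StoreLocation.CurrentUser;
        if (target == StoreLocation.CurrentUser)
            Console.WriteLine("Not elevated: using the CurrentUser Root store.");
        return TryInstall(cert, target) ? 0 : 1;
    }
}
```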