I'm working with a support person who is supposed to be able to install SSL certs on a web server he maintains. He has local admin rights to the server via a domain security group. He also has permissions on our internal CA running Windows 2003 Server Certificate Authority: "Request cert" and "Issue and Manage certs".

The server he's working with is running Windows 2000 SP4 / IIS 5. When he attempts to create an online server cert the IIS wizard ends with "Failed to install. Access is Denied.". The event viewer is not working properly, so I can't find any details there. I suspect the permission issue is local and not with the CA.

My account is a domain admin account and I know I am able to do this operation, however I need to make this work for others that are not domain admins.

Any ideas why he can't perform this operation?

+2  A: 

I had this exact same issue a few months ago when I was setting up a cert for a client.

There's a MachineKeys folder that the Administrator needs rights to:

\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys

Give Administrator (or the Administrator group) Full Control over this directory. I don't think you have to restart IIS, but it never hurts.

I have no idea why Admin doesn't control this as default. Once this is changed, the Certificate Creation Wizard will successfully generate the certificate request.

I think there's even a Microsoft KB article about it somewhere.

EDIT: Here's the KB article: http://support.microsoft.com/kb/908572

-Jon

JWHEAT
Wonderful, SO is the oracle of fixing obscure problems
MrTelly
Thank you! Thank you! Thank you! Thank you! This worked perfectly!
ScottCate
A: 

Worked like a charm. I keep on forgetting about this and have to search and remember how to fix it.

Kevin
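
The fix from the first answer, written as a command-prompt script for the server (an added example, not part of either answer or the KB article). It assumes an English-language system where the local group is named Administrators, and that cacls.exe prints the granted right on the same line as the group name.

```batch
@echo off
rem Added example: grant the local Administrators group Full Control on the
rem MachineKeys folder named in the answer, keeping a record of the old ACL.
rem Run from an account that is already a local administrator.
setlocal
set MK=%ALLUSERSPROFILE%\Application Data\Microsoft\Crypto\RSA\MachineKeys
set BEFORE=%TEMP%\machinekeys-acl-before.txt

if not exist "%MK%" goto missing

rem Save and show the ACL as it is now, so the change can be reviewed later.
cacls "%MK%" > "%BEFORE%"
echo ACL before the change (saved to %BEFORE%):
type "%BEFORE%"

rem /E edits the existing ACL. Without /E, cacls replaces the whole ACL and
rem removes every other entry on the machine key store.
cacls "%MK%" /E /G Administrators:F

rem Verify from the ACL itself instead of trusting the exit code.
rem Assumption: the entry is printed as "BUILTIN\Administrators:...F".
echo ACL after the change:
cacls "%MK%"
cacls "%MK%" | findstr /i /r /c:"Administrators:.*F" > nul
if errorlevel 1 goto failed

echo Administrators now has Full Control on "%MK%".
goto end

:missing
echo MachineKeys folder not found: "%MK%"
goto end

:failed
echo Administrators does not show Full Control; compare with %BEFORE%.

:end
endlocal
```

The script changes only the Administrators entry; accounts that are not local administrators gain no access to the private keys stored in the folder.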