I have followed the instructions here


I am running Windows 2003 IIS6 with a separate user account for the application pool. I give this user access to the private key using cacls.exe. This works fine.

However, whenever something changes with the ASP.NET site or IIS, the permission is lost. For example, if I change the web.config file, restart IIS and wait 5 hours, then the call to the SSL certificate fails and I can no longer access it from my client that is trying to consume the WCF service. I log on as the APP POOL account, run cacls.exe again and it fixes it.

How do I fix this permanently, as currently it stops every 5 hours or so?


I have actually gone backwards. Now I cannot get it to work at all. These are the steps I follow:

C:\FindPrivateKey>FindPrivateKey.exe Trustedpeople currentuser
Private key directory:
C:\Documents and Settings\MYUSER\Application Data\Microsoft\Crypto\RSA\S-1-5-21-2205538328-2105125954-533649117-1053
Private key file name:

Give permissions

Cacls.exe "C:\Documents and Settings\MYUSER\Application Data\Microsoft\Crypto\RSA\S-1-5-21-2205538328-2105125954-533649117-1053\ab715bc6d3b1ae3bdb1a9e8e21a3b851_817f45df-79ce-4f15-9345-15b5c81281a1" /E /G "WWWTEST2\MYUSER":R

Check permissions

Cacls.exe "C:\Documents and Settings\MYUSER\Application Data\Microsoft\Crypto\RSA\S-1-5-21-2205538328-2105125954-533649117-1053\ab715bc6d3b1ae3bdb1a9e8e21a3b851_817f45df-79ce-4f15-9345-15b5c81281a1"

Set owner

subinacl /file "C:\Documents and Settings\MYUSER\Application Data\Microsoft\Crypto\RSA\S-1-5-21-2205538328-2105125954-533649117-1053\ab715bc6d3b1ae3bdb1a9e8e21a3b851_817f45df-79ce-4f15-9345-15b5c81281a1" /setowner=WWWTEST2\MYUSER

Error I get from the ASP.NET site trying to consume the service:

Exception: System.InvalidOperationException
Message: Cannot find the X.509 certificate using the following search criteria: StoreName 'TrustedPeople', StoreLocation 'CurrentUser', FindType 'FindByThumbprint', FindValue 'b33e04f057a52cb73007aec81eee86d2f75e3c69'.
Source: System.ServiceModel
at System.ServiceModel.Security.SecurityUtils

When I log in as MYUSER, the account running the IIS app pool, and go to the "mmc" certificates snap-in, I can see the certificate in My User account under TrustedPeople.


I was able to get it working by installing the cert in Local Machine / Personal and using winhttpcertcfg instead of cacls.

  • 21
  • 1
  • 8
  • Have you tried this? http://stackoverflow.com/questions/1271497/asp-net-permissions-to-root-certificate-store – Greg Askew Jan 23 '12 at 04:35
  • not yet, should I? – Daveo Jan 23 '12 at 04:45
  • Are you setting permissions on the file, or the folder? It needs to be the file that corresponds to the certificate. – Greg Askew Jan 23 '12 at 05:24
  • @greg I run FindPrivateKey.exe to get the path to the file and then cacls.exe to grant permissions on the specific file. I do this for the IIS App Pool user – Daveo Jan 23 '12 at 08:51
  • what does `cacls` return right after you reset the ACL, and as soon as you notice it stops working? – yrk Jan 23 '12 at 10:19
  • As a test, can you manually edit the permissions, assign your app account as the owner and full control, and reduce system and administrators to read/execute? – Greg Askew Jan 23 '12 at 16:58
  • @GregAskew yes I tried this, no difference - see updated question – Daveo Jan 24 '12 at 05:57
  • @yarek I updated the answer to show what it returns after I set it. But now it is never working at all – Daveo Jan 24 '12 at 05:57

1 Answer


To fix this issue, you first need to know what to fix.

To determine what causes the private key's DACL to change, enable Object Access Auditing and add an auditing entry for permission changes to the private key, applying to Everyone. To do so, follow these simple steps.

  1. Enable Object Access Auditing

    1. Go to Control Panel -> Administrative Tools -> Local Security Policy (gpedit)
    2. Expand Computer Configuration \ Windows Settings \ Security Settings \ Local Policies and select Audit Policy
    3. Double-click the Audit Object Access policy
    4. Make sure the Define these policy settings and Success boxes are checked.
    5. Apply this change, and successful Object Access attempt auditing is now enabled.

  2. Add an audit entry for the Private Key

    1. Go to C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\
    2. Right-click the private key in question, select Properties
    3. On the Security tab, select Advanced
    4. Select the Auditing tab and add an entry for the Everyone group denomination.
    5. Check the Change Permissions boxes

Once the permissions seem to "reset":

  1. Check the Security log
    1. Go to Control Panel -> Administrative Tools -> Event Viewer (eventvwr)
    2. Select the Security log
    3. Filter the log by Event ID: 567
    4. Search for "WRITE_DAC"

The WRITE_DAC permission is the permission to change DACLs. Whenever this permission is exercised on an object, Event ID 567 will be logged, given that the object is audited. This way, you'll be able to determine what process changed the permissions you set.

Mathias R. Jessen
  • 24,907
  • 4
  • 62
  • 95
  • Thanks, I cannot see any 567 event, must be something else occurring? – Daveo Jan 23 '12 at 08:52
  • If not, look for Event ID 560. – Mathias R. Jessen Jan 23 '12 at 14:39
  • thanks but now it's not working at all for me, see updated question – Daveo Jan 24 '12 at 05:56
  • Have you tried moving it to the Machine account/local computer store, instead of a user store? – Mathias R. Jessen Jan 24 '12 at 06:11
  • yes I tried this. When I do this I get an error "The remote server returned an error: (403) Forbidden." which I believe is when the WCF service I call gets the wrong certificate or no certificate, I think this is because the service account does not have permissions to read the private key file even though I set it up. When I run cacls I can see MYUSER has permissions. However when I log in as that user and run `FindPrivateKey.exe TrustedPeople LocalMachine` it shows the Certificate but when I click it instead of showing the path it says _Unable to obtain private key file name_ – Daveo Jan 24 '12 at 22:58
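The following PowerShell script is an added example and is not code from the asker or from Mathias R. Jessen's answer. It automates the two procedures on this page in one place: it locates the private key file behind a certificate (what FindPrivateKey.exe does), grants the application pool account Read on that file (what the cacls /E /G command in the question does), adds the Everyone / Change Permissions audit entry the answer describes, and then pulls the matching WRITE_DAC entries out of the Security log so the process that rewrote the DACL can be identified. The thumbprint, account name and store location are placeholder assumptions; the script also assumes an administrative session (writing a SACL needs SeSecurityPrivilege), a CAPI RSA key so that the certificate's PrivateKey property is populated, and that "Audit Object Access" has already been enabled as in step 1 of the answer.

```powershell
# Added example (not from the question or the answer).
# Placeholders: replace $Thumbprint and $Account with your own values.
param(
    [string]$Thumbprint    = 'PLACEHOLDER_THUMBPRINT',   # assumption: the service certificate's thumbprint
    [string]$Account       = 'MACHINE\AppPoolUser',      # assumption: the IIS application pool identity
    [ValidateSet('LocalMachine','CurrentUser')]
    [string]$StoreLocation = 'LocalMachine',
    [string]$StoreName     = 'My'
)

# --- 1. Resolve the private key file, the way FindPrivateKey.exe does ---------
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store($StoreName, $StoreLocation)
$store.Open('ReadOnly')
$cert = $store.Certificates | Where-Object { $_.Thumbprint -eq $Thumbprint }
$store.Close()

if (-not $cert)               { throw "Certificate $Thumbprint not found in $StoreLocation\$StoreName" }
if (-not $cert.HasPrivateKey) { throw "Certificate $Thumbprint has no private key" }
# When the current account cannot open the key container, PrivateKey is $null.
# This is the same condition FindPrivateKey reports as
# "Unable to obtain private key file name".
if (-not $cert.PrivateKey)    { throw "Private key of $Thumbprint is not readable by the current account" }

$container = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName

# Machine keys live under the common application-data folder (MachineKeys);
# user keys live under the user's roaming profile, in a folder named after the user's SID.
if ($StoreLocation -eq 'LocalMachine') {
    $keyDir = Join-Path ([Environment]::GetFolderPath('CommonApplicationData')) 'Microsoft\Crypto\RSA\MachineKeys'
} else {
    $sid    = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
    $keyDir = Join-Path ([Environment]::GetFolderPath('ApplicationData')) "Microsoft\Crypto\RSA\$sid"
}
$keyFile = Join-Path $keyDir $container
if (-not (Test-Path $keyFile)) { throw "Key file not found: $keyFile" }
"Private key file: $keyFile"

# --- 2. Grant the app pool account Read on the key file (cacls /E /G account:R) --
$acl  = Get-Acl -Path $keyFile
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Account, 'Read', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $keyFile -AclObject $acl

# --- 3. Add the SACL entry from the answer: audit successful permission changes ----
# Requires an elevated session; takes effect only if Audit Object Access is enabled.
$acl   = Get-Acl -Path $keyFile -Audit
$audit = New-Object System.Security.AccessControl.FileSystemAuditRule('Everyone', 'ChangePermissions, TakeOwnership', 'Success')
$acl.AddAuditRule($audit)
Set-Acl -Path $keyFile -AclObject $acl

# --- 4. After the permissions "reset", find who exercised WRITE_DAC on this file ---
# Windows 2003 records the access as Event ID 567 (560 for the handle open);
# later Windows versions use 4663 / 4656. Only entries naming this key file matter.
Get-EventLog -LogName Security -Newest 5000 |
    Where-Object {
        (567, 560, 4663, 4656 -contains $_.EventID) -and
        $_.Message -match 'WRITE_DAC' -and
        $_.Message -match [regex]::Escape($container)
    } |
    Select-Object TimeGenerated, EventID, UserName, Message |
    Format-List
```

Run it once from an elevated prompt after the certificate has been installed; the first three stages are idempotent, so re-running it after a reset is harmless. The event-log query at the end is what turns the answer's manual Event Viewer filtering into something you can repeat: the "Image File Name" or "Process Name" line in the matching message is the process that rewrote the key file's DACL.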