http://blogs.msdn.com/alejacma/archive/tags/XEnroll/default.aspxTags: XEnrollen-USCommunityServer 2.1 SP1 (Build: 61025.2)http://blogs.msdn.com/alejacma/archive/2008/09/02/filenotfoundexception-when-using-xenroll-in-asp-net.aspxTue, 02 Sep 2008 13:09:00 GMT91d46819-8472-40ad-a661-2c78acb4018c:8919734alejacma3http://blogs.msdn.com/alejacma/comments/8919734.aspxhttp://blogs.msdn.com/alejacma/commentrss.aspx?PostID=8919734<P>Hi all,</P> <P>If you ever try to use <STRONG>XEnroll.dll</STRONG> in your <STRONG>ASP.NET</STRONG> application (through <STRONG>Interop.XENROLLLib.dll</STRONG>, of course), you may face an issue like the following:</P> <P>Your ASP.NET app <STRONG>impersonates</STRONG> the client&nbsp;<STRONG>user</STRONG> and tries to make a <STRONG>certificate request</STRONG> on her behalf:</P><PRE>using <STRONG>XENROLLLib</STRONG>; <STRONG>CEnroll</STRONG> objEnroll = new CEnrollClass(); string strCertRequest = objEnroll.<STRONG>createRequest</STRONG>(XECR_CMC , "CN=Alex", "1.3.6.1.4.1.311.2.1.21"); </PRE> <P>But <A class="" href="http://msdn.microsoft.com/en-us/library/aa382827(VS.85).aspx" mce_href="http://msdn.microsoft.com/en-us/library/aa382827(VS.85).aspx">createRequest</A> fails with the following exception:</P><PRE><STRONG>System.IO.FileNotFoundException</STRONG> was unhandled by user code Message="<STRONG>The system cannot find the file specified</STRONG>. (Exception from HRESULT: 0x80070002)" Source="<STRONG>Interop.XENROLLLib</STRONG>" StackTrace: at <STRONG>XENROLLLib.CEnrollClass.createRequest</STRONG>(Int32 Flags, String strDNName, String Usage) ... </PRE> <P>If we run the very same code from a <STRONG>VBScript</STRONG>, it <STRONG>works</STRONG>! Mmmmmm,&nbsp;this error looks&nbsp;familiar to me... Check this out: <A class="" href="http://blogs.msdn.com/alejacma/archive/2007/12/03/rsacryptoserviceprovider-fails-when-used-with-asp-net.aspx" mce_href="http://blogs.msdn.com/alejacma/archive/2007/12/03/rsacryptoserviceprovider-fails-when-used-with-asp-net.aspx">RSACryptoServiceProvider fails when used with ASP.NET</A>.</P> <P>The exception is a bit different, but the error message is the same and the cause, too. In order to create a request on user's behalf, that <STRONG>user's profile needs to be loaded</STRONG>. By default, <STRONG>ASP.NET won't load user profiles</STRONG> for us as we already know. And we need the user profile to i.e. create keys associated to the cert request.</P> <P>That also explains why the code works when running in a script. We logged on the server to run the script and the user profile got loaded.</P> <P>Summing up (see the other post I mentioned for details), we have several options here:</P> <P>1) Load user profile via <STRONG>LoadUserProfile</STRONG> API. This API requires many permissions to call it and&nbsp;I wouldn't recommend promoting a standard user to admin to be able to call this API, for instance.</P> <P>2) Load user profile via <STRONG>dummy&nbsp;Windows service</STRONG>. This is not feasible if we are impersonating many users.</P> <P>3) Use <STRONG>machine profile</STRONG> instead of user profile. This way we don't need to load user profile.&nbsp;We can use <A class="" href="http://msdn.microsoft.com/en-us/library/aa383164(VS.85).aspx)" mce_href="http://msdn.microsoft.com/en-us/library/aa383164(VS.85).aspx)">ICEnroll4::MyStoreFlags Property</A> to select <STRONG>CERT_SYSTEM_STORE_LOCAL_MACHINE</STRONG> instead of the default CERT_SYSTEM_STORE_CURRENT_USER before calling createRequest.</P> <P mce_keep="true">&nbsp;</P> <P>I hope this helps.</P> <P>Kind regards,</P> <P mce_keep="true">&nbsp;</P> <P>Alex (Alejandro Campos Magencio)</P><img src="http://blogs.msdn.com/aggbug.aspx?PostID=8919734" width="1" height="1">XEnroll