User permissions to configure SSL certificate for IIS HTTPS binding

I have a configuration tool that configures IIS SSL certificate for a website. It creates a new binding in IIS configuration for "Default Web Site" and then assigns an SSL certificate to it. The tool works fine when I run it on behalf of administrative account, but fails when running under regular user account with "access denied" error.

Here is the code of the tool:

using Microsoft.Web.Administration;
using System;
using System.Globalization;
using System.Linq;

namespace TestIisSslCert
{
    class Program
    {
        static void Main(string[] args)
        {
            try
            {
                var sslCertThumbprint = "733AD4B4A8FA5F7DE2F4640F91B176BDB1D2BE25";

                // calculating certificate hash

                var certificateHash = new byte[20];
                for (int i = 0, j = 0; i < sslCertThumbprint.Length; i += 2, j++)
                {
                    string s = sslCertThumbprint[i].ToString().ToLower() + sslCertThumbprint[i + 1].ToString().ToLower();
                    byte o = byte.Parse(s, NumberStyles.HexNumber);
                    certificateHash[j] = o;
                }

                // adding a binding with a reference to the certificate:

                var siteName = "Default Web Site";
                using (var serverManager = new ServerManager())
                {
                    var site = serverManager.Sites[siteName];
                    var bindings = site.Bindings.ToList();
                    foreach (var binding in bindings)
                    {
                        if (binding.Protocol == "https")
                            site.Bindings.Remove(binding);
                    }

                    site.Bindings.Add(":443:", certificateHash, "My");
                    serverManager.CommitChanges();
                }
            }
            catch (Exception e)
            {
                Console.WriteLine(e);
            }

            Console.ReadKey();
        }
    }
}

Here is the error I'm getting when I run it as a user:

System.UnauthorizedAccessException: Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))
at Microsoft.Web.Administration.Interop.IAppHostMethodInstance.Execute()
at Microsoft.Web.Administration.Binding.AddSslCertificate(Byte[] certificateHash, String certificateStoreName)
at Microsoft.Web.Administration.BindingManager.Save()
at Microsoft.Web.Administration.ServerManager.CommitChanges()

I have added full control over the following folders:

  • "C:\Windows\System32\inetsrv\config"
  • "C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys"
  • "C:\inetpub\wwwroot"

I also tried the following link but it didn't help: https://support.comodo.com/index.php?/Knowledgebase/Article/View/1129/37/access-denied-exception-from-hresult-0x80070005-e_accessdenied

Is there any other security setting or policy that I need to grant to my user?

Some additional details: I checked if there is anything that may require permissions in ProcessMonitor, but I didn't find any registry keys nor files with "ACCESS DENIED". There was only one registry key, which I added, but it doesn't do any difference: HKLM\System\CurrentControlSet\Services\WinSock2\Parameters.

Also it is possible to add a new binding without certificate, but when I specify certificate hash it fails. It is as if some policy doesn't allow me to run the code, probably something related to COM, since Microsoft.Web.Administration is a wrapper over COM interfaces, but I'm not sure.


Solution 1:

I tried to run the same operation with netsh:

netsh http add sslcert ipport=0.0.0.0:443 certhash=35e010f567bf61
62e8eb7974ee98eb64c4ed2c55 appid={00112233-4455-6677-8899-AABBCCDDEEFF}

SSL Certificate add failed, Error: 5
The requested operation requires elevation (Run as administrator).

It seems that there is no workaround for this and I must use administrator account. Also I got a similar response for the same question on IIS forum.