Following on from my travails with HttpListeners not working as a non-admin user, it turned out that the Cardspace samples (download them here if you’re interested) had one more sticking point up their sleeve before everything worked. The main example demonstrates how a simple Security Token Service is used to verify the managed card a user wants to send to a site. However, the service is accessible only through the HTTPS protocol on port 7001, and Cardspace was unable to access it. A little digging revealed that the setup scripts for the sample tried and failed to build a copy of httpcfg, a utility found on Windows Server 2003. I didn't have the necessary files to build httpcfg successfully, but it turns out that the netsh utility that comes with Vista, and that helped me out previously, could help me out here too.
The command required to add the certificate to a port with netsh is
netsh http add sslcert ipport=0.0.0.0:7001 certhash=thumbprint appid=arbitrary_guid
And the corresponding one to remove it is
netsh http delete sslcert ipport=0.0.0.0:7001
I’ve just started working through the Cardspace samples to learn some more about online identity layers (download them here if you're interested). The first example demonstrates a web service running on http://localhost:4123 requesting a certificate from a client. However, as a non-admin, I get the following error from Visual Studio when running the sample.
AddressAccessDeniedException was unhandled
HTTP could not register URL http://+:4123/HelloService/. Your process does not have access rights to this namespace
Coincidentally, the error is exactly analogous to a problem I had while trying out the CR_Documentor plug-in that Travis Illig has created, and in hindsight it was Travis and co. who figured out both problems. To paraphrase,
By default, only local admins have permission to listen to http prefixes. Other accounts require an explicit grant using either httpcfg.exe for WinXP/2003 users or netsh for Vista/2008 users. This isn’t a .NET permission; it goes right to the Windows urlacl level.
Just as this cardspace demo relies on port 4123 being accessible, so too does CR_Documentor rely on port 11235. The full syntax for either command, explaining the various options, can be found here.
Thus, to solve my cardspace problem, I needed to open a command prompt as an admin and run the following command to match the URL given in the error dialog.
netsh http add urlacl url=http://+:4123/ user=cweb\dan
And hey presto, I can continue debugging my web services as a standard user.
Thanks again to Travis and the CR_Documentor guys for figuring this one out and explaining it here. I’m just passing on the info.
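To tie both posts together, here is an added example (my own script, not part of the Cardspace samples or of Travis's write-up) that performs the two netsh steps above from an elevated PowerShell prompt: it looks up the STS certificate's thumbprint in the machine store instead of retyping it, binds it to port 7001 with a freshly generated appid, reserves only the http://+:4123/ prefix for the non-admin account, and then shows both settings so you can confirm they took. The certificate subject CN=localhost and the user cweb\dan are placeholders for your own values.

```powershell
# Added example, not code from the original post or the Cardspace samples.
# Run from an elevated PowerShell prompt. Replace the placeholder values below.
param(
    [string]$CertSubject = 'CN=localhost',   # assumed subject of the STS certificate
    [int]$SslPort        = 7001,             # HTTPS port the sample STS listens on
    [string]$HttpUrl     = 'http://+:4123/', # prefix from the AddressAccessDeniedException
    [string]$User        = 'cweb\dan'        # placeholder: DOMAIN\user that runs Visual Studio
)

# Look the thumbprint up rather than typing it: one wrong hex digit makes
# 'add sslcert' fail with an unhelpful error. Require a private key, since
# HTTP.sys cannot serve TLS without one.
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq $CertSubject -and $_.HasPrivateKey } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key for $CertSubject in LocalMachine\My" }

# appid is an arbitrary GUID identifying the owning application; netsh expects braces.
$appId = '{' + [guid]::NewGuid().ToString() + '}'

# Remove any stale binding first so the add does not fail with 'already exists'.
netsh http delete sslcert ipport="0.0.0.0:$SslPort" | Out-Null

netsh http add sslcert ipport="0.0.0.0:$SslPort" certhash=$($cert.Thumbprint) appid="$appId"
if ($LASTEXITCODE -ne 0) { throw "netsh add sslcert failed for port $SslPort" }

# Reserve only the prefix the sample needs. Granting a broad prefix such as
# http://+:80/ would let that account take over every site on the port.
netsh http add urlacl url=$HttpUrl user=$User
if ($LASTEXITCODE -ne 0) { throw "netsh add urlacl failed for $HttpUrl" }

# Verify: both commands print the current binding and reservation.
netsh http show sslcert ipport="0.0.0.0:$SslPort"
netsh http show urlacl url=$HttpUrl
```

To undo, use the matching `netsh http delete sslcert ipport=0.0.0.0:7001` and `netsh http delete urlacl url=http://+:4123/` commands.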