Encrypting sections of Web.Config

I have a websever running IIs 6.0 and the .Net 2.0 framework. I'm trying to encrypt sections of a web.config file on one of the websites that I host on this server. I have about 20 different websites each with their own IP address.

From several MSDN docs and posts here and there I've learned that I can use the aspnet_regiis command to encrypt certain sections of my web.config. I'd like to encrypt the sections that contain passwords - such as the connectionStrings and the mailSettings. (I'm trying to implement the new Membership classes and the login control).

My problem is that the documentation I have says a couple of things that I'm not sure how to do.

1. In one place in the MSDN doc ( http://msdn.microsoft.com/library/default.asp url=/library/en-us/dnpag2/html/paght000006.asp ) it says:

  1. To encrypt the connectionStrings section, run the following command from a .NET command prompt:

    aspnet_regiis -pe "connectionStrings" -app "/MachineDPAPI" -prov "DataProtectionConfigurationProvider"

The above command with the -app switch assumes that there is an IIS virtual directory called MachineDPAPI. If you are using the Visual Studio .NET 2005 Web server instead of IIS, use the -pef switch, which allows you to specify the physical directory location of your configuration file.

  • The -pe switch specifies the configuration section to encrypt.
  • The -pef switch specifies the configuration section to encrypt and allows you to supply the physical directory path for your configuration file.
  • The -app switch specifies your Web application's virtual path. If it is a nested application, you need to specify the nested path from the root directory; for example, "/test/aspnet/MachineDPAPI".
My first question is how to create a .NET command prompt on my webserver. I do not have Visual Studio 2005 installed there, only the .Net 2.0 Framework ( 2.0.50727 ).

    What I actually have is a directory on my drive named: c:\virtual\n8nt\test1 and that directory is where I published my website from on my other computer on which I have Visual Studio 2005. I use the publish website option under the Build tab. On my webserver, the website is actually a subweb under one of my IP addresses - it looks something like http://11.22.33.44/test1 which I get to on the web by a URL something like http://www.mainsite.com/test1.

    My web.config contains the following section:

    <configProtectedData>
      <providers>
        <add keyContainerName="Test1ConfigurationKey"
          useMachineContainer="false"
          description="Uses RsaCryptoServiceProvider to encrypt and decrypt"
          name="Test1RSAProtectedConfigurationProvider"
          type="System.Configuration.RsaProtectedConfigurationProvider,System.Configuration, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
      </providers>
    </configProtectedData>

    So, for my app which has a web.config in the c:\virtual\mainsite\test1 directory, I can run the aspnet_regiis command like this:

    aspnet_regiis -pe "connectionStrings" -app "/mainsite/test1" -prov "Test1RSAProtectedConfigurationProvider"

    and it succeeds. However, when I try to go to that website, I get the following error:

    Parser Error Message: Failed to decrypt using provider 'Test1RSAProtectedConfigurationProvider'. Error message from the provider: The RSA key container could not be opened.

    Source Error:

    Line 15:  <!-- protect this block -->
    Line 16:  <connectionStrings configProtectionProvider="Test1RSAProtectedConfigurationProvider">
    Line 17:   <EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"
    Line 18:    xmlns="http://www.w3.org/2001/04/xmlenc#">
    Line 19:    <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc" />

    I wonder if this is because I do not run the aspnet_regiis using the .NET command prompt. I am logged into my webserver as a user with admin access, but I can't log in as "NT AUTHORITY\NETWORK SERVICE", which is the user that runs my application for me.

    Now, if I use the other provider to encrypt my web.config file without using user keys, then the encryption works and I can access my website without problems. In that case I remove the <configProtectedData> section from my web.config and then use the following command:

    aspnet_regiis -pe "connectionStrings" -app "/mainsite/test1" -prov "DataProtectionConfigurationProvider"

    It seems that the DataProtectionConfigurationProvider works on a machine level but I'm not sure I want to protect all of my websites on the same machine level. I'd rather do it using the keyContainer method, but can't figure that out.

    Anyone know how to do that?

    Thanks,
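As an added example (not part of the original post), here is a small Python audit script for the web.config layout shown above. It flags the three things this thread turns on: a sensitive section still in plaintext, a configProtectionProvider that is not declared, and an RsaProtectedConfigurationProvider registered with useMachineContainer="false", which keeps the key in the profile of the account that ran aspnet_regiis, so a worker process running as NETWORK SERVICE gets "The RSA key container could not be opened". The sample XML and its CipherValue are constructed placeholders.

```python
# Added example (not from the original post): audit a web.config for the
# protected-configuration problems discussed in this thread.
import xml.etree.ElementTree as ET

ENCRYPTED_DATA = "{http://www.w3.org/2001/04/xmlenc#}EncryptedData"
# Sections that usually carry credentials and should be protected.
SENSITIVE = ("connectionStrings", "system.net/mailSettings", "system.web/identity")
# Providers registered in machine.config, so they need no local declaration.
BUILTIN = {"RsaProtectedConfigurationProvider", "DataProtectionConfigurationProvider"}

def audit_web_config(xml_text):
    """Return a list of findings (strings); an empty list means nothing was flagged."""
    root = ET.fromstring(xml_text)
    findings = []
    declared = set(BUILTIN)
    for add in root.findall("configProtectedData/providers/add"):
        name = add.get("name", "")
        declared.add(name)
        rsa = "RsaProtectedConfigurationProvider" in add.get("type", "")
        # A user-level RSA key container lives in the profile of whoever ran
        # aspnet_regiis; the worker process (e.g. NETWORK SERVICE) cannot open it.
        if rsa and add.get("useMachineContainer", "true").lower() == "false":
            findings.append("provider %s: useMachineContainer=false, worker process "
                            "identity will fail with 'RSA key container could not be opened'" % name)
    for path in SENSITIVE:
        section = root.find(path)
        if section is None:
            continue
        provider = section.get("configProtectionProvider")
        if provider is None:
            findings.append("section %s is stored in plaintext" % path)
        elif provider not in declared:
            findings.append("section %s names undeclared provider %s" % (path, provider))
        elif section.find(ENCRYPTED_DATA) is None:
            findings.append("section %s claims provider %s but has no EncryptedData" % (path, provider))
    return findings

# Constructed sample: the poster's provider declaration, an encrypted
# connectionStrings block (placeholder ciphertext) and a plaintext SMTP password.
SAMPLE = """<configuration>
  <configProtectedData><providers>
    <add keyContainerName="Test1ConfigurationKey" useMachineContainer="false"
         name="Test1RSAProtectedConfigurationProvider"
         type="System.Configuration.RsaProtectedConfigurationProvider,System.Configuration, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
  </providers></configProtectedData>
  <connectionStrings configProtectionProvider="Test1RSAProtectedConfigurationProvider">
    <EncryptedData xmlns="http://www.w3.org/2001/04/xmlenc#"><CipherData>
      <CipherValue>PLACEHOLDER</CipherValue></CipherData></EncryptedData>
  </connectionStrings>
  <system.net><mailSettings><smtp><network host="mail" password="PLACEHOLDER" /></smtp></mailSettings></system.net>
</configuration>"""

if __name__ == "__main__":
    for finding in audit_web_config(SAMPLE):
        print(finding)
```

Run it against a real web.config by replacing SAMPLE with the file's contents; switching the provider to useMachineContainer="true" and granting the worker identity access with aspnet_regiis -pa clears the first finding.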


    • Simmy7

      aspnet_regiis -pa "NetFrameworkConfigurationKey" "ASPNET"

      try this.

      Virat




    • d.delft

      I tried using this command.. it doesn't work; instead it shows a menu in the .NET prompt... Any other solution?
    • RemcoJVG

      If you have an identity tag in your web.config then you should give permission to the user specified in the identity tag.

      aspnet_regiis -pa "NetFrameworkConfigurationKey" "<UserName>".

      I struggled for some time to find this solution.



    • XenoByteZero

      This is because your ASP.NET application identity does not have access to the .NET Framework configuration key store. To give rights, use the following command:

      aspnet_regiis -pa.


    • schobmich

      I've tried the following

      aspnet_regiis -pa "NetFrameworkConfigurationKey" "NT Authority\Network Service".

      (Please take a backup copy of machine.config and web.config in the framework folder.)

      If this doesn't work, please uninstall .NET Framework 2.0, reinstall, and try the above command again.

      Even I struggled for 1hr to accomplish this. Finally got it!


    • OhioDale

      Please try this. I tried everything that was mentioned in this post, but nothing worked for me.

      I tried to use the DataProtectionConfigurationProvider and it worked for me.

      Using this provider will also remove the need to call aspnet_regiis -pa ....


      aspnet_Regiis -pef system.web/identity . -prov DataProtectionConfigurationProvider

      Thanks,

      Vinayak
