79
votes

I have an ASP.NET MVC3 C# .NET Application running on IIS 7.5.

We have a Windows NT service account we impersonate in our code in order to read/write documents to a file share. The user id is compiled into the code and the service account password is stored in the web.config file.

The password contains an ampersand character (i.e.: p&ssword).

This broke the site. When accessing the site we received this error: "Sorry, an error occurred while processing your request".

Here is the code that uses the password:

    using System.Configuration;
    using System.Runtime.InteropServices;

    // P/Invoke declaration and constants the call below depends on (advapi32!LogonUser)
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string lpszUsername, string lpszDomain, string lpszPassword,
                                 int dwLogonType, int dwLogonProvider, ref IntPtr phToken);
    const int LOGON32_LOGON_NEW_CREDENTIALS = 9;
    const int LOGON32_PROVIDER_DEFAULT = 0;

    IntPtr token = IntPtr.Zero;
    var password = ConfigurationManager.AppSettings.Get(Common.SVC_PWD);

    bool isSuccess = LogonUser(
        @"my_svc_acct",
        "my.domain.net",
        password,
        LOGON32_LOGON_NEW_CREDENTIALS,
        LOGON32_PROVIDER_DEFAULT, ref token
    );

Why would this cause the site to break?

3
I think because web.config is treated as an XML document - see here stackoverflow.com/questions/3824351/… – Scott Selby

My first guess is that the password in the config file is incorrect. But have you tried calling GetLastError (msdn.microsoft.com/en-us/library/windows/desktop/…) to see what the error is? I also have to add that storing a clear-text password in a configuration file is not a good idea; I'd encrypt it at a minimum. – Jeff Siver

3 Answers

149
votes

I suspect that you didn't encode the password properly in the web.config file. Remember that web.config is an XML file, so entities must be encoded.

Instead of

my&password 

try

my&amp;password

You can use sites such as FreeFormatter.com to escape/unescape XML strings.

60
votes

You will need to put the encoded value in the web.config. It will read it out properly once you pull it but in the config file itself it needs to be encoded.

eg:

Password: your&password (what you expect)

Encoded version: your&amp;password (what should be stored in your web.config)

Your wrapper method that reads out the value should decode it automatically to your&password.

You will need to do this for all 'special' characters:

< = &lt;
> = &gt;
" = &quot;
' = &apos;
& = &amp;

0
votes

Store the password in the web.config using CDATA.

Replace the password with this:

<![CDATA[MyPassw&rd]]>
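The three answers above all turn on one XML rule: the file is parsed before any value is handed to your code, so the on-disk markup must be well-formed and the decoded result is what `AppSettings.Get` returns. The following is an added example, not code from the question or any of the answers; it uses Python's standard XML parser as a stand-in for the .NET configuration reader (an assumption: both follow the same XML entity rules), builds a constructed web.config fragment with a constructed key name `SvcPwd`, and checks a raw `&`, the `&amp;`-encoded value, every entity from the table in the second answer, and the CDATA suggestion from the third answer. It also shows the caveat a practitioner wants with CDATA: it is element-content syntax, so it works in a custom element but not inside the `value="..."` attribute that `<appSettings>` uses.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape


def web_config(password_markup: str) -> str:
    """Constructed web.config skeleton (assumption: the secret is stored
    as an <appSettings> attribute value, as the question's
    ConfigurationManager.AppSettings.Get(...) call implies)."""
    return (
        '<?xml version="1.0" encoding="utf-8"?>\n'
        "<configuration>\n"
        "  <appSettings>\n"
        f'    <add key="SvcPwd" value="{password_markup}" />\n'
        "  </appSettings>\n"
        "</configuration>\n"
    )


def read_appsetting(xml_text: str, key: str):
    """Parse the document the way a config reader does and return the
    already-decoded value for `key`. Returns None when the document is
    not well-formed XML (a raw '&' in an attribute value does that), and
    raises KeyError when the key is absent."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return None
    for add in root.iter("add"):
        if add.get("key") == key:
            return add.get("value")
    raise KeyError(key)


def encode_for_attribute(secret: str) -> str:
    """Escape a secret so it can be pasted into a double-quoted XML
    attribute. saxutils.escape covers & < > ; the extra map covers both
    quote characters, giving the five entities listed in the answers."""
    return escape(secret, {'"': "&quot;", "'": "&apos;"})


def element_text(xml_text: str, tag: str):
    """Return the decoded text of the first <tag> element (CDATA content
    comes back as plain text), or None on a parse error."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return None
    el = root.find(f".//{tag}")
    return None if el is None else el.text


if __name__ == "__main__":
    # Raw '&' -> the whole file fails to parse, which is the question's symptom.
    assert read_appsetting(web_config("p&ssword"), "SvcPwd") is None
    # Encoded '&amp;' -> the reader hands back the real password.
    assert read_appsetting(web_config("p&amp;ssword"), "SvcPwd") == "p&ssword"
    # All five special characters round-trip through encode_for_attribute.
    secret = 'p&ss<w>"o\'rd'
    assert read_appsetting(web_config(encode_for_attribute(secret)), "SvcPwd") == secret
    # CDATA is not legal inside an attribute value, but it works as element content.
    assert read_appsetting(web_config("<![CDATA[p&ssword]]>"), "SvcPwd") is None
    custom = "<configuration><svcPwd><![CDATA[p&ssword]]></svcPwd></configuration>"
    assert element_text(custom, "svcPwd") == "p&ssword"
    print("all checks passed")
```

Run it as a script to see every check pass. `encode_for_attribute` is the safe way to produce the stored form for an arbitrary secret rather than hand-editing entities; and note that whichever form you pick, the value is still a clear-text secret on disk, so the comment about encrypting the section still applies.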