Encrypting Web Config using ASPNET_REGIIS

16
votes

I need to encrypt certain parts of web config. After reading some tutorials I have learned that using the tool ASPNET_REGIIS is the way to go. This is what I am trying at the moment: From the Command Prompt 

ASPNET_REGIIS -pef "identity" "D:\IIS\admin.mySite.com"

"The configuration section 'system.web\identity' was not found."

ASPNET_REGIIS -pef "system.web\identity" "D:\IIS\admin.mySite.com"

"The configuration section 'system.web\identity' was not found." 

ASPNET_REGIIS -pef "system.web/identity" "D:\IIS\admin.mySite.com"

"Failed to encrypt the section 'system.web/identity' using provider 'RsaProtectedConfigurationProvider' Error message from the provider: Object already exists."

To try and see if am getting anything right I tried the following:

ASPNET_REGIIS -pef "connectionStrings" "D:\IIS\admin.mySite.com"

"Failed to encrypt the section 'connectionStrings' using provider 'RsaProtectedConfigurationProvider' Error message from the provider: Object already exists." 

ASPNET_REGIIS -pef "connectionStrings" "D:\IIS\admin.mySite.com"

"Failed to encrypt the section 'connectionStrings' using provider 'RsaProtectedConfigurationProvider' Error message from the provider: Object already exists." 

ASPNET_REGIIS -pef "DoesNotExist" "D:\IIS\admin.mySite.com"

"The configuration section 'DoesNotExist' was not found."

Help!

6
asp.netweb-config
I believe the key gets stored here: C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys, do you see it? If so, try removing it and running the encryption with connectionStrings as a test to see if it works.StoriKnow
For Windows 7 and onward, it looks like they are stored here C:\ProgramData\Microsoft\Crypto\RSA\MachineKeysdana

6 Answers

35
votes

I had a similar problem and when I tried running it from a command prompt with elevated privileges ("run as administrator") solved the problem.

7
votes

Try this:

ASPNET_REGIIS -pef "system.web/identity" "D:\IIS\admin.mySite.com"

If the section you are trying to encrypt is not directly under the configuration element you need to supply the full path to it.

3
votes

The "object not found" error message occurs when aspnet_regiis runs as a user who cannot read the RSA key container.

The keys are held in the "C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys". The default key container is named "NetFrameworkConfigurationKey". Make sure you have read permission to this key container.

Note that you'll need to grant read access to the identity under which your app will run. The easiest method to do this is via the aspnet_regiis tool: aspnet_regiis -pa "NetFrameworkConfigurationKey" "Yourdomain\username".

3
votes

1- Run cmd as administrator 2- go to the aspnet_regiis.exe command line folder

3-To Encrypt: aspnet_regiis.exe -pef "connectionStrings" "C:..\YourApplication" -prov "DataProtectionConfigurationProvider

4-To Decrypt: aspnet_regiis.exe -pdf "connectionStrings" "C:..\YourApplication"

1
votes

I'm so glad with this post and I would like to confirm on how to encrypt the connection string and also how to decrypt it using ASPNET_REGIIS Tool :

For encryption : 

aspnet_regiis.exe -pef "connectionStrings" "D:\ProjectAcc"

For Decryption : 

aspnet_regiis.exe -pdf "connectionStrings" "D:\ProjectAcc"

N.B:

  • When I'm doing this operation I found some issues I would like to notify it :

1) The operation of encryption filed at first because I didn't install ASP.NET run time to IIS by running as the following command:

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe -i

2) when I was working on the first issue I got another silly one :), which is every time I installed it I got this error :

An error has occurred: 0x8007b799 You must have administrative rights on this machine in order to run this tool.

Solution : Turning off the UAC fixes this issue. From Start Menu > Control Panel > System and Security > Action Center > Choose Your UAC Level - Set this to Never Notify (Requires a restart).

Thank you and I wish that I could help.

0
votes

I test aspnet_regiis.exe -pef "connectionStrings" "C:..\YourApplication", if not run as administrator, it will have error "Object already exists". If run it as administrator, it works.