asp.net web.config encryption - The RSA key container was not found

3
votes

I've done the following in order to encrypt the web.config using RSA provider.

RDP to Web Server and opened the VS Command Prompt with my account.

Create a custom RSA encryption key:

aspnet_regiis -pc "MyKey" -exp

Encrypt the connectionStrings section using the custom RSA key:

aspnet_regiis.exe -pef "connectionStrings" "D:\Web\" -prov "MyRsaProvider"

I can see that the web.config has been encrypted. However when I try to load the web page it throws an error below:

"....The RSA key container was not found."

I then tried these commands one by one and tested:

aspnet_regiis -pa "MyKey" "domain\appPool_serviceAccount"

aspnet_regiis -pa "MyKey" "ASPNET"

aspnet_regiis -pa MyKey" IIS APPPOOL\CRSAppPool" -full

aspnet_regiis -pa "MyKey" "NT Authority\Network Service"

And, I still get this error:

"....The RSA key container was not found."

Could some one please help me whether it's a framework bug or am I doing something not right?

4
asp.net
Those commands only work from a cmd prompt with admin permissionsRob Sedgwick
This is true, except for the fact that when this is done from a cmd prompt with admin permissions, the commands do NOT work.Michael Glenn

4 Answers

2
votes

Are you sure you got the correct identity that the app pool of your web app is running?

Try this. Create an aspx page in your web app with this content 

<%@ Page Language="C#" %>
<%
    Response.Write(System.Security.Principal.WindowsIdentity.GetCurrent().Name);
%>

call it whatever you like then navigate to it and it will give you the actual identity that the web app is using. If you didn't already grant access to the key for that user then grant it and see if it works.

Ref: Walkthrough: Creating and Exporting an RSA Key Container

1
votes

just try this and it will work

aspnet_regiis -px "MyKeys" "C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\keys.xml" -pri

all keys will be stored there

1
votes

Does your web.config contain the correct encryption header?

 <configuration>
  <configProtectedData defaultProvider="MyRsaProvider">
<providers>
  <add name="MyRsaProvider" 
    type="System.Configuration.RsaProtectedConfigurationProvider, 
          System.Configuration, Version=2.0.0.0, Culture=neutral, 
          PublicKeyToken=b03f5f7f11d50a3a,
          processorArchitecture=MSIL"
    keyContainerName="MyKeys" 
    useMachineContainer="true" />
</providers>

See here: http://msdn.microsoft.com/en-us/library/68ze1hb2(v=vs.100).aspx

1
votes

For me the issue was that my web application was running in impersonate mode and the user I was impersonating did not have access to the key. To fix I assume the app pool identity when doing DB connects:

            var revert = new RevertToAppPool();
            revert.UseAppPoolIdentity();
            database = DB.GetDatabase();
            revert.ReturnToImpersonatingCurrentUser();