Powershell – Setting up IIS 7.5 Shared Configuration (with encrypted values) on Windows Server 2008 R2 Core

iis-7.5, powershell, windows-server-core

Simple question: Is there a way in PowerShell or appcmd to create the ConfigEncryptedKey.key normally created through exporting Shared Configuration in IIS 7.5?

Now, an explanation of why I want to do this…

We are trying to use the Shared Configuration feature of IIS 7.5 on Windows Server 2008 R2 Core.

The problem is, every guide to this technology refers to administering this through IIS Manager. On Core, you can only do this remotely (not on the server itself).

This feature (Shared Configuration) does not appear to be available when administering remotely.

Despite this, we have had some success setting it up manually (i.e. setting up c:\windows\System32\inetsrv\config\redirection.config ourselves). The only issue comes when we try to run an app pool under a specific account (username and password). The existence of a password prompts IIS to encrypt this value in the shared applicationHost.config.

This is fine on the server you set up the app pool on. But when the other server in the shared pair attempts to start the app pool, it cannot decrypt the password in applicationHost.

The error message in the event log reads (System/WAS/Event ID 5021):

The identity of application pool mysitename is invalid. The user name or password that is specified for the identity may be incorrect, or the user may not have batch logon rights. If the identity is not corrected, the application pool will be disabled when the application pool receives its first request. If batch logon rights are causing the problem, the identity in the IIS configuration store must be changed after rights have been granted before Windows Process Activation Service (WAS) can retry the logon. If the identity remains invalid after the first request for the application pool is processed, the application pool will be disabled. The data field contains the error number.

Also note that trying to set the identity on the second server through the IIS Manager UI results in this error dialogue:

There was an error while performing this operation.

Details:

Bad Data. (Exception from HRESULT: 0x80090005)

Normally (when done through the IIS Manager UI we can't use on Core), a file called ConfigEncryptedKey.key is created. This seems to communicate to the second server the key required to decrypt the app pool user password in applicationHost.config.

As we can't use the UI to do this, is there a way to do this programmatically?

Best Answer

You should be able to use the Appendix 3 technique from the Shared Configuration guide below: http://learn.iis.net/page.aspx/264/shared-configuration/

In short: ASPNET_REGIIS -px to export the IISConfigurationKey and IISWasKey, and -pi on the target box to import and synchronize them.
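As an added PowerShell example (not from the answer or the linked guide), here is the export/import round trip for both RSA key containers named in the answer. The aspnet_regiis.exe path, the -pz/-pa steps and the IIS_IUSRS account are assumptions to adjust for your servers.

```powershell
# Added example, not from the question or answer above.
# Assumed: 64-bit .NET 2.0 aspnet_regiis.exe; container names as given in the answer.
$AspnetRegiis = "$env:windir\Microsoft.NET\Framework64\v2.0.50727\aspnet_regiis.exe"
$Containers   = @('IISConfigurationKey', 'IISWasKey')

function Export-IisRsaKeys {
    # Run on the server that already starts the app pool correctly.
    param([string]$OutDir)
    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
    foreach ($c in $Containers) {
        # -pri includes the private key; without it the second server cannot decrypt anything.
        & $AspnetRegiis -px $c (Join-Path $OutDir "$c.xml") -pri
        if ($LASTEXITCODE -ne 0) { throw "Export of $c failed (exit code $LASTEXITCODE)" }
    }
}

function Import-IisRsaKeys {
    # Run on the second server of the shared pair after copying the XML files over a protected channel.
    param([string]$InDir)
    foreach ($c in $Containers) {
        # Assumption: -pi refuses to overwrite an existing container, so the local one is removed first.
        # Values the second server encrypted with its own key become unreadable; the shared
        # applicationHost.config is the source of truth from here on.
        & $AspnetRegiis -pz $c | Out-Null
        & $AspnetRegiis -pi $c (Join-Path $InDir "$c.xml")
        if ($LASTEXITCODE -ne 0) { throw "Import of $c failed (exit code $LASTEXITCODE)" }
        # Assumed account: grant the worker process group read access to the imported container.
        & $AspnetRegiis -pa $c 'IIS_IUSRS'
    }
    # The XML files carry private keys; remove them once they have been imported.
    Get-ChildItem -Path $InDir -Filter '*.xml' | Remove-Item -Force
    # WAS re-reads identities on restart, so the pool can retry the logon with the shared key.
    Restart-Service -Name WAS -Force
}
```

Verify the result on the second server by checking that Event ID 5021 no longer appears for the pool after a request hits it.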