We are getting the following error (in asp.net website) when applied encryption.
Parser Error Message: Failed to decrypt using provider 'RsaProtectedConfigurationProvider'. Error message from the provider: The RSA key container could not be opened.
Note: Please see the steps listed below that we followed. (We have granted ACL permission for NT Authority\Network Service on NetFrameworkConfigurationKey)
Note: We are using Windows Authentication Enabled and ASP.NET impersonation Enabled in IIS7. It is running in Windows Server 2008. The access is controlled based on whether a user is part of allowed AD group (which will be listed in config file).
The interesting part is that this error happens when users of group1 (from location1) access it. When users of group2 (from locatiob2) try to access it, the error does not come.
Any thoughts on how to correct it?
We have followed the steps listed below from our deployment document.
- Run the Command Window in Administrator Mode. (In Windows Server 2008 , type cmd and press CTRL+SHIFT+ENTER)
- Go to the folder C:\Windows\Microsoft.Net\Framework\v4.0.30319\ using change directory command (cd).
- Type the following command to create RSA Key Container. aspnet_regiis -pc "NetFrameworkConfigurationKey" –exp
- Type the following (to add ACL for access to the RSA Key Container) and press enter aspnet_regiis -pa "NetFrameworkConfigurationKey" "NT Authority\Network Service"
- Type the following (after replacing the highlighted text with the location where the service is deployed) and press enter to encrypt the connections string in Service’s Web.Config. aspnet_regiis.exe -pef "connectionStrings" "C:\MyWCF\ServiceName"
- Type the following (after replacing the highlighted text with the location where the website is deployed) and press enter to encrypt the connections string in Website’s Web.Config. aspnet_regiis.exe -pef "connectionStrings" "C:\MyWeb\WebsiteName"
- Type the following (after replacing the highlighted text with the location where the web.config file for the website is available) and press enter to encrypt the sessionState values in Website’s Web.Config. aspnet_regiis.exe -pef "system.web/sessionState" "C:\MyWeb\WebsiteName"
- Verify that the connection strings and SessionState values are encrypted.
- Verify the following details in configProtectedData section in Machine.Config.
• Verify that defaultProvider="RsaProtectedConfigurationProvider"
• Verify that keyContainerName="NetFrameworkConfigurationKey"
Note: Default location for machine.config is C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\Config
Best Answer
Following is an approach I tried which does not involve Machine config.
Note: If the destination is in Windows Sever 2008, the encryption steps need to be executed in a Windows Server 2008 itself.
Executed the below codes in server A
Note:- Registering key
Note:- GRANTING ACCESS on SERVER A only
Exported XML file containing RSA Key
Added the following in web.config
Encrypted
Copied the encrypted files in B Server. Copied the key xml file into the B Server.
Created batch file with the following commands and Executed (for Key registration and granting access)