Re: Export / Import key problem



Thanks. I'll give that a try.

Diane

"Dominick Baier" wrote:

use aspnet_regiis for the im/export...


-----
Dominick Baier (http://www.leastprivilege.com)

Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp)

I have encrypted the identity section of my web.config file, using the
RSA provider. The built-in encrypt/decrypt works just fine. The
problem is, when I move the app to another machine.

My web.config provider entry looks like this.

    <configProtectedData>
      <providers>
        <add name="MyProvider"
             type="System.Configuration.RsaProtectedConfigurationProvider,
             System.Configuration, Version=2.0.0.0, Culture=neutral,
             PublicKeyToken=b03f5f7f11d50a3a, processorArchitecture=MSIL"
             keyContainerName="MyKey" useMachineContainer="false"/>
      </providers>
    </configProtectedData>

I moved the app, exported the key using the Certificate snap-in in
mmc, then imported it into the other machine and used aspnet_regiis to
grant permissions to the ASPNET user. When I try to run my app on this
box, I get the following error:

Configuration Error Description: An error occurred during the
processing of a configuration file required to service this request.
Please review the specific error details below and modify your
configuration file appropriately.

Parser Error Message: Failed to decrypt using provider
'RsaProtectedConfigurationProvider'. Error message from the provider:
The RSA key container could not be opened.

Source Error:

Line 68: <authentication mode="Windows"/>
Line 69: <identity
configProtectionProvider="RsaProtectedConfigurationProvider">
Line 70: <EncryptedData
Type="http://www.w3.org/2001/04/xmlenc#Element"
Line 71: xmlns="http://www.w3.org/2001/04/xmlenc#">
Line 72: <EncryptionMethod
Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc" />

If I delete the encrypted section in the web.config file on the new
box, then re-encrypt from there, it works fine again, but is not
portable to my other machine. This makes me think that the
export/import is not working correctly.

Any ideas?

Thanks.
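
The aspnet_regiis export/import suggested in the reply above, written out as an added example that is not part of the original thread. It assumes a machine-level key container (useMachineContainer="true" in the provider entry, unlike the config quoted above), the .NET 2.0 framework path, and a hypothetical application path /MyApp and key file location.

```powershell
# Added example. The framework path, app path and key file are assumptions.
$regiis  = "$env:windir\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis.exe"
$keyFile = "C:\temp\MyKey.xml"      # hypothetical transfer file
$appPath = "/MyApp"                 # hypothetical IIS virtual path

function Invoke-Regiis {
    # Run aspnet_regiis and stop on the first failure so a later step
    # never runs against a half-configured key container.
    & $regiis @args
    if ($LASTEXITCODE -ne 0) { throw "aspnet_regiis $args failed ($LASTEXITCODE)" }
}

# ---- Source machine -------------------------------------------------
# 1. Create the container as exportable. A container created without
#    -exp cannot have its private key exported later; it has to be
#    recreated and the section re-encrypted.
Invoke-Regiis -pc "MyKey" -exp

# 2. Encrypt the section with the custom provider. Without -prov the
#    default provider (RsaProtectedConfigurationProvider, container
#    NetFrameworkConfigurationKey) is used instead of MyProvider/MyKey.
Invoke-Regiis -pe "system.web/identity" -app $appPath -prov "MyProvider"

# 3. Export the key pair. -pri includes the private key, which the
#    target machine needs in order to decrypt.
Invoke-Regiis -px "MyKey" $keyFile -pri

# ---- Target machine (after copying $keyFile over a trusted channel) --
# 4. Import into a container of the same name. Omitting -exp here makes
#    the imported key non-exportable on the target.
Invoke-Regiis -pi "MyKey" $keyFile

# 5. Grant the ASP.NET worker identity read access to the container.
Invoke-Regiis -pa "MyKey" "ASPNET"

# 6. The XML file holds the private key in the clear: remove every copy.
Remove-Item $keyFile
```

Steps 1 to 3 run on the machine where the section was encrypted and steps 4 to 6 on the machine receiving the app; the encrypted web.config is then copied unchanged.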



