 

AspNet Core using in memory repo for data protection when running in IIS

I'm running a production server (Windows Server 2012) with an AspNet Mvc Core RC1 website.

I'm seeing the following in the logs:

Neither user profile nor HKLM registry available. Using an ephemeral key repository. Protected data will be unavailable when application exits. 

After inspecting the source code for DataProtection, I tracked the problem to the following method call:

Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData) 

This is probably returning null on the server for some reason. I don't have any special custom configuration in place and I've read the docs so I thought the default would work.

I think the problem is with the IIS website not running in a certain user's context but I have no idea how to confirm or fix this. My website is configured with its own pool.

As an aside: the result of running an in memory repository for storing keys causes them to recycle whenever the application exits which is very annoying and not even intended for use in production environments.

mrahhal asked May 08 '16 11:05



2 Answers

User profile should be loaded in IIS configuration.

Open IIS, right-click on Application Pools, then Advanced Settings, and set "Load user profile" to true. Restart your app and it should work perfectly.

mrahhal answered Sep 18 '22 08:09
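The GUI step in the answer above, done from PowerShell and then verified, as an added example that is not part of the answer. It assumes the WebAdministration module (installed with the IIS Management Scripts and Tools feature) and an application pool named MyCoreSite that runs as its own ApplicationPoolIdentity; the pool name and the key-ring path under the pool's profile are assumptions for the example. Run it elevated on the server.

```powershell
# Added example, not from the answer. Assumes the WebAdministration module and
# an app pool named 'MyCoreSite' using ApplicationPoolIdentity (both assumptions).
Import-Module WebAdministration

$poolName = 'MyCoreSite'            # assumption: substitute your pool's name
$poolPath = "IIS:\AppPools\$poolName"

if (-not (Test-Path $poolPath)) { throw "App pool '$poolName' not found" }

# 1. Show what the pool has now. loadUserProfile is false for a new pool, and
#    without a loaded profile the worker process has no usable %LOCALAPPDATA%,
#    which is what triggers the 'Using an ephemeral key repository' warning.
$pm = Get-ItemProperty $poolPath -Name processModel
"identityType    : $($pm.identityType)"
"loadUserProfile : $($pm.loadUserProfile)"

# 2. Turn on Load User Profile (same as Advanced Settings in the IIS GUI)
#    and recycle the pool so the worker process picks it up.
Set-ItemProperty $poolPath -Name processModel.loadUserProfile -Value $true
Restart-WebAppPool -Name $poolName

# 3. Verify. With an ApplicationPoolIdentity the profile lives under
#    C:\Users\<poolName>, and the key ring is written to
#    %LOCALAPPDATA%\ASP.NET\DataProtection-Keys the first time the app
#    protects something, so request a page before checking.
$keyDir = Join-Path $env:SystemDrive "Users\$poolName\AppData\Local\ASP.NET\DataProtection-Keys"
if (Test-Path $keyDir) {
    Get-ChildItem $keyDir -Filter 'key-*.xml' | Select-Object Name, LastWriteTime
} else {
    "Key ring not found yet at $keyDir; hit the site once, then re-run this check."
}
```

If the key-*.xml files appear and survive a pool recycle, the ephemeral-repository warning is gone and protected payloads (auth cookies, antiforgery tokens) stay valid across restarts.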


Data Protection keys used by ASP.NET applications are stored in registry hives external to the applications. When running your application as an AppPool Identity you have to create a registry hive for every AppPool used with an ASP.NET Core application.

For standalone IIS installations, you may use the Data Protection PowerShell script for each application pool used with an ASP.NET Core application. The keys will be persisted in the registry.

As clearly stated in the logs, since the registry hive that Data Protection looks for does not exist, keys will not be persisted to disk. Instead, they will be ephemeral and live in memory only.

In web farm scenarios, an application can be configured to use a UNC path to store its data protection key ring. By default, the data protection keys are not encrypted. You can deploy an X.509 certificate to each machine to encrypt the key ring.

See the official ASP.NET Core doc about data protection for more information.

Sourabh Shirhatti answered Sep 18 '22 08:09
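The checks and setup behind the answer above, as an added example that is not part of the answer: it looks for the per-pool registry hive the log message refers to, prepares a shared key-ring folder for a web farm, and confirms the encryption certificate is present with its private key on the node. The pool name, the UNC path, the farm nodes' machine accounts and the thumbprint are all assumptions to be replaced; the registry path is the one the Provision-AutoGenKeys.ps1 script populates. Run it elevated on each farm node.

```powershell
# Added example, not from the answer. All default parameter values are assumptions.
param(
    [string]$PoolName     = 'MyCoreSite',                        # assumption
    [string]$KeyShare     = '\\fileserver\dpkeys\MyCoreSite',    # assumption
    [string[]]$NodeAccounts = @('CORP\WEB01$', 'CORP\WEB02$'),   # assumption
    [string]$Thumbprint   = ''                                   # your cert thumbprint
)

# --- 1. Per-pool registry hive. This is the "HKLM registry" in the log line;
# Provision-AutoGenKeys.ps1 creates one subkey per app pool SID under this path.
# The 'IIS AppPool\<name>' virtual account only resolves once the pool exists.
$account = New-Object System.Security.Principal.NTAccount("IIS AppPool\$PoolName")
$sid     = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
$hive    = "HKLM:\SOFTWARE\Microsoft\ASP.NET\4.0.30319.0\AutoGenKeys\$sid"
"Pool SID       : $sid"
"Registry hive  : $(if (Test-Path $hive) { 'present' } else { 'MISSING - keys stay in memory unless another repository is configured' })"

# --- 2. Shared key ring for a web farm. An ApplicationPoolIdentity reaches a
# remote share as the node's *machine* account (DOMAIN\NODE$), so the ACL must
# grant those accounts, not the local 'IIS AppPool\...' identity. Inheritance is
# cut so no broader share permissions leak onto the key files.
if (-not (Test-Path $KeyShare)) { New-Item -ItemType Directory -Path $KeyShare | Out-Null }
$acl = Get-Acl $KeyShare
$acl.SetAccessRuleProtection($true, $false)                       # disable inheritance, drop inherited ACEs
$acl.Access | Where-Object { -not $_.IsInherited } |
    ForEach-Object { $null = $acl.RemoveAccessRule($_) }          # drop any leftover explicit ACEs

$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$allow   = [System.Security.AccessControl.AccessControlType]::Allow
foreach ($p in @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')) {
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($p, 'FullControl', $inherit, $prop, $allow)))
}
foreach ($n in $NodeAccounts) {
    # Modify, not FullControl: the app writes and reads key XML, nothing more.
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($n, 'Modify', $inherit, $prop, $allow)))
}
Set-Acl -Path $KeyShare -AclObject $acl
"Key share      : $KeyShare locked to SYSTEM, Administrators and $($NodeAccounts -join ', ')"

# --- 3. Key-ring encryption. The share holds plaintext key XML by default; to
# encrypt it, every node needs the same certificate, with its private key, in the
# machine store, and the pool identity needs read access to that private key.
if ($Thumbprint) {
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object Thumbprint -eq $Thumbprint
    if (-not $cert)               { throw "Certificate $Thumbprint not in LocalMachine\My on $env:COMPUTERNAME" }
    if (-not $cert.HasPrivateKey) { throw "Certificate $Thumbprint has no private key here; this node could not unprotect the key ring" }
    "Certificate    : OK ($($cert.Subject)), expires $($cert.NotAfter)"
}
```

On the application side the key ring is pointed at the share with PersistKeysToFileSystem and at the certificate with ProtectKeysWithCertificate; with those in place the per-pool registry hive in step 1 is no longer needed, because the app never falls back to the default repository.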