Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

"The RSA key container could not be opened" Error even after ACL Permission (for some users)

Tags:

c#

asp.net

iis

iis-7

windows-server-2008

We are getting the following error (in asp.net website) when applied encryption.

Parser Error Message: Failed to decrypt using provider 'RsaProtectedConfigurationProvider'. Error message from the provider: The RSA key container could not be opened.

Note: Please see the steps listed below that we followed. (We have granted ACL permission for NT Authority\Network Service on NetFrameworkConfigurationKey)

Note: We are using Windows Authentication Enabled and ASP.NET impersonation Enabled in IIS7. It is running in Windows Server 2008. The access is controlled based on whether a user is part of allowed AD group (which will be listed in config file).

The interesting part is that this error happens when users of group1 (from location1) access it. When users of group2 (from locatiob2) try to access it, the error does not come.

Any thoughts on how to correct it?

We have followed the steps listed below from our deployment document.

  1. Run the Command Window in Administrator Mode. (In Windows Server 2008 , type cmd and press CTRL+SHIFT+ENTER)
  2. Go to the folder C:\Windows\Microsoft.Net\Framework\v4.0.30319\ using change directory command (cd).
  3. Type the following command to create RSA Key Container. aspnet_regiis -pc "NetFrameworkConfigurationKey" –exp
  4. Type the following (to add ACL for access to the RSA Key Container) and press enter aspnet_regiis -pa "NetFrameworkConfigurationKey" "NT Authority\Network Service"
  5. Type the following (after replacing the highlighted text with the location where the service is deployed) and press enter to encrypt the connections string in Service’s Web.Config. aspnet_regiis.exe -pef "connectionStrings" "C:\MyWCF\ServiceName"
  6. Type the following (after replacing the highlighted text with the location where the website is deployed) and press enter to encrypt the connections string in Website’s Web.Config. aspnet_regiis.exe -pef "connectionStrings" "C:\MyWeb\WebsiteName"
  7. Type the following (after replacing the highlighted text with the location where the web.config file for the website is available) and press enter to encrypt the sessionState values in Website’s Web.Config. aspnet_regiis.exe -pef "system.web/sessionState" "C:\MyWeb\WebsiteName"
  8. Verify that the connection strings and SessionState values are encrypted.
  9. Verify the following details in configProtectedData section in Machine.Config.

• Verify that defaultProvider="RsaProtectedConfigurationProvider"

• Verify that keyContainerName="NetFrameworkConfigurationKey"

Note: Default location for machine.config is C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\Config

like image 560
LCJ Avatar asked Feb 17 '12 10:02

LCJ

People also ask

Is the RSA key container could not be opened?

If the account you are using does not have permission to the key container then when you try to grant permission to it ( aspnet_regiis -pa "KeyContainerName" "dmz\UserName" ) you get the Key Container not found error. However the key does exist; hence, the error when you try to re-create it.

What is Aspnet_regiis?

The ASP.NET IIS Registration Tool (Aspnet_regiis.exe) allows an administrator or installation program to easily update the script maps for an ASP.NET application to point to the ASP.NET ISAPI version that is associated with the tool. The tool can also be used to display the status of all installed versions of ASP.

What is key container?

A Key container is a part of the key database in Windows that contains all the key pairs (public and private keys) belonging to a specific user or machine. Creates a new user or machine level key container used to encrypt or decrypt information for applications that run under the specific user or machine identity.

2 Answers

Following is an approach I tried which does not involve Machine config.

Note: If the destination is in Windows Sever 2008, the encryption steps need to be executed in a Windows Server 2008 itself.

Executed the below codes in server A

Note:- Registering key

 cd C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319
 aspnet_regiis.exe -pc "MyProjectKeys" -exp

Note:- GRANTING ACCESS on SERVER A only

aspnet_regiis.exe -pa "MyProjectKeys" "IIS APPPOOL\testpsreloservices"
aspnet_regiis.exe -pa "MyProjectKeys" "NT AUTHORITY\NETWORK"

Exported XML file containing RSA Key

aspnet_regiis.exe -px "MyProjectKeys" E:\wmapps\webroot\myservice\MyProjectKey.xml –pri

Added the following in web.config

<configProtectedData>
  <providers>
    <clear/>
<remove name="RSAProtectedConfigurationProvider" />
     <add name="RSAProtectedConfigurationProvider" keyContainerName="MyProjectKeys" 
    type="System.Configuration.RsaProtectedConfigurationProvider, System.Configuration, Version=2.0.0.0,&#xD;&#xA;                
Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a,&#xD;&#xA; processorArchitecture=MSIL"
          useMachineContainer="true" />
  </providers>
</configProtectedData>

Encrypted

aspnet_regiis -pef "connectionStrings" "E:\wmapps\webroot\myservice" -prov "RsaProtectedConfigurationProvider"

Copied the encrypted files in B Server. Copied the key xml file into the B Server.

Created batch file with the following commands and Executed (for Key registration and granting access)

c:
cd C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319
aspnet_regiis.exe -pi "MyProjectKeys" E:\wmapps\webroot\myservice\MyProjectKey.xml
aspnet_regiis.exe -pa "MyProjectKeys" "IIS APPPOOL\testpsreloservices"
aspnet_regiis.exe -pa "MyProjectKeys" "NT AUTHORITY\NETWORK"
like image 185
LCJ Avatar answered Nov 15 '22 05:11

LCJ

If you have impersonation enabled, the RSA key container will be accessed using the identity of the user accessing the application---not Network Service.

You'll either need to disable impersonation, or add all the users that can access the application to the ACL of the key container.

like image 29
Andy Wilson Avatar answered Nov 15 '22 04:11

Andy Wilson
Sign in to Comment

Related questions

Extract PDF text by coordinates
What's difference between ShowDialog() and ShowDialog(IWin32Window) in c#?
How to store an object in the viewstate?
Initializing a new class in its own constructor
Class inheritance, forcing new classes to implement certain functions
String Manipulation.Find string between 2 indexes
C# Display a tooltip on disabled textbox (Form)
.NET BackGroundWorker - InvalidOperationException : Cross-thread operation not valid
LINQ's ForEach on HashSet?
Collections use in foreach loop
Checking if List<T> contains specified integer number [closed]
What's the differences between .ToString() and + ""
Is there a way to FAKE inheritance in C#/VB.NET?
Substring formatting to get all characters after the first underscore but before the 2nd underscore?
In C# does calling Dispose delete the object from Heap?
Strange behavior of Windows Forms combobox control
Perfect Powers check
Equality operator overloading in struct and classes
StringBuilder, add Tab between Values
Make a running process the active Window

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!