"The RSA key container could not be opened" Error even after ACL Permission (for some users)

Question

We are getting the following error (in asp.net website) when applied encryption.

Parser Error Message: Failed to decrypt using provider 'RsaProtectedConfigurationProvider'. Error message from the provider: The RSA key container could not be opened.

Note: Please see the steps listed below that we followed. (We have granted ACL permission for NT Authority\Network Service on NetFrameworkConfigurationKey)

Note: We are using Windows Authentication Enabled and ASP.NET impersonation Enabled in IIS7. It is running in Windows Server 2008. The access is controlled based on whether a user is part of allowed AD group (which will be listed in config file).

The interesting part is that this error happens when users of group1 (from location1) access it. When users of group2 (from locatiob2) try to access it, the error does not come.

Any thoughts on how to correct it?

We have followed the steps listed below from our deployment document.

1. Run the Command Window in Administrator Mode. (In Windows Server 2008 , type cmd and press CTRL+SHIFT+ENTER)
2. Go to the folder C:\Windows\Microsoft.Net\Framework\v4.0.30319\ using change directory command (cd).
3. Type the following command to create RSA Key Container. aspnet_regiis -pc "NetFrameworkConfigurationKey" –exp
4. Type the following (to add ACL for access to the RSA Key Container) and press enter aspnet_regiis -pa "NetFrameworkConfigurationKey" "NT Authority\Network Service"
5. Type the following (after replacing the highlighted text with the location where the service is deployed) and press enter to encrypt the connections string in Service’s Web.Config. aspnet_regiis.exe -pef "connectionStrings" "C:\MyWCF\ServiceName"
6. Type the following (after replacing the highlighted text with the location where the website is deployed) and press enter to encrypt the connections string in Website’s Web.Config. aspnet_regiis.exe -pef "connectionStrings" "C:\MyWeb\WebsiteName"
7. Type the following (after replacing the highlighted text with the location where the web.config file for the website is available) and press enter to encrypt the sessionState values in Website’s Web.Config. aspnet_regiis.exe -pef "system.web/sessionState" "C:\MyWeb\WebsiteName"
8. Verify that the connection strings and SessionState values are encrypted.
9. Verify the following details in configProtectedData section in Machine.Config.

• Verify that defaultProvider="RsaProtectedConfigurationProvider"

• Verify that keyContainerName="NetFrameworkConfigurationKey"

Note: Default location for machine.config is C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\Config

Answer 1

Following is an approach I tried which does not involve Machine config.

Note: If the destination is in Windows Sever 2008, the encryption steps need to be executed in a Windows Server 2008 itself.

Executed the below codes in server A

Note:- Registering key

 cd C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319
 aspnet_regiis.exe -pc "MyProjectKeys" -exp

Note:- GRANTING ACCESS on SERVER A only

aspnet_regiis.exe -pa "MyProjectKeys" "IIS APPPOOL\testpsreloservices"
aspnet_regiis.exe -pa "MyProjectKeys" "NT AUTHORITY\NETWORK"

Exported XML file containing RSA Key

aspnet_regiis.exe -px "MyProjectKeys" E:\wmapps\webroot\myservice\MyProjectKey.xml –pri

Added the following in web.config

<configProtectedData>
  <providers>
    <clear/>
<remove name="RSAProtectedConfigurationProvider" />
     <add name="RSAProtectedConfigurationProvider" keyContainerName="MyProjectKeys" 
    type="System.Configuration.RsaProtectedConfigurationProvider, System.Configuration, Version=2.0.0.0,&#xD;&#xA;                
Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a,&#xD;&#xA; processorArchitecture=MSIL"
          useMachineContainer="true" />
  </providers>
</configProtectedData>

Encrypted

aspnet_regiis -pef "connectionStrings" "E:\wmapps\webroot\myservice" -prov "RsaProtectedConfigurationProvider"

Copied the encrypted files in B Server. Copied the key xml file into the B Server.

Created batch file with the following commands and Executed (for Key registration and granting access)

c:
cd C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319
aspnet_regiis.exe -pi "MyProjectKeys" E:\wmapps\webroot\myservice\MyProjectKey.xml
aspnet_regiis.exe -pa "MyProjectKeys" "IIS APPPOOL\testpsreloservices"
aspnet_regiis.exe -pa "MyProjectKeys" "NT AUTHORITY\NETWORK"

Answer 2

If you have impersonation enabled, the RSA key container will be accessed using the identity of the user accessing the application---not Network Service.

You'll either need to disable impersonation, or add all the users that can access the application to the ACL of the key container.