“RSA key container cannot be opened” Error even after ACL permission (for some users)

When using encryption, we get the following error (on the asp.net website).

Parser error message: Failed to decrypt using the RsaProtectedConfigurationProvider provider. Vendor error message: RSA key container could not be opened.

Note. Please see the steps below that we have completed. (We have granted ACL permission for NT Authority\Network Service on NetFrameworkConfigurationKey.)

Note. We use Windows authentication with ASP.NET impersonation enabled in IIS7. It runs on Windows Server 2008. Access control is carried out depending on whether the user is a member of an allowed AD group (specified in the configuration file).

Interestingly, this error occurs when users of group1 (from location1) access it. When users of group2 (from location2) try to access it, the error does not occur.

Any thoughts on how to fix this?

We have completed the following steps from our deployment document.

  • Launch the command window in administrator mode. (In Windows Server 2008, type cmd and press CTRL + SHIFT + ENTER.)
  • Go to the C:\Windows\Microsoft.Net\Framework\v4.0.30319\ folder using the change directory (cd) command.
  • Enter the following command to create the RSA key container: aspnet_regiis -pc "NetFrameworkConfigurationKey" -exp
  • Type the following (to add an ACL for access to the RSA key container) and press Enter: aspnet_regiis -pa "NetFrameworkConfigurationKey" "NT Service\Network Service"
  • Enter the following (after replacing the selected text with the location where the service is deployed) and press Enter to encrypt the connection string in the service's Web.Config: aspnet_regiis.exe -pef "connectionStrings" "C:\MyWCF\ServiceName"
  • Enter the following (after replacing the highlighted text with the deployment location of the website) and press Enter to encrypt the connection string in the website's Web.Config: aspnet_regiis.exe -pef "connectionStrings" "C:\MyWeb\WebsiteName"
  • Enter the following (after replacing the selected text with the location of the website's web.config file) and press Enter to encrypt the sessionState values in the website's Web.Config: aspnet_regiis.exe -pef "system.web/sessionState" "C:\MyWeb\WebsiteName"
  • Verify that the connection strings and sessionState values are encrypted.
  • Check the following information in the configProtectedData section of Machine.Config:
      • Make sure defaultProvider = "RsaProtectedConfigurationProvider"
      • Make sure keyContainerName = "NetFrameworkConfigurationKey"

Note. The default location for machine.config is C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\Config

+5
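The deployment steps in the question, as an added example that is not code from the original post: one Windows PowerShell script that runs them in order and then verifies the outcome by reading the XML rather than trusting the tool's console output. The framework directory, container name, account and application paths are the question's placeholders and are assumptions to adjust; it assumes an elevated Windows PowerShell prompt on the target server. It goes slightly beyond the list above in that it encrypts every listed section that is present in each web.config, and skips sections that are absent or already protected.

```powershell
# Added example, not code from the original question: runs the deployment
# steps listed above as one script and verifies the result by reading the XML
# rather than trusting the tool's console output. Placeholders (assumptions):
# the framework directory, container name, account and application paths.
# Run from an elevated Windows PowerShell prompt on the target server.
param(
    [string]   $Framework = 'C:\Windows\Microsoft.NET\Framework\v4.0.30319',
    [string]   $Container = 'NetFrameworkConfigurationKey',
    [string]   $Account   = 'NT AUTHORITY\NETWORK SERVICE',
    [string[]] $AppPaths  = @('C:\MyWCF\ServiceName', 'C:\MyWeb\WebsiteName'),
    [string[]] $Sections  = @('connectionStrings', 'system.web/sessionState')
)
$ErrorActionPreference = 'Stop'
$regiis = Join-Path $Framework 'aspnet_regiis.exe'
if (-not (Test-Path $regiis)) { throw "aspnet_regiis.exe not found in $Framework" }

function Invoke-RegIis([string[]] $Arguments) {
    # aspnet_regiis signals failure through its exit code; stop at the first failed
    # step instead of encrypting against a container that was never created.
    & $regiis @Arguments
    if ($LASTEXITCODE -ne 0) { throw "aspnet_regiis $($Arguments -join ' ') exited with code $LASTEXITCODE" }
}

function Test-KeyContainer([string] $Name) {
    # True if a machine-level container of this name exists and the current identity
    # can open it. UseExistingKey makes the call fail instead of creating a container.
    $cp = New-Object System.Security.Cryptography.CspParameters
    $cp.KeyContainerName = $Name
    $cp.Flags = [System.Security.Cryptography.CspProviderFlags] 'UseMachineKeyStore, UseExistingKey'
    try { (New-Object System.Security.Cryptography.RSACryptoServiceProvider($cp)).Dispose(); return $true }
    catch [System.Security.Cryptography.CryptographicException] { return $false }
}

# Step 1: create the exportable machine-level container unless it is already there.
if (-not (Test-KeyContainer $Container)) { Invoke-RegIis @('-pc', $Container, '-exp') }

# Step 2: grant the application identity read access to the container.
Invoke-RegIis @('-pa', $Container, $Account)

# Steps 3 to 5: encrypt each section present in each application's web.config, then
# confirm the section now carries configProtectionProvider and an EncryptedData child.
foreach ($path in $AppPaths) {
    $webConfig = Join-Path $path 'web.config'
    if (-not (Test-Path $webConfig)) { Write-Warning "no web.config under $path"; continue }
    foreach ($section in $Sections) {
        $before = ([xml] (Get-Content -Raw $webConfig)).SelectSingleNode("/configuration/$section")
        if (-not $before) { continue }                                     # section not used by this app
        if ($before.GetAttribute('configProtectionProvider')) { continue }  # already encrypted
        Invoke-RegIis @('-pef', $section, $path)
        $after = ([xml] (Get-Content -Raw $webConfig)).SelectSingleNode("/configuration/$section")
        $ok = $after.GetAttribute('configProtectionProvider') -eq 'RsaProtectedConfigurationProvider' -and
              $after.SelectSingleNode("*[local-name()='EncryptedData']")
        [pscustomobject]@{ App = $path; Section = $section; Encrypted = [bool] $ok }
    }
}

# Step 6: machine.config must name the provider and container the encrypted files rely on
# (the -pef calls above use the default provider, so this is what decryption will read).
$mc  = [xml] (Get-Content -Raw (Join-Path $Framework 'Config\machine.config'))
$cpd = $mc.configuration.configProtectedData
$rsa = $cpd.providers.add | Where-Object { $_.name -eq 'RsaProtectedConfigurationProvider' }
if ($cpd.defaultProvider -ne 'RsaProtectedConfigurationProvider' -or $rsa.keyContainerName -ne $Container) {
    Write-Warning "machine.config: defaultProvider='$($cpd.defaultProvider)', keyContainerName='$($rsa.keyContainerName)'"
}
```

The script outputs one object per encrypted section with an Encrypted flag, so a deployment log shows at a glance which sections were actually protected; the machine.config check at the end catches the case where the container name in machine.config differs from the one the ACL was granted on, which produces the same "could not be opened" error at runtime.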
3 answers

Below is the approach I used, which does not depend on the machine configuration.

Note. If the destination is Windows Server 2008, the encryption steps must be performed on Windows Server 2008 itself.

The following commands are executed on server A.

Note: registering the key

    cd C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319
    aspnet_regiis.exe -pc "MyProjectKeys" -exp

Note: granting access (on the server only)

    aspnet_regiis.exe -pa "MyProjectKeys" "IIS APPPOOL\testpsreloservices"
    aspnet_regiis.exe -pa "MyProjectKeys" "NT AUTHORITY\NETWORK"

Export the XML file containing the RSA key:

    aspnet_regiis.exe -px "MyProjectKeys" E:\wmapps\webroot\myservice\MyProjectKey.xmlpri

The following is added to web.config:

    <configProtectedData>
      <providers>
        <clear/>
        <remove name="RSAProtectedConfigurationProvider" />
        <add name="RSAProtectedConfigurationProvider"
             keyContainerName="MyProjectKeys"
             type="System.Configuration.RsaProtectedConfigurationProvider, System.Configuration, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a, processorArchitecture=MSIL"
             useMachineContainer="true" />
      </providers>
    </configProtectedData>

Encrypt:

    aspnet_regiis -pef "connectionStrings" "E:\wmapps\webroot\myservice" -prov "RsaProtectedConfigurationProvider"

I copied the encrypted files on server B. I copied the xml key file to server B.

A batch file was created with the following commands and executed (to register the key and grant access):

    c:
    cd C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319
    aspnet_regiis.exe -pi "MyProjectKeys" E:\wmapps\webroot\myservice\MyProjectKey.xml
    aspnet_regiis.exe -pa "MyProjectKeys" "IIS APPPOOL\testpsreloservices"
    aspnet_regiis.exe -pa "MyProjectKeys" "NT AUTHORITY\NETWORK"
+11

If you have impersonation enabled, the RSA key container is accessed under the identity of the user accessing the application, not under Network Service.

You need to either disable impersonation or add all users who can access the application to the ACL of the key container.

+5
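The identity point made in this answer, as an added example that is not code from the original answer. The first function opens the container with the same flags the RsaProtectedConfigurationProvider uses when decrypting (machine store, existing key only) and reports which Windows identity made the attempt and whether it succeeded; run it from a session started as one of the failing group1 users (for example via runas) to reproduce the failure outside IIS. The second function applies the answer's second option in the form that fits the question, where access is gated on AD group membership: it reads the allowed groups from the web.config authorization section and grants each group read access to the container with aspnet_regiis -pa, which accepts a user or group account. Container name, application path and framework directory are placeholders and assumptions.

```powershell
# Added example, not code from the original answer. Two pieces: a check that reports
# which Windows identity is opening the container and whether it succeeds, which is
# what impersonation changes; and the answer's second option, granting the container
# ACL to the AD groups the application allows. Placeholders (assumptions): container
# name, application path, framework directory. Run from Windows PowerShell on the web
# server; to reproduce a specific user's failure, start the session as that user.
param(
    [string] $Container = 'NetFrameworkConfigurationKey',
    [string] $AppPath   = 'C:\MyWeb\WebsiteName',
    [string] $Framework = 'C:\Windows\Microsoft.NET\Framework\v4.0.30319'
)

function Test-KeyContainerAccess([string] $Name) {
    # Opens the machine-level container as the current identity with the flags the
    # RsaProtectedConfigurationProvider uses on its decrypt path: machine key store and
    # existing key only (so nothing is created). With ASP.NET impersonation, as the
    # answer above explains, IIS makes this call as the authenticated user.
    $who = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    $cp = New-Object System.Security.Cryptography.CspParameters
    $cp.KeyContainerName = $Name
    $cp.Flags = [System.Security.Cryptography.CspProviderFlags] 'UseMachineKeyStore, UseExistingKey'
    try {
        (New-Object System.Security.Cryptography.RSACryptoServiceProvider($cp)).Dispose()
        [pscustomobject]@{ Identity = $who; Container = $Name; CanOpen = $true;  Error = $null }
    } catch [System.Security.Cryptography.CryptographicException] {
        # Both a missing container and a denied key-file ACL surface here; the provider
        # wraps this exception as "RSA key container could not be opened".
        [pscustomobject]@{ Identity = $who; Container = $Name; CanOpen = $false; Error = $_.Exception.Message }
    }
}

function Grant-ContainerToAllowedRoles([string] $Name, [string] $WebConfigDir, [string] $FrameworkDir) {
    # Reads <allow roles="..."/> entries under <system.web><authorization> in web.config
    # and grants each listed group read access to the container. Granting the group
    # covers every member, which is the practical form of "add all users who can access
    # the application" when access is already gated on AD group membership.
    $regiis = Join-Path $FrameworkDir 'aspnet_regiis.exe'
    $xml = [xml] (Get-Content -Raw (Join-Path $WebConfigDir 'web.config'))
    $roles = @()
    foreach ($allow in $xml.SelectNodes('/configuration/system.web/authorization/allow[@roles]')) {
        $roles += @($allow.GetAttribute('roles').Split(',') | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    }
    $roles = @($roles | Select-Object -Unique)
    foreach ($role in $roles) {
        & $regiis -pa $Name $role
        if ($LASTEXITCODE -ne 0) { Write-Warning "aspnet_regiis could not grant '$role' access to '$Name'" }
    }
    return $roles
}

Test-KeyContainerAccess $Container
Grant-ContainerToAllowedRoles $Container $AppPath $Framework
```

Granting the groups rather than the application pool account is what makes the question's symptom go away without turning impersonation off: group2 members already resolve to an identity that can open the key, group1 members do not, and the check function shows exactly that difference when run under each identity. Read access is all the decrypt path needs, so the script deliberately does not pass -full.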

In my case, my connection strings were encrypted using ASPNET_REGIIS. I had one last application that I finally got around to changing in order to move it from the old server to this server, where the encryption key was used. An older version of this application had been deployed, but it was not used. When I deployed (published) the latest version to the server, I used the Replace method instead of Delete. I ran into this error and ended up here. None of the solutions helped me.

My fix: I decided to clear the contents of the application folder and republish.

This fixed my problem.

0

Source: https://habr.com/ru/post/1397013/
