We are getting the following error (in asp.net website) when applied encryption.
Parser Error Message: Failed to decrypt using provider 'RsaProtectedConfigurationProvider'. Error message from the provider: The RSA key container could not be opened.
Note: Please see the steps listed below that we followed. (We have granted ACL permission for NT Authority\Network Service on NetFrameworkConfigurationKey)
Note: We are using Windows Authentication Enabled and ASP.NET impersonation Enabled in IIS7. It is running in Windows Server 2008. The access is controlled based on whether a user is part of allowed AD group (which will be listed in config file).
The interesting part is that this error happens when users of group1 (from location1) access it. When users of group2 (from locatiob2) try to access it, the error does not come.
Any thoughts on how to correct it?
We have followed the steps listed below from our deployment document.
- Run the Command Window in Administrator Mode. (In Windows Server 2008 , type cmd and press CTRL+SHIFT+ENTER)
- Go to the folder C:\Windows\Microsoft.Net\Framework\v4.0.30319\ using change directory command (cd).
- Type the following command to create RSA Key Container. aspnet_regiis -pc "NetFrameworkConfigurationKey" –exp
- Type the following (to add ACL for access to the RSA Key Container) and press enter aspnet_regiis -pa "NetFrameworkConfigurationKey" "NT Authority\Network Service"
- Type the following (after replacing the highlighted text with the location where the service is deployed) and press enter to encrypt the connections string in Service’s Web.Config. aspnet_regiis.exe -pef "connectionStrings" "C:\MyWCF\ServiceName"
- Type the following (after replacing the highlighted text with the location where the website is deployed) and press enter to encrypt the connections string in Website’s Web.Config. aspnet_regiis.exe -pef "connectionStrings" "C:\MyWeb\WebsiteName"
- Type the following (after replacing the highlighted text with the location where the web.config file for the website is available) and press enter to encrypt the sessionState values in Website’s Web.Config. aspnet_regiis.exe -pef "system.web/sessionState" "C:\MyWeb\WebsiteName"
- Verify that the connection strings and SessionState values are encrypted.
- Verify the following details in configProtectedData section in Machine.Config.
• Verify that defaultProvider="RsaProtectedConfigurationProvider"
• Verify that keyContainerName="NetFrameworkConfigurationKey"
Note: Default location for machine.config is C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\Config
If you have impersonation enabled, the RSA key container will be accessed using the identity of the user accessing the application---not Network Service.
You'll either need to disable impersonation, or add all the users that can access the application to the ACL of the key container.