41

Failed to encrypt the section 'connectionStrings' using provider 'RsaProtectedConfigurationProvider'. Error message from the provider: Object already exists.

I followed the guide in http://msdn.microsoft.com/en-us/library/2w117ede.aspx but in step 3 of "To grant the ASP.NET identity access to the RSA key container", it says that my identity is my workgroup\username. I do not have impersonation in my web.config file, though.

I am encrypting web.config on my machine using aspnet_regiis, then using Visual Studio to debug, and then it came up with this error.

user1663380
  • 3
    Possible duplicate: [From other post](http://stackoverflow.com/questions/8344373/encrypting-web-config-using-aspnet-regiis). Actually, running CMD as admin solved the problem for me too! – Yash May 08 '13 at 20:43
  • 5
    Launch the command prompt in administrator mode then proceed. Should fix the problem. – Sam May 07 '14 at 21:26

4 Answers

83

For using RsaProtectedConfigurationProvider you need to launch your Command prompt or Visual Studio as an Administrator.

For DataProtectionConfigurationProvider it is not required to run under Admin rights.

Steven Muhr
  • 3
    My experience is that you can't just log in as an administrative account and launch a generic command prompt. aspnet_regiis fails when I do that. I have to actually do a "Run as administrator" on cmd.exe or the Visual Studio command prompt. Then aspnet_regiis works as expected. – kermit Oct 18 '15 at 23:17
  • Yes, you need to elevate to administrator rights, although this would depend on your system user settings (as in some circumstances a logged in administrator will not need to elevate an application) in order to make these changes to the machine. – markthewizard1234 Aug 16 '16 at 10:02
  • This gets me all the time. – rageit Aug 30 '16 at 20:12
  • 1
    To make this painfully clear for folks: if you are using `ProtectSection("RsaProtectedConfigurationProvider")`, your user must have admin rights. That is not allowed in many companies, nor is it the default behavior in Windows. Use this instead: `ProtectSection("DataProtectionConfigurationProvider")`. Normal users can then open the encrypted file. – Clarence Klopfstein Apr 21 '20 at 13:45
  • Wow! What a dumb error message. Who would have guessed that "Object already exists" actually means "Not enough access rights". – Tobias Nov 06 '20 at 07:05

4

You can create your own provider using RsaProtectedConfigurationProvider to encrypt your web.xml without administrator privileges.

  1. Create a key store:

    aspnet_regiis -pc "MyKeyStore" -exp

  2. Grant read access for any user:

    aspnet_regiis -pa "MyKeyStore" "Domain/User"

  3. Put a provider section in your web.config

     <configProtectedData>
       <providers>
         <add name="MyRSAProvider"
              type="System.Configuration.RsaProtectedConfigurationProvider,System.Configuration, Version=2.0.0.0, Culture=neutral,PublicKeyToken=b03f5f7f11d50a3a, processorArchitecture=MSIL"
              keyContainerName="MyKeyStore"
              useMachineContainer="true" />
       </providers>
     </configProtectedData>
    
  4. Encrypt your config sections:

    aspnet_regiis -pef "configSection" "c:\pathToWebConf" -prov "MyRSAProvider"

Sources:

Create RSA key container and provider

Encrypt configuration

Ritzelprimpf
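
An added example, not part of the original answers: a Python check that reads a web.config after the steps above and reports, for each protected section, the provider and key container it uses, and flags sensitive sections still stored in plaintext. The `audit_config` name, the sample file, and the choice of `connectionStrings` and `appSettings` as the sensitive sections are assumptions made here.

```python
import xml.etree.ElementTree as ET

XMLENC = "{http://www.w3.org/2001/04/xmlenc#}EncryptedData"
# Provider names machine.config declares by default (usable without a local <add>).
BUILTIN = {"RsaProtectedConfigurationProvider": "RSA",
           "DataProtectionConfigurationProvider": "DPAPI"}
SENSITIVE = ("connectionStrings", "appSettings")  # assumption: sections holding secrets

def audit_config(xml_text):
    """Map section name -> finding for protected and plaintext-sensitive sections."""
    root = ET.fromstring(xml_text)
    declared = {}
    for add in root.findall("./configProtectedData/providers/add"):
        kind = "RSA" if "RsaProtectedConfigurationProvider" in add.get("type", "") else "other"
        declared[add.get("name")] = (kind, add.get("keyContainerName"),
                                     add.get("useMachineContainer"))
    findings = {}
    for el in root.iter():
        prov = el.get("configProtectionProvider")
        if prov is None:
            continue
        if el.find(XMLENC) is None:
            findings[el.tag] = f"marked for {prov} but holds no EncryptedData"
        elif prov in declared:
            kind, container, machine = declared[prov]
            findings[el.tag] = (f"encrypted: {kind} via {prov}, "
                                f"container={container}, machine={machine}")
        elif prov in BUILTIN:
            findings[el.tag] = f"encrypted: {BUILTIN[prov]} via built-in {prov}"
        else:
            findings[el.tag] = f"encrypted, but provider {prov} is not declared in this file"
    for name in SENSITIVE:
        el = root.find(name)
        if el is not None and name not in findings and len(el) > 0:
            findings[name] = "PLAINTEXT"
    return findings

# Constructed sample: the state after steps 3 and 4, with appSettings left unencrypted.
SAMPLE = """<configuration>
  <configProtectedData><providers>
    <add name="MyRSAProvider" keyContainerName="MyKeyStore" useMachineContainer="true"
         type="System.Configuration.RsaProtectedConfigurationProvider,System.Configuration" />
  </providers></configProtectedData>
  <connectionStrings configProtectionProvider="MyRSAProvider">
    <EncryptedData xmlns="http://www.w3.org/2001/04/xmlenc#"><CipherData>
      <CipherValue>CONSTRUCTED</CipherValue></CipherData></EncryptedData>
  </connectionStrings>
  <appSettings><add key="ApiKey" value="constructed-secret" /></appSettings>
</configuration>"""
```

Calling `audit_config(SAMPLE)` returns one finding per section; a provider name that is neither declared in the file nor one of the two built-in names is reported separately, since decryption on that machine depends on configuration outside the file.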
0

This happened on one of my servers while trying to move web apps from the C drive to another drive.

Because I had encrypted the web.config section on drive C and moved it to another drive, it jammed up the provider causing it to fail to encrypt the section because it believes it already exists.

I'm still trying to fix it.

justdan23
0

    aspnet_regiis.exe -pef "connectionStrings" C:\Users\pvdmnu\Projects\MMWebUI\MMPvidon.ASP\StudyASP -prov "DataProtectionConfigurationProvider"

Need to specify the provider; my computer has no admin rights.

Tyler2P