6

I'm having a problem with encryption. I gave full permissions to all users on the RSA folders. I did

C:\>aspnet_regiis -pe "appSettings" -location "web.config" -prov "RsaProtectedConfigurationProvider"
Encrypting configuration section...
An error occurred executing the configuration section handler for appSettings.

Failed to encrypt the section 'appSettings' using provider 'RsaProtectedConfigurationProvider'. Error message from the provider: Object already exists.

Failed!

Then I did

C:\>aspnet_regiis -pa "NetFrameworkConfigurationKey" "administrator"
Adding ACL for access to the RSA Key container...
The RSA key container was not found.
Failed!

Followed by

C:\>aspnet_regiis -pc "NetFrameworkConfigurationKey" -exp
Creating RSA Key container...
The RSA key container could not be opened.
Failed!

Nothing is working for me.

Can anyone help?

Thanks

skaffman
BKarms

4 Answers

9

I was getting the same issue with this failing:

aspnet_regiis -pa "NetFrameworkConfigurationKey" "{Domain}{Username}"

The above line was returning "The RSA key container was not found."

To fix this issue, I had to run Command Prompt as Administrator (open up Start > Accessories > then right-click Command Prompt and choose Run as administrator...). I had to do this even though my account was an administrator account.

chaingarden
1
C:\>aspnet_regiis -pe "appSettings" -location "web.config" -prov "RsaProtectedConfigurationProvider"

In this line, your location is incorrect. When you use the -pd switch, location is based on IIS's application paths, and web.config is assumed as the point of encryption.

So for example if you have an application named "Website 1" and another named "Website 2" in IIS, and you want the web.config in "Website 1" to be encrypted you would use this line:

C:\>aspnet_regiis -pe "appSettings" -location "Website 1" -prov "RsaProtectedConfigurationProvider"

Personally, I found it easier to use the -pef switch as I can point directly to the web app's physical directory.

Follow MSDN's tutorial on Encrypting Configuration Information Using Protected Configuration. I've used it multiple times and have yet to have an issue doing encryption.

Gavin Miller
  • Thank you for your reply. C:\>aspnet_regiis -pe "appSettings" -location "web.config" -prov "RsaProtectedConfigurationProvider" I have done this on several other machines. It works. So the issue is not the command line. The issue is the key. Something is wrong in this specific machine regarding the key. – BKarms Jan 05 '10 at 19:31
1

You need to change "administrator" to whatever account your ASP.NET service is running as, because chances are you aren't running ASP.NET as the administrator service account. If you are, then you should reconsider your decision.

For example, here's what I use:

 aspnet_regiis -pa "NetFrameworkConfigurationKey" "NT Authority\Network Service"

or

aspnet_regiis -pa "NetFrameworkConfigurationKey" "ASPNET"

Then for encryption, I use:

  aspnet_regiis -pef "connectionStrings"

or

 aspnet_regiis -pef "appSettings"
Jim W
  • Thank you for your reply. aspnet_regiis -pa "NetFrameworkConfigurationKey" "NT Authority\Network Service" or aspnet_regiis -pa "NetFrameworkConfigurationKey" "ASPNET" No matter what account I give, it returns a failure message. Adding ACL for access to the RSA Key container... The RSA key container was not found. Failed! – BKarms Jan 05 '10 at 19:32
0

I had to find the folder where the certs are installed and take ownership/give permissions before the errors with the above commands would go away. The errors said the key container could not be found, but really it was just that I didn't have permissions to the cert. In my case I had inherited a development machine from someone else and needed to give myself permissions to the files before I could run the necessary commands.

I had hoped to give a more detailed response with cert folder locations, detailed steps, etc. but haven't had time and just wanted to note what I had to do in my scenario.

AaronLS
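
The answers above name two causes for the "key container was not found / could not be opened" errors: a shell that is not elevated, and key files the current account cannot open. The following read-only PowerShell check for both is an added example, not code from any poster in this thread; it assumes the default machine key folder %ProgramData%\Microsoft\Crypto\RSA\MachineKeys, and the function names are hypothetical.

```powershell
# Added diagnostic (not from the thread). Read-only: it changes no ACLs or keys.
# Assumption: machine-level RSA key containers are in the default folder
# %ProgramData%\Microsoft\Crypto\RSA\MachineKeys (Vista / Server 2008 and later).

function Test-Elevated {
    # True only when the current token actually carries the Administrators group,
    # i.e. the shell was started with "Run as administrator".
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-MachineKeyAccess {
    param([string]$KeyDir = (Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys'))

    Get-ChildItem -LiteralPath $KeyDir -Force -ErrorAction Stop |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object {
            $file = $_   # keep the pipeline item; $_ is the error record inside catch

            # Can this account open the key file at all?
            $canRead = $true
            try { [IO.File]::OpenRead($file.FullName).Dispose() } catch { $canRead = $false }

            # Who owns it? (Useful on an inherited machine, as in the last answer.)
            $owner = '(ACL not readable)'
            try { $owner = (Get-Acl -LiteralPath $file.FullName -ErrorAction Stop).Owner } catch { }

            New-Object psobject -Property @{
                File = $file.Name; CanRead = $canRead; Owner = $owner; Modified = $file.LastWriteTime
            }
        }
}

$elevated = Test-Elevated
Write-Host ("Running as: {0}  (elevated: {1})" -f [Environment]::UserName, $elevated)

$keys = @(Get-MachineKeyAccess)
$keys | Sort-Object Modified | Format-Table File, CanRead, Owner, Modified -AutoSize

$blocked = @($keys | Where-Object { -not $_.CanRead })
if (-not $elevated) {
    Write-Warning 'Shell is not elevated; the first answer fixed the -pa error by running elevated.'
}
if ($blocked.Count -gt 0) {
    Write-Warning ("{0} key file(s) cannot be opened by this account." -f $blocked.Count)
}
```

Run it once from a normal prompt and once from an elevated one; files that flip from CanRead False to True are the ones whose ACLs only admit the elevated token.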