20

I've been developing an ASP.NET site on an older machine running XP home. I recently got a new Win 7 PC and moved all my project files across. When I try and run the project, I get this error message:

"Failed to decrypt using provider 'MyRsaProtectedConfigurationProvider'. Error message from the provider: The RSA key container could not be opened."

I realised that I encrypted parts of my web.config file using RSA encryption. This is where the problem now lies. I'm not sure how to get that key working again so that I can use it on my new machine. I exported the key from the older machine and imported it using:

aspnet_regiis -pi "RSAProviderName" "C:\RSA_configkey.xml"

This was imported successfully. I then ran the project, but the same error message came up. I figured it might be a permission thing, so I ran:

aspnet_regiis -pa "RSAProviderName" "\Desktop" -full

This was also successful, but I still get the error. From reading around, I've seen people use "ASPNET" instead of "\Desktop" (Desktop is my machine name). However, when I try and use "ASPNET", I get:

No mapping between account name and security IDs was done. <Exception from HRESULT = 0x80070534

I can't work on the project until this is fixed, so any help is much appreciated. Thanks!

keyboardP

3 Answers

28

If you still have access to the older machine, you could always decrypt the configuration section on that machine, then copy the unencrypted config file to the new machine (and, if necessary, re-encrypt the file on the old machine).

On Windows 7, the account under which your IIS application pools run by default will likely be ApplicationPoolIdentity (as opposed to ASPNET). To grant permissions, try this:

aspnet_regiis -pa RSAProviderName "IIS APPPOOL\DefaultAppPool" -full

By the way, if you do decide to persevere with copying the key from the old machine to the new one, you should make sure that, when exporting, you export the private key data too:

aspnet_regiis -px RSAProviderName C:\RSA_configkey.xml -pri

And, optionally, to make the key data exportable during the import:

aspnet_regiis -pi RSAProviderName C:\RSA_configkey.xml -exp
Dave Cluderay
  • Thanks for the help. I should have access to the older machine within the next hour, so will try this method. On a side note, what's the best way to reset the permissions I've granted (such as to `\desktop`)? Not too important since I'm the only user of the machine, but might be better. – keyboardP May 27 '10 at 14:37
  • 4
    You're welcome. To revoke permissions, you can use aspnet_regiis again with the `-pr` switch. Alternatively, find the file under `C:\Users\All Users\Microsoft\Crypto\RSA\MachineKeys` and change the permissions through Windows. – Dave Cluderay May 27 '10 at 14:52
  • Thanks again Dave, great help :) – keyboardP May 28 '10 at 01:31
  • 1
    Probably obvious, but in case someone did not pick up on it: you can see what app pool the website is running under. From there you can check the app pool to see what user it is running under. If it says "ApplicationPoolIdentity" this should work great. If you are not using the "DefaultAppPool" then you would change that name to whatever the name of the app pool you are using is, i.e. "IIS APPPOOL\MYAPPPOOL". – Tony Sep 11 '15 at 15:13
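
The steps from the answer above collected into one script for the new machine, as an added example that is not part of the original answer. The .NET Framework folder, site path and app pool name are assumptions, as is the provider being declared in the site's web.config. It looks up the key container name, imports the key, checks that the private key arrived, and grants read access instead of `-full`.

```powershell
# Added example: run from an elevated PowerShell prompt on the new machine.
$ErrorActionPreference = 'Stop'
# Assumed values: framework folder, site path and app pool name.
$regiis   = "$env:WINDIR\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
$keyFile  = 'C:\RSA_configkey.xml'         # made on the old machine with -px <container> <file> -pri
$sitePath = 'C:\inetpub\wwwroot\MySite'    # assumed physical path of the site
$identity = 'IIS APPPOOL\DefaultAppPool'   # assumed; use the pool the site runs in

# -pi and -pa take the key container name, which is the provider's
# keyContainerName attribute, not the provider name shown in the error.
[xml]$cfg = Get-Content (Join-Path $sitePath 'web.config')
$provider = $cfg.configuration.configProtectedData.providers.add |
    Where-Object { $_.name -eq 'MyRsaProtectedConfigurationProvider' }
if (-not $provider.keyContainerName) {
    throw 'Provider or keyContainerName not found in web.config; check machine.config.'
}
$container = $provider.keyContainerName

# Import the key pair into the machine-level store (the aspnet_regiis default).
& $regiis -pi $container $keyFile

# Open the existing container and confirm it holds a private key. Provider
# type 1 (RSA Full) and key number 1 (exchange key) are assumed to match how
# the key was created; UseExistingKey makes a missing container an error.
$csp = New-Object System.Security.Cryptography.CspParameters 1
$csp.KeyContainerName = $container
$csp.KeyNumber = 1
$csp.Flags = 'UseMachineKeyStore, UseExistingKey'
$rsa = New-Object System.Security.Cryptography.RSACryptoServiceProvider $csp
if ($rsa.PublicOnly) { throw "Container '$container' has no private key; export again with -pri." }
Remove-Item $keyFile -Force   # the export holds the private key unencrypted

# Grant the worker identity read access (no -full), then list the ACL on the key file.
& $regiis -pa $container $identity
$file = Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" `
    $rsa.CspKeyContainerInfo.UniqueKeyContainerName
(Get-Acl $file).Access | Select-Object IdentityReference, FileSystemRights
```

The ACL listing at the end also shows any earlier grants that are no longer needed, which can be removed with the `-pr` switch mentioned in the comments.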
8

I was facing the same issue, but running the command prompt/PowerShell as administrator resolved the issue.

1

In my case, Visual Studio should be executed as Administrator; otherwise it cannot open the RSA key container.

Roger