16

I need to encrypt certain parts of web config. After reading some tutorials I have learned that using the tool ASPNET_REGIIS is the way to go. This is what I am trying at the moment: From the Command Prompt

```
ASPNET_REGIIS -pef "identity" "D:\IIS\admin.mySite.com"
```

"The configuration section 'system.web\identity' was not found."

```
ASPNET_REGIIS -pef "system.web\identity" "D:\IIS\admin.mySite.com"
```

"The configuration section 'system.web\identity' was not found."

```
ASPNET_REGIIS -pef "system.web/identity" "D:\IIS\admin.mySite.com"
```

"Failed to encrypt the section 'system.web/identity' using provider 'RsaProtectedConfigurationProvider' Error message from the provider: Object already exists."


To try and see if I am getting anything right I tried the following:

```
ASPNET_REGIIS -pef "connectionStrings" "D:\IIS\admin.mySite.com"
```

"Failed to encrypt the section 'connectionStrings' using provider 'RsaProtectedConfigurationProvider' Error message from the provider: Object already exists."

```
ASPNET_REGIIS -pef "connectionStrings" "D:\IIS\admin.mySite.com"
```

"Failed to encrypt the section 'connectionStrings' using provider 'RsaProtectedConfigurationProvider' Error message from the provider: Object already exists."

```
ASPNET_REGIIS -pef "DoesNotExist" "D:\IIS\admin.mySite.com"
```

"The configuration section 'DoesNotExist' was not found."


Help!

twasbrillig
Daarwin
  • 1
    I believe the key gets stored here: `C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys`, do you see it? If so, try removing it and running the encryption with `connectionStrings` as a test to see if it works. – StoriKnow Dec 21 '12 at 19:13
  • 1
    For Windows 7 and onward, it looks like they are stored here `C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys` – dana Oct 05 '15 at 17:19

6 Answers

35

I had a similar problem, and running it from a command prompt with elevated privileges ("run as administrator") solved the problem.

yoel halb
8

Try this:

```
ASPNET_REGIIS -pef "system.web/identity" "D:\IIS\admin.mySite.com"
```

If the section you are trying to encrypt is not directly under the configuration element, you need to supply the full path to it.

Oded
  • It is as you said, like this: But still I'm getting the message that the section can't be found. I got the path from right-clicking the file to make sure it is the right path. – Daarwin Dec 02 '11 at 08:21
  • @Lautaro - I may have made a mistake with the back slash - try using a `/` instead. – Oded Dec 02 '11 at 09:27
  • I tried it and a bunch of others as an experiment. So it seems that the forward slash was the way to go. It also seems that the web config file is found. So I don't understand what I am doing wrong. Thanks for helping me with this. – Daarwin Dec 02 '11 at 10:41
  • Could it be that it's a website, and not an application? – Daarwin Dec 05 '11 at 08:33
  • Yes, of course, but it can be a web application or a website, and they have some differences. – Daarwin Dec 05 '11 at 12:26
3

The "object not found" error message occurs when aspnet_regiis runs as a user who cannot read the RSA key container.

The keys are held in `C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys`. The default key container is named "NetFrameworkConfigurationKey". Make sure you have read permission to this key container.

Note that you'll need to grant read access to the identity under which your app will run. The easiest method to do this is via the aspnet_regiis tool: `aspnet_regiis -pa "NetFrameworkConfigurationKey" "Yourdomain\username"`.

Andy Wilson
3

1. Run cmd as administrator.
2. Go to the aspnet_regiis.exe command line folder.
3. To encrypt: `aspnet_regiis.exe -pef "connectionStrings" "C:..\YourApplication" -prov "DataProtectionConfigurationProvider"`
4. To decrypt: `aspnet_regiis.exe -pdf "connectionStrings" "C:..\YourApplication"`

Alex
Amir
1

I'm so glad about this post, and I would like to confirm how to encrypt the connection string and also how to decrypt it using the ASPNET_REGIIS tool:

For encryption:

```
aspnet_regiis.exe -pef "connectionStrings" "D:\ProjectAcc"
```

For decryption:

```
aspnet_regiis.exe -pdf "connectionStrings" "D:\ProjectAcc"
```

N.B.:

While doing this operation I found some issues that I would like to point out:

1) The encryption operation failed at first because I hadn't installed the ASP.NET runtime into IIS by running the following command:

```
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe -i
```

2) While I was working on the first issue I got another silly one :), which is that every time I installed it I got this error:

An error has occurred: 0x8007b799 You must have administrative rights on this machine in order to run this tool.

Solution : Turning off the UAC fixes this issue. From Start Menu > Control Panel > System and Security > Action Center > Choose Your UAC Level - Set this to Never Notify (Requires a restart).

Thank you and I wish that I could help.

Raktim Biswas
Ahmed Elbatt
0

I tested `aspnet_regiis.exe -pef "connectionStrings" "C:..\YourApplication"`. If not run as administrator, it gives the error "Object already exists". If run as administrator, it works.
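
The checks described in the answers above (elevated prompt, forward-slash section path, read access to the key container for the site's identity), combined into one PowerShell script. This is an added example, not part of the original posts; the site path, the section name and the `IIS APPPOOL\DefaultAppPool` account are assumptions to replace with your own values.

```powershell
# Added example. $SitePath, $Section and $AppAccount are assumed values.
param(
    [string]$SitePath   = 'D:\IIS\admin.mySite.com',     # folder that contains web.config
    [string]$Section    = 'connectionStrings',           # nested sections use '/', e.g. system.web/identity
    [string]$AppAccount = 'IIS APPPOOL\DefaultAppPool',  # assumed identity the site runs as
    [string]$RegIis     = "$env:WINDIR\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
)

# Locate a section by its '/'-separated path, ignoring any XML namespace on <configuration>.
function Get-SectionNode([xml]$Doc, [string]$Path) {
    $steps = @('configuration') + ($Path -split '/')
    $xpath = ($steps | ForEach-Object { "/*[local-name()='$_']" }) -join ''
    return $Doc.SelectSingleNode($xpath)
}

# 1. The answers trace "Object already exists" to a non-elevated prompt, so check first.
$me = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
if (-not $me.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Not elevated: start PowerShell with "Run as administrator" and retry.'
}

# 2. Confirm the section exists and is still plaintext before calling the tool.
$configFile = Join-Path $SitePath 'web.config'
[xml]$before = Get-Content -LiteralPath $configFile -Raw
$node = Get-SectionNode $before $Section
if (-not $node) { throw "Section '$Section' not found in $configFile" }
if ($node.GetAttribute('configProtectionProvider')) {
    Write-Output "Section '$Section' is already encrypted."
    return
}

# 3. Encrypt the section in place (-pef takes the section path and the physical folder).
& $RegIis -pef $Section $SitePath
if ($LASTEXITCODE -ne 0) { throw "aspnet_regiis -pef exited with code $LASTEXITCODE" }

# 4. Let the site's runtime identity read the default RSA key container.
& $RegIis -pa 'NetFrameworkConfigurationKey' $AppAccount
if ($LASTEXITCODE -ne 0) { throw "aspnet_regiis -pa exited with code $LASTEXITCODE" }

# 5. Verify on disk: an encrypted section carries a configProtectionProvider attribute.
[xml]$after = Get-Content -LiteralPath $configFile -Raw
$provider = (Get-SectionNode $after $Section).GetAttribute('configProtectionProvider')
if (-not $provider) { throw "Section '$Section' is still plaintext in $configFile" }
Write-Output "Section '$Section' is now protected by $provider."
```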