gaurang_gr
Encrypt connection string in web farm scenario
Aug 02, 2007 08:59 AM
Hi all,
We have web farm scenario and connection string is encrypted using RSA.
It's working fine on server, but sometimes (1 case out of 20 cases) it shows error like:
"Failed to decrypt using provider 'RsaProtectedConfigurationProvider'. Error message from the provider: The RSA key container could not be opened"
Environment:
- Windows 2003 server (2 servers - web farm).
- .NET Framework 2.0.
- Connection string encrypted using RSA, I followed steps as given in
http://msdn2.microsoft.com/en-us/library/ms998283.aspx#paght000006_webfarmscenarios
- XML file exported from one server and imported on another server.
- Given rights using aspnet_regiis -pa "CustomKeys" "NT Authority\Network Service" on both the servers.
Any suggestion on this?
Thanks,
Gaurang Majithiya
Suprotim Aga...
Re: Encrypt connection string in web farm scenario
Aug 02, 2007 11:19 AM
Dear Gaurang,
Try this link
HTH,
Suprotim Agarwal
Free Magazine for ASP.NET Developers
gaurang_gr
Re: Encrypt connection string in web farm scenario
Aug 02, 2007 11:50 AM
Dear Suprotim,
Thanks for reply.
When I deployed my application at that time I had followed all the steps same as link suggested by you.
But problem is:
I am getting this error only sometimes (rarely); mostly my application is working fine. Suppose I get an error on any page: if I refresh that page at the same time, the error is gone and the page works fine [:)]. Suppose I had made a mistake in deployment, then it should not work all the time. But it is working fine most of the time.
Thanks,
Gaurang Majithiya
Suprotim Aga...
Re: Encrypt connection string in web farm scenario
Aug 02, 2007 11:57 AM
Dear Gaurang,
Post your web.config file with the RSA configuration.
HTH,
Suprotim Agarwal
Free Magazine for ASP.NET Developers
gaurang_gr
Re: Encrypt connection string in web farm scenario
Aug 03, 2007 06:09 AM
Hi,
As I can not post whole web.config, I am posting only connection string section. Please let me know if you need any other section of the web.config file.
<connectionStrings configProtectionProvider="CustomProvider">
<EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element" xmlns="http://www.w3.org/2001/04/xmlenc#">
<EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc" />
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#">
<EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<KeyName>Rsa Key</KeyName></KeyInfo>
<CipherData>
<CipherValue>L4qc0lX8x9paSHFg/702OtsJ0PZu+CjnY1sH3P8bDwjK0sRgteF++rLRVLhfx1PqMO4iaK57+KB1f1TJvx4Hf1zIpNedM7NKGsVk7omFd+zqHpT6ZTx3owPZOTCmMkr5DMJ0pyPRu4onHFoF6guO+S3l7IIK+O4zBK67NE+5ogc=</CipherValue>
</CipherData>
</EncryptedKey>
</KeyInfo>
<CipherData>
<CipherValue>2t1I/eyOEKvNKOsTy6Vy0sN1WU5GK23Wx+Gfk0Ktf6Xt7WUPJo+ZZXsk+PI2D/9w9X0N94QiFqDRaW38LwTKMrJ1tWnm+/M7yxhcgLA/XXmzRtHzrpu0JL4IlpuixR65gXJq26lmS/tTOql1MxEw08hP35H/dSWTcgyC8sOvRnEqxWQxcKPkCjpGi4uM3KPsLwepmbsf651lDKjKebF2NKRvPBpHIduMUP+qQZ/VqVnsi1cgrB9sHmu26c/CLi6FE3qGHRA2SDujoiikkGTGOf3SGk2aPLDHmHFxSP4t6pk=</CipherValue>
</CipherData>
</EncryptedData>
</connectionStrings>
<configProtectedData>
<providers>
<add keyContainerName="CustomKeys" useMachineContainer="true" description="Uses RsaCryptoServiceProvider to encrypt and decrypt" name="CustomProvider" type="System.Configuration.RsaProtectedConfigurationProvider,System.Configuration, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
</providers>
</configProtectedData>
Suprotim Aga...
Re: Encrypt connection string in web farm scenario
Aug 03, 2007 03:21 PM
Dear gaurang,
Your config looks OK. Do one thing. Try adding the <clear/> tag after <providers>
Eg:
<configProtectedData>
<providers>
<clear />
Check and see if it works fine.
HTH,
Suprotim Agarwal
Free Magazine for ASP.NET Developers
gaurang_gr
Re: Encrypt connection string in web farm scenario
Aug 06, 2007 10:23 AM
Dear Suprotim,
Thanks for giving me reply.
I tried your suggestion (<clear />), but still facing the same problem.
Is there any security issue? I have given permission to only "NT Authority\Network Service" user. Is there any other user to whom need to give permission?
Thanks,
Gaurang Majithiya
Rex Lin - MS...
Re: Encrypt connection string in web farm scenario
Aug 07, 2007 02:26 AM
Hi, gaurang_gr:
The key container for the machine account is usually saved in C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA. The ASP.NET worker process identity (ASPNET user in XP/2000 or Network Service in case of 2003) should have access to these files to be able to decrypt it, or you would get this error message:
"Failed to decrypt using provider 'RsaProtectedConfigurationProvider'. Error message from the provider: The RSA key container could not be opened"
Fortunately the aspnet_regiis tool gives us the option to add users to the ACL of the key containers using the -pa parameter. For example, to give access to the ASPNET user:
aspnet_regiis -pa "<key container name>" "ASPNET"
So, how to get the key container name? By searching in machine.config (usually in C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\CONFIG) we would find this section:
<configProtectedData defaultProvider="RsaProtectedConfigurationProvider">
  <providers>
    <add name="RsaProtectedConfigurationProvider" type="System.Configuration.RsaProtectedConfigurationProvider,System.Configuration, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" description="Uses RsaCryptoServiceProvider to encrypt and decrypt" keyContainerName="NetFrameworkConfigurationKey" cspProviderName="" useMachineContainer="true" useOAEP="false" />
    <add name="DataProtectionConfigurationProvider" type="System.Configuration.DpapiProtectedConfigurationProvider,System.Configuration, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" description="Uses CryptProtectData and CryptUnProtectData Windows APIs to encrypt and decrypt" useMachineProtection="true" keyEntropy="" />
  </providers>
</configProtectedData>
The keyContainerName of the RsaProtectedConfigurationProvider is "NetFrameworkConfigurationKey" (it's good practice to change it in the production servers). So the aspnet_regiis command would be as follows:
aspnet_regiis -pa "NetFrameworkConfigurationKey" "ASPNET"
What if I'm using a server farm? In the server farm environment, you can simply use aspnet_regiis to create and export the key container to distribute it to the whole server farm.
__________________________________________________
Sincerely,
Rex Lin
Microsoft Online Community Support
If there is any question or the issue is not resolved, please feel free to mark the thread as not resolved
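A check that follows from Rex Lin's explanation, added here as an example and not part of the original thread: run on each farm node, it confirms the machine-level container opens, prints a fingerprint of its public key so the nodes can be compared, and reports whether the worker identity has a direct read grant on the key file. The container name CustomKeys comes from the web.config posted above; the variable names and output format are assumptions of this example.

```powershell
# Added example: run from an elevated PowerShell prompt on EACH farm node, then
# compare the output lines. Container name is from the web.config posted in this
# thread; the account is the Windows Server 2003 worker identity named above.
$node          = $env:COMPUTERNAME
$containerName = 'CustomKeys'
$workerAccount = 'NT AUTHORITY\NETWORK SERVICE'
# Machine-level RSA containers live in the MachineKeys subfolder of the path
# given in the post (Windows Server 2003 layout).
$keyDir = 'C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys'

$csp = New-Object System.Security.Cryptography.CspParameters
$csp.KeyContainerName = $containerName
# UseExistingKey: fail if the container is missing instead of silently
# generating a fresh key pair that cannot decrypt the shared web.config.
$csp.Flags = 'UseMachineKeyStore, UseExistingKey'

try {
    $rsa = New-Object System.Security.Cryptography.RSACryptoServiceProvider -ArgumentList $csp
} catch {
    Write-Error "[$node] container '$containerName' could not be opened: $($_.Exception.Message)"
    return
}

# Same key pair on every node means the same public-key fingerprint on every node.
$pubBytes    = [Text.Encoding]::UTF8.GetBytes($rsa.ToXmlString($false))  # public part only
$sha256      = [System.Security.Cryptography.SHA256]::Create()
$fingerprint = [BitConverter]::ToString($sha256.ComputeHash($pubBytes)) -replace '-', ''

# The key file is named after the container's unique name; inspect its ACL.
# Only direct Allow entries are checked; access via group membership is not evaluated.
$keyFile   = Join-Path $keyDir $rsa.CspKeyContainerInfo.UniqueKeyContainerName
[int]$read = [System.Security.AccessControl.FileSystemRights]::Read
$grants = @((Get-Acl $keyFile).Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.IdentityReference.Value -eq $workerAccount -and
    ([int]$_.FileSystemRights -band $read) -eq $read
})
$workerCanRead = $grants.Count -gt 0

"[{0}] container={1} pubkey-sha256={2} workerCanRead={3}" -f $node, $containerName, $fingerprint, $workerCanRead
if (-not $workerCanRead) {
    # Remediation is the command already used in this thread.
    "[{0}] run: aspnet_regiis -pa `"{1}`" `"{2}`"" -f $node, $containerName, $workerAccount
}
```

A fingerprint that differs between nodes means the exported key was not imported on that node; a matching fingerprint with workerCanRead=False points at the key file ACL.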
gaurang_gr
Re: Encrypt connection string in web farm scenario
Aug 07, 2007 04:48 AM
Hi Rex Lin
Thanks for reply. I have already followed all the steps for web farm… Exported XML file from production server and imported XML file on both the web servers, given access rights to Network Services.
Only sometimes (1 case out of 20 cases) I am getting this error, otherwise it's working fine.
Thanks,
Gaurang Majithiya
micjohny
The RSA key container could not be opened + WCF + Enterprise Library
Feb 14, 2008 12:46 PM
Excellento. Thank you Rex Lin - MSFT
I have been trying to learn WCF and have tried to create a simple WCF service using Enterprise Library Framework and consume it in a client application. Unfortunately I have been struggling with the same error - "Failed to decrypt using provider 'RsaProtectedConfigurationProvider'. Error message from the provider: The RSA key container could not be opened", when I run my client.
My workstation is a Windows 2003 Standard server. I tried various forums and even the aspnet_regiis -pa "NetFrameworkConfigurationKey" "ASPNET". But no help. Today after reading your comment, I tried the following:
aspnet_regiis -pa "NetFrameworkConfigurationKey" "Network Service" and GUESS WHAT!!!!!!!!!!!!
It WORKED!!!!!!!!!!!!! PHEW!!!!!