clevy
Transformation of Encrypted web.config file
Mar 30, 2011 02:07 PM
I am attempting to create web.config files for testing, QA and production environments. When the web.config file is unencrypted, all transformations work as expected, replacing connection strings and app settings where appropriate. After encryption of the connection strings and app settings sections, transformation no longer occurs during publication.
The idea behind publication of these to the various servers in our environment is that after they are published, they should run as expected or if published using a file location, the site should be able to be xcopied to its final location and run as expected. I should be able to publish the applications using the various configurations and expect that the IDE has replaced the appropriate sections with my transformations. After all, .NET is smart enough to decrypt the web.config file in order to get at the information in the encrypted portions at run time. Is there a reason that during a publish .NET cannot decrypt those sections, transform them, then re-encrypt and publish to my target location??
Since the encryption of the web.config sections requires the site be installed in a virtual directory, I cannot simply publish the unencrypted web.config to the target, in this case a file location, and encrypt those sections there. My problem is that the application is ALREADY running from a virtual directory in IIS on my local machine to facilitate creations of the application in an SSL environment, so it is easy to start with an encrypted web.config file there. As it is, I have to publish to a different virtual directory on my machine, then encrypt those sections, then copy the site to QA or production. If I have to go through all of these steps already, I might as well create 3 different web.config files, one for each destination target, and completely disregard transformations. That way when I encrypt the site and publish, it will be ready to go.
Maybe I'm missing something, maybe I just don't get how transformations work, but if that is the case, why is all well before encryption and all is broken afterward. Aren't we supposed to use security best practices and encrypt those sections? How do I use the .NET 4 framework transformations and RSA machine-level encryptions of those sections at the same time?
TFSAdmin
Re: Transformation of Encrypted web.config file
Jul 24, 2012 08:33 PM
Hello,
I am trying to do the same. Were you ever successful in doing it?
I want to have all configuration files except development encrypted and saved to TFS and then perform web.config transforms and deploy to various environments.
Anyone else trying to do something similar?
Thanks
jablanc
Re: Transformation of Encrypted web.config file
Dec 18, 2012 02:17 AM
To anyone having issues encrypting, if your site is on a different drive or you're using iis7, try this:
aspnet_regiis.exe -pef "connectionStrings" "D:\sitefolder\website"
This seems to work. Took me a while to find, maybe save someone some time:
riteshtandon...
Re: Transformation of Encrypted web.config file
Dec 26, 2012 07:31 AM
Hi,
I think you are working in a cluster server environment. You can replicate the file (web.config) once changed on any of your servers. Replication on one server would replicate to other servers also. But you have to be very careful with the machine key. Please try to set the encryption key in IIS using the same machine key and try to run it on one server.
Please first test this in a test environment and then apply it on the main cluster.
donndela
Re: Transformation of Encrypted web.config file
May 09, 2013 09:38 PM
I want to encrypt my connection data on both my web.config and my transformation files as described by clevy. Doing the web.config is easy... but what do I do to encrypt the connection string information on the transformation files?
The replies on here do not appear to address that. Has anyone had any success on how to do this?
TFSAdmin
Re: Transformation of Encrypted web.config file
May 10, 2013 12:53 PM
Please try this.
1) Encrypt the web.config on the server where you want to run your application.
2) Then on your transformation config file add this ;
This will replace your connection string section with the appropriate encrypted connection string when transformation happens. Note that the encrypted section contains the encrypted connection string from your web.config that you encrypted.
donndela
Re: Transformation of Encrypted web.config file
May 10, 2013 02:27 PM
Ok, it seemed to get past the transformation part of the build, but it does not appear to have changed both of the connection strings appropriately. My connectionstring section has 2 connection strings prior to the encryption.
Here is what was encrypted in the web.config on my server as instructed:
This is what I put in the transform file based on your suggested change above:
The Output shows as if the transform works properly.....
2>ExcludeFilesByExtension
2>Transformed Web.config using D:\Data\TARS\website\TARS\Web.DVLP.config into obj\DVLP\TransformWebConfig\transformed\Web.config.
2>Copying all files to temporary location below for package/publish:
BUT I get the following error in the Output when it tries to publish as if the 2nd connection string isn't being updated. I have tested the encrypted web.config on the server and it works properly.
2>Start Web Deploy Publish the Application/package to http://XXXXXXX/MSDEPLOYAGENTSERVICE ...
2>C:\Program Files (x86)\MSBuild\Microsoft\VisualStudio\v11.0\Web\Microsoft.Web.Publishing.targets(4193,5): Error : The 'ADService-Web.config Connection String' argument cannot be null or empty.
Did I not set up the transform properly per your instructions?
Thanks again for all your help!
TFSAdmin
Re: Transformation of Encrypted web.config file
May 10, 2013 03:08 PM
To me everything looks good as far as transformation goes. It does not matter how many connection strings you have. I have been successful in transforming 3 encrypted connection strings in a web.config. Here are some tests to perform:
1) Have you compared the transformed web.config file that is deployed to server to the original encrypted config file? Test with both files on server.
2) Try unencrypting the config file on server and see if you get the correct connection strings back.
Let me know how it goes. Good Luck.
donndela
Re: Transformation of Encrypted web.config file
May 10, 2013 03:31 PM
I compared the transformed file and you were right, it was correct.
I found the problem, it was in the way the publishing was done.
Working great now, thanks for all the help!!
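The approach from TFSAdmin's reply of May 10, 2013 12:53 PM, shown as an added example; it is not the snippet from that post, which is missing from this page. The file name `Web.QA.config` and the `PLACEHOLDER` values are assumptions: the real `EncryptedData` content is whatever `aspnet_regiis.exe -pef` wrote into the web.config on the target server.

```xml
<?xml version="1.0"?>
<!-- Web.QA.config (hypothetical name): build-time transform for one target. -->
<configuration xmlns:xdt="http://schemas.microsoft.com/XML-Document-Transform">

  <!-- XDT runs at build/publish time and cannot decrypt or re-encrypt.
       Replace swaps the whole section, attributes included, so the element
       below must be pasted verbatim from the web.config that was encrypted
       ON THE TARGET SERVER. Every <add> entry of the original section is
       inside the single encrypted blob, however many strings there are. -->
  <connectionStrings configProtectionProvider="RsaProtectedConfigurationProvider"
                     xdt:Transform="Replace">
    <EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"
                   xmlns="http://www.w3.org/2001/04/xmlenc#">
      <!-- EncryptionMethod and KeyInfo elements go here, exactly as
           aspnet_regiis wrote them on the server. -->
      <CipherData>
        <CipherValue>PLACEHOLDER_COPY_FROM_SERVER_WEB_CONFIG</CipherValue>
      </CipherData>
    </EncryptedData>
  </connectionStrings>

  <!-- Same pattern for appSettings when that section is encrypted too. -->
  <appSettings configProtectionProvider="RsaProtectedConfigurationProvider"
               xdt:Transform="Replace">
    <EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"
                   xmlns="http://www.w3.org/2001/04/xmlenc#">
      <CipherData>
        <CipherValue>PLACEHOLDER_COPY_FROM_SERVER_WEB_CONFIG</CipherValue>
      </CipherData>
    </EncryptedData>
  </appSettings>

  <!-- The ciphertext only decrypts where the matching RSA key container
       exists: keep one transform file per environment, and in a web farm
       give every node the same key container before deploying. -->
</configuration>
```

The transform engine strips the `xdt:Transform` attribute from the output, so the published web.config carries only the protected sections and no plaintext connection string ever passes through the build machine or source control.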