Now I want to encrypt both web.config files so it's hard for someone to modify the authorization section. My problem is when I encrypted it on development PC using this method
and published it to the hosting server, the hosting server was not able to decrypt both the files. I understand that this is because both machines have different keys. Is there a way I can make it work on both machines? I read about storing RSA keys but
not sure if it's worth it since it's quite a process. I tried to specify machine key in the web.config. But still doesn't work.
One more option for me is to encrypt the web.config files on my hosting server and remember to replace them in the hosting server after publishing my site.
Rsa will look for C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys by default, are you sure you have admin permission in your server?
MSDN Community Support
Please remember to click "Mark as Answer" the responses that resolved your issue.
If you have any compliments or complaints to MSDN Support, feel free to contact MSDNFSF@microsoft.com.
Member
429 Points
1829 Posts
web.config encryption for different levels of folders
Mar 05, 2019 10:03 PM|asplearning|LINK
Hello everyone, I have this requirement and here is the structure of my folder
~/user/manager/web.config
~/user/employee/web.config
So in each web.config, I have authorization rule for different roles:
<authorization>
<allow roles="Managers" />
<deny users="*"/>
</authorization>
and for employee
<authorization>
<allow roles="Employees" />
<deny users="*"/>
</authorization>
Now I want to encrypt both web.config files so it's hard for someone to modify the authorization section. My problem is when I encrypted it on development PC using this method
and published it to the hosting server, the hosting server was not able to decrypt both the files. I understand that this is because both machines have different keys. Is there a way I can make it work on both machines? I read about storing RSA keys but not sure if it's worth it since it's quite a process. I tried to specify machine key in the web.config. But still doesn't work.
One more option for me is to encrypt the web.config files on my hosting server and remember to replace them in the hosting server after publishing my site.
Is there a better to handle this?
Thanks for your input.
Contributor
3500 Points
1300 Posts
Re: web.config encryption for different levels of folders
Mar 06, 2019 02:57 AM|Ackerly Xu|LINK
Hi asplearning,
Rsa will look for C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys by default, are you sure you have admin permission in your server?
https://stackoverflow.com/questions/37142094/how-to-encrypt-decrypt-a-configuration-file-section-with-rsaprotectedconfigura
You could also customize your provider to use user level key
https://docs.microsoft.com/en-us/previous-versions/68ze1hb2(v=vs.140)
Best regards,
Ackerly Xu
Please remember to click "Mark as Answer" the responses that resolved your issue.
If you have any compliments or complaints to MSDN Support, feel free to contact MSDNFSF@microsoft.com.
Participant
850 Points
492 Posts
Re: web.config encryption for different levels of folders
Mar 15, 2019 11:41 AM|AddWeb Solution|LINK
Have a look at This Article it has some very useful examples. You're basically looking for
System.Configuration.SectionInformation.ProtectSection to help you out here.
Also have a peek at Implementing Protected Configuration