I ran the following command to encrypt credentials in web.config on my dev machine and tested the code and worked fine, however I published to the web server and it would fail as apparently the encryption is specific to the machine.
I then tried to run the same command on the unencrypted web.config on my web server and it completed successfully, however the same symptoms are still present within the website, where it cannot find the credentials. What am I doing wrong? What is the proper process encrypting a web.config section and then publishing to another machine?
aspnet_regiis.exe -pef "secureAppSettings" "C:\Users\project" -prov "DataProtectionConfigurationProvider"
Related
I am new to web development. We are having a legacy intranet web application using ASP.NET web forms.
We have encrypted web.config using ASPNET_REGIIS tool for the connection strings, based on security feedback. I am able to test it locally using IISExpress.
What are the steps to follow to update the old web.config with new web.config, in an environment.
We need to update web.config in multiple environments(DEV,TEST, UAT) before refreshing in production.
We will be announcing downtime for the same. Please list down the steps like resetting IIS etc.
Since the key used for encrypt/decrypt is different on different server. You can decrypt the connection string section before publishing. Then just override the web.config on your target server, then encrypt the connection string with asp_regiis tool again. You can find aspnet_regiis under the root folder of .NET framework.
Of course, there is a way to sync up RSA container for mutiple servers.
https://learn.microsoft.com/en-us/previous-versions/aspnet/yxw286t2(v=vs.100)
After that, please don't forget to grant permission for machinekey file in \Microsoft\Crypto\RSA\MachineKeys.
Finally you just have to recyle the application pool.
I had to do below steps:
First and Foremost: Took a backup of existing web.config, so that, if something goes wrong, I can fallback to original web.config
As web.config encryption is machine specific, I encrypted the web.config using ASPNET_REGIIS tool, as mentioned in the codeproject Link
Web.config changes are automatically picked by IIS. I did not have to restart IIS or recycle APPPool. The site was working fine with the new web.config changes, I made.
I have a batch script step that runs at the end of my web deploy the script encrypts a connection string in web.config using aspnet_regiis.exe, In the logs it looks like it went fine but it doesnt acctually encrypt the connectionString, when i run the batch locally on my remote machine it works. Is there a way to do through Release definition or the user has to run the batch locally every time?
here is the code.
start C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe -pe "connectionStrings" -app "/" -site "2"
echo Encryption Successfull!
pause
First suggest you using your build service account RDP to the remote machine and run the batch script. Double check if you are missing any permission for the account.
Since , the logs it looks like it went fine but it doesn't actually encrypt the connectionString. Also try to do some test below to perform it:
Have you compared the transformed web.config file that is deployed to
server to the original encrypted config file? Test with both files on
server.
Try unencrypting the config file on server and see if you get the
correct connection strings back.
I am working on an asp.net mvc-5 web application. and i am calling a 3rd party API from my server side using security token generated by the 3rd party application.
now i am passing the token in a secure manner as follow:-
i am adding the token to the http header.
and we are using https to communicate with the 3rd party system.
so i think the token can not be hacked during its transmission. but the problem i am facing is how i can store and read the token itself. currently i am storing this inside our web.config section:-
<appSettings>
.....
.....
<add key="SecureToken" value="12345" />
.....
.....
</appSettings>
and i am retrieving the value inside my application as follow:-
string Token = System.Web.Configuration.WebConfigurationManager.AppSettings["SecureToken"]
so the security problem i am facing is that if someone access the live server he can read the web.config file and get the secure token. so i read that i can encrypt part of the web.config sections using aspnet_iisreg command. but now i am not sure how i can force this to work across my environments? i mean where i need to run the aspnet_iisreg inside one environemnt let say the Dev ? or i need to run this command on the three environments seperately?
It should run through a deployment script, it can be a msi or powershell or something else. If you deploy manually, it requires aspnet_regiis -pe "yourappsettings" -app ... which is also a manual job and error prone. So develop a package with all your pages, dlls, .js, images etc. and install that package (msi or powershell or something else) and install that to your server. In that package include a script which does aspnet_regiis command and this command should run after virtual directory creation, mainly it should be kinds of last action. If you are using powershell, it's a set of instructions - so one instruction should be aspnet_regiis command. Try with post build event for VS web deployment package.
I know I can do this to encrypt connection strings in a web site that is already deployed:
aspnet_regiis -pe connectionStrings
I can also encrypt connection strings in a web site before it is deployed by doing this:
aspnet_regiis -pef connectionStrings .\WebApplication1
I also know how to make my own RSA key, install it on several computers, and set up an encryption provider for that key, so I can encrypt it on one machine and publish it on another:
aspnet_regiis -pef connectionStrings .\WebApplication1 -prov MyProvider
I can even tell MSBuild to encrypt the connection strings for me during deployment by adding a line to the .pubxml file (https://msdn.microsoft.com/en-us/library/ee942158%28v=vs.110%29.aspx#encrypt_webconfig).
But what I really need to do is this:
create the web site source code and save it in source control with the connection strings decrypted;
build the web site, transforming the web.config file with web.debug.config or web.release.config;
encrypt the connection strings in the transformed web.config using my custom encryption provider;
and then publish it
all from an automated process. Note: I can't encrypt the connection strings first and then build the web site, because I have to transform the web.config file before encrypting it. I don't want to publish the web site first and then encrypt the connection strings, because I don't want the decrypted connection strings to be on the web server even for a brief time. I want to encrypt the connection strings during the deploy process, but with my own encryption provider. How can I do that? It's got to be possible. Any combination of msbuild commands, msdeploy commands, and .pubxml file settings would be acceptable.
I've tried searching for how to do this -- I really have -- but I can't find a comprehensive reference for msbuild.exe / msdeploy.exe / *.pubxml ANYWHERE. (That's a separate question.)
Appreciate help on below issue where we are using a decryption program written in .net from a web application to decrypt and encrypt files on server.
This program is working fine on Windows 2008 server when launched from command line. However when we are calling the same program from Asp.net code in an application hosted on IIS 7.5 --> Its not working at all.
Its not even showing any error. Even checked event logs. It simply does not decrypts.
Please note we are using ProcStart to launch this decryption program and passing necessary parameters. The Keys are well places on server in a local folder and the exe file with required config files is placed in another folder on server. All these folders have been provided full access to everyone right now just to make sure there are no access issues with files when accessing through IIS.
Also, the same program works fine when we run the site in debug mode on server (from visual studio after logging with localadmin).
Please help if we are missing some settings somewhere which are not allowing the decryption program to work when launched by a web user from website.
Unless we have any error it is difficult to troubleshoot but can you try to configure an apppool with some user/system idenitity. Give that identity full previledge on files to encrylt/decrypt and program. Run your asp.net website using this configured apppool.