I am using TFS 2017 Realese definition to deploy my website, My password and username enviromental variables are hidden but when the connection string is passed Web.config file shows the password and the username how can encrypt the Connection sctring in web.config file?
You can run this command in a command prompt(cmd.exe):
%windir%\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe -pe "connectionStrings" -app "/SampleApplication"
Where SampleApplication is the name of your application in IIS
See this article for more information.
Update
To encrypt the Connection string in web.config file, TFS build task could not do this. It's more related to IIS. Suggest you take a look at this blog: Encrypting connectionStrings in Web.Config using the NetFrameworkConfigurationKey in an IIS Web Farm scenario
You could try to replace the specific value in the web.config through Replace Token task during release in VSTS. Sample screenshot:
For this configuration of Replace Token task, it can replace #{con}#
to the con variable value (Create a variable (variable name: con) in
Variable tab of build definition) for all .config files (have #{con}#
code) in $(System.DefaultWorkingDirectory) location.
<connectionStrings>
<add name="DefaultConnection" connectionString="#{con}#" providerName="System.Data.SqlClient" />
</connectionStrings>
I got it working using #Arman answer but had to modify it a bit, i had to specify the site number by default its 1 which is a different website check this link on how to find your website number. link
%%windir%%\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe -pe "connectionStrings" -app "/" -site "2"
In my case the site was number 2. Also you have to run the command prompt as Administrator.
Thanks for all your answers.
You have to browse aspnet_regiis and then executing the command with pef and pdf commands along with section name and the path of the webconfig file.
Related
I am using the following command to use a machine key to encrypt part of my web.config (it is actually an app.config for a .net app, renamed to web.config so the aspnet_regiis will work with it):
aspnet_regiis -pef "section-to-encrypt" "C:\inetpub\path-to-web.config\bin\Release" -prov "provider-name"
Before running this, I add the section < configProtectedData>, which seems to be required (to hook "provider-name" to machine crypto, it appears).
Problem: After running the above command, the < configSections> is removed from the .config file, damaging it.
What am I doing wrong?
I had a similar issue which I just resolved. If I insert the configProtectedData. section before the configSections section it was wiping out configSections. If I added it after the configSections section it does not.
I'm encrypting a regular web.config file but I don't believe that difference matters.
I've got a .ps1 file that I would like to link readers to. Unfortunately, navigating to that URL only results in a 404. If memory serves, this is being "blocked" just like .config files, but there's a way to change that configuration in web.config ... but I can't seem to find the correct thing via search.
TL;DR, how can I expose a .ps1 powershell script so that it's accessible (though not executable, obviously) via HTTP.
I believe you need to add a MIME type for .ps1. In your IIS Manager, select the server node on the tree, and click "MIME Types". Then click "Add..." on the right panel. For extension, set it to .ps1, and set the MIME type to text/plain.
Now IIS should serve .ps1 files.
You could use a MIME Type of application/octet-stream instead of text/plain. Using the former will cause most browsers to download it rather than try to display it.
You can do this for a specific web application or virtual directory, too. If you are doing this through web.config, it would look something like this:
<configuration>
<system.webServer>
<staticContent>
<mimeMap fileExtension=".ps1" mimeType="text/plain" /><!-- or application/octet-stream -->
</staticContent>
</system.webServer>
</configuration>
We used this same strategy for continuous integration with IIS static site resources - the powershell to do this same action is below in case this helps others wishing to script this change for CI. We were receiving HTTP 404s when asking for unlisted or non-standard file types (sql, ps1, etc.).
Add Additional Static MIME Type to IIS (.ps1)
Remove-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST' -filter "system.webServer/staticContent" -name "." -AtElement #{fileExtension='.ps1'}
Add-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST' -filter "system.webServer/staticContent" -name "." -value #{fileExtension='.ps1';mimeType='text/plain'}
This is re-entrant to support repeatable release deployments / desired state, etc.
We are using a custom config section (via the NameValueConfigSection) to contain our settings.
These settings are externalised from web.config via configSource.
So, entries in web.config look something like this:
<configSections>
<section name="customSettings" type="System.Configuration.NameValueSectionHandler" />
</configSections>
<customSettings configSource="config\customSettings.config" />
We want to encrypt this "customSettings.config" file on our production server, so run this command, as recommended by Microsoft (here: http://msdn.microsoft.com/en-us/library/zhhddkxy.aspx)
aspnet_regiis -pe customSettings -site 4 -app /
And this produces the following output:
Encrypting configuration section...
Succeeded!
However, it does not succeed at all, leaving the file exactly as it was
(incidentally, this command does work if encrypting a non-custom section, such as an externalised connectionStrings section)
I have been able to write a little console app that does work ok, but we really want to use the standard tools to do what should be a standard operation - can anyone tell me if this is a limitation or where I am going wrong?
Thanks :)
I'm comparing your code with this:
To encrypt the connectionStrings section with the DPAPI provider with the machine key store (the default configuration), run this command from a command prompt:
aspnet_regiis -pe "connectionStrings" -app "/MachineDPAPI" -prov "DataProtectionConfigurationProvider"
where:
-pe specifies the configuration section to encrypt.
-app specifies the web app's virtual path. If the app is nested, specify the nested path from the root directory, for example "/test/aspnet/MachineDPAPI"
-prov specifies the provider name.
I wonder if you need to provide the app name? And/or the provider?
And their version encloses the attribute values in quotes.
I am just trying to test this.
And here is my command line:
aspnet_regiis.exe -pdf "connectionStrings" c:\web.config
And this is the error I got.
Error – "The configuration for physical path ‘C:\Web.Config’ cannot be opened.
And the permissions of that file is not read only.
Can anyone please suggest.
This is a very old post but I was searching for it myself today and found that if you omit the file name it will pickup Web.config in the directory you specify:
aspnet_regiis -pdf "connectionStrings" c:\temp
If you add a trailing \ or the full name c:\temp\Web.config it will still fail.
Also, the c:\ may have been an administrator privilege issue reading and writing to the root.
Cheers
You should keep web.config in a folder close the application code. The root folder (c:) is an admin-only folder and shouldn't be used for anything!
I know that ppl have already asked questions regarding encrypting web.config.
im also trying to encrypt my test config file, but im getting this error.
aspnet_regiis -pef "connectionStrings" "C:\encryptedWeb.config"
Encrypting configuration section...
The configuration for physical path 'C:\EncryptedWeb.config' cannot be opened.
Failed!
I just want to know, what could be reasons that it failed.
I got the answer, it was the readonly property of the web.config which was the problem.
After I removed the readonly It worked like a charm.
for the command "aspnet_regiis -pef" the path of configuration file is the physical path (Not virtual) and also it is the path of directory/folder where web.config resides. So one should not include the name of file in path e.g.
if your web.config path is at D:\MyConfiguration\web.config then while encrypting/decrypting you will use it as follow:
encrypt:
aspnet_regiis -pef [sectionName] "D:\MyConfiguration"
decrypt:
aspnet_regiis -pdf [sectionName] "D:\MyConfiguration"
I know this is old, but I've just had the same issue and none of the other answers got the problem.
You're not supposed to put the filename in the path, and the file MUST be called web.config. So for your example, if your web.config file is actually in C:\ you would put:
aspnet_regiis -pef "connectionStrings" "C:\"
and your file MUST be called web.config as the tool will only look for that file.
For those people whose file isn't in C:\ you'll need to put the full path to the file (root of the site). You'll also need to cd into the directory containing the aspnet_regiis.exe file or put the full file path for the tool as well:
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis -pef "ConnectionStrings" "C:\Ghron\Projects\Company\trunk\project1\project1"
Also, some of the other answers are valid points - the parameters are case sensitive, so your paths and section names must be in the right case. I wasted about 20 minutes using "ConnectionStrings" instead of "connectionStrings" (lower case c).
The Sections are CASE SENSITIVE.
Do not Add \ at the end of the path (no web.config needed).
You don't need to do it straight on a site; instead, copy the file to any location.
Encrypting:
aspnet_regiis -pef "SECTIONTOENTRYPT" "d:\tempEnCrypt" -prov WhateverProviderYouAreUsing
Decrypting:
aspnet_regiis -pdf "SECTIONTOENTRYPT" "d:\tempEncrypt"
You can use this to encrypt an app.config as well, just rename the file for the encryption/decryption as web.config
Encrypt/Decrypt web.config
source is taken from this link https://mywebanecdotes.com/2016/09/17/encrypting-credentials-in-app-config-for-multiple-machines/
Firstly, if you have App.config, you need to rename to Web.config. And when done rename it back. This is because aspnet_regiis.exe recognize only Web.config file.
Then create a custom attribute SecuredSettings(any name is fine) either in you App.config or Web.config file.
<configuration>
<configSections>
<section name="SecuredSettings" type="System.Configuration.NameValueSectionHandler" />
</configSections>
<SecuredSettings>
<add key="pwrd" value="password" />
</SecuredSettings>
<configProtectedData>
<providers>
<add keyContainerName="MyCustomKeys"
useMachineContainer="true"
name="MyEncryptionProvider"
type="System.Configuration.RsaProtectedConfigurationProvider"/>
</providers>
</configProtectedData>
</configuration>
In C# you can retrieve these values as you would do it normally. eg:
var attr = ConfigurationManager.GetSection("SecuredSettings") as NameValueCollection;
var value = attr["pwrd"];
The rest is ecrypting or decrypting
Run cmd As Administrator , and locate to C:\Windows\Microsoft.NET\Framework\v4.0.30319
"Create a public/private RSA key pair with a specfic container name. They should also be marked as exportable (otherwise what is the point!)"
aspnet_regiis.exe -pc MyCustomKeys -exp
"Grant permissions for accounts to access the container"
aspnet_regiis.exe -pa MyCustomKeys "NT AUTHORITY\NETWORK SERVICE"
"The following line will now encrypt your section (the pwdr value). The -pef switch is telling the application to look for a web.config file and to use provider that is declared in the beginning (which is using type RsaProtectedConfigurationProvider)"
aspnet_regiis.exe -pef "SecuredSettings" "C:\DEV\ConsoleApp\DEX" -prov MyEncryptionProvider
Export those Keys to another machine (if needed)
aspnet_regiis.exe -px MyCustomKeys keys.xml -pri it will generate keys.xml file in C:\Windows\Microsoft.NET\Framework\v4.0.30319
copy this file and put it in another machine where you would like to use it, to the same location C:\Windows\Microsoft.NET\Framework\v4.0.30319, and run:
aspnet_regiis -pi MyCustomKeys keys.xml
after you can delete the file from both sides.
Don't forget to rename Web.config to App.config, if you did so at the beginning.
TO Decrypt the file:
aspnet_regiis.exe -pdf "SecuredSettings" "C:\DEV\ConsoleApp\DEX"
I was experiencing the same problem and here's what worked for me:
add the aspnet_regiis tool's folder path to your %PATH% variable. This ensures that the tool is accessable from any folder in your command line. See this page for a brief explanation of how to add %PATH% variables: http://geekswithblogs.net/renso/archive/2009/10/21/how-to-set-the-windows-path-in-windows-7.aspx
navigate to your web root folder (don't know if this is necessary but that's where I was navigated when I executed the command)
execute the command with the -pe argument and the -app argument like such:
aspnet_regiis -pe {section to encrypt} -app "{path from root folder to app, like: "/myappname", use quotes}
Take a look at this , see if you set it up correctly
http://msdn.microsoft.com/en-us/library/ms998283.aspx
A possibiliity is to specify the site with
-site "SiteName"
otherwise it will use the default web site.
You could try and use this tool to encrypt you web config
I am having same issue while encrypting configuration file from a web site.
Provide command to encrypt from a site and not default website.
Below command works when application is in defaultwebsite:
aspnet_regiis.exe -pe "connectionStrings" -app "/sitename" -prov "DataProtectionConfigurationProvider"
I got an "illegal characters in path" error that went away when I removed the double quotes that surrounded my path name. Doesn't make any sense, but there you are.
I also wrote a PowerShell script to do the encrypt/decrypt without dealing with aspnet_regiis : https://github.com/mhenry1384/EncryptDecryptConfig
Don't forget to run CMD as administrator, as I did today, if your servers make use of that feature. Quite a simple mistake to make.