Failed to encrypt the section 'connectionStrings' using provider 'RsaProtectedConfigurationProvider'. Error message from the provider: Object already exists.
I followed the guide at http://msdn.microsoft.com/en-us/library/2w117ede.aspx, but in step 3 of "To grant the ASP.NET identity access to the RSA key container" it says that my identity is my workgroup\username. I do not have impersonation in my web.config file, though.
I am encrypting web.config on my machine using aspnet_regiis, then using Visual Studio to debug, and then it came up with this error.
For using RsaProtectedConfigurationProvider you need to launch your Command prompt or Visual Studio as an Administrator.
For DataProtectionConfigurationProvider it is not required to run under Admin rights.
You can create your own provider using RsaProtectedConfigurationProvider to encrypt your web.xml without administrator privileges.
Create a key store:
aspnet_regiis -pc "MyKeyStore" -exp
Grant read access for any user:
aspnet_regiis -pa "MyKeyStore" "Domain\User"
Put a provider section in your web.config
<configProtectedData>
  <providers>
    <add name="MyRSAProvider"
         type="System.Configuration.RsaProtectedConfigurationProvider, System.Configuration, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a, processorArchitecture=MSIL"
         keyContainerName="MyKeyStore"
         useMachineContainer="true" />
  </providers>
</configProtectedData>
Encrypt your config sections:
aspnet_regiis -pef "configSection" "c:\pathToWebConf" -prov "MyRSAProvider"
Sources:
Create RSA key container and provider
Encrypt configuration
This happened on one of my servers while trying to move web apps from the C drive to another drive.
Because I had encrypted the web.config section on drive C and moved it to another drive, it jammed up the provider causing it to fail to encrypt the section because it believes it already exists.
I'm still trying to fix it.
I want to know how to encrypt web.config in an ASP.NET project.
And how can I decrypt it? Can ASP.NET decrypt it at run time, or does some process have to be run to decrypt the file when launching the website?
For example, an ASP.NET MVC project:
You already have the .NET Framework on the system where you are hosting IIS, and the credentials in your web.config are correct, I believe.
1- open CMD as administrator
2- type "cd C:\Windows\Microsoft.NET\Framework\v4.0.30319" and press Enter
3- now you need to know the web.config location, for example: "C:\inetpub\wwwroot\test"
now for encrypting and decrypting:
4- on CMD
for encrypting :
ASPNET_REGIIS -pef "connectionStrings" "C:\inetpub\wwwroot\test"
for decrypting:
ASPNET_REGIIS -pdf "connectionStrings" "C:\inetpub\wwwroot\test"
Check your site and let me know if you face any issue.
I know I can do this to encrypt connection strings in a web site that is already deployed:
aspnet_regiis -pe connectionStrings
I can also encrypt connection strings in a web site before it is deployed by doing this:
aspnet_regiis -pef connectionStrings .\WebApplication1
I also know how to make my own RSA key, install it on several computers, and set up an encryption provider for that key, so I can encrypt it on one machine and publish it on another:
aspnet_regiis -pef connectionStrings .\WebApplication1 -prov MyProvider
I can even tell MSBuild to encrypt the connection strings for me during deployment by adding a line to the .pubxml file (https://msdn.microsoft.com/en-us/library/ee942158%28v=vs.110%29.aspx#encrypt_webconfig).
But what I really need to do is this:
create the web site source code and save it in source control with the connection strings decrypted;
build the web site, transforming the web.config file with web.debug.config or web.release.config;
encrypt the connection strings in the transformed web.config using my custom encryption provider;
and then publish it
all from an automated process. Note: I can't encrypt the connection strings first and then build the web site, because I have to transform the web.config file before encrypting it. I don't want to publish the web site first and then encrypt the connection strings, because I don't want the decrypted connection strings to be on the web server even for a brief time. I want to encrypt the connection strings during the deploy process, but with my own encryption provider. How can I do that? It's got to be possible. Any combination of msbuild commands, msdeploy commands, and .pubxml file settings would be acceptable.
I've tried searching for how to do this -- I really have -- but I can't find a comprehensive reference for msbuild.exe / msdeploy.exe / *.pubxml ANYWHERE. (That's a separate question.)
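The requirement in the question above, that no decrypted connection string ever reaches the web server, can be enforced with a check on the transformed web.config before it is published. This is an added example, not part of the original question; the provider name MyProvider is taken from the command above, the function name is hypothetical, and the sample config is constructed.

```powershell
# Added example: report top-level config sections that are about to ship
# unencrypted or encrypted by a provider other than the expected one.
function Test-ConfigSectionProtected {
    param(
        [Parameter(Mandatory)][string]$ConfigPath,
        [string[]]$Sections = @('connectionStrings'),
        [string]$ExpectedProvider = 'MyProvider'   # assumed custom provider name
    )
    [xml]$cfg = Get-Content -LiteralPath $ConfigPath -Raw
    $problems = @()
    foreach ($name in $Sections) {
        # local-name() keeps the lookup working when the file declares an xmlns.
        $node = $cfg.DocumentElement.SelectSingleNode("*[local-name()='$name']")
        if (-not $node) { continue }               # section absent: nothing to leak
        $provider = $node.GetAttribute('configProtectionProvider')
        $cipher   = $node.SelectSingleNode("*[local-name()='EncryptedData']")
        $plain    = $node.SelectNodes("*[local-name()!='EncryptedData']")
        if (-not $cipher)       { $problems += "${name}: no EncryptedData element" }
        if ($plain.Count -gt 0) { $problems += "${name}: $($plain.Count) plaintext child element(s)" }
        if ($provider -ne $ExpectedProvider) {
            $problems += "${name}: provider is '$provider', expected '$ExpectedProvider'"
        }
    }
    return $problems
}

# Constructed sample: a transformed web.config that was never encrypted.
$sample = Join-Path ([IO.Path]::GetTempPath()) 'web.sample.config'
@'
<configuration>
  <connectionStrings>
    <add name="Db" connectionString="Server=db;Database=app;Integrated Security=true" />
  </connectionStrings>
</configuration>
'@ | Set-Content -LiteralPath $sample

$issues = Test-ConfigSectionProtected -ConfigPath $sample
# In a build pipeline, stop the publish step here when $issues is not empty.
$issues | ForEach-Object { Write-Warning $_ }
Remove-Item -LiteralPath $sample
```

For the constructed sample the function reports three problems: the missing EncryptedData element, one plaintext child element, and the missing provider attribute.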
To encrypt web.config sections on both sites in a farm and single servers, from what I understand using the following command will encrypt my web.config connection strings using the local machine key:
aspnet_regiis.exe -pef "connectionStrings" "C:\website\mywebsite"
However I could create my own keys using the -pc operator and use something like this:
<configProtectedData>
  <providers>
    <add name="MyProvider"
         type="System.Configuration.RsaProtectedConfigurationProvider, System.Configuration, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a, processorArchitecture=MSIL"
         keyContainerName="MyKeys"
         useMachineContainer="true" />
  </providers>
</configProtectedData>
What I don't understand is: what is the difference? Is RSAProtectedConfigurationProvider less secure as it's using the machine key and not possible to change? Should I use my own keys so I can change them? Which is the recommended solution for both a farm and single server? Or is there a better way to encrypt these sections without having to change or write any code?
For a single server you can reuse the key container installed by ASP.NET. If I'm not mistaken it's called NetFrameworkConfigurationKey. You just need to make sure that you give the account running your ASP.NET site the proper permissions to the key container.
For a Web Farm it is better to create a custom key container on one machine and then export it to all other machines in the Web Farm. This way you can reuse the same encrypted config file, saving you the time to encrypt the file on each Web Farm machine. However, this is not mandatory: you can deploy an unencrypted configuration file and encrypt it on each machine using each machine's ASP.NET default key container.
Also, the question title is a little misleading. When it comes to encryption you should always use a well-established library and not roll your own custom encryption logic, which is difficult and easy to get wrong.
In terms of using a custom key container or reusing the one installed by ASP.NET with the RsaProtectedConfigurationProvider there is no difference in terms of the level of security provided.
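The web farm approach from the answer above, written out as a PowerShell script. This is an added example, not code from the original answers; the container name MyKeys, the provider MyProvider and the site path come from the question, while the function names, the key file path and the NETWORK SERVICE identity are assumptions.

```powershell
# Added example: share one RSA key container across the machines of a web farm.
# Placeholders (assumptions): key file path and site identity.
$regiis    = Join-Path $env:windir 'Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe'
$container = 'MyKeys'
$keyFile   = 'C:\Temp\MyKeys.xml'            # contains the PRIVATE key while it exists
$identity  = 'NT AUTHORITY\NETWORK SERVICE'  # account the site's app pool runs as
$site      = 'C:\website\mywebsite'

# Assumes aspnet_regiis signals failure through a non-zero exit code.
function Assert-LastExit([string]$Step) {
    if ($LASTEXITCODE -ne 0) { throw "$Step failed (exit code $LASTEXITCODE)" }
}

# Run once on the first machine: create an exportable container and
# export it together with the private key (-pri).
function Export-FarmKey {
    & $regiis -pc $container -exp;          Assert-LastExit 'create container'
    & $regiis -px $container $keyFile -pri; Assert-LastExit 'export key'
}

# Run on every other farm machine after copying $keyFile over a trusted channel.
function Import-FarmKey {
    try {
        & $regiis -pi $container $keyFile;  Assert-LastExit 'import key'
    } finally {
        # Do not leave the exported private key on disk, whether the import worked or not.
        Remove-Item -LiteralPath $keyFile -Force -ErrorAction SilentlyContinue
    }
}

# Run on every machine, the first one included: let the site identity read the key.
function Grant-FarmKeyAccess {
    & $regiis -pa $container $identity;     Assert-LastExit 'grant access'
}

# Run once: encrypt with the shared key, then deploy the same web.config to all machines.
function Protect-ConnectionStrings {
    & $regiis -pef 'connectionStrings' $site -prov 'MyProvider'
    Assert-LastExit 'encrypt section'
}
```

Run the script from an elevated prompt, and delete the exported key file on the first machine as well once every other machine has imported it.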
I've followed through this guide (http://goo.gl/1LTX) to set up FBA in SP 2010, but I get an error...
Note: I have enabled WCF error messages
Cannot get Membership Provider with name wss_fba. The membership provider for this process was not properly configured. You must configure the membership provider in the .config file for every SharePoint process.
Any ideas?
I've checked the config and the default for membership and roles is correct as I have setup in IIS 7.
<membership defaultProvider="wss_fba" />
<roleManager defaultProvider="wss_roles" />
You need to add your own membership provider to the web.config file of the SecurityTokenServiceApplication. You can do that either by hand (C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\WebServices\SecurityToken) or by IIS manager (open up SharePoint Web Services and modify the providers in the SecurityTokenServiceApplication webapp).
I have a WCF Service talking to a web application. In the web.config files I want to encrypt the connection string section.
I'm using
aspnet_regiis -pe "connectionStrings" -app "/WebAppFolder"
for the web application's web.config and this works fine.
But when I do the same for the WCF service I get an internal server error when I try and connect to it via the web app.
The problem was I needed to give my machine access to the configuration key
aspnet_regiis -pa "NetFrameworkConfigurationKey" "MYMACHINE\ASPNET"