This question is unlikely to help any future visitors; it is only relevant to a small geographic area, a specific moment in time, or an extraordinarily narrow situation that is not generally applicable to the worldwide audience of the internet. For help making this question more broadly applicable, visit the help center.
Closed 9 years ago.
I've encrypted the connectionstring in my web.config file using the steps in the link below:
http://www.codeproject.com/KB/database/WebFarmConnStringsNet20.aspx
However, whenever I call my application, it will give the following error:
Failed to decrypt using provider 'CustomProvider'. Error message from the provider: The RSA key container could not be opened.
The server where I perform the encryption is a 64-bit Windows Server 2003 R2 SP2. Because of that I assign the ACL to NT Authority\Network Service. Yet it still doesn't work.
Hope someone has some ideas about what else I need to check to get this working.
PS. If I used the default RSA key NetFrameworkConfigurationKey for encryption, then the connection string will not have an access problem.
Well, I found the source of the problem, and boy was it embarrassing. In the attribute keyContainerName, I spelled the name incorrectly.
That's it. That's what caused the problem.
Apparently, the encryption will work even if you provide an incorrect keyContainerName, which I incorrectly assumed will fail. So, once I decrypt the connectionstring and re-encrypt with the right keyContainerName, it works fine.
BTW, make sure to decrypt your existing connectionstring before correcting the keyContainerName. The aspnet_regiis.exe will complain about bad data, because the provider is now different.
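A check for the failure described in this answer, added here as an example and not code from the original post: RSACryptoServiceProvider creates a missing key container by default, so the check sets UseExistingKey to make a misspelled name fail instead. The class and method names are hypothetical, the container name is passed on the command line, and it should be run on the web server under the account the application uses.

```csharp
using System;
using System.Security.Cryptography;

static class KeyContainerCheck
{
    // Tries to open an existing machine-level RSA key container as the current account.
    public static bool CanOpenExisting(string containerName, out string detail)
    {
        var csp = new CspParameters
        {
            KeyContainerName = containerName,
            // UseExistingKey turns a missing container into an error instead of creating it.
            Flags = CspProviderFlags.UseMachineKeyStore | CspProviderFlags.UseExistingKey
        };
        try
        {
            using (var rsa = new RSACryptoServiceProvider(csp))
            {
                detail = "opened, key size " + rsa.KeySize + " bits";
                return true;
            }
        }
        catch (CryptographicException ex)
        {
            // Raised for a name that does not exist and for a container this account cannot read.
            detail = ex.Message;
            return false;
        }
    }

    static int Main(string[] args)
    {
        if (args.Length != 1)
        {
            Console.Error.WriteLine("usage: KeyContainerCheck <keyContainerName>");
            return 2;
        }
        string detail;
        bool ok = CanOpenExisting(args[0], out detail);
        Console.WriteLine("{0}: {1} ({2})", args[0], ok ? "OK" : "FAILED", detail);
        return ok ? 0 : 1;
    }
}
```

Pass the exact string from the keyContainerName attribute in web.config, so the check fails on the same typo the provider would otherwise accept.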
Did you remember to add the <configProtectedData> to your web.config?
Our asp.net app was working fine, then the DBA decided to encrypt the db password in the web.config. Now I'm getting this error:
System.Security.Cryptography.CryptographicException: Not enough storage is available to process this command.
There is only one other article on SO that has this error listed and the user resorted to a refactor instead of identifying a solution.
The weird thing is that we have plenty of space (RAM, HDD, etc). Even more weird, three of the people on my team don't have this problem (with the exact same url). Another guy had it yesterday, but it works today.
I'm worried about when we move this to prod. Especially, if this needs some kind of incremental storage or permissions for EACH user.
Edit: The other error that seems to show up is:
"Failed to decrypt using provider 'RsaProtectedConfigurationProvider'"
It turns out that this is a generic error message that happens whenever the server has trouble decrypting with RSA. Not very helpful, because it is misleading (at worst) and at best, very vague.
For us, the error was only happening for me because our dev servers are load-balanced (which I didn't know till today). The encryption key was generated on one machine (server1) and installed on both servers. When I got load-balanced onto server2, I see this error (so would anyone else on server2).
The solution is to export the private key from server1 and install it onto server2.
Having difficulty making CryptAcquireContext work for a .NET app. I've created the key, but it's throwing error NTE_BAD_KEYSET.
The documentation suggests that the trouble is with permissions, but I'm not quite sure who to give permission to. So far have tried:
SYSTEM
NETWORK
NETWORK SERVICE
ASPNET
Administrators
Cryptographic Operators
No dice.
Any ideas?
This is a machine key.
UPDATE: Gave access to EVERYONE and that seems to have worked. However, it seems like a bad security practice. The question stands: who should actually be getting access?
Closed 10 years ago.
I am trying to somehow handle a scenario in which I am getting a corrupted application state:
I first open the same app in two browser windows.
Turn off wi-fi (or 3g) - connection becomes stale because it was not closed from the remote server.
Perform a write operation in the first tab (the second tab will of course not update reactively).
Turn on wi-fi.
Perform a second write in the first tab (the second tab will now update reactively)
So the first tab is now in a corrupted state. The first write will never sync to the server, and if the page reloads, that change will be permanently lost.
Is there a way of handling these stale connection states? Meteor.status().connected remains true throughout this scenario. Is this a Meteor issue that needs to be resolved?
This issue has been tagged as a confirmed bug on Meteor's GitHub page:
https://github.com/meteor/meteor/issues/339
edit:
forget it, unfortunately my assumptions didn't work out :(
http://jqm.meteor.com does commit the changes when reconnecting,
but Meteor.status() indeed doesn't work on that page.
on meteor.com it does,
which is weird, because afaik the whole meteor cloud should run on 0.4.0, not only the hosted apps?
have fun
manarius
Considering the recent ASP.NET vulnerability, what should I look for in my httphandlers that would cause such a Padding Oracle vulnerability?
Asked in another way... what did MSFT do wrong and what did they fix in their handlers?
I think what was wrong is that they give "too much" information about the error.
#Sri here analyzes it very well:
How serious is this new ASP.NET security vulnerability and how can I workaround it?
There were 3 problems with WebResource.axd and ScriptResource.axd:
Working as a padding oracle. This is because they decrypted information sent in the query string, and behaved differently when the decrypted string had invalid vs. valid padding - because it had been tampered with. The fix Microsoft made included using an HMAC to prevent the data from being tampered with - this is checked before any padding check, so it doesn't expose padding information.
Relying on normal encryption/decryption to receive a request for a resource/file. It isn't meant for that; a tamper-proof mechanism is needed.
Allowing access to any kind of file, not only JavaScript files.
Bottom line: don't allow more access than necessary, and only if you really need encryption/decryption, tamper-proof it.
Back in the day I blogged about how it related to getting different levels of access
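The fix described in this answer (an HMAC verified before any padding check) as an added example, not code from the original post or from Microsoft's patch: the MAC over the IV and ciphertext is compared first, so a modified token is rejected before decryption runs. The class name, token layout and sample values are assumptions made for the illustration.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;

static class TamperProofToken
{
    const int IvLen = 16, MacLen = 32;   // AES block size, HMAC-SHA256 tag size
    // Assumed token layout: IV || AES-CBC ciphertext || HMAC-SHA256(IV || ciphertext)
    public static byte[] Protect(byte[] plain, byte[] encKey, byte[] macKey)
    {
        using (var aes = Aes.Create())            // CBC with PKCS7 padding by default
        using (var hmac = new HMACSHA256(macKey))
        {
            aes.Key = encKey;
            aes.GenerateIV();                     // fresh random IV for every token
            using (var enc = aes.CreateEncryptor())
            {
                byte[] ct = enc.TransformFinalBlock(plain, 0, plain.Length);
                byte[] body = aes.IV.Concat(ct).ToArray();
                return body.Concat(hmac.ComputeHash(body)).ToArray();
            }
        }
    }
    // Returns false for any modified token without ever running the padding check.
    public static bool TryUnprotect(byte[] token, byte[] encKey, byte[] macKey, out byte[] plain)
    {
        plain = null;
        if (token == null || token.Length < IvLen + 16 + MacLen) return false;
        int bodyLen = token.Length - MacLen, diff = 0;
        using (var hmac = new HMACSHA256(macKey))
        {
            byte[] expected = hmac.ComputeHash(token, 0, bodyLen);
            // Compare every byte so timing does not reveal where the tags differ.
            for (int i = 0; i < MacLen; i++) diff |= expected[i] ^ token[bodyLen + i];
        }
        if (diff != 0) return false;              // MAC first: padding is never examined
        using (var aes = Aes.Create())
        using (var dec = aes.CreateDecryptor(encKey, token.Take(IvLen).ToArray()))
            plain = dec.TransformFinalBlock(token, IvLen, bodyLen - IvLen);
        return true;
    }

    static void Main()
    {
        byte[] encKey = new byte[32], macKey = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) { rng.GetBytes(encKey); rng.GetBytes(macKey); }
        byte[] token = Protect(System.Text.Encoding.UTF8.GetBytes("constructed sample"), encKey, macKey);
        Console.WriteLine(TryUnprotect(token, encKey, macKey, out _));
        token[IvLen] ^= 1;                        // constructed tampering: flip one ciphertext bit
        Console.WriteLine(TryUnprotect(token, encKey, macKey, out _));
    }
}
```

A handler built this way returns the same response for every rejected token, whether the MAC, the length or anything else was wrong.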
The encryption worked properly. But now I am getting an error that says "RsaProtectedConfigurationProvider Bad Data". When checked, I came to know that we need to run the command:
aspnet_regiis -pa "NetFrameworkConfigurationKey" "NT AUTHORITY\NETWORK SERVICE"
My question is, if I run this command in my production environment, will it affect any other websites that are hosted on the same server? Since it's an update to the machine.config file, will there be any chance that some other things will be affected?
It won't (should not) because that command does not modify the machine.config file, but an ACL that controls which accounts have access to the key container. You can read more here:
http://msdn.microsoft.com/en-us/library/yxw286t2.aspx
This is a sentence from the article
"By default, RSA key containers are tightly protected by NTFS access control lists (ACLs) on the server where they are installed. This improves the security of the encrypted information by restricting who can access the encryption key."
As for your specific error, I just worked with web.config file encryption a few days back, and I recall receiving the Bad data error at one point. After a couple of times of repeating the setup steps, I was able to make it work, but I can't confirm which step made it work. My guesses for your case are:
You imported the wrong key file (the exported XML from the original container) into the container on that machine.
The data value on the config was messed with.
The account that is trying to decrypt the config file does not have privileges to that key container. In that case, the command that you ask about is the one to give access to a given account.
You could be referencing a different key container on your configProtectedData section. Hadn't thought of this, and I'm not sure if you would get that specific Bad Data error, but it's a thought.
Hope you solved it after all. Even though the question is old, I thought the answer might help someone.