That's exactly what we've been doing for the past year.
Why it didn't work on one developer's workstation I don't know.
"Steven Cheng [MSFT]" wrote:
> Hi Chuck,
>
> From your description, you're encountering some problems about encrypting
> web.config via exportable RSA provider, correct?
>
> According to the RSA encryption reference, I've performed some local tests,
> the normal process of encrypting web.config section via RSA provider and
> move to other machine is as below:
>
> ======================
> Step 1
>
> Create a machine-level RSA key container:
> aspnet_regiis -pc "MyTestKeys" -exp
>
> Step 2
>
> Grant Read Access to the RSA Encryption Key:
>
> aspnet_regiis -pa "MyTestKeys" "NT AUTHORITY\NETWORK SERVICE"
>
> Step 3
>
> Encrypt the config file:
> aspnet_regiis -pef "connectionStrings" "physical path of the web site folder" -prov MyRSAProvider
>
>
> export the container and import it back to other machine using the
> following steps
>
> Step 4
>
> Export the machine-level RSA key container:
> aspnet_regiis -px "MyTestKeys" "c:\Config-Key.xml" -pri
>
> Step 5
>
> Copy Config-Key.xml to c:\ on 2nd server
>
> Step 6
>
> Import the machine-level RSA key container on the 2nd server:
> aspnet_regiis -pi "MyTestKeys" "c:\Config-Key.xml"
>
> Step 7
>
> Grant Read Access to the RSA Encryption Key:
> aspnet_regiis -pa "MyTestKeys" "NT AUTHORITY\NETWORK SERVICE"
>
> Step 8
>
> Copy encrypted web.config to 2nd server
>
> ========================
>
> Based on the steps you mentioned, I think most of the process you've
> followed should be correct. So far I'd like to suggest you check the
> following things:
>
> 1. Check your custom RSA provider setting to see whether it is correctly
> copied to target machine also and set to use Machine container
>
> ========encrypt config section=======
> <configProtectedData>
>   <providers>
>     <add keyContainerName="MyTestKeys"
>          useMachineContainer="true"
>          description="Uses RsaCryptoServiceProvider to encrypt and decrypt"
>          name="MyRSAProvider"
>          type="System.Configuration.RsaProtectedConfigurationProvider, System.Configuration, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
>   </providers>
> </configProtectedData>
> =======================
>
>
> 2. As in the above steps, after you create the RSA key container, you need to
> use "aspnet_regiis -pa" to make sure that the account which will
> run your ASP.NET application has sufficient access permission to the
> key container. Generally, when you use the VS 2008/VS 2005 test server to run
> an ASP.NET application, you're using the logon user (which is probably the
> admin); however, if you run the ASP.NET application in IIS (or after moving to another
> server which uses a different process account), you need to make
> sure that process account has been granted the permission.
>
> You can check them to see whether the problem is due to some of them.
>
> Sincerely,
>
> Steven Cheng
>
> Microsoft MSDN Online Support Lead
>
>
> Delighting our customers is our #1 priority. We welcome your comments and
> suggestions about how we can improve the support we provide to you. Please
> feel free to let my manager know what you think of the level of service
> provided. You can send feedback directly to my manager at:
> msdnmg@microsoft.com.
>
> ==================================================
> Get notification to my posts through email? Please refer to
> http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notifications.
>
> Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
> where an initial response from the community or a Microsoft Support
> Engineer within 1 business day is acceptable. Please note that each follow
> up response may take approximately 2 business days as the support
> professional working with you may need further investigation to reach the
> most efficient resolution. The offering is not appropriate for situations
> that require urgent, real-time or phone-based interactions or complex
> project analysis and dump analysis issues. Issues of this nature are best
> handled working with a dedicated Microsoft Support Engineer by contacting
> Microsoft Customer Support Services (CSS) at
> http://msdn.microsoft.com/subscriptions/support/default.aspx.
> ==================================================
> This posting is provided "AS IS" with no warranties, and confers no rights.
>
>
>
>
> --------------------
> >Thread-Topic: rsa encrtyption
> >thread-index: Aciu+8jtjzMaoNRFQOC625A+xhVV9A==
> >X-WBNR-Posting-Host: 207.46.19.197
> >From: Chuck P <Chuck@newsgroup.nospam>
> >Subject: rsa encrtyption
> >Date: Mon, 5 May 2008 15:03:01 -0700
>
> >
> >I created a key for encrypting my web.config
> >
> >aspnet_regiis -pz WebEncryptionKeys
> >aspnet_regiis -pc WebEncryptionKeys -exp
> >
> >exported them
> >aspnet_regiis -px WebEncryptionKeys c:\WebEncryptionKeys_Public.xml -pri
> >
> >imported them to developers and server machines
> >aspnet_regiis -pi "WebEncryptionKeys" "c:\WebEncryptionKeys_Public.xml "
> >
> >
> >Then in MsBuild I run
> > <Target Name="AfterBuild">
> >   <Exec WorkingDirectory="$(OutputPath)"
> >         Command="$(Registry:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSBuild\ToolsVersions\2.0@MSBuildToolsPath)aspnet_regiis.exe -pef connectionStrings $(OutputPath) -prov HrCustomProvider" />
> > </Target>
> >
> >This works fine from my machine, the web.config gets encrypted and moved to
> >the server.
> >However, if a co-worker runs the same msBuild on her machine, we get a bad
> >data error when the website is hit on the server. If I deploy to the server,
> >she can logon to the server and encrypt and decrypt the web.config.
> >
> >I re-imported the encryption keys to her machine with the same results.
> >
> >The only thing I can think of is that her machine is using a different
> >version of the encryption algorithms?
> >
> >So I had her run Windows Update on her machine; a couple of things got updated,
> >SQL Server mostly.
> >
> >I logged on to her machine, deployment worked.
> >She logged on to her machine, deployment worked.
> >
> >The keys were created months ago. Any idea what happened?
> >
> >
>
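Steven's first check (the provider declaration copied to the target and set to the machine container) and Chuck's MSBuild AfterBuild step can be tied together with a pre-deployment check on the web.config that aspnet_regiis -pef produced. The following is an added example, not code from either post: it confirms the encrypted section's configProtectionProvider is declared, uses the machine container, and names the container that was exported with -px and imported with -pi. The sample web.config is constructed (placeholder CipherValues, the provider and container names from Chuck's post) and check_protected_section is a hypothetical helper name.

```python
import xml.etree.ElementTree as ET

XMLENC = "{http://www.w3.org/2001/04/xmlenc#}"

def check_protected_section(config_xml, section, expected_container):
    """Return findings for one RSA-protected web.config section; [] means it is encrypted
    by a declared, machine-level RSA provider whose container is the one moved with -px/-pi."""
    root = ET.fromstring(config_xml)
    sec = root.find(section)
    if sec is None:
        return ["section <%s> not found" % section]
    prov_name = sec.get("configProtectionProvider")
    if prov_name is None:
        return ["<%s> is not encrypted (no configProtectionProvider)" % section]
    findings = []
    if sec.find(XMLENC + "EncryptedData") is None:   # -pef replaces the body with EncryptedData
        findings.append("<%s> names a provider but has no EncryptedData" % section)
    providers = {p.get("name"): p for p in root.findall("configProtectedData/providers/add")}
    prov = providers.get(prov_name)
    if prov is None:
        return findings + ["provider '%s' not declared in configProtectedData" % prov_name]
    # useMachineContainer defaults to true; a user-level container belongs to the account
    # that ran -pef, so the IIS process account on the server cannot decrypt with it
    if (prov.get("useMachineContainer") or "true").lower() != "true":
        findings.append("provider '%s' uses a user-level key container" % prov_name)
    container = prov.get("keyContainerName")
    if container != expected_container:
        findings.append("provider '%s' uses container '%s', expected '%s'" % (prov_name, container, expected_container))
    return findings

# Constructed sample with the provider/container names from the original post; CipherValues
# are placeholders, the element layout is what aspnet_regiis -pef emits.
SAMPLE_WEB_CONFIG = """<configuration>
  <configProtectedData><providers>
    <add name="HrCustomProvider" keyContainerName="WebEncryptionKeys" useMachineContainer="true"
         type="System.Configuration.RsaProtectedConfigurationProvider, System.Configuration, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
  </providers></configProtectedData>
  <connectionStrings configProtectionProvider="HrCustomProvider">
    <EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element" xmlns="http://www.w3.org/2001/04/xmlenc#">
      <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc" />
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#">
        <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
        <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><KeyName>Rsa Key</KeyName></KeyInfo>
        <CipherData><CipherValue>PLACEHOLDER_WRAPPED_SESSION_KEY</CipherValue></CipherData>
      </EncryptedKey></KeyInfo>
      <CipherData><CipherValue>PLACEHOLDER_SECTION_CIPHERTEXT</CipherValue></CipherData>
    </EncryptedData>
  </connectionStrings>
</configuration>"""
```

Run it against the built output with check_protected_section(open("web.config").read(), "connectionStrings", "WebEncryptionKeys") in the AfterBuild step and fail the build on any non-empty result.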