DPAPI User Store Does Not Work as advertised

Discussion in 'ASP .Net Security' started by omar, Nov 17, 2004.

  1. omar

    omar Guest

    http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/SecNetHT09.asp

    I am following the above article to implement DPAPI User Store to
    store Credit Card Info in my database.

    I am doing exactly what the article says. I can encrypt and decrypt
    from the same machine but not from different machines. What I have
    read is that if I have a roaming or a domain based user profile, I am
    able to do that. I have created a domain account that my win services
    on both machines and my COM+ components also on both machines use.
    Still no cigar.

    Any ideas?
    omar, Nov 17, 2004
    #1
  2. Take a look at this MSDN Magazine article that describes a component that
    tackles this problem.

    http://msdn.microsoft.com/msdnmag/issues/04/11/CryptoUtility/default.aspx

    However, an alternate approach to solve this issue (actually a key management
    topic) might be something like this:
    1) Create a session key (might be derived random entropy material)
    2) Protect this key with asymmetric encryption (X509 Certificate installed on
    the app server that will do the encr/decr operations)
    3) Store this key in a central store
    4) All app servers will get this key, decrypt it with their local
    public/private key pair (provided by the X509 Cert) and proceed to use this
    master key to do the encryption/decryption operations.


    Hernan de Lahitte
    http://weblogs.asp.net/hernandl
    Hernan de Lahitte, Nov 17, 2004
    #2
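As an added example (not from the thread, the MSDN component, or Hernan's blog), here is how the four steps above map onto .NET 8 APIs: a random AES-256 master key is wrapped with the app server certificate's RSA public key, unwrapped with the matching private key, and then used for per-record AES-GCM. The class and method names are hypothetical; loading the certificate from the LocalMachine\My X509Store and writing the wrapped blob to the central store are left to the caller.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
static class EnvelopeKeyStore   // hypothetical name, added example
{
    // 1) Master key: 32 random bytes (AES-256). Generated once, on one server.
    public static byte[] CreateMasterKey()
    {
        byte[] key = new byte[32];
        RandomNumberGenerator.Fill(key);
        return key;
    }

    // 2) Wrap it with the app server's RSA public key (OAEP-SHA256). The wrapped
    //    blob is what step 3 puts in the central store, one blob per server certificate.
    public static byte[] WrapMasterKey(byte[] masterKey, X509Certificate2 cert)
    {
        using (RSA rsa = cert.GetRSAPublicKey())
            return rsa.Encrypt(masterKey, RSAEncryptionPadding.OaepSHA256);
    }

    // 4) Each server unwraps with its own private key. Nothing here depends on a loaded
    //    user profile or on the service account's SID, which is what trips the DPAPI user store.
    public static byte[] UnwrapMasterKey(byte[] wrapped, X509Certificate2 cert)
    {
        if (!cert.HasPrivateKey)
            throw new CryptographicException("server certificate has no private key here");
        using (RSA rsa = cert.GetRSAPrivateKey())
            return rsa.Decrypt(wrapped, RSAEncryptionPadding.OaepSHA256);
    }

    // Record encryption with the unwrapped master key: AES-GCM with a fresh 96-bit nonce
    // per record, blob = nonce || tag || ciphertext. Any server holding the key can decrypt.
    public static byte[] EncryptRecord(byte[] masterKey, byte[] plaintext)
    {
        byte[] blob = new byte[12 + 16 + plaintext.Length];
        RandomNumberGenerator.Fill(blob.AsSpan(0, 12));
        using (var gcm = new AesGcm(masterKey, 16))
            gcm.Encrypt(blob.AsSpan(0, 12), plaintext, blob.AsSpan(28), blob.AsSpan(12, 16));
        return blob;
    }

    public static byte[] DecryptRecord(byte[] masterKey, byte[] blob)
    {
        byte[] plaintext = new byte[blob.Length - 28];
        using (var gcm = new AesGcm(masterKey, 16))   // throws CryptographicException if the tag fails
            gcm.Decrypt(blob.AsSpan(0, 12), blob.AsSpan(28), blob.AsSpan(12, 16), plaintext);
        return plaintext;
    }
}
```

Because every server decrypts the same wrapped key with its own certificate, rotating the master key means re-wrapping one blob per certificate and re-encrypting records, not touching user profiles.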
  3. omar

    omar Guest

    Thank you for your suggestion. However, it is Key Management that I am trying
    to avoid. My problem is that I have followed the guide from Microsoft exactly
    and I can encrypt and decrypt; however, whatever I encrypt on one machine, I
    cannot decrypt on another machine even though I am running under the same
    profile as the How-To guide instructs. It seems like I am using the machine
    store. I am sure I am using the User Store but the behaviour is that of a
    user store.

    omar, Nov 17, 2004
    #3
  4. omar

    omar Guest

    Hernan, can you please elaborate some more on the X509 Certificate approach
    you suggested? Are there any articles you can direct me to?

    omar, Nov 17, 2004
    #4
  5. Are you using "exactly" the same credentials? It's not the same to have
    THISMACHINE\pjutard as MYDOMAIN\pjutard.

    Also be aware that in order to use the User Store, the User Profile must be
    loaded, so if you are not logged on as the user but are impersonating it in
    a Windows Service you must be sure that the Profile exists; for this you
    MUST log in at least once using this user's credentials.

    Cheers,

    Patricio Jutard

    Patricio Jutard, Nov 17, 2004
    #5
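A diagnostic for the two conditions Patricio names, written as an added example (not from the thread or the How-To): it logs the exact identity and profile path the service runs under, then round-trips a constructed value through the DPAPI user store with the managed ProtectedData class (.NET 2.0 and later, Windows only; reference System.Security.dll on .NET Framework or the System.Security.Cryptography.ProtectedData package on .NET Core/.NET, whereas the How-To's own wrapper P/Invokes CryptProtectData). Run without arguments on machine A, then with A's blob as the argument on machine B. The class name, entropy string and test value are constructed.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Principal;
using System.Text;

static class DpapiUserStoreCheck   // hypothetical name, added example
{
    // Constructed optional entropy; it must be identical on every machine that decrypts.
    static readonly byte[] Entropy = Encoding.UTF8.GetBytes("constructed-sample-entropy");

    // The same user *name* on two boxes is not enough: THISMACHINE\pjutard and
    // MYDOMAIN\pjutard have different SIDs, and DPAPI user master keys are per SID.
    public static string DescribeIdentity()
    {
        using (WindowsIdentity id = WindowsIdentity.GetCurrent())
        {
            string profile = Environment.GetFolderPath(Environment.SpecialFolder.UserProfile);
            return $"{id.Name}  SID={id.User}  profile={(profile.Length == 0 ? "<not loaded>" : profile)}";
        }
    }

    // CurrentUser is the How-To's "User Store"; LocalMachine would let any principal on
    // this machine decrypt but could never decrypt on another machine.
    public static byte[] Protect(string secret) =>
        ProtectedData.Protect(Encoding.UTF8.GetBytes(secret), Entropy, DataProtectionScope.CurrentUser);

    public static string Unprotect(byte[] blob) =>
        Encoding.UTF8.GetString(ProtectedData.Unprotect(blob, Entropy, DataProtectionScope.CurrentUser));

    static void Main(string[] args)
    {
        Console.WriteLine(DescribeIdentity());
        if (args.Length == 0)
        {
            // Machine A: emit a blob to carry over to machine B.
            Console.WriteLine(Convert.ToBase64String(Protect("constructed-test-value")));
            return;
        }
        try
        {
            // Machine B: decrypt A's blob. A CryptographicException here means the user
            // master key differs (different SID, or the profile is not loaded / not roaming).
            Console.WriteLine("decrypted: " + Unprotect(Convert.FromBase64String(args[0])));
        }
        catch (CryptographicException e)
        {
            Console.WriteLine("DPAPI user store does not match machine A: " + e.Message);
        }
    }
}
```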
  6. omar

    omar Guest

    Thank you Patricio. I am following the How-To guide to the letter except
    that I am using a domain account so that I will be able to use that across
    machines. So I am using one account with one password "domain/DPAPIAccount".
    And as to your other question, yes, I did log on with the domain account and
    a profile was created. Another thing I made sure is that when the service got
    started it actually forced the Serviced Component to start too. Any other
    suggestions?

    omar, Nov 18, 2004
    #6
  7. Look at this extract from
    http://msdn.microsoft.com/msdnmag/issues/04/11/CryptoUtility/default.aspx :

    "... to allow for encryption and decryption across multiple machines,
    roaming profiles must be enabled..."

    Maybe you should try roaming profiles...

    Please keep me informed of your progress.

    Cheers & good luck

    Patricio Jutard, Nov 20, 2004
    #7