Error with Encrypting identity section of web.config

Lane

I am deploying an ASP.NET 2.0 web app to a server farm and have followed the
instructions from
http://channel9.msdn.com/wiki/defau...onfigurationSectionsUsingRsaInAspNet20?diff=y
and
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpag2/html/PAGHT000006.asp
and specifically the section of those pages that involves deploying the
encryption in a webfarm environment. Those pages talk about encrypting the
ConnectionStrings section, but not the identity section. After hunting
around I found that the command I needed to encrypt only that section is

aspnet_regiis -pe "system.web/identity" -app "/WebFarmRSA" -prov "CustomProvider"

This successfully encrypts the web.config, but now when I
browse to the site I get the following error:
================================================
Server Error in '/' Application.
--------------------------------------------------------------------------------

Configuration Error
Description: An error occurred during the processing of a configuration file
required to service this request. Please review the specific error details
below and modify your configuration file appropriately.

Parser Error Message: Unrecognized element.

Source Error:


Line 107: </CipherData>
Line 108: </EncryptedData>
Line 109: </identity>
Line 110: !-- AUTHORIZATION
Line 111: This section sets the authorization policies of the
application. You can allow or deny access

=====================================================

So I am wondering if there is a specific problem since the identity section
is a subsection of system.web, or where exactly the problem is on this. This
is all on a Windows Server 2003 SP1 64Bit box running Framework ASP.NET
Version:2.0.50727.42. Any help would be most appreciated!!

Thanks,

Lane
 
Dominick Baier [DevelopMentor]

You cannot encrypt the identity section using ProtectedConfiguration...

This setting has to be read by the ISAPI extension before it calls into
the HttpRuntime. That's too early for protected configuration.

For these special sections there's a tool called aspnet_setreg:

http://support.microsoft.com/kb/329290
 
Lane

Actually Dominick it does work just fine. The initial problem with the
web.config file was a missing "<" character for a remark which was causing
the error. I then ran into another error saying that it could not open the
Custom Provider Container. I then ran the following command on both web
servers to ensure that the NetworkService Account had the necessary ACLs on
that custom provider container:
aspnet_regiis -pa "CustomKeys" "NT Authority\Network Service"

That fixed the issue and allows us to use the aspnet_regiis tool to provide
RSA encryption of the identity section of the web.config.

Thanks though!!

Lane
 
Dominick Baier [DevelopMentor]

Hey,

You are right - I somehow thought that identity is on that list too.

From MSDN:

You cannot use protected configuration to encrypt the configProtectedData
section of a configuration file. You also cannot use protected configuration
to encrypt the configuration sections that do not employ a section handler
or sections that are part of the managed cryptography configuration. The
following is a list of configuration sections that cannot be encrypted using
protected configuration: processModel, runtime, mscorlib, startup, system.runtime.remoting,
configProtectedData, satelliteassemblies, cryptographySettings, cryptoNameMapping,
and cryptoClasses. It is recommended that you use other means of encrypting
sensitive information, such as the ASP.NET Set Registry console application
(Aspnet_setreg.exe) tool, to protect sensitive information in these configuration
sections. For information on the ASP.NET Set Registry console application
(Aspnet_setreg.exe), see article Q329290, "How to use the ASP.NET utility
to encrypt credentials and session state connection strings," in the Microsoft
Knowledge Base at the Microsoft support Web site.
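
A pre-flight check for the two things this thread turned on, written as an added example that is not part of the original posts: whether a section is on the quoted MSDN list of sections protected configuration cannot encrypt, and whether a comment that lost its leading "<" has left stray text next to the encrypted identity element. The helper names (audit, child), the finding codes and the sample web.config are assumptions made up for illustration.

```python
import xml.etree.ElementTree as ET

# Sections the MSDN passage quoted in the thread lists as not encryptable.
NOT_ENCRYPTABLE = {"processModel", "runtime", "mscorlib", "startup",
                   "system.runtime.remoting", "configProtectedData",
                   "satelliteassemblies", "cryptographySettings",
                   "cryptoNameMapping", "cryptoClasses"}

def child(node, name):
    """First child with this local name, ignoring any '{namespace}' prefix."""
    return next((c for c in node if c.tag.rsplit("}", 1)[-1] == name), None)

def audit(xml_text, path="system.web/identity"):
    """Return finding codes for one section of a web.config (hypothetical helper)."""
    parts = path.split("/")
    if NOT_ENCRYPTABLE.intersection(parts):
        return ["not-encryptable"]
    try:
        node = parent = ET.fromstring(xml_text)
    except ET.ParseError:
        return ["malformed-xml"]
    for name in parts:
        parent, node = node, child(node, name)
        if node is None:
            return ["section-missing"]
    findings = []
    # The parser drops real comments, so non-blank text between the children of
    # the section group is stray, e.g. a comment that lost its leading "<".
    if any(s and s.strip() for s in [parent.text] + [c.tail for c in parent]):
        findings.append("stray-text")
    if node.get("configProtectionProvider") and child(node, "EncryptedData") is not None:
        findings.append("encrypted")
    elif node.get("password") is not None:
        findings.append("cleartext-password")
    return findings

# Constructed sample, not the poster's file; the ciphertext is a placeholder.
SAMPLE = """<configuration><system.web>
  <identity configProtectionProvider="CustomProvider">
    <EncryptedData xmlns="http://www.w3.org/2001/04/xmlenc#">
      <CipherData><CipherValue>PLACEHOLDER</CipherValue></CipherData>
    </EncryptedData>
  </identity>
  %s AUTHORIZATION: allow or deny access -->
  <authorization><deny users="?"/></authorization>
</system.web></configuration>"""
GOOD, BROKEN = SAMPLE % "<!--", SAMPLE % "!--"

if __name__ == "__main__":
    print(audit(GOOD), audit(BROKEN))
```

The broken sample is still well-formed XML, so a plain parse would not catch it; the check flags it because the text that should have been a comment ends up as content of system.web.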
 
