Error with Encrypting identity section of web.config

Discussion in 'ASP .Net Security' started by Lane, Apr 27, 2006.

  1. Lane

    Lane Guest

    I am deploying an ASP.NET 2.0 web app to a server farm and have followed the
    instructions from
    http://channel9.msdn.com/wiki/defau...onfigurationSectionsUsingRsaInAspNet20?diff=y
    and
    http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpag2/html/PAGHT000006.asp
    and specifically the section of those pages that involves deploying the
    encryption in a webfarm environment. Those pages talk about encrypting the
    ConnectionStrings section, but not the identity section. After hunting
    around I found that the command I needed to encrypt only that section is

    aspnet_regiis -pe "system.web/identity" -app "/WebFarmRSA" -prov "CustomProvider"

    This successfully encrypts the web.config, but now when I
    browse to the site I get the following error:
    ================================================
    Server Error in '/' Application.
    --------------------------------------------------------------------------------

    Configuration Error
    Description: An error occurred during the processing of a configuration file
    required to service this request. Please review the specific error details
    below and modify your configuration file appropriately.

    Parser Error Message: Unrecognized element.

    Source Error:


    Line 107: </CipherData>
    Line 108: </EncryptedData>
    Line 109: </identity>
    Line 110: !-- AUTHORIZATION
    Line 111: This section sets the authorization policies of the
    application. You can allow or deny access

    =====================================================

    So I am wondering if there is a specific problem since the identity section
    is a subsection of system.web, or where exactly the problem is on this. This
    is all on a Windows Server 2003 SP1 64Bit box running Framework ASP.NET
    Version:2.0.50727.42. Any help would be most appreciated!!

    Thanks,

    Lane
    Lane, Apr 27, 2006
    #1

  2. You cannot encrypt the identity section using ProtectedConfiguration...

    This setting has to be read by the ISAPI extension before it calls into
    the HttpRuntime. That's too early for protected configuration.

    For these special sections there's a tool called aspnet_setreg:

    http://support.microsoft.com/kb/329290


    ---------------------------------------
    Dominick Baier - DevelopMentor
    http://www.leastprivilege.com

    Dominick Baier [DevelopMentor], Apr 27, 2006
    #2

  3. Lane

    Lane Guest

    Actually Dominick it does work just fine. The initial problem with the
    web.config file was a missing "<" character for a remark which was causing
    the error. I then ran into another error saying that it could not open the
    Custom Provider Container. I then ran the following command on both web
    servers to ensure that the NetworkService Account had the necessary ACLs on
    that custom provider container:
    aspnet_regiis -pa "CustomKeys" "NT Authority\Network Service"

    That fixed the issue and allows us to use the aspnet_regiis tool to provide
    RSA encryption of the identity section of the web.config.

    Thanks though!!

    Lane

    Lane, Apr 27, 2006
    #3
  4. Hey,

    You are right - I somehow thought that identity is on that list too.

    From MSDN:

    You cannot use protected configuration to encrypt the configProtectedData
    section of a configuration file. You also cannot use protected configuration
    to encrypt the configuration sections that do not employ a section handler
    or sections that are part of the managed cryptography configuration. The
    following is a list of configuration sections that cannot be encrypted using
    protected configuration: processModel, runtime, mscorlib, startup, system.runtime.remoting,
    configProtectedData, satelliteassemblies, cryptographySettings, cryptoNameMapping,
    and cryptoClasses. It is recommended that you use other means of encrypting
    sensitive information, such as the ASP.NET Set Registry console application
    (Aspnet_setreg.exe) tool, to protect sensitive information in these configuration
    sections. For information on the ASP.NET Set Registry console application
    (Aspnet_setreg.exe), see article Q329290, "How to use the ASP.NET utility
    to encrypt credentials and session state connection strings," in the Microsoft
    Knowledge Base at the Microsoft support Web site.


    ---------------------------------------
    Dominick Baier - DevelopMentor
    http://www.leastprivilege.com

    Dominick Baier [DevelopMentor], Apr 27, 2006
    #4
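
The root cause Lane reports in post #3 (a comment missing its opening "<") can be caught before deployment. Added example, not part of the original thread: a PowerShell lint that flags stray text in a web.config and checks whether system.web/identity is encrypted. The function name Test-WebConfig, the sample XML and its placeholder ciphertext are constructed for illustration.

```powershell
# Added example. $sample is constructed: an encrypted <identity> section followed
# by a comment whose opening "<" is missing, as in the error shown in the thread.
$sample = @'
<configuration>
  <system.web>
    <identity configProtectionProvider="CustomProvider">
      <EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"
                     xmlns="http://www.w3.org/2001/04/xmlenc#">
        <CipherData><CipherValue>PLACEHOLDER-CIPHERTEXT</CipherValue></CipherData>
      </EncryptedData>
    </identity>
    !-- AUTHORIZATION
        This section sets the authorization policies of the application. -->
    <authorization><allow users="*" /></authorization>
  </system.web>
</configuration>
'@

function Test-WebConfig {   # hypothetical helper name
    param([string]$Xml, [string]$SectionPath = 'system.web/identity')
    $doc = New-Object System.Xml.XmlDocument
    try { $doc.LoadXml($Xml) }
    catch { return "Not well-formed XML: $($_.Exception.Message)" }

    # A comment that lost its "<" is still well-formed XML: it becomes text
    # sitting between elements, which is not valid in a configuration section.
    foreach ($t in $doc.SelectNodes('//text()[normalize-space(.) != ""]')) {
        if ($t.ParentNode.SelectNodes('*').Count -gt 0) {
            $s = $t.Value.Trim()
            "Stray text inside <$($t.ParentNode.Name)>: '$($s.Substring(0, [Math]::Min(30, $s.Length)))...'"
        }
    }

    # Assumes <configuration> carries no default xmlns; adjust the XPath if it does.
    $section = $doc.SelectSingleNode("/configuration/$SectionPath")
    if ($null -eq $section) { "Section $SectionPath not found"; return }
    if (-not $section.GetAttribute('configProtectionProvider')) {
        "Section $SectionPath is not encrypted"
        if ($section.HasAttribute('password')) { "Section $SectionPath holds a plaintext password attribute" }
    }
    elseif ($null -eq $section.SelectSingleNode('*[local-name()="EncryptedData"]')) {
        "Section $SectionPath names a provider but has no <EncryptedData> child"
    }
}

Test-WebConfig -Xml $sample
# On a server: Test-WebConfig -Xml (Get-Content -Raw 'C:\path\to\web.config')   # placeholder path
```

An empty result means the file passed both checks; the constructed sample reports the stray comment text inside system.web.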