how to encrypt database password in web.config file

Discussion in 'ASP .Net' started by Henry, Aug 4, 2004.

  1. Henry

    Henry Guest

    Hi, my asp.net application is accessing a mssql on another server.
    This works fine when I use this in my web.config file:

    <add key="dbkey" value="server=192.12.12.1;database=mydb;user=dbuser;password=mypassword"
    />

    However I don't like to store my password in plain text.

    I played around with aspnet_setreg.exe and I followed those
    instructions:

    http://support.microsoft.com/default.aspx?scid=kb;en-us;Q329290

    However my application says ' Could not create Windows user token from
    the credentials specified in the config file'

    when I use it in the recommended way:

    <identity impersonate="true"
    userName="registry:HKLM\SOFTWARE\MYDB\identity\ASPNET_SETREG,userName"
    password="registry:HKLM\SOFTWARE\MYDB\identity\ASPNET_SETREG,password"
    />

    I don't really need the asp.net worker process to run impersonate. All
    I need is to store and transmit the password encrypted.

    Does anyone have a suggestion?

    Thanks
    Henry, Aug 4, 2004
    #1
    1. Advertising

  2. You can try the dpapi.

    http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secmod/html/secmod22.asp

    "Henry" wrote:

    > Hi, my asp.net application is accessing a mssql on another server.
    > This works fine when I use this in my web.config file:
    >
    > <add key="dbkey" value="server=192.12.12.1;database=mydb;user=dbuser;password=mypassword"
    > />
    >
    > However I don't like to store my password in plain text.
    >
    > I played around with aspnet_setreg.exe and I followed those
    > instructions:
    >
    > http://support.microsoft.com/default.aspx?scid=kb;en-us;Q329290
    >
    > However my application says ' Could not create Windows user token from
    > the credentials specified in the config file'
    >
    > when I use it in the recommended way:
    >
    > <identity impersonate="true"
    > userName="registry:HKLM\SOFTWARE\MYDB\identity\ASPNET_SETREG,userName"
    > password="registry:HKLM\SOFTWARE\MYDB\identity\ASPNET_SETREG,password"
    > />
    >
    > I don't really need the asp.net worker process to run impersonate. All
    > I need is to store and transmit the password encrypted.
    >
    > Does anyone have a suggestion?
    >
    > Thanks
    >
    =?Utf-8?B?Y2hyaXNyb2Nr?=, Aug 4, 2004
    #2
    1. Advertising

  3. What you are doing when you use setreg the way you did was to impersonate the aspnet process, meaning that all the resources that your web app accesses will run under that user. For this to happen, the user that you specified, must be a user with a valid account. Hence your error!

    If you want this to work with SQL Server, you must use windows authentication to connect to your SQL Server, but your connection string shows that you are using SQL authentication.

    So you have two choices.

    1 - Use windows authentication to connect to SQL Server. You can create an account on your web server, set this user account with setreg, and put it in the identity element as you did. Then create the same user and password on the SQL Server and give that user access to your database.

    2 - With setreg there is also an option to store your entire connectionstring in a similar fashion as the username. You can continue using SQL Server authentication, and whenever you need to connect to the database you would retrieve the value of the connectionstring from the web.config file as usual.

    Of the two, I would recommended the first one because the password is stored and transmited with windows NTLM and is thus more secure.

    Hope this helps,
    John

    "Henry" wrote:

    > Hi, my asp.net application is accessing a mssql on another server.
    > This works fine when I use this in my web.config file:
    >
    > <add key="dbkey" value="server=192.12.12.1;database=mydb;user=dbuser;password=mypassword"
    > />
    >
    > However I don't like to store my password in plain text.
    >
    > I played around with aspnet_setreg.exe and I followed those
    > instructions:
    >
    > http://support.microsoft.com/default.aspx?scid=kb;en-us;Q329290
    >
    > However my application says ' Could not create Windows user token from
    > the credentials specified in the config file'
    >
    > when I use it in the recommended way:
    >
    > <identity impersonate="true"
    > userName="registry:HKLM\SOFTWARE\MYDB\identity\ASPNET_SETREG,userName"
    > password="registry:HKLM\SOFTWARE\MYDB\identity\ASPNET_SETREG,password"
    > />
    >
    > I don't really need the asp.net worker process to run impersonate. All
    > I need is to store and transmit the password encrypted.
    >
    > Does anyone have a suggestion?
    >
    > Thanks
    >
    =?Utf-8?B?Sm9obiBTaXZpbGxh?=, Aug 4, 2004
    #3
  4. Henry

    Henry Guest

    thanks for your answers.
    both servers (web,db) have an identical user account (dbuser). Those
    are local accounts.
    I tried to get it to work without the encryption first:

    in my web.config I have:

    <authentication mode="Windows" />
    <identity impersonate="true"
    userName="dbuser"
    password="secret"
    />

    <add key="dbkey" value="Integrated Security=SSPI;Persist Security
    Info=False;Initial Catalog=mydb;Data Source=192.12.12.1;Connect
    Timeout=30" />

    After I added the proper permissions to the used 'dbuser' I get this
    error:

    Login failed for user '(null)'. Reason: Not associated with a trusted
    SQL Server connection.

    It seems that the impersonated user does not get transmitted during
    database connection. I also played with the IIS authentication methods
    but to no avail.

    Thanks, Henry




    John Sivilla <> wrote in message news:<>...
    > What you are doing when you use setreg the way you did was to impersonate the aspnet process, meaning that all the resources that your web app accesses will run under that user. For this to happen, the user that you specified, must be a user with a valid account. Hence your error!
    >
    > If you want this to work with SQL Server, you must use windows authentication to connect to your SQL Server, but your connection string shows that you are using SQL authentication.
    >
    > So you have two choices.
    >
    > 1 - Use windows authentication to connect to SQL Server. You can create an account on your web server, set this user account with setreg, and put it in the identity element as you did. Then create the same user and password on the SQL Server and give that user access to your database.
    >
    > 2 - With setreg there is also an option to store your entire connectionstring in a similar fashion as the username. You can continue using SQL Server authentication, and whenever you need to connect to the database you would retrieve the value of the connectionstring from the web.config file as usual.
    >
    > Of the two, I would recommended the first one because the password is stored and transmited with windows NTLM and is thus more secure.
    >
    > Hope this helps,
    > John
    >
    > "Henry" wrote:
    >
    > > Hi, my asp.net application is accessing a mssql on another server.
    > > This works fine when I use this in my web.config file:
    > >
    > > <add key="dbkey" value="server=192.12.12.1;database=mydb;user=dbuser;password=mypassword"
    > > />
    > >
    > > However I don't like to store my password in plain text.
    > >
    > > I played around with aspnet_setreg.exe and I followed those
    > > instructions:
    > >
    > > http://support.microsoft.com/default.aspx?scid=kb;en-us;Q329290
    > >
    > > However my application says ' Could not create Windows user token from
    > > the credentials specified in the config file'
    > >
    > > when I use it in the recommended way:
    > >
    > > <identity impersonate="true"
    > > userName="registry:HKLM\SOFTWARE\MYDB\identity\ASPNET_SETREG,userName"
    > > password="registry:HKLM\SOFTWARE\MYDB\identity\ASPNET_SETREG,password"
    > > />
    > >
    > > I don't really need the asp.net worker process to run impersonate. All
    > > I need is to store and transmit the password encrypted.
    > >
    > > Does anyone have a suggestion?
    > >
    > > Thanks
    > >
    Henry, Aug 4, 2004
    #4
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Alex Nitulescu
    Replies:
    3
    Views:
    616
    Alex Nitulescu
    Feb 11, 2005
  2. AAaron123
    Replies:
    2
    Views:
    2,107
    AAaron123
    Jan 16, 2009
  3. AAaron123
    Replies:
    1
    Views:
    1,321
    Oriane
    Jan 16, 2009
  4. Ken

    encrypt string in the Web.Config file

    Ken, Nov 15, 2004, in forum: ASP .Net Web Services
    Replies:
    1
    Views:
    245
    Dino Chiesa [Microsoft]
    Nov 18, 2004
  5. http://ejobseek.com

    Encrypt in Perl, De-encrypt in Javascript

    http://ejobseek.com, Sep 1, 2003, in forum: Perl Misc
    Replies:
    3
    Views:
    271
    James Willmore
    Sep 1, 2003
Loading...

Share This Page