how to encrypt database password in web.config file

H

Henry

Hi, my asp.net application is accessing a mssql on another server.
This works fine when I use this in my web.config file:

<add key="dbkey" value="server=192.12.12.1;database=mydb;user=dbuser;password=mypassword"
/>

However I don't like to store my password in plain text.

I played around with aspnet_setreg.exe and I followed those
instructions:

http://support.microsoft.com/default.aspx?scid=kb;en-us;Q329290

However my application says ' Could not create Windows user token from
the credentials specified in the config file'

when I use it in the recommended way:

<identity impersonate="true"
userName="registry:HKLM\SOFTWARE\MYDB\identity\ASPNET_SETREG,userName"
password="registry:HKLM\SOFTWARE\MYDB\identity\ASPNET_SETREG,password"
/>

I don't really need the asp.net worker process to run impersonate. All
I need is to store and transmit the password encrypted.

Does anyone have a suggestion?

Thanks
 
G

Guest

What you are doing when you use setreg the way you did was to impersonate the aspnet process, meaning that all the resources that your web app accesses will run under that user. For this to happen, the user that you specified, must be a user with a valid account. Hence your error!

If you want this to work with SQL Server, you must use windows authentication to connect to your SQL Server, but your connection string shows that you are using SQL authentication.

So you have two choices.

1 - Use windows authentication to connect to SQL Server. You can create an account on your web server, set this user account with setreg, and put it in the identity element as you did. Then create the same user and password on the SQL Server and give that user access to your database.

2 - With setreg there is also an option to store your entire connectionstring in a similar fashion as the username. You can continue using SQL Server authentication, and whenever you need to connect to the database you would retrieve the value of the connectionstring from the web.config file as usual.

Of the two, I would recommended the first one because the password is stored and transmited with windows NTLM and is thus more secure.

Hope this helps,
John
 
H

Henry

thanks for your answers.
both servers (web,db) have an identical user account (dbuser). Those
are local accounts.
I tried to get it to work without the encryption first:

in my web.config I have:

<authentication mode="Windows" />
<identity impersonate="true"
userName="dbuser"
password="secret"
/>

<add key="dbkey" value="Integrated Security=SSPI;Persist Security
Info=False;Initial Catalog=mydb;Data Source=192.12.12.1;Connect
Timeout=30" />

After I added the proper permissions to the used 'dbuser' I get this
error:

Login failed for user '(null)'. Reason: Not associated with a trusted
SQL Server connection.

It seems that the impersonated user does not get transmitted during
database connection. I also played with the IIS authentication methods
but to no avail.

Thanks, Henry
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

Error reading web.config 0
How to Create a random password generator in a separate window 4
How can I upload a tar.bz2 file to OpenStack swift object storage container using the Python swift client? 1
Encrypt identity password 1
Windows Server 2008 - Error reading configuration information fromthe registry. 5
Database username and password in web.config 6
ASP.NET Impersonation to access Oracle database... 1
Net::SCP download from windows to linux and encrypt password 1

Members online

Total: 28 (members: 1, guests: 27)
Robots: 371

Forum statistics

Threads
473,755
Messages
2,569,536
Members
45,013
Latest member
KatriceSwa

Latest Threads

Top