"The RSA key container could not be opened" Error even after ACL Permission (for some users)


Solution 1

Following is an approach I tried which does not involve machine.config.

Note: If the destination is Windows Server 2008, the encryption steps need to be executed on Windows Server 2008 itself.

Executed the following commands on server A.

Note: Registering the key

cd C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319
aspnet_regiis.exe -pc "MyProjectKeys" -exp

Note: Granting access on server A only

aspnet_regiis.exe -pa "MyProjectKeys" "IIS APPPOOL\testpsreloservices"
aspnet_regiis.exe -pa "MyProjectKeys" "NT AUTHORITY\NETWORK"

Exported an XML file containing the RSA key (including the private key)

aspnet_regiis.exe -px "MyProjectKeys" E:\wmapps\webroot\myservice\MyProjectKey.xml -pri

Added the following in web.config

<configProtectedData>
  <providers>
    <clear/>
    <remove name="RSAProtectedConfigurationProvider" />
    <add name="RSAProtectedConfigurationProvider"
         keyContainerName="MyProjectKeys"
         type="System.Configuration.RsaProtectedConfigurationProvider, System.Configuration, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a, processorArchitecture=MSIL"
         useMachineContainer="true" />
  </providers>
</configProtectedData>

Encrypted

aspnet_regiis -pef "connectionStrings" "E:\wmapps\webroot\myservice" -prov "RsaProtectedConfigurationProvider"

Copied the encrypted files to server B. Copied the key XML file to server B.

Created a batch file with the following commands and executed it (for key registration and granting access)

c:
cd C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319
aspnet_regiis.exe -pi "MyProjectKeys" E:\wmapps\webroot\myservice\MyProjectKey.xml
aspnet_regiis.exe -pa "MyProjectKeys" "IIS APPPOOL\testpsreloservices"
aspnet_regiis.exe -pa "MyProjectKeys" "NT AUTHORITY\NETWORK"
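The same procedure driven from PowerShell, as an added example that is not code from the original answer. It resolves the account the application pool actually runs as before granting the container (granting the wrong account is the usual reason the container "could not be opened"), and then checks the resulting ACL on the key file under MachineKeys, which is what `-pa` edits. The container name, paths and pool name are the placeholders used in the answer above; the `WebAdministration` module (IIS 7.5 or later) is assumed. Run it from an elevated prompt on the server being configured: `Export-KeyContainer` on server A, `Import-KeyContainer` on server B.

```powershell
# Added example (not from the original answer). Placeholders: container name,
# key XML path and pool name are taken from the answer; adjust for your site.
$RegIis    = 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe'
$Container = 'MyProjectKeys'                       # must match keyContainerName in web.config
$KeyXml    = 'E:\wmapps\webroot\myservice\MyProjectKey.xml'
$AppPool   = 'testpsreloservices'                  # pool name used in the answer (placeholder)

function Invoke-RegIis {
    # Run aspnet_regiis and fail loudly; a silent non-zero exit here is what leaves
    # a container unregistered or an ACL missing on the target server.
    param([string[]]$Arguments)
    & $RegIis @Arguments
    if ($LASTEXITCODE -ne 0) { throw "aspnet_regiis $($Arguments -join ' ') exited with $LASTEXITCODE" }
}

function Get-AppPoolAccount {
    # Resolve the account the pool really runs as (assumes the WebAdministration module).
    param([string]$Name)
    Import-Module WebAdministration
    $model = (Get-Item "IIS:\AppPools\$Name").processModel
    switch ($model.identityType) {
        'ApplicationPoolIdentity' { "IIS APPPOOL\$Name" }
        'NetworkService'          { 'NT AUTHORITY\NETWORK SERVICE' }
        'LocalService'            { 'NT AUTHORITY\LOCAL SERVICE' }
        'LocalSystem'             { 'NT AUTHORITY\SYSTEM' }
        'SpecificUser'            { $model.userName }
    }
}

function Test-ContainerAccess {
    # Open the machine-store container, locate its key file under MachineKeys and
    # report whether $Account holds an Allow entry on it.
    param([string]$Name, [string]$Account)
    $csp = New-Object System.Security.Cryptography.CspParameters
    $csp.KeyContainerName = $Name
    $csp.KeyNumber = 1                              # exchange key, as RsaProtectedConfigurationProvider uses
    $csp.Flags = [System.Security.Cryptography.CspProviderFlags]::UseMachineKeyStore -bor
                 [System.Security.Cryptography.CspProviderFlags]::UseExistingKey   # throw if missing
    $rsa  = New-Object System.Security.Cryptography.RSACryptoServiceProvider($csp)
    $dir  = Join-Path ([Environment]::GetFolderPath('CommonApplicationData')) 'Microsoft\Crypto\RSA\MachineKeys'
    $file = Join-Path $dir $rsa.CspKeyContainerInfo.UniqueKeyContainerName
    $rsa.Clear()                                    # release the handle; the key stays persisted
    $hit = (Get-Acl $file).Access | Where-Object {
        $_.IdentityReference.Value -ieq $Account -and $_.AccessControlType -eq 'Allow'
    }
    [bool]$hit
}

function Export-KeyContainer {
    # Server A: create an exportable container and export it with the private key.
    Invoke-RegIis @('-pc', $Container, '-exp')
    Invoke-RegIis @('-px', $Container, $KeyXml, '-pri')
    # The XML now holds the private key: restrict it to Administrators until it is moved.
    icacls $KeyXml /inheritance:r /grant:r 'BUILTIN\Administrators:(F)' | Out-Null
}

function Import-KeyContainer {
    # Server B: import the same container, grant the real pool account, then remove
    # the XML so the private key does not remain in the web root.
    Invoke-RegIis @('-pi', $Container, $KeyXml)
    $account = Get-AppPoolAccount -Name $AppPool
    Invoke-RegIis @('-pa', $Container, $account)
    Remove-Item $KeyXml -Force
    if (-not (Test-ContainerAccess -Name $Container -Account $account)) {
        throw "$account still has no Allow entry on container $Container"
    }
    "Container $Container readable by $account"
}
```

`Test-ContainerAccess` is also a quick way to diagnose the error on an existing server: call it with the pool account (or, with impersonation enabled, with a user from the failing group) and it tells you whether the ACL is actually there, independent of what the deployment document says was run.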

Solution 2

If you have impersonation enabled, the RSA key container will be accessed using the identity of the user accessing the application---not Network Service.

You'll either need to disable impersonation, or add all the users that can access the application to the ACL of the key container.
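To see which case applies and apply one of the two fixes, here is an added example that is not code from the original answer. It reads the site's web.config to determine whether impersonation with Windows authentication is on (in which case the authenticated request user, not the pool account, must be able to open the container), collects the groups named in `<authorization><allow roles="...">`, and either grants the container to those groups with `aspnet_regiis -pa` (which accepts a user or group account) or switches impersonation off. The site path and container name are placeholders; only the root `<system.web>` block is inspected, so `<location>` overrides would need the same treatment. Run it elevated on the server hosting the site.

```powershell
# Added example (not from the original answer). Placeholders below.
$SitePath  = 'E:\wmapps\webroot\myservice'
$Container = 'MyProjectKeys'
$RegIis    = 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe'

function Get-ContainerCaller {
    # Report which identity will open the RSA container for this site and which
    # groups the root <authorization> block admits.
    param([string]$Path)
    [xml]$cfg = Get-Content (Join-Path $Path 'web.config')
    $web = $cfg.configuration.'system.web'
    $impersonate = ($web.identity.impersonate -eq 'true')
    $windowsAuth = ($web.authentication.mode -eq 'Windows')
    $roles = @()
    foreach ($allow in @($web.authorization.allow)) {
        if ($allow -and $allow.roles) {
            $roles += ($allow.roles -split ',') | ForEach-Object { $_.Trim() } | Where-Object { $_ }
        }
    }
    if ($impersonate) { $caller = 'impersonated request user' } else { $caller = 'application pool identity' }
    New-Object PSObject -Property @{
        Impersonate = $impersonate
        WindowsAuth = $windowsAuth
        Roles       = $roles
        Caller      = $caller
    }
}

function Grant-ContainerToRoles {
    # Fix 1: keep impersonation and give every allowed group access to the container.
    # Wildcard rules ('*' all users, '?' anonymous) cannot be granted and are skipped.
    param([string[]]$Roles)
    foreach ($role in $Roles) {
        if (@('*', '?') -contains $role) { Write-Warning "skipping wildcard rule '$role'"; continue }
        & $RegIis -pa $Container $role
        if ($LASTEXITCODE -ne 0) { throw "granting $role on $Container failed ($LASTEXITCODE)" }
    }
}

function Disable-Impersonation {
    # Fix 2: turn impersonation off so only the pool identity needs container access.
    # A backup of web.config is written first.
    param([string]$Path)
    $file = Join-Path $Path 'web.config'
    [xml]$cfg = Get-Content $file
    $web = $cfg.configuration.'system.web'
    $identity = $web.SelectSingleNode('identity')
    if (-not $identity) { $identity = $web.AppendChild($cfg.CreateElement('identity')) }
    $identity.SetAttribute('impersonate', 'false')
    Copy-Item $file "$file.bak" -Force
    $cfg.Save($file)
}

# Usage: inspect first, then pick one fix.
$info = Get-ContainerCaller -Path $SitePath
$info | Format-List Caller, Impersonate, WindowsAuth, Roles
if ($info.Impersonate -and $info.WindowsAuth) {
    Grant-ContainerToRoles -Roles $info.Roles
    # or instead: Disable-Impersonation -Path $SitePath
}
```

This also explains the symptom in the question where one AD group works and another does not: under impersonation each group's members need their own Allow entry on the key container, so a group that was never granted fails while one that happens to overlap a granted account succeeds.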


Updated on July 21, 2022

Comments

  • LCJ
    LCJ almost 2 years

    We are getting the following error (in asp.net website) when applied encryption.

    Parser Error Message: Failed to decrypt using provider 'RsaProtectedConfigurationProvider'. Error message from the provider: The RSA key container could not be opened.

    Note: Please see the steps listed below that we followed. (We have granted ACL permission for NT Authority\Network Service on NetFrameworkConfigurationKey)

    Note: We are using Windows Authentication Enabled and ASP.NET impersonation Enabled in IIS7. It is running in Windows Server 2008. The access is controlled based on whether a user is part of allowed AD group (which will be listed in config file).

    The interesting part is that this error happens when users of group1 (from location1) access it. When users of group2 (from location2) try to access it, the error does not come.

    Any thoughts on how to correct it?

    We have followed the steps listed below from our deployment document.

    1. Run the Command Window in Administrator Mode. (In Windows Server 2008 , type cmd and press CTRL+SHIFT+ENTER)
    2. Go to the folder C:\Windows\Microsoft.Net\Framework\v4.0.30319\ using change directory command (cd).
    3. Type the following command to create RSA Key Container. aspnet_regiis -pc "NetFrameworkConfigurationKey" -exp
    4. Type the following (to add ACL for access to the RSA Key Container) and press enter aspnet_regiis -pa "NetFrameworkConfigurationKey" "NT Authority\Network Service"
    5. Type the following (after replacing the highlighted text with the location where the service is deployed) and press enter to encrypt the connections string in Service’s Web.Config. aspnet_regiis.exe -pef "connectionStrings" "C:\MyWCF\ServiceName"
    6. Type the following (after replacing the highlighted text with the location where the website is deployed) and press enter to encrypt the connections string in Website’s Web.Config. aspnet_regiis.exe -pef "connectionStrings" "C:\MyWeb\WebsiteName"
    7. Type the following (after replacing the highlighted text with the location where the web.config file for the website is available) and press enter to encrypt the sessionState values in Website’s Web.Config. aspnet_regiis.exe -pef "system.web/sessionState" "C:\MyWeb\WebsiteName"
    8. Verify that the connection strings and SessionState values are encrypted.
    9. Verify the following details in configProtectedData section in Machine.Config.

    • Verify that defaultProvider="RsaProtectedConfigurationProvider"

    • Verify that keyContainerName="NetFrameworkConfigurationKey"

    Note: Default location for machine.config is C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\Config

  • Amogh Natu
    Amogh Natu almost 9 years
    Apparently, I had given access to one account and my application app pool was running on another account. As soon as I gave access to the correct account, it worked. Thanks! :)
  • iMatoria
    iMatoria almost 5 years
    Providing permissions to the correct user is very important. I struggled for 4 hours and then finally got that we need to provide permissions to at least the correct app pool as well. Not sure of NETWORK.
  • Mike
    Mike almost 2 years
    I had the same error after rebuilding my project and updating the project dll in the bin folder on the server. The problem was sorted as soon as I re-granted access to the application pool identity for the site. E.g. "IIS APPPOOL\YourSite". I just exported the key container to my dev machine. Hopefully using LCJ's approach will keep everything synced.