I have some sites in IIS7 that are configured to run as domain users (MYDOMAIN\someuser).

I'm using the Microsoft.Web.Administration namespace to scan my server configuration, but it's throwing an exception when I hit one of these "impersonator" sites:

// directives needed at the top of the file
using Microsoft.Web.Administration;
using System.Linq;   // Reverse() on the IIS collections is the LINQ extension method

using (ServerManager sm = new ServerManager()) {
    foreach (Site site in sm.Sites) {
        foreach (Application app in site.Applications.Reverse()) {
            foreach (VirtualDirectory vdir in app.VirtualDirectories.Reverse()) {
                // reads the application's web.config, merged with applicationHost.config
                var config = app.GetWebConfiguration();
                foreach (var locationPath in config.GetLocationPaths()) {
                    // error occurs in GetLocationPaths()
                }
            }
        }
    }
}

The actual error message is:

COMException was unhandled 
Filename: \\?\C:\Windows\system32\inetsrv\config\applicationHost.config 
Line number: 279
Error: Failed to decrypt attribute 'password' because the keyset does not exist

It appears that IIS is storing the MYDOMAIN\someuser password encrypted in applicationHost.config, which is great in terms of security - but I have no idea how to get the ServerManager to decrypt this.

Any tips on how I can either allow ServerManager to decrypt this, or just tell IIS to store the passwords in plain text?

This is on IIS7 under Windows 7 RC, by the way.

A: 

IIS uses encryption for attributes that are marked as "encrypted=true" in its schema. Also in its schema it defines the provider to use for the encryption (see C:\Windows\System32\inetsrv\config\schema\IIS_Schema.xml). In the case of the password inside the Virtual Directory, it uses the AesProvider, which is defined in the section configProtectedData inside ApplicationHost.config.

In there you will be able to see the KeyContainerName that you need to grant permissions for whatever account you want to be able to decrypt, which, for security reasons, by default only includes Administrators.

This leads me to my question: if your code is failing, I would guess that you have granted access to ApplicationHost.config to a user that is not an Administrator. Is that the case? If so, then I would suggest making sure this is not going to open security risks for your environment.

CarlosAg
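An added example, not code from the question or from CarlosAg's answer: it reads the providers declared under configProtectedData through Microsoft.Web.Administration, so the KeyContainerName the answer refers to can be read off the live server, and then repeats the question's location-path walk with the COMException caught per application so one undecryptable password does not abort the whole scan. It assumes it runs on the IIS7 host with Microsoft.Web.Administration referenced; the class and method names are mine.

```csharp
using System;
using System.Runtime.InteropServices;
using Microsoft.Web.Administration;
static class ProtectedConfigInspector   // hypothetical name, not part of the page
{
    // Lists the providers declared under configProtectedData in applicationHost.config,
    // so the key container the AesProvider uses (the one whose ACL decides who may
    // decrypt the vdir 'password' attribute) can be read off rather than guessed.
    static void ListProtectedDataProviders(ServerManager sm)
    {
        Configuration appHost = sm.GetApplicationHostConfiguration();
        ConfigurationSection section = appHost.GetSection("configProtectedData");
        foreach (ConfigurationElement provider in section.GetCollection("providers"))
        {
            Console.WriteLine("provider: {0}", provider["name"]);
            foreach (ConfigurationAttribute attr in provider.Attributes)
            {
                // sessionKey is the RSA-wrapped AES session key; nothing to act on there.
                if (attr.Name == "name" || attr.Name == "sessionKey") continue;
                Console.WriteLine("  {0} = {1}", attr.Name, attr.Value);
            }
        }
    }
    // Same walk as in the question, but a decrypt failure is reported per application
    // and the scan continues instead of the COMException taking down the whole run.
    static void ScanLocationPaths(ServerManager sm)
    {
        foreach (Site site in sm.Sites)
        foreach (Application app in site.Applications)
        {
            try
            {
                Configuration config = app.GetWebConfiguration();
                foreach (string locationPath in config.GetLocationPaths())
                    Console.WriteLine("{0}{1}: location '{2}'", site.Name, app.Path, locationPath);
            }
            catch (COMException ex)
            {
                // e.g. "Failed to decrypt attribute 'password' because the keyset does not exist":
                // the calling account has no access to the provider's key container.
                Console.WriteLine("{0}{1}: skipped, {2}", site.Name, app.Path, ex.Message);
            }
        }
    }
    static void Main()
    {
        using (ServerManager sm = new ServerManager()) { ListProtectedDataProviders(sm); ScanLocationPaths(sm); }
    }
}
```

Run it under the same account the scanner uses: the first half tells you which key container to grant that account access to, the second half tells you which applications still fail after you do.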