I have an application which is making use of the RSACryptoServiceProvider to decrypt some data using a known private key (stored in a variable).
When the IIS Application Pool is configured to use Network Service, everything runs fine.
However, when we configure the IIS Application Pool to run the code under a different Identity, we get the following:
System.Security.Cryptography.CryptographicException: The system cannot find the file specified. at System.Security.Cryptography.Utils.CreateProvHandle(CspParameters parameters, Boolean randomKeyContainer) at System.Security.Cryptography.RSACryptoServiceProvider.ImportParameters(RSAParameters parameters) at System.Security.Cryptography.RSA.FromXmlString(String xmlString)
The code is something like this:
byte[] input;
byte[] output;
string private_key_xml;
var provider = new System.Cryptography.RSACryptoServiceProvider(this.m_key.Key_Size);
provider.FromXmlString(private_key_xml); // Fails Here when Application Pool Identity != Network Service
ouput = provider.Decrypt(input, false); // False = Use PKCS#1 v1.5 Padding
There are resources which attempt to answer it by stating that you should give the user read access to the machine key store - however there is no definitive answer to solve this issue.
Environment: IIS 6.0, Windows Server 2003 R2, .NET 3.5 SP1