views:

3036

answers:

6

I am running into an issue I had before; can't find my reference on how to solve it.

Here is the issue. We encrypt the connection strings section in the app.config for our client application using the code below:

        config = ConfigurationManager.OpenExeConfiguration(ConfigurationUserLevel.None)
        If config.ConnectionStrings.SectionInformation.IsProtected = False Then
            config.ConnectionStrings.SectionInformation.ProtectSection(Nothing)

            ' We must save the changes to the configuration file.'
            config.Save(ConfigurationSaveMode.Modified, True)
        End If

The issue is we had a salesperson leave. The old laptop is going to a new salesperson and under the new user's login, when it tries to do this we get an error. The error is:

Unhandled Exception: System.Configuration.ConfigurationErrorsException: 
An error occurred executing the configuration section handler for connectionStrings. ---> System.Configuration.ConfigurationErrorsException: Failed to encrypt the section 'connectionStrings' using provider 'RsaProtectedConfigurationProvider'. 
Error message from the provider: Object already exists.
---> System.Security.Cryptography.CryptographicException: Object already exists
A: 

Sounds like a permissions issue. The (new) user in question has write permissions to the app.config file? Was the previous user a local admin or power user that could have masked this problem?

Booji Boy
+1  A: 

So I did get it working.

  1. removed old user's account from laptop
  2. reset app.config to have section not protected
  3. removed key file from all users machine keys
  4. ran app and allowed it to protect the section

but all this did was get it working for this user.

NOW I need to know what I have to do to change the code to protect the section so that multiple users on a PC can use the application. Virtual PC here I come (well after vacation to WDW tomorrow through next Wednesday)!

Any advice to help point me in the right direction would be appreciated, as I am not very experienced in this RSA encryption type stuff.

Thanks Mike

MikeScott8
A: 

@boojiboy

we had installed the app for new user, using the clickonce install. both users were in admin group on the pc.

from what I have found online it appears to be the fact the default RSA key is machine specific and when different users use it to protect their version of the app.config it causes errors. I think I need to protect using some user specific key, now just need to find out how. :)

Thanks for replying!

Mike

MikeScott8
+1  A: 

I found a more elegant solution than in my original answer to myself. I found if I just logged in as the user who originally installed the application and caused the config file connectionstrings to be encrypted and go to the .net framework directory in a command prompt and run

aspnet_regiis -pa "NetFrameworkConfigurationKey" "{domain}\{user}"

it gave the other user permission to access the RSA encryption key container and it then works for the other user(s).

Just wanted to add it here as I thought I had blogged this issue on our dev blog but found it here, so in case I need to look it up again it will be here. Will add link to our dev blog point at this thread as well.

MikeScott8
This also helps when getting that error from an ASP .NET application.

aspnet_Regiis -pa "NetFrameworkConfigurationKey" ASPNET

Thanks
Jay
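For a client application that cannot shell out to `aspnet_regiis`, the same grant can be made from code. This is an added example, not code from the thread; it assumes the .NET Framework on Windows and must be run by an account that is allowed to change the container's ACL (the user who created it, as in the answer above, or an administrator). `KeyContainerAcl`, `MachineContainer`, `GrantRead` and the account name are hypothetical.

```vb
Imports System
Imports System.Security.AccessControl
Imports System.Security.Cryptography
Imports System.Security.Principal

Module KeyContainerAcl

    ' Parameters for an existing machine-level container. UseExistingKey makes
    ' the open fail instead of silently creating a new, empty container.
    Private Function MachineContainer(name As String) As CspParameters
        Dim csp As New CspParameters(1) ' 1 = PROV_RSA_FULL
        csp.KeyContainerName = name
        csp.Flags = CspProviderFlags.UseMachineKeyStore Or CspProviderFlags.UseExistingKey
        Return csp
    End Function

    ' Adds a read-only allow rule for one account to the container's ACL.
    Public Sub GrantRead(containerName As String, account As String)
        Dim acl As CryptoKeySecurity
        Using rsa As New RSACryptoServiceProvider(MachineContainer(containerName))
            acl = rsa.CspKeyContainerInfo.CryptoKeySecurity
        End Using

        ' Grant read to the named account only; avoid FullControl or "Everyone".
        Dim who As New NTAccount(account)
        acl.AddAccessRule(New CryptoKeyAccessRule(who, CryptoKeyRights.GenericRead, AccessControlType.Allow))

        ' Re-opening the container with CryptoKeySecurity set writes the ACL back.
        Dim csp As CspParameters = MachineContainer(containerName)
        csp.CryptoKeySecurity = acl
        Using rsa As New RSACryptoServiceProvider(csp)
        End Using
    End Sub

    Sub Main()
        ' Constructed account name; replace with the real DOMAIN\user.
        GrantRead("NetFrameworkConfigurationKey", "CONTOSO\new.salesperson")
        Console.WriteLine("Read access granted.")
    End Sub

End Module
```

If the container does not exist, the first `RSACryptoServiceProvider` constructor throws a `CryptographicException` rather than creating one, so a missing container is not mistaken for a successful grant.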
A: 

aspnet_regiis -pa "NetFrameworkConfigurationKey" "{domain}\{user}"

I am still facing the issue. When I execute the above line, it gives me

"The RSA Key container was not found." "Failed!"

Then I tried to create one

aspnet_regiis -pc "NetFrameworkConfigurationKey" -exp

Creating RSA Key Container...
The RSA key container could not be opened.
Failed!

Can anyone help?

BKarms
you could try running this code as administrator as told by Booji. In my case it was a Visual Studio 2008 application, changes were made quite well running VS as Administrator
Junior Mayhé
A: 

http://blogs.msdn.com/mosharaf/archive/2005/11/17/protectedConfiguration.aspx#1657603

copy and paste :D

Monday, February 12, 2007 12:15 AM by Naica

re: Encrypting configuration files using protected configuration

Here is a list of all steps I've done to encrypt two sections on my PC and then deploy it to the WebServer. Maybe it will help someone...:

  1. To create a machine-level RSA key container

aspnet_regiis -pc "DataProtectionConfigurationProviderKeys" -exp

  2. Add this to web.config before connectionStrings section:

 <add name="DataProtectionConfigurationProvider"
      type="System.Configuration.RsaProtectedConfigurationProvider, System.Configuration, Version=2.0.0.0,
               Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a,
               processorArchitecture=MSIL"
      keyContainerName="DataProtectionConfigurationProviderKeys"
      useMachineContainer="true" />

Do not miss the from above! Important when playing with encrypting/decrypting many times

  3. Check to have this at the top of Web.Config file. If missing add it:

  4. Save and close Web.Config file in VS (very important!)

  5. In Command Prompt (my local PC) window go to:

C:\WINNT\Microsoft.NET\Framework\v2.0.50727

  6. Encrypt: (Be aware to change the physical path for your App, or use -app option and give the name of virtual directory for app! Because I used VS on my PC I preferred the below option. The path is the path to Web.config file)

aspnet_regiis -pef "connectionStrings" "c:\Bla\Bla\Bla" -prov "DataProtectionConfigurationProvider"

aspnet_regiis -pef "system.web/membership" "c:\Bla\Bla\Bla" -prov "DataProtectionConfigurationProvider"

  7. To Decrypt (if needed only!):

aspnet_regiis -pdf "connectionStrings" "c:\Bla\Bla\Bla"

aspnet_regiis -pdf "system.web/membership" "c:\Bla\Bla\Bla"

  8. Delete Keys Container (if needed only!)

aspnet_regiis -pz "DataProtectionConfigurationProviderKeys"

  9. Save the above key to xml file in order to export it from your local PC to the WebServer (UAT or Production)

aspnet_regiis -px "DataProtectionConfigurationProviderKeys" \temp\mykeyfile.xml -pri

  10. Import the key container on WebServer servers:

aspnet_regiis -pi "DataProtectionConfigurationProviderKeys" \temp\mykeyfile.xml

  11. Grant access to the key on the web server

aspnet_regiis -pa "DataProtectionConfigurationProviderKeys" "DOMAIN\User"

See in IIS the ASP.NET user or use:

Response.Write(System.Security.Principal.WindowsIdentity.GetCurrent().Name)

  12. Remove Grant access to the key on the web server (Only if required!)

aspnet_regiis -pr "DataProtectionConfigurationProviderKeys" "Domain\User"

  13. Copy and Paste to WebServer the encrypted Web.config file.
luisfbn