Cannot decrypt connectionStrings in web.config

Discussion in 'Databases' started by gavin, Feb 14, 2014.

  1. I'm trying to encrypt my connectionStrings section following the instructions at:

    https://support.discountasp.net/KB/...sections-your-webconfig.aspx?KBSearchID=34194

    I've received confirmation from DASP that the key has been installed.

    When I browse to my application I get:

    Parser Error Message: Failed to decrypt using provider 'MyRsaProtectedConfigurationProvider'. Error message from the provider: The parameter is incorrect.

    I've also deployed this same application on a local server with the same encrypted web.config and there are no problems decrypting the connectionStrings etc.

    So, it seems that my web.config is ok but for some reason the decryption is failing at DASP.

    Any suggestions what the issue could be?

    Would DASP have installed the key correctly and also set the permissions correctly?

    How do you debug an issue like this?

    Regards
    Gavin



    <configProtectedData defaultProvider="MyRsaProtectedConfigurationProvider">
      <providers>
        <add name="MyRsaProtectedConfigurationProvider"
             type="System.Configuration.RsaProtectedConfigurationProvider, System.Configuration, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a, processorArchitecture=MSIL"
             keyContainerName="NetFrameworkConfigurationKey_components1"
             useMachineContainer="true" />
      </providers>
    </configProtectedData>
    <connectionStrings configProtectionProvider="MyRsaProtectedConfigurationProvider">
      <EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"
                     xmlns="http://www.w3.org/2001/04/xmlenc#">
        <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc" />
        <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
          <EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#">
            <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
            <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
              <KeyName>Rsa Key</KeyName>
            </KeyInfo>
            <CipherData>
              <CipherValue>...</CipherValue>
            </CipherData>
          </EncryptedKey>
        </KeyInfo>
        <CipherData>
          <CipherValue>...</CipherValue>
        </CipherData>
      </EncryptedData>
    </connectionStrings>
     
  2. martino DiscountASP.NET Staff

    Did you read this knowledge base article too? Also, did you contact support and ask them to install the RSA key on the server?

    If so, maybe there might be something wrong with the install. You can contact our support department and ask them to double check the installation of the RSA key that you requested to make sure it was installed correctly.
     
  3. Hi Martino. Yes, I followed those instructions to generate and export the key pair to an XML file. I uploaded this file and raised a ticket with support. I received confirmation through that ticket that the keys were installed. I will contact support again.
     
  4. martino DiscountASP.NET Staff

    Just make sure you refer to this forum post and provide us with a link to recreate the issue on our end. Our support department will check to see if the RSA key was correctly installed on the server.
     
  5. DASP reimported the key but I'm still getting the same error. The only thing I can think to do is to include the exact steps I took (i.e. following the KB articles) here and ask if someone could check what I've done. Then, I might try creating a new key pair and see if I have any more luck. As I said, decryption works here on a local server so I'm not sure what else I can do. Any suggestions are most welcome.
     
  6. My web application, including its web.config with the encrypted connectionStrings section, is installed to a sub-folder, i.e. it's not in the root folder. Does this make a difference?
     
  7. This is what I did. Could someone let me know if I've done something wrong? Thanks.

    Generate key pair:
    aspnet_regiis -pc "NetFrameworkConfigurationKey_components1" -exp
    Microsoft (R) ASP.NET RegIIS version 4.0.30319.33440
    Administration utility to install and uninstall ASP.NET on the local machine.
    Copyright (C) Microsoft Corporation. All rights reserved.
    Creating RSA Key container...
    Succeeded!

    Export key pair:
    aspnet_regiis.exe -px "NetFrameworkConfigurationKey_components1" "C:\temp\NetFrameworkConfigurationKey_components1.xml"
    Microsoft (R) ASP.NET RegIIS version 4.0.30319.33440
    Administration utility to install and uninstall ASP.NET on the local machine.
    Copyright (C) Microsoft Corporation. All rights reserved.
    Exporting RSA Keys to file...
    Succeeded!

    Updated web.config:
    <configProtectedData
        defaultProvider="MyRsaProtectedConfigurationProvider">
      <providers>
        <add name="MyRsaProtectedConfigurationProvider"
             type="System.Configuration.RsaProtectedConfigurationProvider, System.Configuration, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a, processorArchitecture=MSIL"
             keyContainerName="NetFrameworkConfigurationKey_components1"
             useMachineContainer="true" />
      </providers>
    </configProtectedData>

    Encrypt connectionStrings section:
    aspnet_regiis -pef connectionStrings C:\Componentspace\WebSite\InstantForum2013-2-Dev\InstantForum2013
    Microsoft (R) ASP.NET RegIIS version 4.0.30319.33440
    Administration utility to install and uninstall ASP.NET on the local machine.
    Copyright (C) Microsoft Corporation. All rights reserved.
    Encrypting configuration section...
    Succeeded!

    Updated connectionStrings section:
    <connectionStrings configProtectionProvider="MyRsaProtectedConfigurationProvider">
      <EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"
                     xmlns="http://www.w3.org/2001/04/xmlenc#">
        <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc" />
        <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
          <EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#">
            <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
            <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
              <KeyName>Rsa Key</KeyName>
            </KeyInfo>
            <CipherData>
              <CipherValue>...</CipherValue>
            </CipherData>
          </EncryptedKey>
        </KeyInfo>
        <CipherData>
          <CipherValue>...</CipherValue>
        </CipherData>
      </EncryptedData>
    </connectionStrings>

    Uploaded NetFrameworkConfigurationKey_components1.xml and contacted DASP.

    To test locally, grant permissions to key container:
    aspnet_regiis -pa NetFrameworkConfigurationKey_components1 everyone
    Microsoft (R) ASP.NET RegIIS version 4.0.30319.33440
    Administration utility to install and uninstall ASP.NET on the local machine.
    Copyright (C) Microsoft Corporation. All rights reserved.
    Adding ACL for access to the RSA Key container...
    Succeeded!

    Browsing to locally installed copy of application works.
     
  8. I went through the exact same steps above including DASP installing the new key pair (I received confirmation from them) and I'm still seeing the same error.

    At this stage I have no idea what else I can do.

    The only things I can think of are:

    1. Could someone please check the steps I've listed above? Am I doing something wrong?
    2. My web application, including its web.config with the encrypted connectionStrings section, is installed in a sub-folder, i.e. it's not in the root folder. Does this make a difference?
    3. I'm running on a Windows 2012 server. Could this somehow be a problem?
     
  9. Has anyone got any suggestions????
     
  10. Ok, it looks like there's no more help through the ticketing system. My only hope now is this forum.

    Can anybody tell me what I'm doing wrong?????

    Thanks.
     
  11. RayH DiscountASP.NET Lackey DiscountASP.NET Staff

    The only suggestion I can think of is to put the encryption setting in the root web.config. It probably does make a difference because of web.config inheritance issues. I'm not sure if marking the sub-folder as Web Application will make the error go away.
     
  12. martino DiscountASP.NET Staff

    I agree with RayH on this one. If you have a web.config on the root of the site account, it might be possible that it's inheriting the settings from the root of the site account to the child application where you have the other web.config with the setting. A quick way to check this is to rename the web.config on the root of the site account to something different so the server doesn't see it as a web.config file.

    This web page article will also show you how to prevent inheritance in the web.config here: http://codeblog.shawson.co.uk/stop-...herited-by-child-applications-in-sub-folders/
     
  13. Thanks Ray and Martino.

    I tried moving the <configProtectedData> and <connectionStrings> sections from the web.config of my child application to the root web.config but got the exact same error. I'll try disabling inheritance as suggested and will report back.
     
  14. Still no luck. Here's what I tried:

    1. Moved the <configProtectedData> and <connectionStrings> sections from the web.config of my child application to the root web.config.
    Failed with the original error.

    2. Put <location path="." inheritInChildApplications="false"> around <system.web> section of root web.config.
    Failed with the original error.

    3. Put <location path="." inheritInChildApplications="false"> around all child nodes of <configuration> in root web.config.
    Failed as the web.config syntax is invalid.

    Regarding web.config inheritance, I don't think this is the issue as the child web.config overrides any setting in the root web.config. The only issue I see is decryption of the connectionStrings.

    Any other suggestions?

    My local testing is on the same machine where I ran aspnet_regiis to generate the key pair. I will test on a different local server.

    How exactly do you import the key pair into the DASP server?

    Do you just run aspnet_regiis -pi and then aspnet_regiis -pa to grant permissions?

    Could you tell me exactly what you do so I can try to replicate the problem here?

    Thanks.
     
  15. I also tried renaming the root web.config. I still get the same error.
     
  16. Has anyone got any suggestions? I'm happy to try almost anything at this stage.

    If someone could tell me exactly what DASP does at their end to install the key pair I will try the same steps here to see if I can reproduce the issue.

    At this stage I don't know what else to try.

    Thanks.
     
  17. I believe I've found the problem.

    I was able to reproduce the problem locally by running aspnet_regiis -pz to delete the container and then aspnet_regiis -pi to import the key pair. I ran aspnet_regiis -pa to grant permissions. I then got the same "parameter is incorrect" error locally.

    I found a useful article at:

    http://msdn.microsoft.com/library/yxw286t2.aspx

    This mentions the -pri argument when exporting the key pair.

    I had been looking at the following page which makes no mention of this argument:

    http://msdn.microsoft.com/en-us/library/k6h9cz8h(v=vs.100).aspx

    Then, I went back to the DASP page:

    http://support.discountasp.net/KB/a335/how-to-install-your-rsa-keys-webconfig-encryption-on.aspx

    It includes the -pri argument that I'd somehow missed.

    So, I went through the same steps to generate, export (but now including the private key), delete, import and grant permissions.

    Now I can load the page locally.

    I also noticed that my original key pair file (presumably with only the public key) was 243 bytes long. The new key pair file (public and private key) is 915 bytes.

    I need to confirm this works with DASP once they import my new key pair file but this looks like a case of not reading the instructions properly.

    Sorry about that.
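
The difference found in post 17 between the two export files can be checked before a key file is sent to a host. This is an added example, not part of the thread or the DASP instructions; it assumes the file written by aspnet_regiis -px is an RSAKeyValue XML document (the format of .NET's RSA.ToXmlString), and the function name Test-RsaKeyExport is hypothetical.

```powershell
# Added example (not from the thread). Test-RsaKeyExport is a hypothetical name.
# Assumes the export is an RSAKeyValue XML document, as produced by RSA.ToXmlString.
function Test-RsaKeyExport {
    param([Parameter(Mandatory = $true)][string]$Xml)

    $doc = New-Object System.Xml.XmlDocument
    $doc.XmlResolver = $null            # never fetch external DTDs or entities
    $doc.LoadXml($Xml)
    $root = $doc.DocumentElement
    if ($root.LocalName -ne 'RSAKeyValue') {
        throw "Root element is '$($root.LocalName)', expected 'RSAKeyValue'."
    }

    # Public half: Modulus + Exponent. Private half: the CRT parameters and D.
    $privateParts = 'P', 'Q', 'DP', 'DQ', 'InverseQ', 'D'
    $present = @($root.ChildNodes |
        Where-Object { $_.NodeType -eq 'Element' } |
        ForEach-Object { $_.LocalName })
    $missingPublic  = @('Modulus', 'Exponent' | Where-Object { $present -notcontains $_ })
    $missingPrivate = @($privateParts | Where-Object { $present -notcontains $_ })

    # Key size in bits, derived from the decoded modulus length.
    $modulus = $root.SelectSingleNode('Modulus')
    $bits = 0
    if ($null -ne $modulus) {
        $bits = [Convert]::FromBase64String($modulus.InnerText).Length * 8
    }

    [pscustomobject]@{
        KeyBits             = $bits
        XmlBytes            = [Text.Encoding]::UTF8.GetByteCount($Xml)
        HasPublicKey        = ($missingPublic.Count -eq 0)
        HasPrivateKey       = ($missingPrivate.Count -eq 0)
        MissingPrivateParts = ($missingPrivate -join ',')
    }
}

# Constructed sample: a throwaway 1024-bit key generated for this demonstration.
$rsa = New-Object System.Security.Cryptography.RSACryptoServiceProvider 1024
try {
    $publicOnly  = $rsa.ToXmlString($false)   # same content as an export without -pri
    $withPrivate = $rsa.ToXmlString($true)    # same content as an export with -pri
} finally {
    $rsa.Clear()
}

Test-RsaKeyExport -Xml $publicOnly
Test-RsaKeyExport -Xml $withPrivate
```

To check a real export, pass the file contents, for example `Test-RsaKeyExport -Xml (Get-Content -Raw <path-to-exported-key.xml>)`. A file exported with -pri holds the private key in the clear, so remove it once the host has imported it.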
     
  18. Just confirming everything is working now at DASP.
     
  19. martino DiscountASP.NET Staff

    That's great to hear and I'm glad you resolved your issue. Thank you for posting what you did to resolve it too. I'm sure it might help someone else if they get the same problem as you.
     
