Encrypting Identities In Web.config

Rob Howard wrote a piece for MSDN Magazine on “Keeping Secrets in ASP.NET 2.0”. The article is a good introduction on how to encrypt configuration data in web.config.

Something I’ve had to do which wasn’t immediately obvious to me was encrypt the identity section of web.config for a specific location. For example, let’s say I don’t want the username and password in the following web.config file to appear in plain text.

<?xml version="1.0"?>
<configuration>

  <identity impersonate="false"/>

  <appSettings/>
  <connectionStrings/>
  <system.web>
     <compilation debug="true"/>
     <authentication mode="Windows"/>
  </system.web>

  <location path="admin">
   <system.web>
      <identity impersonate="true"
                userName="***"
                password="***"
      />
   </system.web>
  </location>

</configuration>

From the command line, a first crack at encryption might look like the following …

>aspnet_Regiis -pef system.web/identity e:\[path to website]
Encrypting configuration section...
Succeeded!

… except the above command only encrypts the first identity section, not the identity section inside the <location> tag. The only way to reach the second identity section is to specify a location parameter, which is not available with the -pef switch but is available with the -pe switch.

>aspnet_regiis -pe system.web/identity -app /[vdir] -location admin
Encrypting configuration section...
Succeeded!

The difference between -pef and -pe is subtle. The -pef switch takes the physical directory path of the web.config to encrypt, while -pe takes the application's virtual path (via -app) and can be narrowed to a single <location> with -location.
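The pitfall above (a -pef run that leaves the <location> identity in plain text) is easy to audit. The following script is an added example, not part of the original post: it walks every <identity> element in a web.config, reports which ones aspnet_regiis has already wrapped in <EncryptedData>, and prints the -pe command lines (using the -app and -location switches from the post) for the sections that still carry credentials. The sample config, the virtual directory name and the CipherValue are constructed placeholders.

```python
import xml.etree.ElementTree as ET

# Constructed web.config mirroring the post after the first "-pef" run: the
# root <identity> is encrypted, the one under <location path="admin"> is not.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <identity configProtectionProvider="RsaProtectedConfigurationProvider">
    <EncryptedData xmlns="http://www.w3.org/2001/04/xmlenc#">PLACEHOLDER</EncryptedData>
  </identity>
  <location path="admin">
    <system.web>
      <identity impersonate="true" userName="***" password="***"/>
    </system.web>
  </location>
</configuration>
"""
SENSITIVE_ATTRS = ("userName", "password")

def audit_identity_sections(config_xml):
    """One dict per <identity>: enclosing <location path> (None at the root),
    whether its body is an <EncryptedData> block, and any readable credentials."""
    root = ET.fromstring(config_xml)
    parent = {child: p for p in root.iter() for child in p}
    findings = []
    for ident in root.iter("identity"):
        node, location = parent.get(ident), None
        while node is not None:               # nearest enclosing <location>, if any
            if node.tag == "location":
                location = node.get("path")
                break
            node = parent.get(node)
        # aspnet_regiis sets configProtectionProvider and replaces the body
        # with a namespaced <EncryptedData> element.
        encrypted = any(c.tag.endswith("}EncryptedData") for c in ident)
        findings.append({
            "location": location,
            "protected": "configProtectionProvider" in ident.attrib and encrypted,
            "plaintext": [a for a in SENSITIVE_ATTRS if a in ident.attrib],
        })
    return findings

def pending_commands(config_xml, vdir):
    """aspnet_regiis -pe lines for each identity section still in plain text."""
    cmds = []
    for f in audit_identity_sections(config_xml):
        if not f["protected"] and f["plaintext"]:
            cmd = f"aspnet_regiis -pe system.web/identity -app {vdir}"
            if f["location"] is not None:
                cmd += f" -location {f['location']}"
            cmds.append(cmd)
    return cmds
```

Run `pending_commands(open("web.config").read(), "/MySite")` against a real file to list the sections -pef missed.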

posted @ Tuesday, May 30, 2006 3:52 AM

Comments on this entry:

# re: Encrypting Identities In Web.config
by Gary Joslin at 7/26/2006 8:06 PM

Hello,

I have not figured out how to encrypt a location-specific section within the server-level web.config file. How would you specify the location since there is not really a virtual root file?

Any ideas?

Thanks
  
# re: Encrypting Identities In Web.config
by Alexander Higgins at 12/17/2009 4:00 PM

Parser Error Message: Failed to decrypt using provider 'RsaProtectedConfigurationProvider'. Error message from the provider: The RSA key container could not be opened.
  
# re: Encrypting Identities In Web.config
by scott at 12/17/2009 9:36 PM

You need to give your worker process identity (NETWORK SERVICE perhaps) access to the key.
  
# re: Encrypting Identities In Web.config
by Tom at 4/21/2010 7:17 PM

Actually, you can't put a 'location' tag inside a 'system.web' tag - has to be directly off of the 'configuration' section.

Better to just put the 'identity' tag within 'system.web' and reference it like this:

aspnet_regiis -pe "system.web/identity" -app "/MySite"

-Tom
  
Scott Allen