Encrypting Identities In Web.config

Tuesday, May 30, 2006

Rob Howard wrote a piece for MSDN Magazine on “Keeping Secrets in ASP.NET 2.0”. The article is a good introduction on how to encrypt configuration data in web.config.

Something I’ve had to do which wasn’t immediately obvious to me was encrypt the identity section of web.config for a specific location. For example, let’s say I don’t want the username and password in the following web.config file to appear in plain text.

<?xml version="1.0"?>
<configuration>

  <identity impersonate="false"/>

  <appSettings/>
  <connectionStrings/>
  <system.web>
     <compilation debug="true"/>
     <authentication mode="Windows"/>
  </system.web>

  <location path="admin">
   <system.web>
      <identity impersonate="true"
            userName="***"
            password="***"
     />
   </system.web>
  </location>

</configuration>

From the command line, a first crack at encryption might look like the following …

>aspnet_Regiis -pef system.web/identity e:\[path to website]
Encrypting configuration section...
Succeeded!

… except the above command only encrypts the first identity section, not the identity section inside of the <location> tag. The only way to reach the second identity section is to specify a location parameter, which is not available with the –pef switch, but is available with the –pe switch.

>aspnet_regiis -pe system.web/identity -app /[vdir] -location admin
Encrypting configuration section...
Succeeded!

The difference between –pef and –pe is subtle. The –pef switch uses a physical directory path to find web.config, while –pe uses a virtual path.

Comments
Gary Joslin Wednesday, July 26, 2006
Hello,

I have not figured out to encrypt a location specific section within the server level web.config file. How would you specify the location since there is not really a virtual root file?

Any ideas?

Thanks
gravatar Alexander Higgins Thursday, December 17, 2009
Parser Error Message: Failed to decrypt using provider 'RsaProtectedConfigurationProvider'. Error message from the provider: The RSA key container could not be opened.
gravatar scott Thursday, December 17, 2009
You need to give your worker process identity (NETWORK SERVICE perhaps) access to the key.
gravatar Tom Wednesday, April 21, 2010
Actually, you can't put a 'location' tag inside a 'system.web' tag - has to be directly off of the 'configuration' section.

Better to just put the 'identity' tag within 'system.web' and reference it like this:

aspnet_regiis -pe "system.web/identity" -app "/MySite"

-Tom
Comments are now closed.
Follow Me On Twitter
RSS Subscribe
Contact
Search Archives
by K. Scott Allen
K.Scott Allen