Reputation: 442
Some background:
I have a solution that consists of:
Both the IIS application and the Windows service are run under the same domain account. They also connect to the same database.
Database access credentials are stored in a common config file and are encrypted using the aspnet_regiis.exe tool. An ACL permission grants read access to the key container for the domain account.
The web application can access the key container and decrypt the connection string.
The service, on the other hand, cannot access the RSA key container. I get the error:
Unexpected error attempting to connect to the database; exception: System.Configuration.ConfigurationErrorsException: Failed to decrypt using provider 'RsaProtectedConfigurationProvider'. Error message from the provider: The RSA key container could not be opened. (C:\ApplicationDir\ConnectionSettings.config line 2) ---> System.Configuration.ConfigurationErrorsException: The RSA key container could not be opened.
Workarounds:
I'm leaning towards option 2, but what the heck is going on here?
Why does the application pool running under said domain account work, but not the Windows service, which is running under the same domain account?
Is this a situation where under certain circumstances the domain account is not considered part of the Everyone group?
What's the best practice for handling this situation?
Thanks, Kevin
Upvotes: 1
Views: 4857
Reputation: 442
So it turns out that read access needs to be granted to the "NetFrameworkConfigurationKey" for the domain account.
aspnet_regiis -pa "NetFrameworkConfigurationKey" "[DOMAIN_NAME]\[USER_ACCOUNT]"
More info: http://msdn.microsoft.com/en-us/library/yxw286t2(v=vs.100).aspx
Upvotes: 5
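An added diagnostic (PowerShell; not from the original question or answer) that shows what the fix above actually changes: it maps the machine-level RSA key container to its key file under MachineKeys, lists the file ACL that aspnet_regiis -pa edits, and then applies the grant. It assumes the provider's default CSP and the 64-bit .NET 4 framework path; the account name is a placeholder.

```powershell
# Run as the service's domain account to reproduce the open failure, or as an
# administrator to inspect the ACL. Container name is the provider default
# named in the answer; the account below is a placeholder to replace.
param(
    [string]$ContainerName = 'NetFrameworkConfigurationKey',
    [string]$Account = 'DOMAIN\svc_account'   # placeholder
)

function Get-MachineKeyContainerFile {
    param([string]$Name)
    # Same parameters RsaProtectedConfigurationProvider uses for a machine-level
    # container (assumption: default provider type, existing key only).
    $csp = New-Object System.Security.Cryptography.CspParameters
    $csp.KeyContainerName = $Name
    $csp.Flags = [System.Security.Cryptography.CspProviderFlags]::UseMachineKeyStore -bor
                 [System.Security.Cryptography.CspProviderFlags]::UseExistingKey
    try {
        $rsa = New-Object System.Security.Cryptography.RSACryptoServiceProvider $csp
    } catch {
        # This is the failure the service hit: the container exists but the
        # current identity has no read access to its key file (or it is absent).
        $who = [Security.Principal.WindowsIdentity]::GetCurrent().Name
        Write-Warning "Cannot open container '$Name' as ${who}: $($_.Exception.GetBaseException().Message)"
        return $null
    }
    $unique = $rsa.CspKeyContainerInfo.UniqueKeyContainerName
    $rsa.Dispose()   # PersistKeyInCsp is true here, so the key is not deleted
    Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" $unique
}

$keyFile = Get-MachineKeyContainerFile -Name $ContainerName
if ($keyFile) {
    # These ACEs are what aspnet_regiis -pa adds and -pr removes.
    Write-Host "Key file: $keyFile"
    (Get-Acl $keyFile).Access |
        Select-Object IdentityReference, FileSystemRights, AccessControlType |
        Format-Table -AutoSize
}

# The fix from the answer: grant the service account read access to the
# container. Use Framework instead of Framework64 for a 32-bit service.
$regiis = Join-Path $env:windir 'Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe'
& $regiis -pa $ContainerName $Account
```

Re-run the script as the service account afterwards: if the container opens and the account appears in the ACL with Read rights, the service will decrypt the section once restarted.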