Reputation: 20244
I am abusing the Web.config file as the config file of some Windows service exe files, because the service mostly needs the same settings as IIS:
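// Resolve relative paths against the service's install directory
Directory.SetCurrentDirectory(AppDomain.CurrentDomain.BaseDirectory);
if (File.Exists("..\\Web.config"))
{
    var path = Path.GetFullPath("..\\Web.config");
    logger.Info("Web.config gefunden in {0}", path);
    // Switch this process's configuration file to the site's Web.config
    AppConfig.Change(path);
}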
Someone else has tried to encrypt parts of the Web.config file:
aspnet_regiis -pe connectionStrings -app /ourapp
Renaming an original App.config to Web.config and back seems to be Microsoft's recommended way of encrypting an App.config file:
https://weblogs.asp.net/jongalloway/encrypting-passwords-in-a-net-app-config-file
However, the Windows services won't start:
Anwendung: MyService.exe
Frameworkversion: v4.0.30319
Beschreibung: Der Prozess wurde aufgrund einer unbehandelten Ausnahme beendet.
Ausnahmeinformationen: System.Configuration.ConfigurationErrorsException
bei System.Configuration.RsaProtectedConfigurationProvider.ThrowBetterException(Boolean)
bei System.Configuration.RsaProtectedConfigurationProvider.GetCryptoServiceProvider(Boolean, Boolean)
bei System.Configuration.RsaProtectedConfigurationProvider.Decrypt(System.Xml.XmlNode)
bei System.Configuration.ProtectedConfigurationSection.DecryptSection(System.String, System.Configuration.ProtectedConfigurationProvider)
bei System.Configuration.Internal.InternalConfigHost.System.Configuration.Internal.IInternalConfigHost.DecryptSection(System.String, System.Configuration.ProtectedConfigurationProvider, System.Configuration.ProtectedConfigurationSection)
bei System.Configuration.Internal.DelegatingConfigHost.DecryptSection(System.String, System.Configuration.ProtectedConfigurationProvider, System.Configuration.ProtectedConfigurationSection)
bei System.Configuration.BaseConfigurationRecord.CallHostDecryptSection(System.String, System.Configuration.ProtectedConfigurationProvider, System.Configuration.ProtectedConfigurationSection)
bei System.Configuration.RuntimeConfigurationRecord.CallHostDecryptSection(System.String, System.Configuration.ProtectedConfigurationProvider, System.Configuration.ProtectedConfigurationSection)
bei System.Configuration.BaseConfigurationRecord.DecryptConfigSection(System.Configuration.ConfigXmlReader, System.Configuration.ProtectedConfigurationProvider)
Ausnahmeinformationen: System.Configuration.ConfigurationErrorsException
bei System.Configuration.BaseConfigurationRecord.EvaluateOne(System.String[], System.Configuration.SectionInput, Boolean, System.Configuration.FactoryRecord, System.Configuration.SectionRecord, System.Object)
bei System.Configuration.BaseConfigurationRecord.Evaluate(System.Configuration.FactoryRecord, System.Configuration.SectionRecord, System.Object, Boolean, Boolean, System.Object ByRef, System.Object ByRef)
bei System.Configuration.BaseConfigurationRecord.GetSectionRecursive(System.String, Boolean, Boolean, Boolean, Boolean, System.Object ByRef, System.Object ByRef)
bei System.Configuration.BaseConfigurationRecord.GetSectionRecursive(System.String, Boolean, Boolean, Boolean, Boolean, System.Object ByRef, System.Object ByRef)
bei System.Configuration.BaseConfigurationRecord.GetSectionRecursive(System.String, Boolean, Boolean, Boolean, Boolean, System.Object ByRef, System.Object ByRef)
bei System.Configuration.BaseConfigurationRecord.GetSection(System.String)
bei System.Configuration.ClientConfigurationSystem.System.Configuration.Internal.IInternalConfigSystem.GetSection(System.String)
bei System.Configuration.ConfigurationManager.GetSection(System.String)
bei System.Configuration.ConfigurationManager.get_ConnectionStrings()
bei MyService.Program.Main(System.String[])
Why is this and how can I fix it?
Upvotes: 3
Views: 1254
Reputation: 101633
You need to grant permission to access the RSA container with which your section has been encrypted to the account under which your service runs. By default (with the aspnet_regiis command you used in your question), that container is named "NetFrameworkConfigurationKey", so you need to do this:
aspnet_regiis -pa "NetFrameworkConfigurationKey" "YourServiceAccountHere"
Upvotes: 6
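The grant described in the answer above, as a script. This is an added example and not part of the original answer: it looks up the account the service actually runs as, normalizes it to a name that resolves, and grants it read-only access to the default key container. The service name MyService is taken from the event log in the question; the aspnet_regiis location under the v4.0.30319 framework directory and the use of an elevated prompt are assumptions.

```powershell
# Added example; run from an elevated PowerShell prompt.
$serviceName = 'MyService'                     # assumption: from "Anwendung: MyService.exe"
$container   = 'NetFrameworkConfigurationKey'  # default container named in the answer

# 1. Find the logon account of the service instead of guessing it.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$serviceName'"
if (-not $svc) { throw "Service '$serviceName' not found." }
if (-not $svc.StartName) { throw "Service '$serviceName' has no logon account set." }

# 2. Normalize the forms Win32_Service reports that do not resolve as-is.
switch -Regex ($svc.StartName) {
    '^LocalSystem$' { $account = 'NT AUTHORITY\SYSTEM'; break }
    '^\.\\(.+)$'    { $account = '{0}\{1}' -f $env:COMPUTERNAME, $Matches[1]; break }
    default         { $account = $svc.StartName }
}

# 3. Locate aspnet_regiis for the framework version shown in the event log.
$fx     = if ([Environment]::Is64BitOperatingSystem) { 'Framework64' } else { 'Framework' }
$regiis = Join-Path $env:WINDIR "Microsoft.NET\$fx\v4.0.30319\aspnet_regiis.exe"
if (-not (Test-Path $regiis)) { throw "aspnet_regiis.exe not found at $regiis" }

# 4. Grant access. Without -full the grant is read-only, which is all a
#    service needs to decrypt the section; it cannot modify or delete the key.
Write-Host "Granting '$account' read access to container '$container'"
& $regiis -pa $container $account
if ($LASTEXITCODE -ne 0) { throw "aspnet_regiis -pa exited with code $LASTEXITCODE" }

# 5. Start the service again and report its state.
Restart-Service -Name $serviceName
Get-Service -Name $serviceName | Select-Object Name, Status
```

Running the service under a dedicated low-privilege account rather than a shared one keeps the set of identities that can decrypt the connection strings small.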