App.config connection string Protection error

Question

I am running into an issue I had before; can't find my reference on how to solve it.

Here is the issue. We encrypt the connection strings section in the app.config for our client application using code below:

        config = ConfigurationManager.OpenExeConfiguration(ConfigurationUserLevel.None)
        If config.ConnectionStrings.SectionInformation.IsProtected = False Then
            config.ConnectionStrings.SectionInformation.ProtectSection(Nothing)

            ' We must save the changes to the configuration file.'
            config.Save(ConfigurationSaveMode.Modified, True)
        End If

The issue is we had a salesperson leave. The old laptop is going to a new salesperson and under the new user's login, when it tries to to do this we get an error. The error is:

Unhandled Exception: System.Configuration.ConfigurationErrorsException: 
An error occurred executing the configuration section handler for connectionStrings. ---> System.Configuration.ConfigurationErrorsException: Failed to encrypt the section 'connectionStrings' using provider 'RsaProtectedConfigurationProvider'. 
Error message from the provider: Object already exists.
---> System.Security.Cryptography.CryptographicException: Object already exists

Answer 1

http://blogs.msdn.com/mosharaf/archive/2005/11/17/protectedConfiguration.aspx#1657603

copy and paste :D

Monday, February 12, 2007 12:15 AM by Naica

re: Encrypting configuration files using protected configuration

Here is a list of all steps I've done to encrypt two sections on my PC and then deploy it to the WebServer. Maybe it will help someone...:

1. To create a machine-level RSA key container

   aspnet_regiis -pc "DataProtectionConfigurationProviderKeys" -exp
   

2. Add this to web.config before connectionStrings section:

    <add name="DataProtectionConfigurationProvider"
   
         type="System.Configuration.RsaProtectedConfigurationProvider, System.Configuration, Version=2.0.0.0,
   
                  Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a,
   
                  processorArchitecture=MSIL"
   
         keyContainerName="DataProtectionConfigurationProviderKeys"
   
         useMachineContainer="true" />
   

   Do not miss the <clear /> from above! Important when playing with encrypting/decrypting many times

3. Check to have this at the top of Web.Config file. If missing add it:

   <configuration xmlns="http://schemas.microsoft.com/.NetConfiguration/v2.0">
   

4. Save and close Web.Config file in VS (very important!)

5. In Command Prompt (my local PC) window go to:

   C:\WINNT\Microsoft.NET\Framework\v2.0.50727

6. Encrypt: (Be aware to Change physical path for your App, or use -app option and give the name o virtual directory for app! Because I used VS on my PC I preferred the bellow option. The path is the path to Web.config file)

   aspnet_regiis -pef "connectionStrings" "c:\Bla\Bla\Bla" -prov "DataProtectionConfigurationProvider"

   aspnet_regiis -pef "system.web/membership" "c:\Bla\Bla\Bla" -prov "DataProtectionConfigurationProvider"

7. To Decrypt (if needed only!):

   aspnet_regiis -pdf "connectionStrings" "c:\Bla\Bla\Bla"
   
   aspnet_regiis -pdf "system.web/membership" "c:\Bla\Bla\Bla"
   

8. Delete Keys Container (if needed only!)

   aspnet_regiis -pz "DataProtectionConfigurationProviderKeys"
   

9. Save the above key to xml file in order to export it from your local PC to the WebServer (UAT or Production)

   aspnet_regiis -px "DataProtectionConfigurationProviderKeys" \temp\mykeyfile.xml -pri
   

10. Import the key container on WebServer servers:

    aspnet_regiis -pi "DataProtectionConfigurationProviderKeys" \temp\mykeyfile.xml
    

11. Grant access to the key on the web server

    aspnet_regiis -pa "DataProtectionConfigurationProviderKeys" "DOMAIN\User"
    

    See in IIS the ASP.NET user or use:

    Response.Write(System.Security.Principal.WindowsIdentity.GetCurrent().Name
    

12. Remove Grant access to the key on the web server (Only if required!)

    aspnet_regiis -pr "DataProtectionConfigurationProviderKeys" "Domain\User"
    

13. Copy and Paste to WebServer the encrypted Web.config file.

Answer 2

I found a more elegant solution that in my original answer to myself. I found if I just logged in as th euser who orignally installed the application and caused the config file connectionstrings to be encrypted and go to the .net framework directory in a commadn prompt and run

aspnet_regiis -pa "NetFrameworkConfigurationKey" "{domain}\{user}"

it gave the other user permission to access the RSA encryption key container and it then works for the other user(s).

Just wanted to add it here as I thought I had blogged this issue on our dev blog but found it here, so in case I need to look it up again it will be here. Will add link to our dev blog point at this thread as well.

Answer 3

So I did get it working.

1. removed old users account from laptop
2. reset app.config to have section not protected
3. removed key file from all users machine keys
4. ran app and allowed it to protect the section

But all this did was get it working for this user.

NOW I need to know what I have to do to change the code to protect the section so that multiple users on a PC can use the application. Virtual PC here I come (well after vacation to WDW tomorrow through next Wednesday)!

any advice to help pointing me in right direction, as I am not very experienced in this RSA encryption type stuff.

Answer 4

Sounds like a permissions issue. The (new) user in question has write permissions to the app.config file? Was the previous user a local admin or power user that could have masked this problem?