Web Config Encryption/Decryption in Framework 4.0

The RsaProtectedConfigurationProvider is the default protected configuration provider. It supports machine-level and user-level key containers for key storage. RSA machine key containers are stored in "C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys" on Windows Server 2003. The default keyContainerName for RsaProtectedConfigurationProvider in machine.config is 'NetFrameworkConfigurationKey' (it is good practice to use a different container on production servers). Keep in mind what this protects against: any account with read access to the container's key file in MachineKeys (local administrators and the identity you grant in step 4 below) can decrypt the sections, so the encryption guards against a copy of web.config leaking through backups, source control or a file-disclosure bug, not against code already running as the application pool identity.

To encrypt a web.config file with Framework 4.0 I used the following steps.

1. Find the location of the root web folder. In this case it is "D:\Inetpub\wwwroot\DemoWebsite".
2. Declare a provider that uses your own key container. Modify the web.config in the root folder of the DemoWebsite by adding the following sub-section inside the <configuration> element. I have set the keyContainerName to "DemoWebsiteConfigurationKey" and the provider name to "DemoWebsiteRSAProtectedConfigurationProvider" (this provider name is what you pass to -prov in steps 5 and 6).

<configProtectedData>
  <providers>
    <add keyContainerName="DemoWebsiteConfigurationKey"
         description="Uses RsaCryptoServiceProvider to encrypt and decrypt"
         name="DemoWebsiteRSAProtectedConfigurationProvider"
         type="System.Configuration.RsaProtectedConfigurationProvider,System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
  </providers>
</configProtectedData>

Note: The default provider definitions live in machine.config (usually C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\CONFIG\machine.config), where you will find the section below. We do not want to modify machine.config, so we add our own configProtectedData element to the DemoWebsite's web.config instead; providers declared there are added to those inherited from machine.config, so the default RsaProtectedConfigurationProvider remains available as well.


<configProtectedData defaultProvider="RsaProtectedConfigurationProvider">
<providers>
<add name="RsaProtectedConfigurationProvider"
type="System.Configuration.RsaProtectedConfigurationProvider,System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
description="Uses RsaCryptoServiceProvider to encrypt and decrypt"
keyContainerName="NetFrameworkConfigurationKey"
cspProviderName=""
useMachineContainer="true"
useOAEP="false" />
<add name="DataProtectionConfigurationProvider"
type="System.Configuration.DpapiProtectedConfigurationProvider,System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
description="Uses CryptProtectData and CryptUnProtectData Windows APIs to encrypt and decrypt"
useMachineProtection="true"
keyEntropy="" />
</providers>
</configProtectedData>

3. Open a command prompt (Windows > Run > cmd). If you are using Framework 4.0, change to the folder C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319. Run the following to create the RSA key container called "DemoWebsiteConfigurationKey":
aspnet_regiis -pc "DemoWebsiteConfigurationKey" -exp

The -exp switch marks the key as exportable, which you only need if you intend to export the container with -px and import it on other servers (a web farm). On a single server leave -exp off, so the private key cannot be exported from the container later.

4. Grant the identity the application runs as read access to the key container. For the default ASP.NET account on IIS 6:
aspnet_regiis -pa "DemoWebsiteConfigurationKey" "NT Authority\Network Service"

On IIS 7 and later grant the application pool identity instead, for example "IIS AppPool\DemoWebsite" (assuming a pool named DemoWebsite running as ApplicationPoolIdentity), or the specific domain account configured on the pool. Grant only the account that needs to decrypt; every account listed here can read the connection strings.

Note: If you skip this step you will see this error at runtime: "Failed to decrypt using provider 'RsaProtectedConfigurationProvider'. Error message from the provider: The RSA key container could not be opened".

5. Back up the web.config file, just in case. Then encrypt the connectionStrings section:
aspnet_regiis.exe -pef "connectionStrings" "D:\Inetpub\wwwroot\DemoWebsite" -prov "DemoWebsiteRSAProtectedConfigurationProvider"

6. Encrypt the appSettings section the same way:
aspnet_regiis.exe -pef "appSettings" "D:\Inetpub\wwwroot\DemoWebsite" -prov "DemoWebsiteRSAProtectedConfigurationProvider"

After this, each encrypted section element in web.config carries a configProtectionProvider="DemoWebsiteRSAProtectedConfigurationProvider" attribute and contains an EncryptedData element instead of the clear-text values.

The application code does not change: ConfigurationManager.ConnectionStrings and ConfigurationManager.AppSettings still return the clear-text values, because the provider decrypts the section when the configuration is loaded. If you want to edit web.config by hand, however, you have to decrypt it first, then modify it and encrypt it again (and do not leave the decrypted copy behind in backups or source control). To decrypt I did the following:

1. Open a command prompt (Windows > Run > cmd).
2. Change to the folder C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319.
3. Find the location of the root web folder. In this case it is "D:\Inetpub\wwwroot\DemoWebsite".
4. Decrypt the connectionStrings section (no -prov is needed, because the provider is read from the section's configProtectionProvider attribute):
aspnet_regiis.exe -pdf "connectionStrings" "D:\Inetpub\wwwroot\DemoWebsite"
5. Decrypt the appSettings section:
aspnet_regiis.exe -pdf "appSettings" "D:\Inetpub\wwwroot\DemoWebsite"
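The same procedure (create the key container, grant the application identity read access, encrypt, decrypt) can be done from a deployment tool through the .NET configuration and CSP APIs, which is also what aspnet_regiis does internally. The following console program is an added example and not code from the original post; the container, provider and account names are the post's, while the physical path, the 2048-bit key size and the use of a console application are assumptions. It must run elevated, because it creates a machine-level key container and changes the ACL on the key file under MachineKeys.

```csharp
using System;
using System.Configuration;
using System.IO;
using System.Security.AccessControl;
using System.Security.Cryptography;
using System.Web.Configuration;

// Added example: the aspnet_regiis -pc / -pa / -pef / -pdf steps as code.
public static class ProtectedConfigTool
{
    const string Container  = "DemoWebsiteConfigurationKey";                 // post's container
    const string Provider   = "DemoWebsiteRSAProtectedConfigurationProvider"; // post's provider name
    const string AppAccount = @"NT AUTHORITY\NETWORK SERVICE";               // post's IIS 6 identity
    const string WebRoot    = @"D:\Inetpub\wwwroot\DemoWebsite";             // assumed physical path

    // Equivalent of "aspnet_regiis -pc Container [-exp]": opens the machine-level
    // container if it exists, otherwise creates it. UseArchivableKey is what makes
    // the key exportable (the -exp switch); leave it off on a single server.
    public static RSACryptoServiceProvider EnsureKeyContainer(bool exportable)
    {
        var csp = new CspParameters
        {
            KeyContainerName = Container,
            Flags = CspProviderFlags.UseMachineKeyStore
                  | (exportable ? CspProviderFlags.UseArchivableKey : CspProviderFlags.NoFlags)
        };
        // PersistKeyInCsp defaults to true when a container name is given,
        // so the key stays in the store after this object is disposed.
        return new RSACryptoServiceProvider(2048, csp);
    }

    // Equivalent of "aspnet_regiis -pa Container Account": the container is a file in
    // MachineKeys named after its unique container name; grant the account Read on it.
    public static string GrantRead(RSACryptoServiceProvider rsa, string account)
    {
        string machineKeys = Path.Combine(
            Environment.GetFolderPath(Environment.SpecialFolder.CommonApplicationData),
            @"Microsoft\Crypto\RSA\MachineKeys");
        string keyFile = Path.Combine(machineKeys, rsa.CspKeyContainerInfo.UniqueKeyContainerName);

        FileSecurity acl = File.GetAccessControl(keyFile);
        acl.AddAccessRule(new FileSystemAccessRule(account, FileSystemRights.Read, AccessControlType.Allow));
        File.SetAccessControl(keyFile, acl);
        return keyFile;
    }

    // Open the site's web.config by physical path, the way -pef/-pdf do.
    static Configuration OpenWebConfig()
    {
        var map = new WebConfigurationFileMap();
        map.VirtualDirectories.Add("/", new VirtualDirectoryMapping(WebRoot, true));
        return WebConfigurationManager.OpenMappedWebConfiguration(map, "/");
    }

    // Equivalent of "aspnet_regiis -pef Section WebRoot -prov Provider".
    // Returns true if the section was encrypted now, false if it already was.
    public static bool Protect(string sectionName)
    {
        Configuration cfg = OpenWebConfig();
        ConfigurationSection section = cfg.GetSection(sectionName);
        if (section.SectionInformation.IsProtected) return false;
        section.SectionInformation.ProtectSection(Provider);   // writes configProtectionProvider + EncryptedData
        cfg.Save();
        return true;
    }

    // Equivalent of "aspnet_regiis -pdf Section WebRoot": the provider recorded in the
    // section's configProtectionProvider attribute is used, so none is passed here.
    public static bool Unprotect(string sectionName)
    {
        Configuration cfg = OpenWebConfig();
        ConfigurationSection section = cfg.GetSection(sectionName);
        if (!section.SectionInformation.IsProtected) return false;
        section.SectionInformation.UnprotectSection();
        cfg.Save();
        return true;
    }

    public static void Main(string[] args)
    {
        // Deployment order: key container, ACL for the application identity, then encrypt.
        using (RSACryptoServiceProvider rsa = EnsureKeyContainer(exportable: false))
        {
            Console.WriteLine("Key file: " + GrantRead(rsa, AppAccount));
        }
        Console.WriteLine("connectionStrings encrypted: " + Protect("connectionStrings"));
        Console.WriteLine("appSettings encrypted: " + Protect("appSettings"));
        // Before hand-editing, reverse it: Unprotect("connectionStrings"); Unprotect("appSettings");
    }
}
```

Protect and Unprotect are idempotent (they check IsProtected first), so the tool can be re-run safely on every deployment; the only step that needs the -exp equivalent is a farm where the same container has to be imported on every member.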

Reference:
http://msdn.microsoft.com/en-us/library/zhhddkxy.aspx
ASP.NET IIS Registration Tool
Encrypting the connection string in ASP.NET V2.0
RSA Algorithm
Encrypting configuration files using protected configuration
Managing Connection Strings for Web Farms in ASP.NET 2.0

How to get rid of Event Viewer errors?

Error:
The description for Event ID ( 0 ) in Source ( Learning Management System ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details. The following information is part of the event:

In the registry:
1. Open regedit and go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\Learning Management System.
2. If the 'EventMessageFile' value is missing, the error above shows in the event log. See the image below.

[Image: RegistryKey]

Code and solution:
The code below calls EventLog.CreateEventSource, which creates the 'Learning Management System' key under 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application' in the registry and also creates the 'EventMessageFile' expandable string value (REG_EXPAND_SZ) with the details below:
Value name: EventMessageFile
Value data: C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\EventLogMessages.dll

If the 'EventMessageFile' value is missing, Event Viewer shows the error message above. On my XP machine I do not see the above message because when I run the code it creates the 'Learning Management System' key and the EventMessageFile value. If you have created the key manually in the registry on the Windows 2003 server, because the application got a security exception while trying to create the key, then you also have to create the EventMessageFile value manually with the details mentioned above. That security exception is the expected outcome: creating an event source writes under HKLM\SYSTEM\CurrentControlSet\Services\EventLog, and the worker process identity (Network Service or the application pool identity) should not have write access there. Rather than loosening the registry ACL, register the source once at deployment time under an administrative account and let the application only write entries.

using System;
using System.Diagnostics;

// Check if the ATLAS web services are working
// (reqHTTPGetADFWebServices is the application's own request object)
if (reqHTTPGetADFWebServices.StatusCode == 0)
{
    // Check if the Application event log exists
    if (EventLog.Exists("Application"))
    {
        // Check if the event log source exists
        if (!EventLog.SourceExists("Learning Management System"))
        {
            // Register the source. This writes under HKLM\SYSTEM\CurrentControlSet\Services\EventLog
            // and throws a SecurityException when the worker identity lacks that right.
            EventLog.CreateEventSource("Learning Management System", "Application");
            // The source is created. Exit the application to allow it to be registered.
        }

        // Write a source, message and type entry to the event log.
        EventLog.WriteEntry("Learning Management System",
            "FAILED: ADF web services are not available.",
            EventLogEntryType.Error);
    }
}
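A deployment-time helper that registers the source under an administrative account, checks for the missing EventMessageFile value described above, and repairs a hand-made key is shown next. It is an added example and not code from the original post; the source name, log name and message DLL path are the post's, and the DLL path is assumed to exist on the target machine (adjust it for Framework64 or another Framework version).

```csharp
using System;
using System.Diagnostics;
using System.Security;
using Microsoft.Win32;

// Added example: run once, elevated, at deployment, so the web application
// never needs write access to the EventLog registry keys.
public static class EventSourceInstaller
{
    const string Source     = "Learning Management System";   // post's source name
    const string LogName    = "Application";                  // post's log
    const string MessageDll = @"C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\EventLogMessages.dll"; // post's value, assumed present
    const string EventLogKey = @"SYSTEM\CurrentControlSet\Services\EventLog\";

    // Creates the source with an explicit message resource file.
    // Returns false when the caller lacks the registry rights (the SecurityException
    // the post mentions). SourceExists is inside the try because it reads every log's
    // key, including Security, and can itself throw for a non-administrative account.
    public static bool Register()
    {
        try
        {
            if (EventLog.SourceExists(Source))
                return true;
            var data = new EventSourceCreationData(Source, LogName) { MessageResourceFile = MessageDll };
            EventLog.CreateEventSource(data);
            return true;
        }
        catch (SecurityException)
        {
            return false;
        }
    }

    // Reads the value Event Viewer needs. null means the key was created by hand
    // without it, and the "description for Event ID ( 0 ) ... cannot be found" text will appear.
    public static string ReadEventMessageFile()
    {
        using (RegistryKey key = Registry.LocalMachine.OpenSubKey(EventLogKey + LogName + "\\" + Source))
        {
            return key == null ? null : key.GetValue("EventMessageFile") as string;
        }
    }

    // Repairs a hand-made key by adding the REG_EXPAND_SZ value the post lists.
    // Returns true if the value was added, false if it was already there or the key is missing.
    public static bool RepairEventMessageFile()
    {
        using (RegistryKey key = Registry.LocalMachine.OpenSubKey(EventLogKey + LogName + "\\" + Source, writable: true))
        {
            if (key == null || key.GetValue("EventMessageFile") != null)
                return false;
            key.SetValue("EventMessageFile", MessageDll, RegistryValueKind.ExpandString);
            return true;
        }
    }

    public static void Main()
    {
        Console.WriteLine(Register() ? "Source registered." : "Run elevated: cannot create the event source.");
        if (ReadEventMessageFile() == null)
            Console.WriteLine("EventMessageFile added: " + RepairEventMessageFile());
        Console.WriteLine("EventMessageFile = " + ReadEventMessageFile());
    }
}
```

With the source registered this way, the application code above only ever reaches EventLog.WriteEntry, which needs no registry write access, and the SourceExists/CreateEventSource branch becomes a safety net rather than the normal path.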

Resources:
Error Message When ASP.NET Application Tries to Write New EventSource in the EventLog

How to check whether the application uses single sign-on or Forms authentication from C# code?

Suppose you have a C# web application that needs to run on an internal (inside the network) web server and an external (DMZ) web server. Both talk to the same database. The internal application needs single sign-on (SSO) through Windows authentication and the external application uses Forms authentication. In Visual Studio you have one project for both applications; depending on the web.config settings the application does either SSO or Forms authentication.

For SSO the web.config settings are,
<authentication mode="Windows"></authentication>

For Forms authentication the web.config settings are as follows (on the DMZ server also consider requireSSL="true" on the forms element, so the authentication cookie is only sent over HTTPS):
<authentication mode="Forms">
<forms name="LegalAidLogin" loginUrl="~/login.aspx" defaultUrl="~/default.aspx" timeout="30" protection="All" enableCrossAppRedirects="true">
</forms>
</authentication>

Now, in the login page, when you need to check the authentication mode on page load, use the code below:

// Load web.config (for a web application this is the site's root web.config)
System.Xml.XmlDocument config = new System.Xml.XmlDocument();
config.Load(AppDomain.CurrentDomain.SetupInformation.ConfigurationFile);
System.Xml.XmlNode node = config.SelectSingleNode("//configuration/system.web/authentication");

// Check the login mode, e.g. to decide whether to show "forgot your password"
// (guard against a missing element or attribute, otherwise this throws)
if (node != null && node.Attributes["mode"] != null && node.Attributes["mode"].Value == "Forms")
{}

If the user is already logged in and you need to check the authentication mode, use the code below. Note that under Windows authentication AuthenticationType is the negotiated scheme ("Negotiate", "NTLM" or "Kerberos"), not "Windows", which is why the comparison is made against "Forms":

if (HttpContext.Current.User.Identity.AuthenticationType != "Forms")
{}
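Instead of parsing web.config as XML, the configured mode can be read through the typed configuration API, which honours settings inherited from machine.config and <location> overrides. The helper below is an added example and not the original post's code; it covers both checks from this section (the configured mode on the login page and the mode of an already authenticated request), and the class and method names are my own.

```csharp
using System;
using System.Web;
using System.Web.Configuration;

// Added example: typed access to <system.web><authentication mode="..."/>.
public static class AuthModeHelper
{
    // The effective mode for the current application (Windows, Forms, Passport or None).
    public static AuthenticationMode ConfiguredMode()
    {
        var section = WebConfigurationManager.GetSection("system.web/authentication") as AuthenticationSection;
        // No section means the machine.config default applies, which is Windows.
        return section == null ? AuthenticationMode.Windows : section.Mode;
    }

    // Use on the login page: show "forgot your password" only for Forms authentication.
    public static bool IsFormsAuthentication()
    {
        return ConfiguredMode() == AuthenticationMode.Forms;
    }

    // Use once the user is authenticated. Forms reports "Forms" as the
    // AuthenticationType; Windows reports the negotiated scheme ("Negotiate",
    // "NTLM" or "Kerberos"), so the comparison is against "Forms" only.
    public static bool RequestUsedForms(HttpContext ctx)
    {
        var identity = (ctx != null && ctx.User != null) ? ctx.User.Identity : null;
        return identity != null
            && identity.IsAuthenticated
            && string.Equals(identity.AuthenticationType, "Forms", StringComparison.OrdinalIgnoreCase);
    }
}
```

In the login page's Page_Load this becomes `forgotPasswordLink.Visible = AuthModeHelper.IsFormsAuthentication();`, and the second check is `AuthModeHelper.RequestUsedForms(HttpContext.Current)`, which also returns false for an unauthenticated request rather than comparing an empty AuthenticationType.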
