Encrypted Web.Config sections after deployment

Posted Friday, January 27, 2006 11:21 AM by C-Dog's .NET Tip of the Day

A while back I posted about using aspnet_regiis to encrypt a section of a web.config. When trying this on a local machine, you will probably find that it works great. However, after deploying it I found a couple of things to look out for. First, of course, make sure that the machine.config has a machineKey specified and that it is the same across machines (including the original machine you did the encryption on).

I had already done that, but when I tried to access the data, I found that I got the error "Failed to decrypt using provider 'RsaProtectedConfigurationProvider'.". This is because the Network Service account does not have access to the key store by default, so you have to go and grant it on each target server. To do that, run the command below.

aspnet_regiis -pa "NetFrameworkConfigurationKey" "NT Authority\Network Service"

The Network Service account is the account ASP.NET typically runs under on Windows Server 2003. You would have to change this if you are running on Windows 2000.

After running this you shouldn't have any problem using an encrypted configuration section. If you need more help, refer to the article below from Microsoft.

How To: Encrypt Configuration Sections
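
A post-deployment check for the grant described above, as an added example that is not part of the original post: it finds the file that backs the NetFrameworkConfigurationKey container, checks whether Network Service has an explicit read entry on it, and runs the post's -pa command only when that entry is missing. It assumes an elevated Windows PowerShell session on the target server; the variable and function names are illustrative.

```powershell
# Added example (not from the original post). Run elevated on each target server.
# Container and account names are the ones used in the post's command.
$container = 'NetFrameworkConfigurationKey'
$account   = 'NT AUTHORITY\NETWORK SERVICE'

# Assumption: aspnet_regiis.exe sits in the runtime directory of the .NET
# Framework version hosting this PowerShell session.
$runtimeDir = [Runtime.InteropServices.RuntimeEnvironment]::GetRuntimeDirectory()
$regiis = Join-Path $runtimeDir 'aspnet_regiis.exe'
if (-not (Test-Path $regiis)) { throw "aspnet_regiis.exe not found in $runtimeDir" }

# Open the existing machine-level container. UseExistingKey makes this throw
# instead of silently creating a new, empty container if the name is wrong.
$csp = New-Object System.Security.Cryptography.CspParameters
$csp.KeyContainerName = $container
$csp.Flags = 'UseMachineKeyStore, UseExistingKey'
$rsa = New-Object System.Security.Cryptography.RSACryptoServiceProvider -ArgumentList $csp

# The container is stored as a file in the machine key store; the ACL on that
# file decides whether the worker process identity can load the key.
$keyFile = Join-Path ([Environment]::GetFolderPath('CommonApplicationData')) `
    ('Microsoft\Crypto\RSA\MachineKeys\' + $rsa.CspKeyContainerInfo.UniqueKeyContainerName)

# Compare by SID so the check does not depend on how the account name is spelled.
$sid = (New-Object System.Security.Principal.NTAccount($account)).Translate(
    [System.Security.Principal.SecurityIdentifier]).Value

# True when the account has its own Allow entry that includes ReadData.
# Access inherited through group membership is not counted.
function Test-KeyReadAccess {
    $rules = (Get-Acl -Path $keyFile).GetAccessRules(
        $true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($rule in $rules) {
        $canRead = [int]($rule.FileSystemRights -band
            [System.Security.AccessControl.FileSystemRights]::ReadData) -ne 0
        if ($rule.IdentityReference.Value -eq $sid -and
            $rule.AccessControlType -eq 'Allow' -and $canRead) { return $true }
    }
    return $false
}

if (Test-KeyReadAccess) {
    "OK: $account already has read access to $container"
} else {
    & $regiis -pa $container $account      # the command from the post
    if (-not (Test-KeyReadAccess)) { throw "Grant did not take effect on $keyFile" }
    "Granted: $account now has read access to $container"
}
```

Running it again after the grant should print the "OK" line, which makes it usable as a deployment smoke test on each server.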

Read the complete post at http://www.dotnettipoftheday.com/blog.aspx?id=248