
I'm exploring ways of managing IIS with puppet. Applications are run across multiple servers, so I need the keys to be consistent across applications so if people move from one web server to the other auth is consistent.

That being said, The Keys - They're coming outta the goddamn walls!

I have found a lot of how-tos and information regarding shared configuration etc. But in terms of automating this without shared configuration, I would like to actually understand the role of these various keys within Windows Server 2016. I have had trouble finding that information.

In particular, the relationship between the following 3 keys (assuming these are different things):

  • The Machine Key (as displayed by the IIS GUI, or `Get-WebConfigurationProperty -PSPath Machine/Webroot /system.web/machineKey -name * | select *`), which seems to match the settings of the IIS GUI after I change them from auto-generated to specific keys.
  • Also Machine Keys? The IISConfigurationKey and iisWasKey keys that you can get with aspnet_regiis.

So how do the Machine Keys in the Webroot and the RSA keys exported from aspnet_regiis relate, and what is each of their specific purposes?

Do they all need to be consistent across the web farm (assuming they are not overridden by web.config) for consistent auth in ASP.NET apps running on them, or is it only the machine keys as displayed in the IIS GUI, as long as you don't try to copy the actual applicationHost files?

Kyle Brandt

1 Answer


There are really only two keys, not three.

There is the IISConfigurationKey ("Machine Key"), which can live in the webroot or in the global system config, and the iisWasKey. Essentially you can override the global machine key by having one in the app config.

The Machine Key is used to encrypt configuration sections. This is the key that will be used to encrypt things like configuration strings, and other bits that you can specify as part of the app.config.

The iisWasKey is used to encrypt the application pool identity.

So you need the private key from the machine that set up the IIS configuration on all IIS servers in the farm to be able to decrypt and run the config you are pushing out.

Reference 1
Reference 2

Zypher
    Ah okay, so after digging around and reading reference 2, I think the rub with Windows 2016 is that there is no simple way to export the iisWas*Cng*Key and import it like you could with the old RSA keys. So seems like enabling shared configuration to generate the import is the easiest way to go (if not actually using shared configuration to point to a single source). – Kyle Brandt Feb 07 '18 at 23:55
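The following PowerShell is an added example written for this page; it is not code from the question, the answer, or the comment above. It separates the two things the thread runs together: the ASP.NET `system.web/machineKey` (`validationKey`/`decryptionKey`), which is what forms-authentication tickets and ViewState MACs need to be identical on every farm member, and the `iisConfigurationKey` RSA container, which IIS uses to protect encrypted configuration sections in applicationHost.config and which `aspnet_regiis -px/-pi` can move between hosts. It generates one explicit machineKey, writes it to the server-level config, fingerprints it on every node so the secrets never leave the box during the comparison, and exports/imports the RSA container. The hostnames, the `C:\farmkeys` paths and the assumption that PowerShell remoting and the WebAdministration module are available on each host are placeholders, not facts from the page; the `iisWasKey` CNG key mentioned in the comment is deliberately not handled here because `aspnet_regiis` cannot export it.

```powershell
# Added example, not from the question or answer above.
# Assumptions (not from the page): WebAdministration module on every host,
# PowerShell remoting to the hosts in $Farm, writable C:\farmkeys, .NET 4.x 64-bit.
Import-Module WebAdministration

function New-HexKey {
    param([int]$Bytes)
    $buf = New-Object byte[] $Bytes
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($buf)
    return ($buf | ForEach-Object { $_.ToString('x2') }) -join ''
}

# 1. Generate ONCE on the configuration master and hand the result to config management.
#    Letting each host keep "AutoGenerate,IsolateApps" is exactly what breaks auth on failover.
function New-FarmMachineKey {
    @{
        validation    = 'HMACSHA256'
        validationKey = New-HexKey -Bytes 64   # HMAC-SHA256 key, 128 hex chars
        decryption    = 'AES'
        decryptionKey = New-HexKey -Bytes 32   # AES-256 key, 64 hex chars
    }
}

# 2. Write it to the server-level machineKey (MACHINE/WEBROOT = root web.config).
#    Applications inherit it unless their own web.config overrides the element.
function Set-ServerMachineKey {
    param([hashtable]$Key)
    foreach ($name in 'validation', 'validationKey', 'decryption', 'decryptionKey') {
        Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT' `
            -Filter 'system.web/machineKey' -Name $name -Value $Key[$name]
    }
}

# 3. Compare fingerprints, not keys: SHA-256 over the two key strings per host.
$FingerprintScript = {
    Import-Module WebAdministration
    $mk = Get-WebConfiguration -PSPath 'MACHINE/WEBROOT' -Filter 'system.web/machineKey'
    if ($mk.validationKey -like 'AutoGenerate*' -or $mk.decryptionKey -like 'AutoGenerate*') {
        return "$env:COMPUTERNAME AUTOGENERATE"   # can never match another host
    }
    $sha   = [System.Security.Cryptography.SHA256]::Create()
    $bytes = [System.Text.Encoding]::UTF8.GetBytes("$($mk.validationKey)|$($mk.decryptionKey)")
    $hex   = ($sha.ComputeHash($bytes) | ForEach-Object { $_.ToString('x2') }) -join ''
    return "$env:COMPUTERNAME $hex"
}

function Test-FarmMachineKey {
    param([string[]]$Farm)
    $rows = Invoke-Command -ComputerName $Farm -ScriptBlock $FingerprintScript
    $rows | ForEach-Object { Write-Host $_ }
    $distinct = @($rows | ForEach-Object { ($_ -split ' ')[1] } | Sort-Object -Unique)
    if ($distinct.Count -ne 1) { throw 'machineKey differs across the farm (see rows above)' }
    Write-Host "machineKey consistent across $($Farm.Count) hosts"
}

# 4. The iisConfigurationKey RSA container is a different key from <machineKey>.
#    Export it WITH its private key (-pri) on the host that encrypted the config,
#    import it on each target. If the target already has its own container from a
#    default IIS install, -pi may refuse; confirm nothing on that host is encrypted
#    with it and remove it first with: aspnet_regiis -pz iisConfigurationKey
$AspNetRegIIS = Join-Path $env:windir 'Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe'

function Export-IISConfigurationKey {
    param([string]$Path = 'C:\farmkeys\iisConfigurationKey.xml')
    New-Item -ItemType Directory -Force -Path (Split-Path $Path) | Out-Null
    & $AspNetRegIIS -px 'iisConfigurationKey' $Path -pri
    if ($LASTEXITCODE -ne 0) { throw "aspnet_regiis -px failed ($LASTEXITCODE)" }
    # The XML now holds a private key in the clear: lock it down, move it over an
    # authenticated channel, and delete it after import.
    icacls $Path /inheritance:r /grant:r "$($env:USERNAME):(R)" | Out-Null
}

function Import-IISConfigurationKey {
    param([string]$Path = 'C:\farmkeys\iisConfigurationKey.xml')
    & $AspNetRegIIS -pi 'iisConfigurationKey' $Path -exp   # -exp: keep it exportable for the next node
    if ($LASTEXITCODE -ne 0) { throw "aspnet_regiis -pi failed ($LASTEXITCODE)" }
    Remove-Item $Path -Force
}

# Usage (hostnames are placeholders):
#   master:   $k = New-FarmMachineKey; $k | Export-Clixml C:\farmkeys\machinekey.clixml
#             Set-ServerMachineKey -Key $k; Export-IISConfigurationKey
#   members:  Set-ServerMachineKey -Key (Import-Clixml C:\farmkeys\machinekey.clixml)
#             Import-IISConfigurationKey
#   anywhere: Test-FarmMachineKey -Farm 'web01', 'web02', 'web03'
```

The machineKey values are the piece Puppet should own as data: generate them once, store them in your secrets backend, and template them into the root web.config on every node, then run `Test-FarmMachineKey` as the acceptance check. Moving the RSA container only matters if you are also pushing out an applicationHost.config that contains sections encrypted on the master; for the CNG-backed `iisWasKey` on Server 2016, the comment above is right that the shared-configuration export is the practical route.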