
We're using aspnet_regiis to encrypt our web.config (and other app.config files). It works if I encrypt it on our webserver, but I need to be able to encrypt the file on another server and deploy it.

I know how to do this, and it works with our other config files on other servers that aren't under IIS. I also tested it by encrypting the file on the web server to make sure the problem wasn't the encryption process in general. The problem seems to be that the IUSR user doesn't have permission to access the key container. When I try the command:

aspnet_regiis -pa "MyKeyContainer" IUSR

It fails with the warning, "The specified username is invalid."

We are using IIS 7. Should we run IIS under a different user instead of IUSR to get this to work? Am I doing something else wrong?

DustinA

1 Answer


After some experimentation, I discovered that I had to grant permission to a user called "IIS APPPOOL\ABC" (where ABC is the 3 letter name of my app) so it could read the key container for IIS to read my encrypted file. I don't know where that name is coming from yet, but since "ABC" is the name of my app pool it's probably that.

To figure out this user, I put the output of the following method into a page in my app and then hit it with a web browser so it would tell me what user things were actually running under:

System.Security.Principal.WindowsIdentity.GetCurrent().Name

When I refreshed my browser, it output the "IIS APPPOOL\ABC" user. I then ran the following command from the command line:

aspnet_regiis -pa "ABCConfigKeys" "IIS APPPOOL\ABC"

That command gives permission to a user to read the encrypted config file, and that's the user that my app is running under.

My IIS7 Application Pool's identity is set to "ApplicationPoolIdentity". I fully expected to see the IUSR user when I printed it out, but instead I got this "IIS APPPOOL\ABC" thing.

Hopefully this helps someone else out.

DustinA
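A scripted form of the steps in this answer, as an added example that is not part of the original post: it reads which account the site's application pool runs as (ApplicationPoolIdentity yields the "IIS APPPOOL\<pool>" virtual account the answer found, rather than IUSR), grants that account access to the key container with aspnet_regiis -pa, and then lists the matching ACL entries under the machine key store. The site name, the aspnet_regiis path and the MachineKeys directory are assumptions; run it elevated on the IIS server.

```powershell
# Added example, not code from the original post. Assumes IIS 7+ with the
# WebAdministration module, a 64-bit .NET 4.x app pool, and an existing
# machine-level RSA key container (created earlier with aspnet_regiis -pc).
param(
    [string]$SiteName     = 'Default Web Site',   # placeholder site name
    [string]$KeyContainer = 'ABCConfigKeys'       # container name from the answer
)

Import-Module WebAdministration

# Resolve the application pool the site runs under and its process identity.
$poolName = (Get-Item "IIS:\Sites\$SiteName").applicationPool
$pool     = Get-Item "IIS:\AppPools\$poolName"

# Map the pool's identity type to the account name aspnet_regiis -pa expects.
# ApplicationPoolIdentity is the virtual account "IIS APPPOOL\<pool name>".
switch ("$($pool.processModel.identityType)") {
    'ApplicationPoolIdentity' { $account = "IIS APPPOOL\$poolName" }
    'NetworkService'          { $account = 'NT AUTHORITY\NETWORK SERVICE' }
    'LocalService'            { $account = 'NT AUTHORITY\LOCAL SERVICE' }
    'LocalSystem'             { $account = 'NT AUTHORITY\SYSTEM' }
    'SpecificUser'            { $account = $pool.processModel.userName }
    default { throw "Unhandled identity type: $($pool.processModel.identityType)" }
}
Write-Host "Granting '$account' access to key container '$KeyContainer'"

# aspnet_regiis ships in the framework directory; adjust if the pool targets another CLR.
$regiis = Join-Path $env:windir 'Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe'
& $regiis -pa $KeyContainer $account
if ($LASTEXITCODE -ne 0) { throw "aspnet_regiis -pa failed with exit code $LASTEXITCODE" }

# Verify: machine-level RSA containers are files under MachineKeys (file names are
# opaque), so list every key file that now carries an ACL entry for the account.
$keyDir = Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys'
foreach ($file in Get-ChildItem $keyDir -File) {
    $rules = (Get-Acl $file.FullName).Access |
        Where-Object { $_.IdentityReference.Value -eq $account }
    foreach ($rule in $rules) {
        "{0}: {1} {2}" -f $file.Name, $rule.IdentityReference, $rule.FileSystemRights
    }
}
```

If the pool identity later changes (for example to a custom service account), the container grant has to be repeated for the new account, which is why the script derives the account from the pool rather than hard-coding it.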