While reading Microsoft's documentation about DPAPI I found the following text:
DPAPI is focused on providing data protection for users. Because DPAPI requires a password to provide protection, the logical step is for DPAPI to use a user's logon password, which it does, in a way. DPAPI actually uses the user's logon credential. In a typical system, in which the user logs on with a password, the logon credential is simply a hash of the user's password.
That got me thinking - and what about those accounts that do not ask for passwords?
I mean the default accounts installed by Windows and IIS, such as NETWORK SERVICE, LOCAL SERVICE, LOCAL SYSTEM, ASPNET.
If I use DPAPI in a web app that runs under one of these accounts, what credentials will be used for the DPAPI MasterKey?