[ACCEPTED] "The RSA key container could not be opened" Error even after ACL Permission (for some users) - windows-server-2008

Accepted answer
Score: 13

Following is an approach I tried which does not involve Machine config.

Note: If the destination is in Windows Server 2008, the encryption steps need to be executed in a Windows Server 2008 itself.

Executed the below code on server A

Note:- Registering key

 cd C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319
 aspnet_regiis.exe -pc "MyProjectKeys" -exp

Note:- GRANTING ACCESS on SERVER A only

aspnet_regiis.exe -pa "MyProjectKeys" "IIS APPPOOL\testpsreloservices"
aspnet_regiis.exe -pa "MyProjectKeys" "NT AUTHORITY\NETWORK"

Exported XML file containing RSA Key

aspnet_regiis.exe -px "MyProjectKeys" E:\wmapps\webroot\myservice\MyProjectKey.xml -pri

Added the following in web.config

<configProtectedData>
  <providers>
    <clear/>
    <remove name="RSAProtectedConfigurationProvider" />
    <add name="RSAProtectedConfigurationProvider" keyContainerName="MyProjectKeys"
         type="System.Configuration.RsaProtectedConfigurationProvider, System.Configuration, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a, processorArchitecture=MSIL"
         useMachineContainer="true" />
  </providers>
</configProtectedData>

Encrypted

aspnet_regiis -pef "connectionStrings" "E:\wmapps\webroot\myservice" -prov "RsaProtectedConfigurationProvider"

Copied the encrypted files to B Server. Copied the key XML file into the B Server.

Created batch file with the following commands and executed it (for key registration and granting access)

c:
cd C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319
aspnet_regiis.exe -pi "MyProjectKeys" E:\wmapps\webroot\myservice\MyProjectKey.xml
aspnet_regiis.exe -pa "MyProjectKeys" "IIS APPPOOL\testpsreloservices"
aspnet_regiis.exe -pa "MyProjectKeys" "NT AUTHORITY\NETWORK"

Score: 5

If you have impersonation enabled, the RSA key container will be accessed using the identity of the user accessing the application, not Network Service.

You'll either need to disable impersonation, or add all the users that can access the application to the ACL of the key container.
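
The two answers above both come down to who is on the key container's ACL, so here is a check for server B, added as an example and not written by either answerer. It assumes Windows PowerShell running elevated; the container name, identities and export path are the ones from the accepted answer, and `Get-RsaContainerReport` is a hypothetical helper name.

```powershell
# Added diagnostic, not part of the answers. Run in an elevated Windows PowerShell on server B.
# Names and paths below are the ones used in the accepted answer; change them for your setup.
$ContainerName = 'MyProjectKeys'
$Identities    = 'IIS APPPOOL\testpsreloservices', 'NT AUTHORITY\NETWORK'
$ExportedKey   = 'E:\wmapps\webroot\myservice\MyProjectKey.xml'

function Get-RsaContainerReport {   # hypothetical helper name
    param([string]$Name, [string[]]$Expected)

    $csp = New-Object System.Security.Cryptography.CspParameters
    $csp.KeyContainerName = $Name
    # UseExistingKey makes a missing container an error instead of creating an empty one.
    $csp.Flags = [System.Security.Cryptography.CspProviderFlags]'UseMachineKeyStore, UseExistingKey, NoPrompt'
    $rsa = New-Object System.Security.Cryptography.RSACryptoServiceProvider -ArgumentList $csp
    try {
        $info = $rsa.CspKeyContainerInfo
        # Read the ACL as SIDs so an orphaned entry cannot break name translation.
        $sidType = [System.Security.Principal.SecurityIdentifier]
        $allowed = @($info.CryptoKeySecurity.GetAccessRules($true, $true, $sidType) |
            Where-Object { $_.AccessControlType -eq 'Allow' } |
            ForEach-Object { $_.IdentityReference.Value })

        # Explicit entries only: access gained through group membership is not evaluated.
        $access = foreach ($id in $Expected) {
            try   { $sid = (New-Object System.Security.Principal.NTAccount $id).Translate($sidType).Value }
            catch { $sid = $null }
            New-Object PSObject -Property @{
                Identity = $id
                Resolved = [bool]$sid
                HasAllow = [bool]($sid -and ($allowed -contains $sid))
            }
        }
        New-Object PSObject -Property @{
            Container  = $Name
            KeyFile    = $info.UniqueKeyContainerName   # file name under ...\Crypto\RSA\MachineKeys
            Exportable = $info.Exportable
            Access     = $access
        }
    }
    finally {
        $rsa.PersistKeyInCsp = $true   # keep the stored key when the handle is released
        $rsa.Clear()
    }
}

$report = Get-RsaContainerReport -Name $ContainerName -Expected $Identities
$report | Format-List Container, KeyFile, Exportable
$report.Access | Format-Table Identity, Resolved, HasAllow -AutoSize
# -px ... -pri writes the private key to disk; it should not stay in the web root after -pi.
if (Test-Path -LiteralPath $ExportedKey) { Write-Warning "Private key export still present: $ExportedKey" }
```

With impersonation enabled, add the accounts of the affected users to `$Identities`; a row with `HasAllow` false and no covering group entry matches the "for some users" symptom. Because the batch file imports with `-pi` and no `-exp`, the key on server B is expected to report `Exportable` as false.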

Score: 0

In my case, I had made my connection strings encrypted using ASPNET_REGIIS. I had one last application I finally got around to modifying to move from an older server to this server where encryption key was used. There was an older version of this application deployed already but not used. When I deployed (Published) the latest version to the server, I used the Replace method instead of delete. I came across this error, and stumbled here. None of the solutions worked for me.

My Fix: so I decided to clear the contents of the application folder, and re-publish.

Doing so corrected my issue.
