I just learned the command to encrypt a connection string in my Web.config file.
aspnet_regiis -pe "connectionStrings" "/MyApp"
This command does encrypt Web.config. However, In my app I have a Web.config file for several environments: Web.test.config, Web.production.config, etc. Is it possible to specify which env/config file to encrypt? I tried:
aspnet_regiis -pe "connectionStrings" "/MyApp/Web.test.config"
But this did not work.
Don't use web.XXX.config because it has to be stored in your source code. You should be using environment variables (which you can still access via your existing code that reads web.config).
The environment variables can be defined on the server directly and this bypasses your problem, e.g. the production server has different connection string than UAT.
Related
Server is in Linux but we tried to publish .net core folder. It's working fine in IIS but not working in Linux server.
We are following below manner of project deployment to google server.
https://cloud.google.com/blog/products/gcp/4-ways-you-can-deploy-an-aspnet-core-app-to-gcp
Tried since 4 days.
I need to convert my certificate read code into linux sever mode is below.
string base64str = Convert.ToBase64String(Certificate);
X509Certificate2 certificate = new X509Certificate2(baseBytes, "notasecret", X509KeyStorageFlags.Exportable);
We are used above line for generating signed url of which file are stored at google repositories.
I had the same error when running docker locally and what fixed it is by specifying the cert and password.
docker run -i -p 443:443 -e ASPNETCORE_Kestrel__Certificates__Default__Path="name_of_file.pfx" -e ASPNETCORE_Kestrel__Certificates__Default__Password="password_here"
Note that you need to specify the correct case in the filename and also use double quotes and not single quotes. No quotes also work but if the text needs escaping then it will be trouble so better use double quotes.
In my case, I had wrong path for this environment variable.
ASPNETCORE_Kestrel__Certificates__Default__Path: 'path/localhost.pfx'
So I corrected the path to required pfx file and it worked like a charm.
My project Web.config has connection strings defined in a separate file using the following construct:
<connectionStrings configSource="ConnectionStrings.config">
</connectionStrings>
This is handy when collaborating on a project or when deploying the project. However, I was unable to get the VSO Build working as it shows me the following error:
C:\Program Files
(x86)\MSBuild\14.0\bin\Microsoft.Common.CurrentVersion.targets (4105,
5) Could not copy the file
"C:\a\1\s\MyProject\ConnectionStrings.config" because it was not
found.
The connection string must be already defined in the web.config and the connection string name must be the same as the connection string name you set in Azure. Then the connection string can be updated by Azure. Refer to the description from Azure:
Connection strings work in a similar fashion, with a small additional
requirement. Remember from earlier that there is a connection string
called “example-config_db” that has been associated with the website.
If the website’s web.config file references the same connection string
in the configuration section, then Windows Azure
Web Sites will automatically update the connection string at runtime
using the value shown in the portal.
However, if Windows Azure Web Sites cannot find a connection string
with a matching name from the web.config, then the connection string
entered in the portal will only be available as an environment
variable (as shown earlier).
And
Remember though that for Windows Azure Web Sites to override a
connection string and materialize it in the .NET Framework’s
connection string configuration collection, the connection string must
already be defined in the web.config. For this example website, the
web.config has been updated as shown below:
For more information, please see this link: https://azure.microsoft.com/en-us/blog/windows-azure-web-sites-how-application-strings-and-connection-strings-work/
I know you already mark your question answered but I think I should post my solution here for anyone's having same issue.
I create a transformation for the connectionStrings section in other environment with a dummy connectionstring value like this:
<connectionStrings xdt:Transform="Replace">
<add name="Your_ConnectionString_Name" connectionString="dummy_value"
providerName="System.Data.SqlClient" />
</connectionStrings>
so that I can keep the configSource attribute in my local machine and when I deploy to other environments, I have some dummy connectionstring for Azure to replace.
I am encrypying my .NET config file using this command and it works just fine:
aspnet_regiis -pe "connectionStrings" -app "/SampleApplication"
For this to work though I have to have a virtual directory called SampleApplication pointing to the folder my web.config file is under.
Is there a way to just specify the path to the file and not have to have a virtual dir?
I tried with
aspnet_regiis -pe "connectionStrings" -location "c:\FoldercontainingWebConfigFile"
but i get the error: " path attribute must be a relative virtual path". And cannot contain any of ":" "\" etc...
I am looking here:
http://msdn.microsoft.com/en-us/library/k6h9cz8h%28v=vs.80%29.aspx
Is there any way to do this?
I got it with!
-pef "sectionName" "full path to directory containing web.config file"
Have a look at this tool - it loads all your IIS sites and vdirs, and lets you pick the file (and section) you want to encrypt/decrypt.
During the installation of our program we run this method to encrpyt sections of the app.config:
// Get the application configuration file.
Configuration config =
ConfigurationManager.OpenExeConfiguration(ConfigurationUserLevel.None);
// Define the Rsa provider name.
const string provider = "RsaProtectedConfigurationProvider";
// Get the section to protect.
ConfigurationSection connStrings = config.ConnectionStrings;
if (connStrings != null)
{
if (!connStrings.SectionInformation.IsProtected)
{
if (!connStrings.ElementInformation.IsLocked)
{
// Protect the section.
connStrings.SectionInformation.ProtectSection(provider);
connStrings.SectionInformation.ForceSave = true;
config.Save(ConfigurationSaveMode.Full);
}
}
}
Works fine so far. But if I run this program, we encounter of several machines the following error "Failed to decrypt using provider 'RsaProtectedConfigurationProvider'. Error message from the provider: The RSA key container could not be opened".
Of course I searched and found this help, but this doesn't work. Any ideas?
I ran into similar issues while debugging within Visual Studio 2010 on Win 7 with UAC set to it's default protection.
In order for me to get around this issue, I had to run Visual Studio as the Administrator ("Run as Administrator").
I had the same issue with trying to run the aspnet_regiis.exe to encrypt the section of my web.config. If I didn't run the commandline/console "as Administrator" I would get a commandline error that was even more cryptic: "Object already exists."
Yes.
Reason is those machines working have RsaProtectedConfigurationProvider setup in their machine.config. Those not working, don't have it - just manually add it for those machines.
I imagine that's one of the steps aspnet_regiis.exe does. I can't imagine you want to run that on all client machines.
UPDATE
OK, I have made the main part of the error in bold in your question - you are right it is a different issue. It is a security issue. If you look at the location C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys or C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys depending the operating system, you see a number of files. Your process does have access to the folder so just give files access to the whole folder for the identity of the application or a particular file (timestamp will tell you if you have created it).
I got this on an app.config that was running on a Windows Server set up as a SQL Server. It did not have IIS installed. The machine.config file listed RSAProtectedConfigurationProvider as the default, but when we looked in the two folders mentioned by Aliostad above the folders were empty.There were no keys installed. We used the aspnet_regiis tool to create a custom key. then we used it to grant access to the identity the batch job runs under. All of this was running cmd.exe and aspnet_regiis As Administrator.
I see several others have posted this question, however, none of the solutions I've tried have fixed this yet. I have a 32-bit XP running VS 2008 and I am trying to encrypt my connection string in my web.config file.
But I am getting the error:
The configuration section '...' was not found. Failed!
The command I give it:
C:\Program Files\Microsoft Visual Studio 9.0\VC>Aspnet_regiis.exe -pe "system.we
b/AdventureWorksConnectionString2" -app "/Documents and Settings/Admin/My Docume
nts/Visual Studio 2008/Projects/AddFileToSQL2"
Also, how does -app map virtual directory? In other words the path above is the directory right below c:. Is this the correct path to use? And AddFileToSQL2 is the name of my project, although it is part of the AddFileToSQL solution.
I have this folder web shared with all of the permissions.
And the relevant part of my web.config file:
<add name="AdventureWorksConnectionString2" connectionString="Data Source=SIDEKICK;Initial Catalog=AdventureWorks;Persist Security Info=true; User ID=AdventureWorks;Password=sqlMagic"
providerName="System.Data.SqlClient" />
With DPAPI, you can only encrypt whole sections as far as I know. Thus, you cannot encrypt just your one connection string but the entire connectionStrings section. Second the -app refers to the virtual path to the application on your IIS server in which it should find the given section and config file. Thus, if your site look like this:
root
/appFoo
And you wanted to encrypt the connection strings in /appFoo you would do
aspnet_regiis -pe "connectionStrings" -app "/appFoo"
How To: Encrypt Configuration Sections in ASP.NET 2.0 Using DPAPI