We are already aware that the ASP.NET IIS Registration tool (Aspnet_regiis.exe) is used to register ASP.NET applications with Internet Information Services (IIS). It provides some other features as well, most of which are documented in its MSDN article. One such feature is encryption of configuration file sections, which exists for security reasons: the protected section is stored as ciphertext on disk and the runtime decrypts it transparently when the application reads it. The MSDN article How To: Encrypt Configuration Sections in ASP.NET 2.0 Using DPAPI focuses on this feature.

The purpose of this blog post is to shed some light on this feature and to point out one common mistake made while using it.

 

1. When we can get the error "The configuration for physical path '*\web.config' cannot be opened."

2. Using this feature to encrypt config sections of a Windows/console application's configuration file, i.e. app.config

 

1. "The configuration for physical path 'web.config' cannot be opened"

 

Most of the time this error occurs because of an incorrect path to the config file. But in this case, when we check the path, it seems correct. If you look closely at the command again, you will find a difference from the one in the MSDN article above. So here is your command:

C:\Windows\Microsoft.NET\Framework64\v4.0.30319>aspnet_regiis.exe -pef "appSettings" "C:\inetpub\wwwroot\testweb\web.config" -prov "DataProtectionConfigurationProvider"

Microsoft (R) ASP.NET RegIIS version 4.0.30319.33440

Administration utility to install and uninstall ASP.NET on the local machine.

Copyright (C) Microsoft Corporation.  All rights reserved.

Decrypting configuration section...

The configuration for physical path 'C:\inetpub\wwwroot\testweb\web.config' cannot be opened.

Failed!


 

Did you find the difference? Yes, "web.config" is specified in the command. Of course, we should specify the file we are targeting for encryption. But hold on: remember that Aspnet_regiis.exe is only meant for web sites, and there can be only one web.config file in any folder. Even if you have a web1.config, it is of no use because the ASP.NET engine is not going to read it. So what's the point?

The point is that Aspnet_regiis.exe implicitly assumes that the specified path is a directory containing a web.config file, and it will encrypt the specified section of that file. So you have to specify just "C:\inetpub\wwwroot\testweb" and web.config will be appended by the tool automatically. If no web.config exists inside the folder, the tool will create an empty web.config with an empty section and then encrypt it (give it a try). The command should look like the following:

   

C:\Windows\Microsoft.NET\Framework64\v4.0.30319>aspnet_regiis.exe -pef "appSettings" "C:\inetpub\wwwroot\testweb" -prov "DataProtectionConfigurationProvider"

   

The same applies to decryption, and the command should look like this:

C:\Windows\Microsoft.NET\Framework64\v4.0.30319>aspnet_regiis.exe -pdf "appSettings" "C:\inetpub\wwwroot\testweb"

   

2. Using this feature to encrypt config sections of a Windows/console application's configuration file, i.e. app.config

   

Now the question is: how do we encrypt a section of an app.config file if aspnet_regiis.exe only looks for web.config, and after building, app.config is copied to the output folder under the naming convention AppTitle.exe.config?

   

Here is a screenshot of one such Windows application with a configuration file SampleApp.exe.config.

    


 

Following is the content of the configuration file, where you can see I have some sensitive database information (a connection string with a SQL login and its password) which we do not want to expose to users of the client's computer.

 

<?xml version="1.0" encoding="utf-8" ?>
<configuration>
  <startup>
    <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" />
  </startup>
  <appSettings>
    <add key="sConnectionString" value="Provider=SQLOLEDB;Data Source=Your_Server_Name;Initial Catalog=Your_Database_Name;User Id=Your_Username;Password=Your_Password;" />
  </appSettings>
</configuration>

 

As we are aware of this limitation of aspnet_regiis.exe, we can work around it. Let's fool aspnet_regiis.exe: what if we rename SampleApp.exe.config to web.config? :)

   
C:\Windows\Microsoft.NET\Framework64\v4.0.30319>rename E:\SampleApp\SampleApp\SampleApp\bin\Release\SampleApp.exe.config web.config
C:\Windows\Microsoft.NET\Framework64\v4.0.30319>aspnet_regiis.exe -pef "appSettings" E:\SampleApp\SampleApp\SampleApp\bin\Release -prov DataProtectionConfigurationProvider
C:\Windows\Microsoft.NET\Framework64\v4.0.30319>rename E:\SampleApp\SampleApp\SampleApp\bin\Release\web.config SampleApp.exe.config

 

Here is the encrypted config file. The final step is to rename it back to SampleApp.exe.config (the third command above does this; do not skip it, because the application only reads SampleApp.exe.config). Note that the source argument of rename must carry the full path and the destination must be a bare file name, otherwise rename will fail. One caveat before you ship this: DataProtectionConfigurationProvider uses DPAPI with machine-scope keys by default (useMachineProtection="true" in machine.config), so the encrypted section can only be decrypted on the machine where it was encrypted. The encryption therefore has to be performed on the client's machine, for example as a post-install step, and not on your build machine. It also means that any process running on that machine can decrypt the section: this protects the connection string against the file being copied off the box, not against a local administrator.

 
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
  <startup>
    <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" />
  </startup>
  <appSettings configProtectionProvider="DataProtectionConfigurationProvider">
    <EncryptedData>
      <CipherData>
        <CipherValue>
          AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAAVPxdfgBHA02++GKp0N/yYgQAAAACAAAAAAADZgAAwAAAABAAAADZaWlaU2XHAEquSvyREPJWAAAAAASAAACgAAAAEAAAAPbsjf6iKY3mQ0duO6Hk0mSY
          AQAAiwBI8J7lX73foO39YqjhtaSZ5H+e+h0Oc4vgzc2Eegkx1Ch67MBIFek7LhEtMKN06YVWw/lTdc+llLcjcjPfzvieupil2fOLZDAc6CSbTXItunMyhJWu3vlW+O/HPTtowq/c6Hz6TzryInBAxyX8ZBLRaFOU3
          JwhcjwEVoqWRZGNryO8sE5ntHEFatgiTh7pPvqtfMqd0UZz2lWWd+r/xJIr5ig6kfORkKE/plvATpey8zmTQNrxQx1v/dELislsBURDSHAmrL7CIDkbg5tQmj9cHtBh7BSUFHrK8JtCSPbTbUHVU4lcfbjMIrZ/1q
          inc0o0RTfhwusH+KLjSWb224E2ycxm3jubDM35dtZaGPrKCYpZS6KhaX4IVMFr5RMbdK+sJj4JLtN7O2kosM8nmYhPs+P0SUsBeJ117beE7egk5CWt7LdGXIAaRtdfEJVBFXWc5OKQGJQGWJVRPDslxgA/hviXk6y
          uPWS5gEc1aY+iSRAaqO+53nAEBvlurYrCp1MqjE75pTL56kcOrpYET89VN6dcDPWGFAAAALHIG4IJ0+C+oE9TkcY55KxCFkD6
        </CipherValue>
      </CipherData>
    </EncryptedData>
  </appSettings>
</configuration>
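The rename trick above can be wrapped so that both pitfalls from this post (passing a directory rather than a file to -pef, and the exe.config naming) are handled automatically, and the result can be verified by reading the file back through System.Configuration, which is exactly what the application does at runtime. The following PowerShell script is an added example, not code from the original post; the SampleApp paths in the usage lines are assumptions, and it assumes .NET Framework 4.x is installed and that it is run on the machine where the application will run (DPAPI machine-scope keys).

```powershell
# Added example (not from the original post): encrypt a section of an exe.config
# with aspnet_regiis.exe, working around its web.config-only assumption, and
# verify the result through System.Configuration.
# Assumptions: .NET Framework 4.x installed; script runs on the target machine,
# because DPAPI machine-scope ciphertext does not decrypt elsewhere.

$ErrorActionPreference = 'Stop'

function Protect-ExeConfigSection {
    param(
        [Parameter(Mandatory)] [string] $ConfigPath,          # e.g. ...\bin\Release\SampleApp.exe.config
        [string] $Section  = 'appSettings',
        [string] $Provider = 'DataProtectionConfigurationProvider'
    )

    $ConfigPath = (Resolve-Path $ConfigPath).Path
    $dir        = Split-Path $ConfigPath -Parent
    $webConfig  = Join-Path $dir 'web.config'

    # aspnet_regiis -pef takes a DIRECTORY and always operates on <dir>\web.config.
    # Refuse to clobber a real web.config that already lives next to the exe.config.
    if ((Test-Path $webConfig) -and ($ConfigPath -ne $webConfig)) {
        throw "A web.config already exists in $dir; not overwriting it."
    }

    # Prefer the 64-bit tool, fall back to the 32-bit one (both ship with .NET 4.x).
    $regiis = Join-Path $env:windir 'Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe'
    if (-not (Test-Path $regiis)) {
        $regiis = Join-Path $env:windir 'Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe'
    }

    # Plaintext backup so a failed run cannot lose the original settings.
    $backup = "$ConfigPath.bak"
    Copy-Item $ConfigPath $backup -Force

    $renamed = ($ConfigPath -ne $webConfig)
    $ok = $false
    try {
        if ($renamed) { Rename-Item $ConfigPath 'web.config' }
        # Pass the directory, not the file: this is the pitfall from section 1.
        & $regiis -pef $Section $dir -prov $Provider | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "aspnet_regiis.exe failed with exit code $LASTEXITCODE" }
        $ok = $true
    }
    finally {
        # Always rename back, even if aspnet_regiis failed, so the app still finds its config.
        if ($renamed -and (Test-Path $webConfig)) {
            Rename-Item $webConfig (Split-Path $ConfigPath -Leaf)
        }
        # Remove the plaintext backup on success; keep it only when something went wrong.
        if ($ok) { Remove-Item $backup -Force }
    }
}

function Test-ExeConfigSectionProtected {
    param(
        [Parameter(Mandatory)] [string] $ConfigPath,
        [string] $Section = 'appSettings'
    )
    Add-Type -AssemblyName System.Configuration
    $map = New-Object System.Configuration.ExeConfigurationFileMap
    $map.ExeConfigFilename = (Resolve-Path $ConfigPath).Path
    $cfg = [System.Configuration.ConfigurationManager]::OpenMappedExeConfiguration(
        $map, [System.Configuration.ConfigurationUserLevel]::None)
    $sec = $cfg.GetSection($Section)

    # IsProtected is true only if the on-disk section carries configProtectionProvider.
    # Reading AppSettings transparently decrypts it, which is why application code
    # needs no change after encryption.
    [pscustomobject]@{
        IsProtected = $sec.SectionInformation.IsProtected
        Provider    = $sec.SectionInformation.ProtectionProvider.Name
        KeyCount    = $cfg.AppSettings.Settings.Count
    }
}

# Usage (paths are assumptions; adjust to your build output):
# Protect-ExeConfigSection        -ConfigPath 'E:\SampleApp\SampleApp\SampleApp\bin\Release\SampleApp.exe.config'
# Test-ExeConfigSectionProtected  -ConfigPath 'E:\SampleApp\SampleApp\SampleApp\bin\Release\SampleApp.exe.config'
```

Run it from an elevated prompt on the machine that will execute the application. If Test-ExeConfigSectionProtected reports IsProtected = True with Provider = DataProtectionConfigurationProvider and the same KeyCount as before, the application will read the decrypted values without any code change. If a .bak file is left behind, the run failed and the plaintext copy should be dealt with before the folder is handed to anyone else.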

Hope you like it!

Please let me know if there is any concerns or queries.

 

Thanks

Gaurav