Martin #1
pan machine dpapi user mode problems (roaming profiles & keys)
Hi,
I have a web app that uses dpapi in user mode. It's important that the keys
are usable across more than one machine - in case of disaster recovery, and
scaling path.
On a small test lan running windows 2000 and xp, I have this working - dpapi
service account with a roaming profile can encrypt on one machine and
decrypt on another.
In the live environment running windows 2003 and xp, across a site to site
vpn I have a number of problems:
1) using roaming profile across vpn is unreliable - had a situation with
existing local profile and no profile on remote machine (where the profile
path points) - logged in and out of local machine as the relevant account -
it didn't upload the profile in the location referenced by profile path for
that user.
2) therefore I did a manual backup and restore of the local profile
(documents and settings\username\*) from one machine to another (side
stepping roaming profile). Whilst each computer could encrypt and decrypt
on its own, I couldn't decrypt on one what had been encrypted on the
other.
Is there any way to view the user profile keys used by dpapi?
Should doing a manual backup and restore of the profile to another machine
have preserved the original keys so that I can encrypt on one, and decrypt
on the other machine?
Thanks
Martin
Martin Guest
Martin #2
Re: pan machine dpapi user mode problems (roaming profiles & keys)
I read in "How to troubleshoot the Data Protection API (DPAPI)"
section "DPAPI and Roaming Profiles"
(http://support.microsoft.com/default.aspx?scid=kb;en-us;309408#6) that "For
DPAPI to work correctly when it uses roaming profiles, the domain user must
only be logged on to a single computer in the domain. If the user wants to
log on to a different computer that is in the domain, the user must log off
the first computer before the user logs on to the second computer. If the
user is logged on to multiple computers at the same time, it is likely that
DPAPI will not be able to decrypt existing encrypted data correctly."
In an ASP.Net with enterprise services for DPAPI environment (as outlined in
the ASP.Net dpapi user mode how to), where the dpapiservice is running as
the account with the roaming profile, what happens if the service is running
on multiple machines simultaneously? Is this equivalent to the same user
being logged in multiple times? Is there any role for mandatory profiles to
stabilise the situation?
Is there any way for dpapi to be used in a web farm scenario?
Thanks
Martin
"Martin" <x@y.z> wrote in message
news:u3t1%23nesEHA.3940@TK2MSFTNGP10.phx.gbl...
> Hi,
>
> I have a web app that uses dpapi in user mode. It's important that the keys
> are usable across more than one machine - in case of disaster recovery, and
> scaling path.
>
> On a small test lan running windows 2000 and xp, I have this working - dpapi
> service account with a roaming profile can encrypt on one machine and
> decrypt on another.
>
> In the live environment running windows 2003 and xp, across a site to site
> vpn I have a number of problems:
> 1) using roaming profile across vpn is unreliable - had a situation with
> existing local profile and no profile on remote machine (where the profile
> path points) - logged in and out of local machine as the relevant account -
> it didn't upload the profile in the location referenced by profile path for
> that user.
>
> 2) therefore I did a manual backup and restore of the local profile
> (documents and settings\username\*) from one machine to another (side
> stepping roaming profile). Whilst each computer could encrypt and decrypt
> on its own, I couldn't decrypt on one what had been encrypted on the
> other.
>
> Is there any way to view the user profile keys used by dpapi?
>
> Should doing a manual backup and restore of the profile to another machine
> have preserved the original keys so that I can encrypt on one, and decrypt
> on the other machine?
>
> Thanks
> Martin
>
>
Martin Guest


