Problem reading encrypted credentials from registry

[David Coe, MCP]

The user that you are running ASP.NET as (ASPNET, or some customer user) will need to have access to the registry to read it.

[Matthew]

----- David Coe, MCP wrote: ----

The user that you are running ASP.NET as (ASPNET, or some customer user) will need to have access to the registry to read it
---------------------
I am running IIS 6 and Server 2003 so I set the "NETWORK SERVICES" account to have read access (I also tried full access). I checked the processes and ASPNET was not running but I tried ASPNET as well (with both read and full access) and the same error. I also tried to give permissions to all of the users of the running processes and still had the same error. I tried anonomous as well and still the same error

Below is the system.web section of my web.config file. If I comment out the identity section it works correctly. When it is not commented out the error message also points directly to the line that begins the identity section so that seems to be the problem

Do I need to set permissions in some place other than the registry? What else do you suggest

Thanks, Matthe

<system.web><compilation defaultLanguage="vb" debug="true" /><customErrors mode="RemoteOnly" /><authentication mode="Windows" /><identity impersonate="true
userName="registry:HKEY_LOCAL_MACHINE\SOFTWARE\MY_ SECURE_APP\Identity\ASPNET_SETREG,userName
password="registry:HKEY_LOCAL_MACHINE\SOFTWARE\MY_ SECURE_APP\Identity\ASPNET_SETREG,password" /><authorization><allow users="*" /><!-- Allow all users --></authorization><trace enabled="false" requestLimit="10" pageOutput="false" traceMode="SortByTime" localOnly="true" /><sessionState
mode="InProc
stateConnectionString="tcpip=127.0.0.1:42424
sqlConnectionString="data source=127.0.0.1;Trusted_Connection=yes
cookieless="false"
timeout="20"
/><globalization requestEncoding="utf-8" responseEncoding="utf-8" /
</system.web>

[Microsoft Newsgroups]

Hi,

I'm getting the same error. I have it working fine on a Windows 2000
server, but I get the same error Matthew does when I do the same thing on
Windows 2003.

Adam


"Matthew" <mhiklem(at)mimh(dot)edu> wrote in message
news:94ABDB4E-24FD-40A9-A904-DB98963EF0D5@microsoft.com...

> ----- David Coe, MCP wrote: -----
>
> The user that you are running ASP.NET as (ASPNET, or some customer

user) will need to have access to the registry to read it.

> ----------------------
> I am running IIS 6 and Server 2003 so I set the "NETWORK SERVICES" account

to have read access (I also tried full access). I checked the processes and
ASPNET was not running but I tried ASPNET as well (with both read and full
access) and the same error. I also tried to give permissions to all of the
users of the running processes and still had the same error. I tried
anonomous as well and still the same error.

>
> Below is the system.web section of my web.config file. If I comment out

the identity section it works correctly. When it is not commented out the
error message also points directly to the line that begins the identity
section so that seems to be the problem.

>
> Do I need to set permissions in some place other than the registry? What

else do you suggest?

>
> Thanks, Matthew
>
> <system.web><compilation defaultLanguage="vb" debug="true" /><customErrors

mode="RemoteOnly" /><authentication mode="Windows" /><identity
impersonate="true"

>

userName="registry:HKEY_LOCAL_MACHINE\SOFTWARE\MY_ SECURE_APP\Identity\ASPNET
_SETREG,userName"

>

password="registry:HKEY_LOCAL_MACHINE\SOFTWARE\MY_ SECURE_APP\Identity\ASPNET
_SETREG,password" /><authorization><allow users="*" /><!-- Allow all
users --></authorization><trace enabled="false" requestLimit="10"
pageOutput="false" traceMode="SortByTime" localOnly="true" /><sessionState

> mode="InProc"
> stateConnectionString="tcpip=127.0.0.1:42424"
> sqlConnectionString="data

source=127.0.0.1;Trusted_Connection=yes"

> cookieless="false"
> timeout="20"
> /><globalization requestEncoding="utf-8" responseEncoding="utf-8" /
> </system.web>

[Microsoft Newsgroups]

Oops -- meant to say that I have it running fine on Windows XP, but not
Windows 2003.


"Matthew" <mhiklem(at)mimh(dot)edu> wrote in message
news:94ABDB4E-24FD-40A9-A904-DB98963EF0D5@microsoft.com...

> ----- David Coe, MCP wrote: -----
>
> The user that you are running ASP.NET as (ASPNET, or some customer

user) will need to have access to the registry to read it.

> ----------------------
> I am running IIS 6 and Server 2003 so I set the "NETWORK SERVICES" account

to have read access (I also tried full access). I checked the processes and
ASPNET was not running but I tried ASPNET as well (with both read and full
access) and the same error. I also tried to give permissions to all of the
users of the running processes and still had the same error. I tried
anonomous as well and still the same error.

>
> Below is the system.web section of my web.config file. If I comment out

the identity section it works correctly. When it is not commented out the
error message also points directly to the line that begins the identity
section so that seems to be the problem.

>
> Do I need to set permissions in some place other than the registry? What

else do you suggest?

>
> Thanks, Matthew
>
> <system.web><compilation defaultLanguage="vb" debug="true" /><customErrors

mode="RemoteOnly" /><authentication mode="Windows" /><identity
impersonate="true"

>

userName="registry:HKEY_LOCAL_MACHINE\SOFTWARE\MY_ SECURE_APP\Identity\ASPNET
_SETREG,userName"

>

password="registry:HKEY_LOCAL_MACHINE\SOFTWARE\MY_ SECURE_APP\Identity\ASPNET
_SETREG,password" /><authorization><allow users="*" /><!-- Allow all
users --></authorization><trace enabled="false" requestLimit="10"
pageOutput="false" traceMode="SortByTime" localOnly="true" /><sessionState

> mode="InProc"
> stateConnectionString="tcpip=127.0.0.1:42424"
> sqlConnectionString="data

source=127.0.0.1;Trusted_Connection=yes"

> cookieless="false"
> timeout="20"
> /><globalization requestEncoding="utf-8" responseEncoding="utf-8" /
> </system.web>

[Microsoft Newsgroups]

Okay -- I figured out my problem. I needed to set permissions for the local
NETWORK SERVICE account.
When selecting users to add permissions for, click the Advanced button, then
the Locations button. Select the local server name at the top and click OK.
Click the Find Now button and select the NETWORK SERVICE account. This is
the account that needs permissions on the reg key you created.

Good luck!


"Microsoft Newsgroups" <afroio@cmins.com> wrote in message
news:ukpz8DYTEHA.1232@TK2MSFTNGP09.phx.gbl...

> Oops -- meant to say that I have it running fine on Windows XP, but not
> Windows 2003.
>
>
> "Matthew" <mhiklem(at)mimh(dot)edu> wrote in message
> news:94ABDB4E-24FD-40A9-A904-DB98963EF0D5@microsoft.com...

> > ----- David Coe, MCP wrote: -----
> >
> > The user that you are running ASP.NET as (ASPNET, or some customer

> user) will need to have access to the registry to read it.

> > ----------------------
> > I am running IIS 6 and Server 2003 so I set the "NETWORK SERVICES"

account

> to have read access (I also tried full access). I checked the processes

and

> ASPNET was not running but I tried ASPNET as well (with both read and full
> access) and the same error. I also tried to give permissions to all of the
> users of the running processes and still had the same error. I tried
> anonomous as well and still the same error.

> >
> > Below is the system.web section of my web.config file. If I comment out

> the identity section it works correctly. When it is not commented out the
> error message also points directly to the line that begins the identity
> section so that seems to be the problem.

> >
> > Do I need to set permissions in some place other than the registry? What

> else do you suggest?

> >
> > Thanks, Matthew
> >
> > <system.web><compilation defaultLanguage="vb" debug="true"

/><customErrors

> mode="RemoteOnly" /><authentication mode="Windows" /><identity
> impersonate="true"

> >

>

userName="registry:HKEY_LOCAL_MACHINE\SOFTWARE\MY_ SECURE_APP\Identity\ASPNET

> _SETREG,userName"

> >

>

password="registry:HKEY_LOCAL_MACHINE\SOFTWARE\MY_ SECURE_APP\Identity\ASPNET

> _SETREG,password" /><authorization><allow users="*" /><!-- Allow all
> users --></authorization><trace enabled="false" requestLimit="10"
> pageOutput="false" traceMode="SortByTime" localOnly="true" /><sessionState

> > mode="InProc"
> > stateConnectionString="tcpip=127.0.0.1:42424"
> > sqlConnectionString="data

> source=127.0.0.1;Trusted_Connection=yes"

> > cookieless="false"
> > timeout="20"
> > /><globalization requestEncoding="utf-8" responseEncoding="utf-8" /
> > </system.web>

>
>

[Matthew]

"David Coe, MCP" wrote:

> The user that you are running ASP.NET as (ASPNET, or some customer user) will need to have access to the registry to read it.

I tried a number of times to set permissions for the Network service account. but it failed to access it each time. Finally, after a 3 week vacation I tried again and was successful. I think my problem was that I set the permissions to high on the registry tree. Setting them on the lowest branch lead to success.

I did run into another problem with the password. I could read it from the registry but it could not create a valid user token from it. This even though when I used the same password as a simple string it would create the user. After some experimentation I discovered that the percent character "%" which I had included in the password was causing the problem. Changing that to another character alowed the password to be read correctly. I am not sure where the "%" was causing the problem (encryption, storage, retrieval, decryption) but changing it took care of my problems.

Thanks for the assistance.

Matthew