01 April 2008

Addendum to Connection String encryption

On our production servers, we found that requests from users without administrative rights on the server threw an error because the machine could not decrypt the RSA key used to protect the connection strings.

The solution we found that worked was to grant the SYSTEM account access to the crypto key. This is accomplished via the following command line:

C:\WINNT\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis.exe -pa "nameOfKey" "SYSTEM"

I also found that in order for me to encrypt the connection strings, my account (or a group I belonged to) had to have access to the crypto keys. Just being a local administrator on the box did not give me that access.

Microsoft makes it difficult (but not impossible) to add the access. The method is to grant your account access to the key files under C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys. Right-click each key file and attempt to view the Security tab. Some of the keys will throw an error telling you to close and re-open the Security dialog. When you re-open the Security tab, Windows will allow you to set access on the key.
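To avoid finding out about the missing key access from a production error, the following script, added here as an example and not part of the original post, checks ahead of time whether the account it runs under can open the RSA key container and decrypt the protected connectionStrings section. It assumes the default container name NetFrameworkConfigurationKey (pass -KeyContainerName if you used a custom one) and a hypothetical web.config path; run it under the identity the site actually uses, such as SYSTEM or the application pool account.

```powershell
param(
    [string]$KeyContainerName = "NetFrameworkConfigurationKey",
    [string]$WebConfigPath = "C:\inetpub\wwwroot\MyApp\web.config"   # hypothetical path, change it
)

# Step 1: open the existing container in the machine key store. UseExistingKey makes the
# call fail outright instead of silently creating a new, empty container when the key
# file cannot be read by this account.
$csp = New-Object System.Security.Cryptography.CspParameters
$csp.KeyContainerName = $KeyContainerName
$csp.Flags = [System.Security.Cryptography.CspProviderFlags]::UseMachineKeyStore -bor `
             [System.Security.Cryptography.CspProviderFlags]::UseExistingKey
try {
    $rsa = New-Object System.Security.Cryptography.RSACryptoServiceProvider -ArgumentList $csp
    $rsa.Clear()
    Write-Host "OK: $env:USERDOMAIN\$env:USERNAME can open key container '$KeyContainerName'."
} catch {
    Write-Host "FAIL: cannot open key container '$KeyContainerName': $($_.Exception.Message)"
    Write-Host "Grant access with: aspnet_regiis.exe -pa `"$KeyContainerName`" `"DOMAIN\account`""
    exit 1
}

# Step 2: load the web.config as a mapped configuration file and read the connectionStrings
# section. Reading an encrypted section forces RsaProtectedConfigurationProvider to decrypt
# it with the container checked above, so this is the same path the running site takes.
Add-Type -AssemblyName System.Configuration
$map = New-Object System.Configuration.ExeConfigurationFileMap
$map.ExeConfigFilename = $WebConfigPath
$level = [System.Configuration.ConfigurationUserLevel]::None
try {
    $config = [System.Configuration.ConfigurationManager]::OpenMappedExeConfiguration($map, $level)
    $section = $config.GetSection("connectionStrings")
    if (-not $section.SectionInformation.IsProtected) {
        Write-Host "NOTE: connectionStrings in $WebConfigPath is not encrypted; nothing to decrypt."
        exit 0
    }
    $provider = $section.SectionInformation.ProtectionProvider.Name
    $count = $section.ConnectionStrings.Count
    Write-Host "OK: decrypted $count connection string(s) using provider '$provider'."
} catch {
    Write-Host "FAIL: connectionStrings could not be decrypted: $($_.Exception.Message)"
    exit 1
}
```

A FAIL in step 1 is the permissions problem the post describes; a FAIL in step 2 with step 1 passing usually means the section was encrypted with a different container or provider than the one named in web.config.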