The RSA key container could not be opened

3

20

I've been developing an ASP.NET site on an older machine running XP home. I recently got a new Win 7 PC and moved all my project files across. When I try and run the project, I get this error message:

"Failed to decrypt using provider 'MyRsaProtectedConfigurationProvider'. Error message from the provider: The RSA key container could not be opened."

I realised that I encrypted parts of my web.config file using RSA encryption. This is where the problem now lies. I'm not sure how to get that key working again so that I can use it on my new machine. I exported the key from the older machine and imported it using:

aspnet_regiis -pi "RSAProviderName" "C:\RSA_configkey.xml"

This was imported successfully. I then ran the project, but the same error message came up. I figured it might be a permission thing, so I ran:

aspnet_regiis -pa "RSAProviderName" "\Desktop" -full

This was also successful, but I still get the error. From reading around, I've seen people use "ASPNET" instead of "\Desktop" (Desktop is my machine name). However, when I try and use "ASPNET", I get:

No mapping between account name and security IDs was done. <Exception from HRESULT = 0x80070534

I can't work on the project until this is fixed, so any help is much appreciated. Thanks!

Hamnet answered 27/5, 2010 at 13:38 Comment(0)
28

If you still have access to the older machine, you could always decrypt the configuration section on that machine, then copy the unencrypted config file to the new machine (and, if necessary, re-encrypt the file on the old machine).

On Windows 7, the account under which your IIS application pools run by default will likely be ApplicationPoolIdentity (as opposed to ASPNET). To grant permissions, try this:

aspnet_regiis -pa RSAProviderName "IIS APPPOOL\DefaultAppPool" -full

By the way, if you do decide to persevere with copying the key from the old machine to the new one, you should make sure that, when exporting, you export the private key data too:

aspnet_regiis -px RSAProviderName C:\RSA_configkey.xml -pri

And, optionally, to make the key data exportable during the import:

aspnet_regiis -pi RSAProviderName C:\RSA_configkey.xml -exp
Zellers answered 27/5, 2010 at 14:17 Comment(4)
Thanks for the help. I should have access to the older machine within the next hour, so will try this method. On a side note, what's the best way to reset the permissions I've granted (such as to \desktop)? Not too important since I'm the only user of the machine, but might be better. - Hamnet
You're welcome. To revoke permissions, you can use aspnet_regiis again with the -pr switch. Alternatively, find the file under C:\Users\All Users\Microsoft\Crypto\RSA\MachineKeys and change the permissions through Windows. - Zellers
Thanks again Dave, great help :) - Hamnet
Probably obvious, but in case someone did not pick up on it: you can see what app pool the website is running under. From there you can check the app pool to see what user it is running under. If it says "ApplicationPoolIdentity" this should work great. If you are not using the "DefaultAppPool" then you would change that name to whatever the name of the app pool you are using is, i.e. "IIS APPPOOL\MYAPPPOOL". - Friary
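The import, grant and check steps from the answer and comments above, run on the new machine as one script. This is an added example, not code from any poster on this page; the .NET Framework path, the default parameter values and the ProviderType/KeyNumber values used to reopen the container are assumptions, and it grants read-only access (the aspnet_regiis default) rather than -full.

```powershell
# Added example: import the exported key, grant the app pool identity, verify, clean up.
param(
    [string]$Container = 'RSAProviderName',            # must match keyContainerName in web.config
    [string]$KeyFile   = 'C:\RSA_configkey.xml',       # written on the old machine by -px ... -pri
    [string]$Account   = 'IIS APPPOOL\DefaultAppPool', # identity the site's app pool runs under
    # Assumed install path; use Framework64 or another version folder if that is what IIS runs.
    [string]$RegIis    = "$env:WINDIR\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
)
$ErrorActionPreference = 'Stop'

# Refuse to run unelevated, the failure the later answers on this page describe.
$me = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
if (-not $me.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Start PowerShell with "Run as administrator" and try again.'
}

& $RegIis -pi $Container $KeyFile      # import the key pair into the machine store
& $RegIis -pa $Container $Account      # read-only grant; the answer's -full gives full access

# Reopen the container without creating it; this throws if the import did not land.
$csp = New-Object System.Security.Cryptography.CspParameters 1   # 1 = PROV_RSA_FULL (assumed)
$csp.KeyContainerName = $Container
$csp.KeyNumber = 1                                                # exchange key (assumed)
$csp.Flags = [System.Security.Cryptography.CspProviderFlags]'UseMachineKeyStore, UseExistingKey'
$rsa = New-Object System.Security.Cryptography.RSACryptoServiceProvider $csp
$rsa.PersistKeyInCsp = $true           # keep the key when the object is released
$info = $rsa.CspKeyContainerInfo

# Map the container to its file under MachineKeys and read the ACL actually applied.
$file = Join-Path "$env:ALLUSERSPROFILE\Microsoft\Crypto\RSA\MachineKeys" $info.UniqueKeyContainerName
$ace  = (Get-Acl $file).Access | Where-Object { $_.IdentityReference.Value -eq $Account }
$result = New-Object psobject -Property @{
    Container  = $Container
    File       = $file
    Exportable = $info.Exportable      # False unless -exp was passed to -pi
    Rights     = ($ace | ForEach-Object { $_.FileSystemRights }) -join ', '
}
$rsa.Clear()
if (-not $ace) { throw "No ACL entry for $Account on $file" }

# The export file holds the private key in clear text; remove it once the import is verified.
Remove-Item -LiteralPath $KeyFile
$result
```

The same ACL listing shows any earlier grant that should be revoked with the -pr switch mentioned in the comments.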
8

I was facing the same issue, but running the command prompt/PowerShell as administrator resolved the issue.

Rhigolene answered 3/12, 2019 at 10:52 Comment(1)
This is such a gotcha - Sorgo
1

In my case, Visual Studio should be executed as Administrator; otherwise it cannot open the RSA key container.

Tonguetied answered 13/5, 2022 at 7:51 Comment(0)
