I would like to encrypt the connection string of my web.config. Here I have found a nice example on how to do this. I implemented this and on my development machine this runs fine. However, if I upload it to the provider, it does not work and fails with the following error:

[SecurityException: Request failed.] System.Configuration.DpapiProtectedConfigurationProvider.Encrypt(XmlNode node)

In this blog I have read that this is probably because the web runs in medium trust and therefore WebConfigurationManager.OpenWebConfiguration cannot be used. Instead, WebConfigurationManager.GetSection should be used. However, if I get the section as proposed, the call to ProtectSection fails with the following error message:

System.InvalidOperationException: This operation does not apply at runtime

Can anyone lead me to a solution for how I can encode (and decode) the connection string in the web.config file (at runtime)?

Update
Not a real answer to the question, but the hoster gave full trust to the web and now everything works fine. I leave the question open; maybe someone posts a solution to the original question and helps people having the same problem but not getting full trust.

1 Answer

From http://msdn.microsoft.com/en-us/library/89211k9b%28v=vs.80%29.aspx

// Requires: using System.Configuration; using System.Web.Configuration;
static void ToggleWebEncrypt()
{
    // Open the Web.config file.
    Configuration config = WebConfigurationManager.
        OpenWebConfiguration("~");

    // Get the connectionStrings section.
    ConnectionStringsSection section =
        config.GetSection("connectionStrings")
        as ConnectionStringsSection;

    // Nothing to do if the section could not be read.
    if (section == null)
    {
        return;
    }

    // Toggle encryption.
    if (section.SectionInformation.IsProtected)
    {
        section.SectionInformation.UnprotectSection();
    }
    else
    {
        section.SectionInformation.ProtectSection(
            "DataProtectionConfigurationProvider");
    }

    // Save changes to the Web.config file.
    config.Save();
}

UPDATE

Also, ensure that your service account has write permissions to the Web.config. Also, be aware that granting write permissions to your service account on the Web.config increases somewhat the security footprint of your application. Only do so if you understand and accept the risks.

10 Comments

Thanks for your answer. However, the line Configuration config = WebConfigurationManager.OpenWebConfiguration("~"); is the source of the exception; IIS does not execute it and throws a SecurityException!
@HCL: Does your service account have write permissions on the web.config file?
@kbrimington: Yes, the configuration tool of the hoster allows me to grant permissions on a per-directory basis and, as a test, I gave IUSR read/write permissions on the root (also of the virtual directory).
@kbrimington: It really seems to be as Shahed Khan writes in his post; the description of the error is as follows: The application attempted to perform an operation not allowed by the security policy. To grant this application the required permission please contact your system administrator or change the application's trust level in the configuration file
@HCL: Am I correct that it is still not working? If so, note that unless you are using impersonation, granting IUSR permissions does not solve the problem. It is the service account, not the user account that needs write permissions. You can use Environment.UserName to ferret out the name of the account, if you don't know it already.
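
A preflight wrapper around the answer's protect call, as an added example that is not part of the original posts: it probes the ASP.NET trust level before calling OpenWebConfiguration and, if saving fails, names the process account via Environment.UserName as suggested in the comments. The class and method names are hypothetical, and treating anything below full trust as a blocker is an assumption taken from the question's update.

```csharp
using System;
using System.Configuration;
using System.Security;
using System.Web;
using System.Web.Configuration;

public static class ConfigProtectionPreflight // hypothetical helper, not from the page
{
    // Highest ASP.NET trust level granted to this AppDomain, probed by demanding
    // each level from the top down.
    public static AspNetHostingPermissionLevel GetTrustLevel()
    {
        var levels = new[] {
            AspNetHostingPermissionLevel.Unrestricted, AspNetHostingPermissionLevel.High,
            AspNetHostingPermissionLevel.Medium, AspNetHostingPermissionLevel.Low,
            AspNetHostingPermissionLevel.Minimal };
        foreach (var level in levels)
        {
            try { new AspNetHostingPermission(level).Demand(); return level; }
            catch (SecurityException) { /* not granted; try the next lower level */ }
        }
        return AspNetHostingPermissionLevel.None;
    }

    // Returns null when connectionStrings is encrypted, otherwise the reason it is not.
    public static string TryProtectConnectionStrings()
    {
        AspNetHostingPermissionLevel trust = GetTrustLevel();
        // Assumption (from the question's update): only full trust lets the call succeed.
        if (trust != AspNetHostingPermissionLevel.Unrestricted)
            return "Trust level is " + trust + "; ask the hoster for full trust.";

        Configuration config = WebConfigurationManager.OpenWebConfiguration("~");
        ConfigurationSection section = config.GetSection("connectionStrings");
        if (section == null) return "No connectionStrings section found.";
        if (section.SectionInformation.IsProtected) return null; // already encrypted

        section.SectionInformation.ProtectSection("DataProtectionConfigurationProvider");
        try { config.Save(); return null; }
        catch (Exception ex)
        {
            if (!(ex is ConfigurationErrorsException || ex is UnauthorizedAccessException)) throw;
            // Name the account that actually needs write access to Web.config.
            return "Save failed for account '" + Environment.UserName + "': " + ex.Message;
        }
    }
}
```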