Publishing to IIS Data Protection

  • Question

  • User1300194280 posted

    In following the instructions given in the documentation on how to set up your IIS server to host ASP.NET 5 sites, it talks about a PowerShell configuration script to set up Data Protection in the registry of the server.

    Here is the script:

    param (
        [Parameter(Mandatory = $True)]
        [string] $appPoolName
    )

    # Provisions the HKLM registry so that the specified user account can persist auto-generated machine keys.
    function Provision-AutoGenKeys {
        [CmdletBinding()]
        param (
            [ValidateSet("2.0", "4.0")]
            [Parameter(Mandatory = $True)]
            [string] $frameworkVersion,
            [ValidateSet("32", "64")]
            [Parameter(Mandatory = $True)]
            [string] $architecture,
            [Parameter(Mandatory = $True)]
            [string] $sid
        )
        process {
            # We require administrative permissions to continue.
            if (-Not (new-object System.Security.Principal.WindowsPrincipal([System.Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)) {
                Write-Error "This cmdlet requires Administrator permissions."
                return
            }

            # Open HKLM with an appropriate view into the registry
            if ($architecture -eq "32") {
                $regView = [Microsoft.Win32.RegistryView]::Registry32;
            } else {
                $regView = [Microsoft.Win32.RegistryView]::Registry64;
            }
            $baseRegKey = [Microsoft.Win32.RegistryKey]::OpenBaseKey([Microsoft.Win32.RegistryHive]::LocalMachine, $regView)

            # Open ASP.NET base key
            if ($frameworkVersion -eq "2.0") {
                $expandedVersion = "2.0.50727.0"
            } else {
                $expandedVersion = "4.0.30319.0"
            }
            $softwareMicrosoftKey = $baseRegKey.OpenSubKey("SOFTWARE\Microsoft\", $True);

            $aspNetKey = $softwareMicrosoftKey.OpenSubKey("ASP.NET", $True);
            if ($aspNetKey -eq $null)
            {
                $aspNetKey = $softwareMicrosoftKey.CreateSubKey("ASP.NET")
            }

            $aspNetBaseKey = $aspNetKey.OpenSubKey("$expandedVersion", $True);
            if ($aspNetBaseKey -eq $null)
            {
                $aspNetBaseKey = $aspNetKey.CreateSubKey("$expandedVersion")
            }

            # Create AutoGenKeys subkey if it doesn't already exist
            $autoGenBaseKey = $aspNetBaseKey.OpenSubKey("AutoGenKeys", $True)
            if ($autoGenBaseKey -eq $null) {
                $autoGenBaseKey = $aspNetBaseKey.CreateSubKey("AutoGenKeys")
            }

            # SYSTEM, ADMINISTRATORS, and the target SID get full access
            $regSec = New-Object System.Security.AccessControl.RegistrySecurity
            $regSec.SetSecurityDescriptorSddlForm("D:P(A;OICI;GA;;;SY)(A;OICI;GA;;;BA)(A;OICI;GA;;;$sid)")
            $userAutoGenKey = $autoGenBaseKey.OpenSubKey($sid, $True)
            if ($userAutoGenKey -eq $null) {
                # Subkey didn't exist; create and ACL appropriately
                $userAutoGenKey = $autoGenBaseKey.CreateSubKey($sid, [Microsoft.Win32.RegistryKeyPermissionCheck]::Default, $regSec)
            } else {
                # Subkey existed; make sure ACLs are correct
                $userAutoGenKey.SetAccessControl($regSec)
            }
        }
    }

    $ErrorActionPreference = "Stop"
    Try {
        $poolSid = (New-Object System.Security.Principal.NTAccount("IIS APPPOOL\$appPoolName")).Translate([System.Security.Principal.SecurityIdentifier]).Value
    }
    Catch [System.Security.Principal.IdentityNotMappedException] {
        Write-Error "Application pool '$appPoolName' account cannot be resolved."
    }

    Provision-AutoGenKeys "4.0" "32" $poolSid
    Provision-AutoGenKeys "4.0" "64" $poolSid

    I'm on a Windows 2012 server, and I add '= "ApppoolName"' to the declaration of the $appPoolName variable up top to define the name of an AppPool running on my IIS server for ASP.net 5 sites.

    I get the same error as when the variable is not defined -

    Write-Error Application Pool $appPoolName cannot be resolved

    What should I do now?

    Monday, April 25, 2016 8:11 PM


  • User-166373564 posted


    After researching how to configure Data Protection under IIS, I found the following information on Bing.

    To configure Data Protection under IIS you must either:

    • Run a PowerShell script to create suitable registry entries (usage: .\Provision-AutoGenKeys.ps1 DefaultAppPool). This will store keys in the registry, protected using DPAPI with a machine-wide key.
    • Configure the IIS Application Pool to load the user profile. This setting is in the Process Model section under the Advanced Settings for the application pool. Set Load User Profile to True. This will store keys under the user profile directory, protected using DPAPI with a key specific to the user account used for the app pool.
    • Adjust your application code to use the file system as a key ring store. If you do this you should use an X509 certificate to protect the key ring and ensure it is a trusted certificate, i.e. if it is a self-signed certificate you must place it in the Trusted Root store.

    Have a good day.


    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Tuesday, April 26, 2016 8:30 AM
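
A read-only diagnostic for the first two options listed in the answer, added here as an example and not part of the original thread or of the documentation's script. It confirms the application pool exists, resolves its SID (the step that reports the error in the question), then shows whether the AutoGenKeys subkey is provisioned in each registry view and whether Load User Profile is enabled. The default pool name is a placeholder; run it from an elevated prompt.

```powershell
# Added example: audits Data Protection prerequisites for one IIS app pool.
# Makes no changes. 'DefaultAppPool' is a placeholder; pass your own pool name.
param ([string] $appPoolName = 'DefaultAppPool')

$ErrorActionPreference = 'Stop'
Import-Module WebAdministration   # provides the IIS:\ drive

# 1. The pool has to exist before its virtual account can be resolved.
if (-not (Test-Path "IIS:\AppPools\$appPoolName")) {
    $known = (Get-ChildItem IIS:\AppPools).Name -join ', '
    throw "No application pool named '$appPoolName'. Pools on this server: $known"
}

# 2. Resolve the pool's virtual account to a SID, as the provisioning script does.
$account = New-Object System.Security.Principal.NTAccount("IIS APPPOOL\$appPoolName")
$poolSid = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
Write-Output "Pool '$appPoolName' resolves to $poolSid"

# 3. Registry option: look for AutoGenKeys\<SID> in both views and show its DACL.
#    The provisioning script sets D:P(A;OICI;GA;;;SY)(A;OICI;GA;;;BA)(A;OICI;GA;;;<SID>).
$hive    = [Microsoft.Win32.RegistryHive]::LocalMachine
$section = [System.Security.AccessControl.AccessControlSections]::Access
foreach ($viewName in 'Registry32', 'Registry64') {
    $view = [Microsoft.Win32.RegistryView]$viewName
    $hklm = [Microsoft.Win32.RegistryKey]::OpenBaseKey($hive, $view)
    $key  = $hklm.OpenSubKey("SOFTWARE\Microsoft\ASP.NET\4.0.30319.0\AutoGenKeys\$poolSid")
    if ($null -eq $key) {
        Write-Output "$viewName : AutoGenKeys\$poolSid is not provisioned"
    } else {
        $sddl = $key.GetAccessControl().GetSecurityDescriptorSddlForm($section)
        Write-Output "$viewName : provisioned, DACL = $sddl"
        $key.Close()
    }
    $hklm.Close()
}

# 4. User profile option: report the pool's Load User Profile setting.
$pool = Get-Item "IIS:\AppPools\$appPoolName"
Write-Output "Load User Profile: $($pool.processModel.loadUserProfile)"
```

A DACL that grants access to any SID other than SYSTEM, Administrators and the pool's own SID differs from what the provisioning script sets and is worth reviewing.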