Delete RSA key from machine key store from Web Forms

  • Question

  • Hi,

    I have some keys I am storing in the machine key store.  Occasionally there is a need to dump the old key and create a new one.  I have provided a web form for that purpose, however when I set the RSACryptoServiceProvider property PersistKeyInCsp to false, in order to remove the old one, I get the exception:

    The process does not possess the 'SeSecurityPrivilege' privilege which is required for this operation.

    at System.Security.AccessControl.Privilege.ToggleState(Boolean enable)

    at System.Security.Cryptography.Utils.GetKeySetSecurityInfo(SafeProvHandle hProv, AccessControlSections accessControlSections)

    at System.Security.Cryptography.CspKeyContainerInfo.get_CryptoKeySecurity()

    If I don't remove the old one the new one fails with an already exists error.

    Is there any way to raise/elevate/grant this privilege programmatically on .NET 4.5?

    Thanks!

    Tuesday, December 9, 2014 11:31 PM

All replies

  • Hello Jeff,

    It seems this error is caused by the current account not having adequate permissions.

    >> Is there anyway to raise/elevate/grant this privilege programmatically on .NET 4.5?

    You could check the PrincipalPermission class; it could elevate your privileges from standard user to administrator when you start your application, even if you do not run it in the administrator role, as:

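    using System;
    using System.Security.Permissions;
    using System.Security.Principal;

    class Program
    {
        public static void Main()
        {
            AppDomain.CurrentDomain.SetPrincipalPolicy(PrincipalPolicy.WindowsPrincipal);
            PrincipalPermission principalPerm = new PrincipalPermission(null, "Administrators");
            // Demand() throws a SecurityException unless the current principal is in the Administrators role.
            principalPerm.Demand();
            Console.WriteLine("Demand succeeded.");
        }
    }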

    Also you could use the Process class to start your application with administrator privileges, for details, you could check this discussion:

    http://stackoverflow.com/questions/133379/elevating-process-privilege-programatically

    If this does not work for you, please feel free to let me know.

    Regards.



    Wednesday, December 10, 2014 7:21 AM
  • This is a web form.  I am pretty sure you were thinking Windows app yes?

    Making the web application administrator is not an option.

    Monday, December 15, 2014 3:36 PM
  • Hello Jeff,

     >> I am pretty sure you were thinking Windows app yes?

    Yes, I was more focused on .NET for this issue, which seems to be incorrect. I am trying to involve someone experienced to help look into it; this may take some time, and as soon as we get any result, we will post back to this forum.

    Regards.



    Tuesday, December 16, 2014 6:59 AM
  • This is by design: the identity of the IIS worker process w3wp.exe has no such permission. You can change its identity to a local admin, though it is not recommended because of security issues. Alternatively, you can temporarily impersonate a local admin account for this requirement.


    Regards,
    Jacky Wu
    Microsoft Online Community Support

    Wednesday, April 29, 2015 7:53 AM
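
Added example, not part of the original thread and not code from any of its participants: the stack trace in the question passes through CspKeyContainerInfo.get_CryptoKeySecurity, and this sketch deletes and recreates a machine-store container without reading that property or changing the worker process identity. It assumes the application pool identity already has access to the container; the class name, method names and container name are hypothetical.

```csharp
using System;
using System.Security.Cryptography;

static class MachineKeyRotation
{
    // NTE_BAD_KEYSET ("Keyset does not exist") as reported by CryptoAPI.
    const int NteBadKeyset = unchecked((int)0x80090016);

    // Deletes the named machine-store container. Returns false if it was not found.
    public static bool DeleteIfPresent(string containerName)
    {
        var cp = new CspParameters
        {
            KeyContainerName = containerName,
            // UseExistingKey: open only, never create a key pair as a side effect.
            Flags = CspProviderFlags.UseMachineKeyStore | CspProviderFlags.UseExistingKey
        };
        try
        {
            using (var rsa = new RSACryptoServiceProvider(cp))
            {
                rsa.PersistKeyInCsp = false; // mark the container for deletion
                rsa.Clear();                 // release the handle; the container is removed
            }
            return true;
        }
        catch (CryptographicException ex)
        {
            if (ex.HResult == NteBadKeyset) return false;
            throw; // any other failure (for example an ACL problem) is surfaced to the caller
        }
    }

    // Removes the old container, then creates a fresh persisted key under the same name.
    public static RSACryptoServiceProvider Rotate(string containerName, int keySizeBits)
    {
        DeleteIfPresent(containerName);
        var cp = new CspParameters
        {
            KeyContainerName = containerName,
            Flags = CspProviderFlags.UseMachineKeyStore
        };
        // A named container is persisted by default (PersistKeyInCsp is true).
        return new RSACryptoServiceProvider(keySizeBits, cp);
    }
}
```

A call such as `MachineKeyRotation.Rotate("ExampleContainer", 2048)` uses a constructed container name; the ACL on the container file, not membership in Administrators, decides whether the delete succeeds.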