Encrypting section of config file using aspnet_regiis.exe – The configuration for physical path ‘*web.config’ cannot be opened.


 

We are already aware that The ASP.NET IIS Registration tool (Aspnet_regiis.exe) is used to register ASP.NET applications with Internet Information Services (IIS). It provides us with some other features as well and maximum of them are on its MSDN article. One such feature is encryption of config file sections and that is obviously for security reasons. Here is an MSDN article How To: Encrypt Configuration Sections in ASP.NET 2.0 Using DPAPI which focuses on this feature.

Now, purpose of writing this blog is to put some light on this feature and also pointing out one common mistake while using this feature.


 

1. We will look when can we get error like “The configuration for physical path ‘*\web.config’ cannot be opened.”

2. Using this feature for encryption of config sections of windows/console application’s configuration file i.e. app.config

 

1. “The configuration for physical path ‘web.config’ cannot be opened”

 

Maximum time this error occurs because of incorrect path of the config file. But in this case when we check the path, it seems that we have correct path. If you will closely look at the command again, you will find a difference from the one mentioned in the above MSDN article. So here is your command

C:\Windows\Microsoft.NET\Framework64\v4.0.30319>aspnet_regiis.exe -pef “appSettings” “C:\inetpub\wwwroot\testweb\web.config” -prov “DataProtectionConfigurationProvider”

Microsoft (R) ASP.NET RegIIS version 4.0.30319.33440

Administration utility to install and uninstall ASP.NET on the local machine.

Copyright (C) Microsoft Corporation.  All rights reserved.

Decrypting configuration section…

The configuration for physical path ‘C:\inetpub\wwwroot\testweb\web.config’ cannot be opened.

Failed!

image

 

Did you find the difference? yes there is “web.config” specified in the command. Of course, we should specify the file name which we are targeting for encryption. But hold on, remember Aspnet_regiis.exe is only meant for websites and one more thing that there can be only one web.config file inside any folder. Even if it is web1.config, its of no use because ASP.NET engine is not going to read it. So what’s the point.

Point is that Aspnet_regiis.exe implicitly considers that specified path has web.config file and it will encrypt the specified section of that file. So you have to just specify “’C:\inetpub\wwwroot\testweb” and web.config will

be added by this tool automatically. If web.config file does not exist inside the folder it will create an empty web.config file and empty section inside it and then will encrypt it(Give it a try). Command should look like following

   

C:\Windows\Microsoft.NET\Framework64\v4.0.30319>aspnet_regiis.exe -pef “appSettings” “C:\inetpub\wwwroot\testweb” -prov “DataProtectionConfigurationProvider”

   

Same thing applies while decryption as well and command should be like this

C:\Windows\Microsoft.NET\Framework64\v4.0.30319>aspnet_regiis.exe -pdf “appSettings” “C:\inetpub\wwwroot\testweb”

   

2. Using this feature for encryption of config sections of windows/console application’s configuration file i.e. app.config

   

Now question is how do we encrypt section of app.config file if aspnet_regiis.exe only looks for web.config file and after building app.config files have the naming convention of  AppTitle.exe.config

   

Here is the screen shot of one such windows application with a configuration file SampleApp.exe.config.

    

image

 

Following is the content from the configuration file where you can see i have some sensitive database information which we do not want to expose to users of the client’s computer.

 

<?xml version="1.0" encoding="utf-8" ?>
<configuration>
  <startup>
    <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" />
  </startup>
  <appSettings>
    <add key="sConnectionString" value="Provider=SQLOLEDB;Data Source=Your_Server_Name;Initial Catalog=Your_Database_Name;User Id=Your_Username;Password=Your_Password;" />
  </appSettings>
</configuration>

 

As we are aware of this limitation of aspnet_regiis.exe, we can find a workaround for this. Let’s fool aspnet_regiis.exe, what if we rename SampleApp.exe.config as web.config 🙂

   

C:\Windows\Microsoft.NET\Framework64\v4.0.30319>rename E:\SampleApp\SampleApp\SampleApp\bin\Release\SampleApp.exe.config web.config
C:\Windows\Microsoft.NET\Framework64\v4.0.30319>aspnet_regiis.exe -pef “appSettings” E:\SampleApp\SampleApp\SampleApp\bin\Release -prov DataProtectionConfigurationProvider
C:\Windows\Microsoft.NET\Framework64\v4.0.30319>rename web.config E:\SampleApp\SampleApp\SampleApp\bin\Release\SampleApp.exe.config

 

Here is the screen shot of encrypted config file. So final step is to rename it back to the SampleApp.exe.config

 
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
  <startup>
    <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" />
  </startup>
  <appSettings configProtectionProvider="DataProtectionConfigurationProvider">
    <EncryptedData>
      <CipherData>
        <CipherValue>
          AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAAVPxdfgBHA02++GKp0N/yYgQAAAACAAAAAAADZgAAwAAAABAAAADZaWlaU2XHAEquSvyREPJWAAAAAASAAACgAAAAEAAAAPbsjf6iKY3mQ0duO6Hk0mSY
          AQAAiwBI8J7lX73foO39YqjhtaSZ5H+e+h0Oc4vgzc2Eegkx1Ch67MBIFek7LhEtMKN06YVWw/lTdc+llLcjcjPfzvieupil2fOLZDAc6CSbTXItunMyhJWu3vlW+O/HPTtowq/c6Hz6TzryInBAxyX8ZBLRaFOU3
          JwhcjwEVoqWRZGNryO8sE5ntHEFatgiTh7pPvqtfMqd0UZz2lWWd+r/xJIr5ig6kfORkKE/plvATpey8zmTQNrxQx1v/dELislsBURDSHAmrL7CIDkbg5tQmj9cHtBh7BSUFHrK8JtCSPbTbUHVU4lcfbjMIrZ/1q
          inc0o0RTfhwusH+KLjSWb224E2ycxm3jubDM35dtZaGPrKCYpZS6KhaX4IVMFr5RMbdK+sJj4JLtN7O2kosM8nmYhPs+P0SUsBeJ117beE7egk5CWt7LdGXIAaRtdfEJVBFXWc5OKQGJQGWJVRPDslxgA/hviXk6y
          uPWS5gEc1aY+iSRAaqO+53nAEBvlurYrCp1MqjE75pTL56kcOrpYET89VN6dcDPWGFAAAALHIG4IJ0+C+oE9TkcY55KxCFkD6
        </CipherValue>
      </CipherData>
    </EncryptedData>
  </appSettings>
</configuration>

Hope you like it!

Please let me know if there is any concerns or queries.

 

Thanks

Gaurav


Comments (11)

  1. Archna says:

    This was a great solution and information. I have multiple config files for my windows apps and it worked like a charm. Thanks you!

  2. Gaurav says:

    Thanks for the feedback Archna

  3. rodrigus says:

    nice blog! can you please also mention how to go on and use RSA encryption algorithm or 3DES  and specify key using this tool.

  4. Gaurav says:

    Thanks Rodrigus!

    You can change the provider like following

    -prov "RsaProtectedConfigurationProvider"

    For more options read following MSDN articles

    msdn.microsoft.com/…/zhhddkxy(v=vs.100).aspx

    msdn.microsoft.com/…/2w117ede(v=vs.100).aspx

  5. Adam says:

    can you get a more small font size?? This is too BIGGG TO READ!!!!

  6. Hafeez says:

    I have renamed the config file and encrypted it. But I am unable to rename it to older as it say "The system cannot find the file specified"

  7. Hafeez,

    Are you sure that your directory has web.config file which you are trying to rename now back to app.config?

    Adam,

    I think you want me to increase the font size, i will try to fix this soon.  🙂

  8. Garush666 says:

    I am using multiple external files for the config file. All these external files are in one common folder for easy maintenance.

    Example my folder "ExternalConfigs" multiple config files in different name.

    How do i target the specific file in case of multiple external config files

  9. Gaurav says:

    Garush,

    I am  not sure if encrypting external config files is possible till now.

    Thanks

    Gaurav

  10. Jason L says:

    I had actually figured out the renaming trick myself, but it was great to find some validation that it is OK to do and works.

  11. After Encription timeout Issue says:

    Hi,

    After Encription web.config file for connection string, After moving config file for production the file gets overritten often at irregular intervals.

    Due to which our application is redirecting to login page.

    Kindly let me know the solutions ASAP.

Skip to main content