MachineKeys on IIS 7.x : Inside Out

by jask2002 3. May 2012 04:16

Question: What are Machinekeys? On what particular keys IIS 7.x is dependent upon?

Ans: IIS uses MachineKeys for encrypting data like passwords, App Pool identities which are stored in configs(applicationhost.config and web.config)

By default, IIS 7 includes two main providers for securing properties located in applicationhost.config


<add name="IISWASOnlyRsaProvider" type="" description="Uses RsaCryptoServiceProvider to encrypt and decrypt" keyContainerName="iisWasKey" cspProviderName="" useMachineContainer="true" useOAEP="false" />

<add name="AesProvider" type="Microsoft.ApplicationHost.AesProtectedConfigurationProvider" description="Uses an AES session key to encrypt and decrypt" keyContainerName="iisConfigurationKey" cspProviderName="" useOAEP="false" useMachineContainer="true" sessionKey="AQIAAA5mAAAApAAAitO83VeqvKDRboksTP0uTVHgRDjrJEwOrnMjBTQQSGgCybl2eeUkjNZOSwXKuydOOZxf/4NY46+XU7Y3w3OmXGVaITw5NRmXY4OPWRR6hhBo2MMLuIoX4K1fJ4VfMX/CHORyi3xR083u70H/OprrmRIHXIof0ItuMQmQZEXIxKc=" />

<add name="IISWASOnlyAesProvider" type="Microsoft.ApplicationHost.AesProtectedConfigurationProvider" description="Uses an AES session key to encrypt and decrypt" keyContainerName="iisWasKey" cspProviderName="" useOAEP="false" useMachineContainer="true" sessionKey="AQIAAA5mAAAApAAAeab1yOPe5FDoeenYJhSQEhfgNmCSd76QFWHamsI13VB1ycmJvgZYGplpEdhdtWmsO8lfLEHQkKPSKfn5XFK+wWMJEudt/wVcN5mOpop/jeCl10uifjqAHaH/CstTp9KIMmeV119zvlJt74yGvm2XeZ2GShOrdl4Op/iECLq1dn4=" />


The AesProvider is specific to dealing with encryption and decryption for properties that are in the system.webServer section.

The IISWASOnlyRsaProvider is used for encryption and decryption for properties that are in the system.applicationHost section.

These keys are in the iisConfigurationKey and iisWasKey key containers and are machine-specific located in


6de9cb26d2b98c01ec4e9e8b34824aa2_GUID ==> iisConfigurationKey


76944fb33636aeddb9590521c2e8815a_GUID ==> iisWasKey


IIS 6 Compatibility uses following key(starts with C23 ) encryption and decryption



On windows 2003 box, machine keys was located in C:\Documents and Settings\All users\Application Data\Microsoft\Crypto\RSA\MachineKeys

Question: I've uninstalled and re-installed IIS 7 from Add/Remove feature programs and still do not see new keys created


Upon re-installing IIS 7 you would see new only C23 getting created.

But not the iisWasKey 76944fb33636aeddb9590521c2e8815a or iisConfigurationKey 6de9cb26d2b98c01ec4e9e8b34824aa2_GUID because these gets created upon re-installing of Windows Process Activation Service component



Question: Why would you bother to get new KEYS at the first place ?

Unfortunately some thing bad has happened like disk failure / power failure / OS restoration and IIS services failed to start and/or you might be getting any of following error while starting services":

  • The system cannot find the file specified.
  • The handle is invalid.
  • Service did not responded timely fashion
  • Not enough storage is available to process this command.
  • GUID stored in registry got changed
  • You are seeing mutiple keys for c23 in machinekey folder
  • You have newly installed IIS and Copied the ApplicationHost.config from other server and started getting the error
    • Bad KeySet
    • Bad Data
  • Invalid Identity


Question: What are the recommended best practice?


Make your habit to regularly create *password* encrypted backups of the configuration

Inetmgr ==> Server Name ==> Shared Configuration ==> Click on Export Configuration


After exporting successfully and then looking C:\Windows\System32\inetsrv\config\Export you would see 3 files

  • administration.config
  • applicationHost.config
  • configEncKey.key


Upon failure

Now you can use these 3 files on nonworking server. Just follow the steps reverse order. :)

Click check box for Enable Shared Configuration , Give path to C:\Windows\System32\inetsrv\config\Export

Click Apply . It would ask for password . Do IISRESET

Again go back to Shared Configuration , UnCheck Radio button and then Click Apply it would show you



The IIS Manager will fix your encryption keys so they will work on your local configuration files.


Question: Ok I already have a broken server and did not bother to have *password* encrypted configuration earlier. What to do?


  1. First line of defense check your history folder C:\inetpub\history, this should have automatic back up of applicationhost.config upto last 10 write operation.Copy the applicationhost.config of date/time prior to the problem.
  2. You can manually export/import "IISWASKEY" from working sever (from which you have earlier copied config to non working server)

Vijay's blog should help you

Export using the following commands on original working server

aspnet_regiis -px "iisConfigurationKey" "D:\iisConfigurationKey.xml" -pri

aspnet_regiis -px "iisWasKey" "D:\iisWasKey.xml" -pri

And for the import on non-working server

aspnet_regiis -pi "iisConfigurationKey" "D:\iisConfigurationKey.xml"

aspnet_regiis -pi "iisWasKey" "D:\iisWasKey.xml"


Question: Can I generate new "iisWasKeys" and "iisConfigurationKey" in MachineKeys folder without re-installing WAS and IIS ?


I think answer is Yes. You can use programmatic approach. Here is the sample 

If you need further assistance you can also contact PSS IIS support team to help you.

PayPal — The safer, easier way to pay online. Has this post helped you? Saved you? If you'd like to show your appreciation. Please buy me a coffee or make a small contribution toward blog's maintenance(to keep it Ads free )

Tags: ,

IIS 7 | MachineKeys

Comments (1) -

Zoh Bhar
Zoh Bhar United States
11/29/2012 12:49:59 PM #

Help resolve one issue today. Saved tons of time.


Pingbacks and trackbacks (4)+

Add comment

  Country flag

  • Comment
  • Preview

Tag cloud

Month List


Comment RSS



The opinions expressed herein are my own personal opinions and do not represent my employer's view in any way.