Question: What are MachineKeys? On which particular keys is IIS 7.x dependent?
Ans: IIS uses MachineKeys to encrypt data such as passwords and App Pool identities that are stored in the configs (applicationHost.config and web.config).
By default, IIS 7 includes two main providers for securing properties located in applicationHost.config:
<configProtectedData>
  <providers>
    <add name="IISWASOnlyRsaProvider" type="" description="Uses RsaCryptoServiceProvider to encrypt and decrypt" keyContainerName="iisWasKey" cspProviderName="" useMachineContainer="true" useOAEP="false" />
    <add name="AesProvider" type="Microsoft.ApplicationHost.AesProtectedConfigurationProvider" description="Uses an AES session key to encrypt and decrypt" keyContainerName="iisConfigurationKey" cspProviderName="" useOAEP="false" useMachineContainer="true" sessionKey="AQIAAA5mAAAApAAAitO83VeqvKDRboksTP0uTVHgRDjrJEwOrnMjBTQQSGgCybl2eeUkjNZOSwXKuydOOZxf/4NY46+XU7Y3w3OmXGVaITw5NRmXY4OPWRR6hhBo2MMLuIoX4K1fJ4VfMX/CHORyi3xR083u70H/OprrmRIHXIof0ItuMQmQZEXIxKc=" />
    <add name="IISWASOnlyAesProvider" type="Microsoft.ApplicationHost.AesProtectedConfigurationProvider" description="Uses an AES session key to encrypt and decrypt" keyContainerName="iisWasKey" cspProviderName="" useOAEP="false" useMachineContainer="true" sessionKey="AQIAAA5mAAAApAAAeab1yOPe5FDoeenYJhSQEhfgNmCSd76QFWHamsI13VB1ycmJvgZYGplpEdhdtWmsO8lfLEHQkKPSKfn5XFK+wWMJEudt/wVcN5mOpop/jeCl10uifjqAHaH/CstTp9KIMmeV119zvlJt74yGvm2XeZ2GShOrdl4Op/iECLq1dn4=" />
  </providers>
</configProtectedData>
The AesProvider is specific to dealing with encryption and decryption for properties that are in the system.webServer section.
The IISWASOnlyRsaProvider is used for encryption and decryption for properties that are in the system.applicationHost section.
These keys live in the iisConfigurationKey and iisWasKey key containers. They are machine-specific and are located in
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys
- 6de9cb26d2b98c01ec4e9e8b34824aa2_GUID ==> iisConfigurationKey, for example
  6de9cb26d2b98c01ec4e9e8b34824aa2_edbabad5-fbea-4646-bc59-468bd5228476
- 76944fb33636aeddb9590521c2e8815a_GUID ==> iisWasKey, for example
  76944fb33636aeddb9590521c2e8815a_edbabad5-fbea-4646-bc59-468bd5228476
IIS 6 Compatibility uses the following key (its name starts with c23) for encryption and decryption:
- c2319c42033a5ca7f44e731bfd3fa2b5_GUID, for example
  c2319c42033a5ca7f44e731bfd3fa2b5_edbabad5-fbea-4646-bc59-468bd5228476
On a Windows 2003 box, the machine keys were located in C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys
Question: I've uninstalled and re-installed IIS 7 from Add/Remove Programs / Windows Features and still do not see new keys created.
Ans:
Upon re-installing IIS 7 you would see only a new c23 key getting created,
but not the iisWasKey (76944fb33636aeddb9590521c2e8815a_GUID) or iisConfigurationKey (6de9cb26d2b98c01ec4e9e8b34824aa2_GUID), because these get created upon re-installing the Windows Process Activation Service (WAS) component.
Question: Why would you bother to get new KEYS in the first place?
Ans:
Unfortunately, something bad has happened (disk failure, power failure, OS restoration) and the IIS services fail to start, and/or you might be getting any of the following errors while starting the services:
- The system cannot find the file specified.
- The handle is invalid.
- The service did not respond in a timely fashion.
- Not enough storage is available to process this command.
- The GUID stored in the registry has changed.
- You are seeing multiple keys for c23 in the MachineKeys folder.
- You have newly installed IIS, copied the applicationHost.config from another server and started getting the error
- Invalid Identity
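The key-file layout from the first answer and the symptoms listed above (missing container, duplicate c23 keys, changed GUID) can be checked in one pass. This PowerShell diagnostic is an added example, not from the original post; it assumes the default paths above, that applicationHost.config is readable from an elevated prompt, and that the suffix of each MachineKeys file name is the MachineGuid value under HKLM:\SOFTWARE\Microsoft\Cryptography (assumption).

```powershell
# Added diagnostic, not from the original post. Run from an elevated PowerShell.
$machineKeys = 'C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys'
$appHost     = "$env:windir\System32\inetsrv\config\applicationHost.config"

# File-name prefixes for the three containers, as listed in the post above.
$expected = @{
    'iisConfigurationKey' = '6de9cb26d2b98c01ec4e9e8b34824aa2'
    'iisWasKey'           = '76944fb33636aeddb9590521c2e8815a'
    'IIS6 compat (c23)'   = 'c2319c42033a5ca7f44e731bfd3fa2b5'
}

# Assumption: the _GUID suffix of the key files is the machine's crypto MachineGuid.
$machineGuid = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Cryptography').MachineGuid

# Which key containers does applicationHost.config actually reference?
[xml]$cfg = Get-Content -Path $appHost
$referenced = $cfg.configuration.configProtectedData.providers.add |
    ForEach-Object { $_.keyContainerName } | Sort-Object -Unique
Write-Host "Containers referenced by applicationHost.config: $($referenced -join ', ')"

foreach ($name in $expected.Keys) {
    $prefix = $expected[$name]
    # -Force so system/hidden key files are not skipped
    $files = @(Get-ChildItem -Path $machineKeys -Filter "${prefix}_*" -Force -ErrorAction SilentlyContinue)

    if ($files.Count -eq 0) {
        Write-Warning "$name : no key file with prefix $prefix (container missing; see WAS re-install note)"
        continue
    }
    if ($files.Count -gt 1) {
        Write-Warning "$name : $($files.Count) key files found, expected 1 (the 'multiple c23 keys' symptom)"
    }
    foreach ($f in $files) {
        # Everything after "<prefix>_" should equal the current MachineGuid.
        $suffix = $f.Name.Substring($prefix.Length + 1)
        if ($suffix -ne $machineGuid) {
            Write-Warning "$name : $($f.Name) suffix does not match MachineGuid $machineGuid (GUID changed?)"
        } else {
            Write-Host "$name : OK ($($f.Name))"
        }
    }
}
```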
Question: What are the recommended best practices?
Ans:
Make it your habit to regularly create *password*-encrypted backups of the configuration:
Inetmgr ==> Server Name ==> Shared Configuration ==> Click on Export Configuration
After exporting successfully, look in C:\Windows\System32\inetsrv\config\Export; you would see 3 files:
- administration.config
- applicationHost.config
- configEncKey.key
Upon failure:
Now you can use these 3 files on the non-working server. Just follow the steps in reverse order. :)
Check the box for Enable Shared Configuration, give the path C:\Windows\System32\inetsrv\config\Export
and click Apply. It will ask for the password. Do an IISRESET.
Then go back to Shared Configuration, uncheck it and click Apply; it will show you:
"The IIS Manager will fix your encryption keys so they will work on your local configuration files."
Question: Ok, I already have a broken server and did not bother to have a *password*-encrypted configuration earlier. What to do?
Ans:
- First line of defense: check your history folder C:\inetpub\history. It should hold automatic backups of applicationHost.config for up to the last 10 write operations. Copy the applicationHost.config from a date/time prior to the problem.
- You can manually export/import the "iisWasKey" (and iisConfigurationKey) containers from the working server (the one from which you earlier copied the config to the non-working server).
Vijay's blog should help you: http://blogs.msdn.com/b/vijaysk/archive/2009/03/14/caution-while-xcopying-iis-7-0-config-files.aspx
Export using the following commands on the original working server:
aspnet_regiis -px "iisConfigurationKey" "D:\iisConfigurationKey.xml" -pri
aspnet_regiis -px "iisWasKey" "D:\iisWasKey.xml" -pri
And for the import on the non-working server:
aspnet_regiis -pi "iisConfigurationKey" "D:\iisConfigurationKey.xml"
aspnet_regiis -pi "iisWasKey" "D:\iisWasKey.xml"
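The two aspnet_regiis commands above are easy to run with a missing -pri or against the wrong container. This PowerShell wrapper is an added example, not from the original post or from Vijay's blog; it assumes the .NET 4 x64 aspnet_regiis.exe at the path below, that the export file is the standard <RSAKeyValue> XML (assumption), and takes the export directory as a parameter.

```powershell
# Added wrapper, not from the original post. Run elevated on the working server
# with -Mode export, copy the XML files, then run on the broken server with -Mode import.
param(
    [ValidateSet('export', 'import')][string]$Mode = 'export',
    [string]$Dir = 'D:\'   # where the <container>.xml files are written / read
)

# Assumption: .NET 4 x64 aspnet_regiis; adjust for v2.0.50727 or Framework (x86) if needed.
$regiis = "$env:windir\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe"
if (-not (Test-Path $regiis)) { throw "aspnet_regiis.exe not found at $regiis" }

# The two key containers named in the post.
$containers = 'iisConfigurationKey', 'iisWasKey'

foreach ($c in $containers) {
    $file = Join-Path $Dir "$c.xml"
    if ($Mode -eq 'export') {
        # -pri exports the private key as well; without it the import cannot decrypt anything.
        & $regiis -px $c $file -pri
        if ($LASTEXITCODE -ne 0) { throw "export of $c failed (exit $LASTEXITCODE)" }

        # Verify the private exponent <D> is present (assumes <RSAKeyValue> export format).
        [xml]$x = Get-Content -Path $file
        if (-not $x.RSAKeyValue.D) { throw "$file contains no private key; -pri was not honoured" }

        # The file is the container's cleartext private key: restrict it to Administrators.
        icacls $file /inheritance:r /grant:r 'BUILTIN\Administrators:F' | Out-Null
        Write-Host "exported $c to $file"
    } else {
        if (-not (Test-Path $file)) { throw "missing $file; export it on the working server first" }
        & $regiis -pi $c $file
        if ($LASTEXITCODE -ne 0) { throw "import of $c failed (exit $LASTEXITCODE)" }
        Write-Host "imported $c from $file"
    }
}
```

After the import, the key files for both containers should again appear under C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys with the prefixes given in the first answer.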
Question: Can I generate new "iisWasKey" and "iisConfigurationKey" containers in the MachineKeys folder without re-installing WAS and IIS?
Ans:
I think the answer is Yes. You can use a programmatic approach. Here is a sample:
http://learn.iis.net/page.aspx/141/using-encryption-to-protect-passwords/
If you need further assistance, you can also contact the PSS IIS support team.