Question: What are Machinekeys? On what particular keys IIS 7.x is dependent upon?
Ans: IIS uses MachineKeys for encrypting data like passwords, App Pool identities which are stored in configs(applicationhost.config and web.config)
By default, IIS 7 includes two main providers for securing properties located in applicationhost.config
<add name="IISWASOnlyRsaProvider" type="" description="Uses RsaCryptoServiceProvider to encrypt and decrypt" keyContainerName="iisWasKey" cspProviderName="" useMachineContainer="true" useOAEP="false" />
<add name="AesProvider" type="Microsoft.ApplicationHost.AesProtectedConfigurationProvider" description="Uses an AES session key to encrypt and decrypt" keyContainerName="iisConfigurationKey" cspProviderName="" useOAEP="false" useMachineContainer="true" sessionKey="AQIAAA5mAAAApAAAitO83VeqvKDRboksTP0uTVHgRDjrJEwOrnMjBTQQSGgCybl2eeUkjNZOSwXKuydOOZxf/4NY46+XU7Y3w3OmXGVaITw5NRmXY4OPWRR6hhBo2MMLuIoX4K1fJ4VfMX/CHORyi3xR083u70H/OprrmRIHXIof0ItuMQmQZEXIxKc=" />
<add name="IISWASOnlyAesProvider" type="Microsoft.ApplicationHost.AesProtectedConfigurationProvider" description="Uses an AES session key to encrypt and decrypt" keyContainerName="iisWasKey" cspProviderName="" useOAEP="false" useMachineContainer="true" sessionKey="AQIAAA5mAAAApAAAeab1yOPe5FDoeenYJhSQEhfgNmCSd76QFWHamsI13VB1ycmJvgZYGplpEdhdtWmsO8lfLEHQkKPSKfn5XFK+wWMJEudt/wVcN5mOpop/jeCl10uifjqAHaH/CstTp9KIMmeV119zvlJt74yGvm2XeZ2GShOrdl4Op/iECLq1dn4=" />
The AesProvider is specific to dealing with encryption and decryption for properties that are in the system.webServer section.
The IISWASOnlyRsaProvider is used for encryption and decryption for properties that are in the system.applicationHost section.
These keys are in the iisConfigurationKey and iisWasKey key containers and are machine-specific located in
6de9cb26d2b98c01ec4e9e8b34824aa2_GUID ==> iisConfigurationKey
76944fb33636aeddb9590521c2e8815a_GUID ==> iisWasKey
IIS 6 Compatibility uses following key(starts with C23 ) encryption and decryption
On windows 2003 box, machine keys was located in C:\Documents and Settings\All users\Application Data\Microsoft\Crypto\RSA\MachineKeys
Question: I've uninstalled and re-installed IIS 7 from Add/Remove feature programs and still do not see new keys created
Upon re-installing IIS 7 you would see new only C23 getting created.
But not the iisWasKey 76944fb33636aeddb9590521c2e8815a or iisConfigurationKey 6de9cb26d2b98c01ec4e9e8b34824aa2_GUID because these gets created upon re-installing of Windows Process Activation Service component
Question: Why would you bother to get new KEYS at the first place ?
Unfortunately some thing bad has happened like disk failure / power failure / OS restoration and IIS services failed to start and/or you might be getting any of following error while starting services":
- The system cannot find the file specified.
- The handle is invalid.
- Service did not responded timely fashion
- Not enough storage is available to process this command.
- GUID stored in registry got changed
- You are seeing mutiple keys for c23 in machinekey folder
- You have newly installed IIS and Copied the ApplicationHost.config from other server and started getting the error
- Invalid Identity
Question: What are the recommended best practice?
Make your habit to regularly create *password* encrypted backups of the configuration
Inetmgr ==> Server Name ==> Shared Configuration ==> Click on Export Configuration
After exporting successfully and then looking C:\Windows\System32\inetsrv\config\Export you would see 3 files
Now you can use these 3 files on nonworking server. Just follow the steps reverse order. :)
Click check box for Enable Shared Configuration , Give path to C:\Windows\System32\inetsrv\config\Export
Click Apply . It would ask for password . Do IISRESET
Again go back to Shared Configuration , UnCheck Radio button and then Click Apply it would show you
The IIS Manager will fix your encryption keys so they will work on your local configuration files.
Question: Ok I already have a broken server and did not bother to have *password* encrypted configuration earlier. What to do?
- First line of defense check your history folder C:\inetpub\history, this should have automatic back up of applicationhost.config upto last 10 write operation.Copy the applicationhost.config of date/time prior to the problem.
- You can manually export/import "IISWASKEY" from working sever (from which you have earlier copied config to non working server)
Vijay's blog should help you http://blogs.msdn.com/b/vijaysk/archive/2009/03/14/caution-while-xcopying-iis-7-0-config-files.aspx
Export using the following commands on original working server
aspnet_regiis -px "iisConfigurationKey" "D:\iisConfigurationKey.xml" -pri
aspnet_regiis -px "iisWasKey" "D:\iisWasKey.xml" -pri
And for the import on non-working server
aspnet_regiis -pi "iisConfigurationKey" "D:\iisConfigurationKey.xml"
aspnet_regiis -pi "iisWasKey" "D:\iisWasKey.xml"
Question: Can I generate new "iisWasKeys" and "iisConfigurationKey" in MachineKeys folder without re-installing WAS and IIS ?
I think answer is Yes. You can use programmatic approach. Here is the sample
If you need further assistance you can also contact PSS IIS support team to help you.