I have an application which is making use of the RSACryptoServiceProvider to decrypt some data using a known private key (stored in a variable).
When the IIS Application Pool is configured to use Network Service, everything runs fine.
However, when we configure the IIS Application Pool to run the code under a different Identity, we get the following:
System.Security.Cryptography.CryptographicException: The system cannot find the file specified. at System.Security.Cryptography.Utils.CreateProvHandle(CspParameters parameters, Boolean randomKeyContainer) at System.Security.Cryptography.RSACryptoServiceProvider.ImportParameters(RSAParameters parameters) at System.Security.Cryptography.RSA.FromXmlString(String xmlString)
The code is something like this:
byte[] input;
byte[] output;
string private_key_xml;
var provider = new System.Cryptography.RSACryptoServiceProvider(this.m_key.Key_Size);
provider.FromXmlString(private_key_xml); // Fails Here when Application Pool Identity != Network Service
ouput = provider.Decrypt(input, false); // False = Use PKCS#1 v1.5 Padding
There are resources which attempt to answer it by stating that you should give the user read access to the machine key store - however there is no definitive answer to solve this issue.
Environment: IIS 6.0, Windows Server 2003 R2, .NET 3.5 SP1
I fixed this by setting "Load User Profile" to True (was False) in the Application Pool's Advanced Settings / Process Model section.
The application had been working perfectly on Server 2003 R2 / IIS 6 and the problem appeared as I was configuring it on our new 2008 R2 server.
Got the idea to try it at:
http://social.msdn.microsoft.com/forums/en-US/clr/thread/7ea48fd0-8d6b-43ed-b272-1a0249ae490f/
YMMV