The RSA key container could not be opened

keyboardP · May 27, 2010

I've been developing an ASP.NET site on an older machine running XP home. I recently got a new Win 7 PC and moved all my project files across. When I try and run the project, I get this error message:

"Failed to decrypt using provider 'MyRsaProtectedConfigurationProvider'. Error message from the provider: The RSA key container could not be opened."

I realised that I encrypted parts of my web.config file using RSA encryption. This is where the problem now lies. I'm not sure how to get that key working again so that I can use it on my new machine. I exported the key from the older machine and imported it using:

aspnet_regiis -pi "RSAProviderName" "C:\RSA_configkey.xml"

This was imported successfully. I then ran the project, but the same error message came up. I figured it might be a permission thing, so I ran:

aspnet_regiis -pa "RSAProviderName" "\Desktop" -full

This was also successful, but I still get the error. From reading around, I've seen people use "ASPNET" instead of "\Desktop" (Desktop is my machine name). However, when I try and use "ASPNET", I get:

No mapping between account name and security IDs was done. <Exception from HRESULT = 0x80070534

I can't work on the project until this is fixed, so any help is much appreciated. Thanks!

Answer

Dave Cluderay · May 27, 2010

If you still have access to the older machine, you could always decrypt the configuration section on that machine, then copy the unencrypted config file to the new machine (and, if necessary, re-encrypt the file on the old machine).

On Windows 7, the account under which your IIS application pools run by default will likely be ApplicationPoolIdentity (as opposed to ASPNET). To grant permissions, try this:

aspnet_regiis -pa RSAProviderName "IIS APPPOOL\DefaultAppPool" -full

By the way, if you do decide to persevere with copying the key from the old machine to the new one, you should make sure that, when exporting, you export the private key data too:

aspnet_regiis -px RSAProviderName C:\RSA_configkey.xml -pri

And, optionally, to make the key data exportable during the import:

aspnet_regiis -pi RSAProviderName C:\RSA_configkey.xml -exp
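
The import and grant steps from the answer above, combined into one script for the new machine with two pre-checks: that the container name matches what the provider in web.config opens, and that the exported file contains the private key. This is an added example, not part of the original question or answer. The web.config path, the framework directory, and the `connectionStrings` section name are assumptions to adjust, and the script expects the provider to be declared in web.config itself.

```powershell
# Added example. Run from an elevated PowerShell prompt on the new machine.
$Regiis    = Join-Path $env:WINDIR 'Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe'  # assumed framework version
$WebConfig = 'C:\inetpub\wwwroot\MySite\web.config'   # assumed site path
$KeyFile   = 'C:\RSA_configkey.xml'                   # export file named in the post
$AppPool   = 'DefaultAppPool'                         # pool named in the answer
$Provider  = 'MyRsaProtectedConfigurationProvider'    # provider named in the error
$Section   = 'connectionStrings'                      # assumed encrypted section

# 1. Find the key container the provider actually opens. aspnet_regiis -pi/-pa
#    take the container name (keyContainerName), not the provider name.
[xml]$cfg = Get-Content $WebConfig
$p = $cfg.configuration.configProtectedData.providers.add |
     Where-Object { $_.name -eq $Provider }
if (-not $p) { throw "Provider '$Provider' is not declared in $WebConfig" }
$Container = $p.keyContainerName
Write-Host "Provider '$Provider' uses key container '$Container'"

# 2. An export made without -pri holds only the public key and cannot decrypt.
#    The private exponent is the <D> element of the RSAKeyValue XML.
[xml]$key = Get-Content $KeyFile
if (-not $key.RSAKeyValue.D) {
    throw "No private key in $KeyFile; re-export on the old machine with -px ... -pri"
}

# 3. Import into the machine-level store. -exp is left out on purpose so the
#    key cannot be exported again from this machine.
& $Regiis -pi $Container $KeyFile
if ($LASTEXITCODE -ne 0) { throw 'Key import failed' }

# 4. Grant the application pool identity access to the container. Without
#    -full this grants read access only, which is what decryption needs.
& $Regiis -pa $Container "IIS APPPOOL\$AppPool"
if ($LASTEXITCODE -ne 0) { throw 'Granting container access failed' }

# 5. Check the imported key by decrypting a scratch copy, then remove the
#    copy so no plaintext configuration is left on disk.
$tmp = Join-Path $env:TEMP ('cfgcheck_' + [guid]::NewGuid())
New-Item -ItemType Directory -Path $tmp | Out-Null
try {
    Copy-Item $WebConfig $tmp
    & $Regiis -pdf $Section $tmp
    if ($LASTEXITCODE -ne 0) { throw "Could not decrypt '$Section' with '$Container'" }
    Write-Host 'Decryption with the imported key succeeded.'
} finally {
    Remove-Item $tmp -Recurse -Force
}

Write-Warning "$KeyFile contains the unprotected private key. Move it to offline storage or delete it."
```

Step 5 runs as the administrator, so it confirms the import but not the application pool's permission; that is confirmed when the site loads without the provider error.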