DpapiProtectedConfigurationProvider fails while decrypting web.config (ASP.NET)
Hi, welcome back,
The other day we faced a very similar issue to the one I commented on this post: RSACryptoServiceProvider fails when used with ASP.NET. We were getting a very similar exception:
"System.Configuration.ConfigurationErrorsException: Failed to decrypt using provider 'MyProtectedConfigurationProvider'. Error message from the provider: The system cannot find the file specified. (Exception from HRESULT: 0x80070002)"
But this time we got it while System.Configuration.DpapiProtectedConfigurationProvider was trying to decrypt a protected configuration section of our web.config file. This provider was configured to work with user-level key storage (DpapiProtectedConfigurationProvider.UseMachineProtection set to False) but the user profile was not loaded.
"The system cannot find the file specified" is a very typical error that appears when we can't access the private key we need to decrypt information, as those keys are usually stored in files in the user profile.
Additionally, if DPAPI works with user-level key storage, it requires the user profile to be loaded in order to store i.e. the master key it uses (see Windows Data Protection for details on this).
As we saw already (check previous RSACryptoServiceProvider post for details), neither IIS nor ASP.NET will load the profile automatically. We may be able to load it by calling LoadUserProfile API or by using a dummy Windows Service (and Service Control Manager -SCM- will load the profile on our behalf). If this doesn't work for us, we will have to use machine-level key storage instead.
I hope this helps.
Cheers,
Alex (Alejandro Campos Magencio)