次の方法で共有


RSACryptoServiceProvider fails when used with ASP.NET

Hi, welcome back,

I will talk today about a very common issue we face when we try to use .NET's RSACryptoServiceProvider class in ASP.NET.

When we try to create a new RSACryptoServiceProvider object in this scenario, we may get the following exception:

"System.Security.Cryptography.CryptographicException: The system cannot find the file specified".

 

By using my CryptoAPI Tracer script we can take a look to the CryptoAPI calls that .NET is making behind the scenes. Thanks to this script we will be able to see the exact API that is failing and the exact error (which most of the time .NET masks).

In our case, the API that fails is CryptAcquireContext, and it fails with error #2 (ERROR_FILE_NOT_FOUND). According to CryptAcquireContext documentation, this error means the following:
"
The profile of the user is not loaded and cannot be found. This happens when the application impersonates a user, for example, the IUSR_ComputerName account.
"

By default, ASP.NET won't load the user profile. Take a look to the parameters of the problematic CryptAcquireContext call as being shown in the log file that my script generated. If this API is not being called with CRYPT_MACHINE_KEYSET (to use the machine profile) or CRYPT_VERIFYCONTEXT (to use temporary key stores), it will try to access the key stores in the user profile, and it will fail because its not loaded.

Which options do we have here then?

1) If we need each user running your ASP.NET app to use their own key stores, we will have to load their user profile. We can do it with LoadUserProfile API. The only problem is that the privileges needed to execute this API are quite powerful for a standard user.

2) If we still need the user profile and don't want to give users enough privileges to run LoadUserProfile, there is a trick we can use: Service Control Manager (SCM) will automatically load the profile of the user that a Windows service uses to run. So we may create a dummy Windows service which runs with our user's credentials. This service won't need to do anything special, just stay alive. SCM will load the user profile for us and ASP.NET will be able to use it automatically once it gets loaded.

3) We may also use machine key stores instead of user's. We just have to pass CRYPT_MACHINE_KEYSET flag to CryptAcquireContext. In order to do that in .NET, we may use a code like this: 

 CspParameters RSAParams = new CspParameters();
RSAParams.Flags = CspProviderFlags.UseMachineKeyStore;
RSACryptoServiceProvider sp = new RSACryptoServiceProvider(1024, RSAParams);

Note. When we use machine key stores, any user in that machine may have access to those keys.

 

I hope this helps.

Cheers,

 

Alex (Alejandro Campos Magencio)

Comments

  • Anonymous
    December 08, 2007
    Hello Alex,I found your Blog by Nacho's one, I didn't notice you were writing here. Reading briefly some of your entries, you seem to be surrounded by the power of WinDBG, which everything must be said, is insane. :-PI wish you all the best, take care,Marcos, your mentee
  • Anonymous
    December 12, 2007
    The comment has been removed
  • Anonymous
    December 12, 2007
    Hi KAI,You just gave me an idea for a new post which may help you troubleshoot this issue:Key Containers: Basicshttp://blogs.msdn.com/alejacma/archive/2007/12/13/key-containers-basics.aspxProcess Monitor may help you find out why you are getting Access Denied.I hope this helps.Alex
  • Anonymous
    February 13, 2008
    The comment has been removed
  • Anonymous
    September 02, 2008
    Alex,Thanks for the script.  I have the error message, but still do not know what to do with it - "Indicates the specified environment variable name was not found in the specified environment block".  I have a custom identity for the IIS process and hacve granted it access to everything I can think of,but still get this error.  How can I know which environment variable it is looking for?  Thanks for any help,David
  • Anonymous
    May 13, 2009
    I also came across this problem. Option 3 helps me out.Thank you. I will follow yours for a couple of time.
  • Anonymous
    April 08, 2010
    Option 3 is in the money for me.  Cured the problem straight away.  Thanks very much.
  • Anonymous
    May 05, 2010
    Alex,Thank you very much for your explanation, diagnosis and possibles workarounds. As one said before me... "I was going mad" with this issue. Solution number 3 was the perfect for me; I tried and it worked fine!Thanks again!Marc
  • Anonymous
    June 17, 2010
    Alex,Thank you for the useful post.  Could you elaborate on the statement "Note. When we use machine key stores, any user in that machine may have access to those keys." ?  Darrell
  • Anonymous
    June 17, 2010
    Darrell, what I mean by that is that if users have NTFS permissions on the folder where keys are stored, they may be able to access them. By default only admins should be able to access those keys. More details here:Key Containers: Basicsblogs.msdn.com/.../key-containers-basics.aspx
  • Anonymous
    November 30, 2010
    I'm having this problem one of two machines in a small web farm. One runs perfectly, the otherthrows the crypto exception. Our code base has not changed in years.We did move the two machines about the time this problem appeared. I also don't know the update history of the machines. We've rebuilt the bad machine but the exception keeps appearing. I think it's a config or environmental issue.I can reproduce the issue on my DEV machine by deleting the user profile for the App Pool under which the web site is running. If I recreate the profile on my DEV machine, it corrects the problem.We've confirmed the correct profile for the App Pool exists and that the web site is running under the correct App Pool. We've also looked for any differences between the two machines with no luck. Both machines are manually setup.This is in a test environment. Our production environment is the same, and it's running fineAny thoughts on where to look?
  • Anonymous
    November 30, 2010
    Hi epaetz41,I would get Process Monitor logs (technet.microsoft.com/.../bb896645.aspx) to see which file we cannot access. That may give us some ideas...
  • Anonymous
    December 23, 2010
    Hello Everyone,I am glad that i found the one alternative for this issueSystem.Security.Cryptography.CryptographicException: The system cannot find the file specified".while importing the pfx file,I solved this by temperorily saving the pfx file in project folder and then using it after this issue get solved it works now. Hope this will help someone.
  • Anonymous
    February 17, 2011
    Thank you very much ! I have sloved my problem by your method.
  • Anonymous
    October 10, 2012
    Option 2 worked for me thanks for your help.........ThanksRizwan
  • Anonymous
    July 12, 2015
    There is an option in IIS to enable LoadUserProfile. Setting that to true solved our issue.