Encrypting section of config file using aspnet_regiis.exe - The configuration for physical path ‘*web.config' cannot be opened.

We are already aware that The ASP.NET IIS Registration tool (Aspnet_regiis.exe) is used to register ASP.NET applications with Internet Information Services (IIS). It provides us with some other features as well and maximum of them are on its MSDN article. One such feature is encryption of config file sections and that is obviously for security reasons. Here is an MSDN article How To: Encrypt Configuration Sections in ASP.NET 2.0 Using DPAPI which focuses on this feature.

Now, purpose of writing this blog is to put some light on this feature and also pointing out one common mistake while using this feature.

1. We will look when can we get error like “The configuration for physical path ‘*\web.config' cannot be opened.”

2. Using this feature for encryption of config sections of windows/console application’s configuration file i.e. app.config

1. “The configuration for physical path ‘web.config' cannot be opened”

Maximum time this error occurs because of incorrect path of the config file. But in this case when we check the path, it seems that we have correct path. If you will closely look at the command again, you will find a difference from the one mentioned in the above MSDN article. So here is your command

C:\Windows\Microsoft.NET\Framework64\v4.0.30319>aspnet_regiis.exe -pef "appSettings" "C:\inetpub\wwwroot\testweb\web.config" -prov "DataProtectionConfigurationProvider"

Microsoft (R) ASP.NET RegIIS version 4.0.30319.33440

Administration utility to install and uninstall ASP.NET on the local machine.

Copyright (C) Microsoft Corporation. All rights reserved.

Decrypting configuration section...

The configuration for physical path 'C:\inetpub\wwwroot\testweb\web.config' cannot be opened.

Failed!

Did you find the difference? yes there is “web.config” specified in the command. Of course, we should specify the file name which we are targeting for encryption. But hold on, remember Aspnet_regiis.exe is only meant for websites and one more thing that there can be only one web.config file inside any folder. Even if it is web1.config, its of no use because ASP.NET engine is not going to read it. So what’s the point.

Point is that Aspnet_regiis.exe implicitly considers that specified path has web.config file and it will encrypt the specified section of that file. So you have to just specify “'C:\inetpub\wwwroot\testweb” and web.config will

be added by this tool automatically. If web.config file does not exist inside the folder it will create an empty web.config file and empty section inside it and then will encrypt it(Give it a try). Command should look like following

C:\Windows\Microsoft.NET\Framework64\v4.0.30319>aspnet_regiis.exe -pef "appSettings" "C:\inetpub\wwwroot\testweb" -prov "DataProtectionConfigurationProvider"

Same thing applies while decryption as well and command should be like this

C:\Windows\Microsoft.NET\Framework64\v4.0.30319>aspnet_regiis.exe -pdf "appSettings" "C:\inetpub\wwwroot\testweb"

2. Using this feature for encryption of config sections of windows/console application’s configuration file i.e. app.config

Now question is how do we encrypt section of app.config file if aspnet_regiis.exe only looks for web.config file and after building app.config files have the naming convention of AppTitle.exe.config

Here is the screen shot of one such windows application with a configuration file SampleApp.exe.config.

 <?xml version="1.0" encoding="utf-8" ?><configuration>  <startup>    <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" />  </startup>  <appSettings>    <add key="sConnectionString" value="Provider=SQLOLEDB;Data Source=Your_Server_Name;Initial Catalog=Your_Database_Name;User Id=Your_Username;Password=Your_Password;" />  </appSettings></configuration>

As we are aware of this limitation of aspnet_regiis.exe, we can find a workaround for this. Let’s fool aspnet_regiis.exe, what if we rename SampleApp.exe.config as web.config :)

C:\Windows\Microsoft.NET\Framework64\v4.0.30319>rename E:\SampleApp\SampleApp\SampleApp\bin\Release\SampleApp.exe.config web.config

C:\Windows\Microsoft.NET\Framework64\v4.0.30319>aspnet_regiis.exe -pef "appSettings" E:\SampleApp\SampleApp\SampleApp\bin\Release -prov DataProtectionConfigurationProvider

C:\Windows\Microsoft.NET\Framework64\v4.0.30319>rename web.config E:\SampleApp\SampleApp\SampleApp\bin\Release\SampleApp.exe.config

Here is the screen shot of encrypted config file. So final step is to rename it back to the SampleApp.exe.config

 <?xml version="1.0" encoding="utf-8" ?><configuration>  <startup>    <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" />  </startup>  <appSettings configProtectionProvider="DataProtectionConfigurationProvider">    <EncryptedData>      <CipherData>        <CipherValue>          AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAAVPxdfgBHA02++GKp0N/yYgQAAAACAAAAAAADZgAAwAAAABAAAADZaWlaU2XHAEquSvyREPJWAAAAAASAAACgAAAAEAAAAPbsjf6iKY3mQ0duO6Hk0mSY          AQAAiwBI8J7lX73foO39YqjhtaSZ5H+e+h0Oc4vgzc2Eegkx1Ch67MBIFek7LhEtMKN06YVWw/lTdc+llLcjcjPfzvieupil2fOLZDAc6CSbTXItunMyhJWu3vlW+O/HPTtowq/c6Hz6TzryInBAxyX8ZBLRaFOU3          JwhcjwEVoqWRZGNryO8sE5ntHEFatgiTh7pPvqtfMqd0UZz2lWWd+r/xJIr5ig6kfORkKE/plvATpey8zmTQNrxQx1v/dELislsBURDSHAmrL7CIDkbg5tQmj9cHtBh7BSUFHrK8JtCSPbTbUHVU4lcfbjMIrZ/1q          inc0o0RTfhwusH+KLjSWb224E2ycxm3jubDM35dtZaGPrKCYpZS6KhaX4IVMFr5RMbdK+sJj4JLtN7O2kosM8nmYhPs+P0SUsBeJ117beE7egk5CWt7LdGXIAaRtdfEJVBFXWc5OKQGJQGWJVRPDslxgA/hviXk6y          uPWS5gEc1aY+iSRAaqO+53nAEBvlurYrCp1MqjE75pTL56kcOrpYET89VN6dcDPWGFAAAALHIG4IJ0+C+oE9TkcY55KxCFkD6        </CipherValue>      </CipherData>    </EncryptedData>  </appSettings></configuration>

Hope you like it!

Please let me know if there is any concerns or queries.

Thanks

Gaurav

Comments

• Anonymous
  November 13, 2013
  This was a great solution and information. I have multiple config files for my windows apps and it worked like a charm. Thanks you!

• Anonymous
  November 13, 2013
  Thanks for the feedback Archna

• Anonymous
  December 20, 2013
  nice blog! can you please also mention how to go on and use RSA encryption algorithm or 3DES  and specify key using this tool.

• Anonymous
  December 20, 2013
  Thanks Rodrigus! You can change the provider like following -prov "RsaProtectedConfigurationProvider" For more options read following MSDN articles msdn.microsoft.com/.../zhhddkxy(v=vs.100).aspx msdn.microsoft.com/.../2w117ede(v=vs.100).aspx

• Anonymous
  January 14, 2014
  can you get a more small font size?? This is too BIGGG TO READ!!!!

• Anonymous
  February 17, 2014
  I have renamed the config file and encrypted it. But I am unable to rename it to older as it say "The system cannot find the file specified"

• Anonymous
  February 20, 2014
  Hafeez, Are you sure that your directory has web.config file which you are trying to rename now back to app.config? Adam, I think you want me to increase the font size, i will try to fix this soon.  :)

• Anonymous
  March 17, 2014
  I am using multiple external files for the config file. All these external files are in one common folder for easy maintenance. Example my folder "ExternalConfigs" multiple config files in different name. How do i target the specific file in case of multiple external config files

• Anonymous
  April 15, 2014
  Garush, I am  not sure if encrypting external config files is possible till now. Thanks Gaurav

• Anonymous
  January 07, 2016
  I had actually figured out the renaming trick myself, but it was great to find some validation that it is OK to do and works.

• Anonymous
  January 21, 2016
  Hi, After Encription web.config file for connection string, After moving config file for production the file gets overritten often at irregular intervals. Due to which our application is redirecting to login page. Kindly let me know the solutions ASAP.