Data Protection in ASP.NET Core 9 works on Windows 11, fails on Windows Server - Stack Overflow
I have an ASP.NET Core application running under IIS where I configure data protection using this code:
var dataProtectionEncryptionCertificate = X509CertificateLoader.LoadPkcs12FromFile(path, password);
services.AddDataProtection()
    .PersistKeysToFileSystem(dataProtectionPathDI)
    .SetDefaultKeyLifetime(TimeSpan.FromDays(100 * 365))
    .ProtectKeysWithCertificate(dataProtectionEncryptionCertificate);
All variables are correct and the certificate is loaded without any issue. It also contains the private key. Data protection keys are correctly created in the path provided by dataProtectionPathDI, so permissions seem to be OK. Just in case I tried also giving full control to the data protection paths (both the location of the certificate and the location for the keys) to Everyone, without any change in behavior.
I have two machines, one Windows 11 Pro and one Windows Server 2019.
On the Windows 11 Pro machine, restarting IIS has no negative effect: the data protection key created on initial use is reused and the application runs fine.
On the Windows Server 2019 machine, restarting IIS causes it to try to read the initially created key but it fails with an error, so a new key is created. This invalidates all existing tokens and causes problems with the application. The error and warning I receive in the log are:
Error: An exception occurred while processing the key element '<key id="618da4c7-9d25-4568-a62d-09ddd301db3b" version="1" />'.
Warn: Key {618da4c7-9d25-4568-a62d-09ddd301db3b} is ineligible to be the default key because its CreateEncryptor method failed after the maximum number of retries.
Turning on Trace and Debug for the log, I get these details:
Debug: Reading data from file 'C:\DataProtectionKeys\key-618da4c7-9d25-4568-a62d-09ddd301db3b.xml'.
Debug: Found key {618da4c7-9d25-4568-a62d-09ddd301db3b}.
Debug: Considering key {618da4c7-9d25-4568-a62d-09ddd301db3b} with expiration date 2125-02-14 20:19:43Z as default key.
Debug: Forwarded activator type request from Microsoft.AspNetCore.DataProtection.XmlEncryption.EncryptedXmlDecryptor, Microsoft.AspNetCore.DataProtection, Version=9.0.0.0, Culture=neutral, PublicKeyToken=adb9793829ddae60 to Microsoft.AspNetCore.DataProtection.XmlEncryption.EncryptedXmlDecryptor, Microsoft.AspNetCore.DataProtection, Culture=neutral, PublicKeyToken=adb9793829ddae60
Error: An exception occurred while processing the key element '<key id="618da4c7-9d25-4568-a62d-09ddd301db3b" version="1" />'.
Trace: An exception occurred while processing the key element '<key id="618da4c7-9d25-4568-a62d-09ddd301db3b" version="1">
  <creationDate>2025-03-10T20:19:43.5963112Z</creationDate>
  <activationDate>2025-03-10T20:19:43.5963112Z</activationDate>
  <expirationDate>2125-02-14T20:19:43.5963112Z</expirationDate>
  <descriptor deserializerType="Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.AuthenticatedEncryptorDescriptorDeserializer, Microsoft.AspNetCore.DataProtection, Version=9.0.0.0, Culture=neutral, PublicKeyToken=adb9793829ddae60">
    <descriptor>
      <encryption algorithm="AES_256_CBC" />
      <validation algorithm="HMACSHA256" />
      <encryptedSecret decryptorType="Microsoft.AspNetCore.DataProtection.XmlEncryption.EncryptedXmlDecryptor, Microsoft.AspNetCore.DataProtection, Version=9.0.0.0, Culture=neutral, PublicKeyToken=adb9793829ddae60" xmlns="http://schemas.asp.net/2015/03/dataProtection">
        <EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element" xmlns="http://www.w3.org/2001/04/xmlenc#">
          <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc" />
          <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
            <EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#">
              <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
              <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
                <X509Data>
                  <X509Certificate>MIIDGjCCAgKgAwI...NgyW0QdIYkO</X509Certificate>
                </X509Data>
              </KeyInfo>
              <CipherData>
                <CipherValue>LpIVIjb9h5sZdrRWxk...LPqHC53bw==</CipherValue>
              </CipherData>
            </EncryptedKey>
          </KeyInfo>
          <CipherData>
            <CipherValue>pf04vUsQsLUUTrDZ9rb...SCKQSew==</CipherValue>
          </CipherData>
        </EncryptedData>
      </encryptedSecret>
    </descriptor>
  </descriptor>
</key>'.
Debug: Key {618da4c7-9d25-4568-a62d-09ddd301db3b} method CreateEncryptor failed. Retrying.
Unfortunately, there are no details about the exact exception.
As I am loading the certificate for the key encryption from a file and this file is always the same and unchanged, I expect that the keys can be decrypted without an issue, like it works on the Windows 11 Pro machine but this is not the case.
What am I missing?
asked Mar 10 at 20:55 by Vladimir; edited Mar 12 at 6:24 by Jason
Comment (Jason, Mar 12 at 6:24): Please try testing with .NET 8 as we need to determine if this is a .NET 9 issue. If not, we can further explore the differences between Data Protection on Windows 11 and Windows Server 2019.
1 Answer
When decrypting data, EncryptedXml searches for the corresponding certificate and private key in the Windows certificate store, based on the certificate thumbprint in the key file. If the certificate is not installed in the store, decryption will fail.
So we need to install the certificate in the LocalMachine store, or install it manually on Windows Server 2019.
You can try to use below code:
using System;
using System.IO;
using System.Security.Cryptography.X509Certificates;

// Load the PFX with an exportable, persisted private key so the copy placed in the
// store keeps its private key. (In .NET 9 this constructor is marked obsolete, SYSLIB0057;
// X509CertificateLoader.LoadPkcs12FromFile(path, password, flags) is the replacement and
// accepts the same X509KeyStorageFlags.)
var cert = new X509Certificate2("cert.pfx", "password",
    X509KeyStorageFlags.Exportable | X509KeyStorageFlags.PersistKeySet);

// Put the certificate (with its private key) into LocalMachine\My, where EncryptedXml
// looks it up by thumbprint when decrypting the persisted key ring.
using (var store = new X509Store(StoreName.My, StoreLocation.LocalMachine))
{
    store.Open(OpenFlags.ReadWrite);
    store.Add(cert);
    store.Close();
}

services.AddDataProtection()
    .PersistKeysToFileSystem(new DirectoryInfo(dataProtectionPathDI))
    .SetDefaultKeyLifetime(TimeSpan.FromDays(100 * 365))
    .ProtectKeysWithCertificate(cert);
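The log in the question says only that CreateEncryptor failed; it never shows the underlying exception, so the first thing to establish on the failing server is whether the process identity can actually reach the private key that wraps the key file. The console program below is an added diagnostic, not code from the question or the answer above. It reads one persisted key-*.xml file of the shape shown in the trace, extracts the embedded X509Certificate and the RSA-wrapped session key from the EncryptedKey element, reports whether that exact thumbprint is present (with a private key) in CurrentUser\My and LocalMachine\My, and then attempts the unwrap with the PFX from disk so the real CryptographicException surfaces. The file paths and PFX password are command-line arguments (an assumption of this example); the padding choice follows the EncryptionMethod in the file, which in the trace is rsa-1_5 (PKCS#1 v1.5). It needs .NET 9 for X509CertificateLoader, the same API the question already uses.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Xml;

// Added diagnostic for a certificate-protected ASP.NET Core Data Protection key file.
// Run it under the same Windows identity as the IIS application pool to see what the app sees.
static class DataProtectionKeyDiagnostic
{
    // Namespaces exactly as they appear in the key XML (see the trace in the question).
    const string XmlEncNs = "http://www.w3.org/2001/04/xmlenc#";
    const string XmlDsigNs = "http://www.w3.org/2000/09/xmldsig#";

    static int Main(string[] args)
    {
        if (args.Length < 2)
        {
            Console.Error.WriteLine("usage: <key-xml-file> <pfx-path> [pfx-password]");
            return 2;
        }
        string keyFile = args[0];     // e.g. C:\DataProtectionKeys\key-<id>.xml (path is an assumption)
        string pfxPath = args[1];     // the PFX passed to ProtectKeysWithCertificate
        string pfxPassword = args.Length > 2 ? args[2] : "";

        var doc = new XmlDocument { PreserveWhitespace = true };
        doc.Load(keyFile);
        var ns = new XmlNamespaceManager(doc.NameTable);
        ns.AddNamespace("enc", XmlEncNs);
        ns.AddNamespace("ds", XmlDsigNs);

        // The wrapping certificate and the RSA-wrapped AES key both live under <EncryptedKey>.
        XmlNode encryptedKey = doc.SelectSingleNode("//enc:EncryptedKey", ns)
            ?? throw new InvalidOperationException("no EncryptedKey element; key is not certificate-protected");
        string certB64 = encryptedKey.SelectSingleNode(".//ds:X509Certificate", ns)?.InnerText
            ?? throw new InvalidOperationException("EncryptedKey carries no X509Certificate");
        string wrappedKeyB64 = encryptedKey.SelectSingleNode("enc:CipherData/enc:CipherValue", ns)?.InnerText
            ?? throw new InvalidOperationException("EncryptedKey carries no CipherValue");
        string algorithm = encryptedKey.SelectSingleNode("enc:EncryptionMethod/@Algorithm", ns)?.Value ?? "";

        var embedded = X509CertificateLoader.LoadCertificate(Convert.FromBase64String(certB64));
        Console.WriteLine($"key file wraps its secret with: {embedded.Subject}  thumbprint {embedded.Thumbprint}");
        Console.WriteLine($"key-wrapping algorithm: {algorithm}");

        // 1) Is that certificate in a store, and does the store copy expose a private key to this identity?
        foreach (var location in new[] { StoreLocation.CurrentUser, StoreLocation.LocalMachine })
        {
            using var store = new X509Store(StoreName.My, location);
            store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
            var hit = store.Certificates
                .Find(X509FindType.FindByThumbprint, embedded.Thumbprint, validOnly: false)
                .Cast<X509Certificate2>()
                .FirstOrDefault();
            Console.WriteLine(hit is null
                ? $"{location}\\My: not present"
                : $"{location}\\My: present, HasPrivateKey={hit.HasPrivateKey}");
        }

        // 2) Can the PFX on disk unwrap the session key? This is the step whose exception the
        //    "CreateEncryptor method failed" warning hides.
        var pfx = X509CertificateLoader.LoadPkcs12FromFile(pfxPath, pfxPassword);
        Console.WriteLine($"PFX: {pfx.Subject}  thumbprint {pfx.Thumbprint}  HasPrivateKey={pfx.HasPrivateKey}");
        if (!string.Equals(pfx.Thumbprint, embedded.Thumbprint, StringComparison.OrdinalIgnoreCase))
            Console.WriteLine("MISMATCH: this PFX is not the certificate that wrapped the key file");

        try
        {
            using RSA rsa = pfx.GetRSAPrivateKey()
                ?? throw new CryptographicException("PFX exposes no usable RSA private key to this identity");
            // EncryptedXml defaults to rsa-1_5 (PKCS#1 v1.5) for key transport; honour OAEP if the file says so.
            RSAEncryptionPadding padding = algorithm.EndsWith("rsa-oaep-mgf1p", StringComparison.Ordinal)
                ? RSAEncryptionPadding.OaepSHA1
                : RSAEncryptionPadding.Pkcs1;
            byte[] sessionKey = rsa.Decrypt(Convert.FromBase64String(wrappedKeyB64), padding);
            Console.WriteLine($"unwrap OK: recovered a {sessionKey.Length * 8}-bit session key (AES_256_CBC expects 256)");
            CryptographicOperations.ZeroMemory(sessionKey);   // do not leave the key material in memory
            return 0;
        }
        catch (CryptographicException ex)
        {
            Console.WriteLine($"unwrap FAILED: {ex.GetType().Name}: {ex.Message}");
            return 1;
        }
    }
}
```

Run it on both machines with the same key file and PFX, for example `dotnet run -- C:\DataProtectionKeys\key-618da4c7-9d25-4568-a62d-09ddd301db3b.xml C:\path\to\cert.pfx <password>`, and compare the output: a thumbprint mismatch, a store entry without a usable private key, or a CryptographicException from the unwrap each point to a different fix, and the exit code (0 on success, 1 on decryption failure) makes it easy to script the check as part of deployment validation.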