Join GitHub today
GitHub is home to over 40 million developers working together to host and review code, manage projects, and build software together.Sign up
DataProtection no longer uses the correct default when hosted in the IIS/Kestrel combination #102
When I start an IIS hosted app Data Protection self configured as Ephemeral keys, that is it holds a key chain in memory and throws it away once the app stops. This is a huge regression from Helios.
You can see this by turning on verbose logging
The expected behavior is store keys in the registry, protected using machine level DPAPI.
If the same app is run via web.cmd you get what I would expect because you’re running under a user profile. IIS Express also has the correct behavior, again because a user profile is available
The configuration code lies in DataProtectionServices.cs
Cause of issue is that