This repository has been archived by the owner. It is now read-only.

DataProtection no longer uses the correct default when hosted in the IIS/Kestrel combination #102

Closed
blowdart opened this issue Nov 11, 2015 · 6 comments

Comments

@blowdart
Member

commented Nov 11, 2015

When I start an IIS-hosted app, Data Protection self-configures as ephemeral keys, that is, it holds a key chain in memory and throws it away once the app stops. This is a huge regression from Helios.

You can see this by turning on verbose logging

warning : [Microsoft.Framework.DependencyInjection.DataProtectionServices] Neither user profile nor HKLM registry available. Using an ephemeral key repository. Protected data will be unavailable when application exits.
warning : [Microsoft.AspNet.DataProtection.Repositories.EphemeralXmlRepository] Using an in-memory repository. Keys will not be persisted to storage.

The expected behavior is store keys in the registry, protected using machine level DPAPI.

If the same app is run via web.cmd you get what I would expect, because you're running under a user profile. IIS Express also has the correct behavior, again because a user profile is available.

info    : [Microsoft.Framework.DependencyInjection.DataProtectionServices] Userprofile is available. Using 'C:\Users\bdorrans\AppData\Local\ASP.NET\DataProtection-Keys' as key repository and Windows DPAPI to encrypt keys at rest.

The configuration code lies in DataProtectionServices.cs.

@blowdart blowdart added the bug label Nov 11, 2015

@pakrym pakrym added the 2 - Working label Nov 11, 2015

@pakrym pakrym self-assigned this Nov 11, 2015

@blowdart

Member Author

commented Nov 11, 2015

For now you can fix it by changing the app pool to load the user profile. This will then act like IIS Express, and use the file system.

@pakrym

Member

commented Nov 12, 2015

Cause of the issue is that SOFTWARE\Microsoft\ASP.NET\4.0.30319.0\AutoGenKeys does not exist.
And that happens because:

  1. We are running the wrong bitness of dnx vs w3wp,
     or
  2. The app domain doesn't have the CLR set for it, so IIS doesn't create a key for us (which it does only when running a managed domain).

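As an added example (not code from this issue, the DataProtection repository, or the script linked in the next comment), the PowerShell below applies either of the two remedies discussed so far: the "load user profile" workaround from the earlier comment, or provisioning the AutoGenKeys registry key that IIS did not create for the app pool. Assumptions, none of which the thread states: the app pool runs as the virtual account IIS AppPool\<name>, the key repository looks for a per-identity SID subkey under the AutoGenKeys path quoted above and needs write access to it, and the key is created in both the 64-bit and 32-bit registry views to cover the bitness mismatch in point 1 (a 32-bit process sees HKLM\SOFTWARE through WOW6432Node).

```powershell
#Requires -RunAsAdministrator
# Added example; not from the issue, DataProtection or IIS. Assumptions are marked.
param(
    [Parameter(Mandatory)][string]$AppPoolName,
    # Assumption: pool runs as ApplicationPoolIdentity. Override for a custom account.
    [string]$Identity = "IIS AppPool\$AppPoolName",
    # Apply the thread's workaround (load the user profile) instead of creating the key.
    [switch]$LoadUserProfile
)

Import-Module WebAdministration
$poolPath = "IIS:\AppPools\$AppPoolName"
if (-not (Test-Path $poolPath)) { throw "App pool '$AppPoolName' not found" }

if ($LoadUserProfile) {
    # With a profile loaded, DataProtection behaves as under IIS Express and keys
    # go to %LOCALAPPDATA%\ASP.NET\DataProtection-Keys, protected with user DPAPI.
    Set-ItemProperty $poolPath -Name processModel.loadUserProfile -Value $true
    Write-Host "Enabled loadUserProfile on '$AppPoolName'; recycle the pool to apply."
    return
}

# Resolve the pool identity to its SID; the per-SID subkey layout is an assumption.
$account = New-Object System.Security.Principal.NTAccount($Identity)
$sid = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value

# Grant only the pool identity full control of its own subkey (inherited by children).
$ruleArgs = @(
    $account,
    [System.Security.AccessControl.RegistryRights]::FullControl,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit,ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow
)
$rule = New-Object System.Security.AccessControl.RegistryAccessRule -ArgumentList $ruleArgs

$relative = 'SOFTWARE\Microsoft\ASP.NET\4.0.30319.0\AutoGenKeys'
foreach ($viewName in 'Registry64', 'Registry32') {
    # Both views so the key is found whether w3wp/dnx run 32- or 64-bit (point 1 above).
    $view = [Microsoft.Win32.RegistryView]$viewName
    $hklm = [Microsoft.Win32.RegistryKey]::OpenBaseKey(
        [Microsoft.Win32.RegistryHive]::LocalMachine, $view)
    $parent = $hklm.CreateSubKey($relative)   # creates the path if IIS never did
    $key = $parent.CreateSubKey($sid)
    $acl = $key.GetAccessControl()
    $acl.AddAccessRule($rule)
    $key.SetAccessControl($acl)
    Write-Host "Provisioned ($viewName) HKLM\$relative\$sid for '$Identity'"
    $key.Close(); $parent.Close(); $hklm.Close()
}
Write-Host "Recycle '$AppPoolName' and re-check the DataProtection startup log line."
```

After running it, the verbose startup log should no longer report "Neither user profile nor HKLM registry available"; if it still does, confirm that the identity w3wp actually runs under matches the SID you provisioned and that the process bitness matches the view that holds the key. Keys stored this way are still only as protected as the ACL on the subkey and machine-level DPAPI allow, so keep the grant limited to the pool identity rather than Users or Everyone.
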
@pakrym

Member

commented Nov 14, 2015

Script that seems to solve the issue: #106

@muratg


commented May 25, 2016

@blowdart What should we do with this bug? Is it only providing documentation and scripts, plus trying to get IIS implement what we want? If so, can we close this one?

Putting it in 1.0.1 for now as there doesn't seem to be an action in rtm.

@muratg muratg modified the milestones: 1.0.1, 1.0.0 May 25, 2016

@blowdart

Member Author

commented May 25, 2016

Yup, for now it's scripts. The request to fix it is in with the IIS folks, so we can bump it, and keep the pressure on.

@muratg


commented Sep 2, 2016

Closing this bug as there's no code change that can fix this on our stack. My understanding is this is purely an IIS fix that may or may not happen.
