CryptographicException when login with web impersonation

This forum is now locked, since Gold Support is no longer offered.

Moderator: SourceGear

olivier.destrade
Posts: 9
Joined: Tue May 25, 2004 12:47 am

Post by olivier.destrade » Thu Mar 15, 2007 3:41 am

Hi,

I have an error running a web application which uses the Vault API. The application is a C# aspx .net 2.0 and uses impersonation with an active directory user. It works fine if I run the application on my PC using my own account (run in debug mode from Visual Studio). But, if I change the impersonate user to another active directory user, I have the following error thrown when using the Login() method:

[CryptographicException: Le fichier spécifié est introuvable.
]
System.Security.Cryptography.CryptographicException.ThrowCryptogaphicException(Int32 hr) +33
System.Security.Cryptography.Utils._CreateCSP(CspParameters param, Boolean randomKeyContainer, SafeProvHandle& hProv) +0
System.Security.Cryptography.Utils.CreateProvHandle(CspParameters parameters, Boolean randomKeyContainer) +201
System.Security.Cryptography.RSACryptoServiceProvider.get_PersistKeyInCsp() +67
System.Security.Cryptography.RSACryptoServiceProvider.set_PersistKeyInCsp(Boolean value) +37
VaultLib.VaultUserCrypt.EncryptPassword(String strUnencryptedPassword, Byte[] publicKey, Byte[] exponent, String& strEncryptedPassword, String& strRMKey) +224
VaultClientNetLib.VaultConnection.Login(String strURLBase, String strUsername, String strPassword) +1616
VaultClientOperationsLib.ClientInstance.Login(String urlbase, String username, String password) +59
Vault.Connect(AccessLevelType LevelAccess) in c:\_Developpement\Projects\ManageVersion\WebSites\ManageVersion\App_Code\Vault.cs:160
GlobalParameters.get_VaultClient() in c:\_Developpement\Projects\ManageVersion\WebSites\ManageVersion\App_Code\Parameters.cs:645
StatusAndPatch.RefreshCheckOutNumber() in c:\_Developpement\Projects\ManageVersion\WebSites\ManageVersion\StatusAndPatch.aspx.cs:839
StatusAndPatch.RefreshCheckOut() in c:\_Developpement\Projects\ManageVersion\WebSites\ManageVersion\StatusAndPatch.aspx.cs:297
StatusAndPatch.ButtonRefresh_Click(Object sender, EventArgs e) in c:\_Developpement\Projects\ManageVersion\WebSites\ManageVersion\StatusAndPatch.aspx.cs:401
StatusAndPatch.Page_Load(Object sender, EventArgs e) in c:\_Developpement\Projects\ManageVersion\WebSites\ManageVersion\StatusAndPatch.aspx.cs:92
System.Web.Util.CalliHelper.EventArgFunctionCaller(IntPtr fp, Object o, Object t, EventArgs e) +31
System.Web.Util.CalliEventHandlerDelegateProxy.Callback(Object sender, EventArgs e) +68
System.Web.UI.Control.OnLoad(EventArgs e) +88
System.Web.UI.Control.LoadRecursive() +74
System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +3035

The problem is ONLY when running in debug mode from within Visual Studio 2005. When I publish the web site it runs ok.

I have tried the following:
- Make the new user member of the Administrators on my PC
- Run the Identityswitcher_174 tool to change permissions
I still have the pain.

Any idea?

lbauer
Posts: 9736
Joined: Tue Dec 16, 2003 1:25 pm
Location: SourceGear

Post by lbauer » Thu Mar 15, 2007 8:03 am

Linda Bauer
SourceGear
Technical Support Manager

olivier.destrade
Posts: 9
Joined: Tue May 25, 2004 12:47 am

Post by olivier.destrade » Thu Mar 15, 2007 9:28 am

I'm running XP Pro (development platform) with SP2.

Vault server is under Windows 2003.

On the Vault server, there is no folder Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys

On my machine, which runs IIS, I have no file with name beginning with edb3...

Beth
Posts: 8550
Joined: Wed Jun 21, 2006 8:24 pm
Location: SourceGear

Post by Beth » Wed Mar 21, 2007 10:05 am

How far down the path, Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys, can you see?

olivier.destrade
Posts: 9
Joined: Tue May 25, 2004 12:47 am

Post by olivier.destrade » Thu Mar 22, 2007 3:05 am

- On my PC (I am in the Administrators group):
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys

- On the Vault server:
C:\Documents and Settings\All Users

Beth
Posts: 8550
Joined: Wed Jun 21, 2006 8:24 pm
Location: SourceGear

Post by Beth » Thu Mar 22, 2007 7:47 am

It looks like maybe the folder options are set to not show hidden folders on your server. Change that and then you should be able to go through the entire path and provide permissions to the account Vault is using for impersonation on the MachineKeys folder.

Do you have Admin permissions on the server?

olivier.destrade
Posts: 9
Joined: Tue May 25, 2004 12:47 am

Post by olivier.destrade » Thu Mar 22, 2007 9:33 am

Folder options are not set to hide system folders.
I have no Admin permissions on Vault Server.

I can't see how the problem can be on the server side, as it does work if I publish my site on my PC. It is only when running from within Visual Studio that it does not work. In both cases the same impersonation user is used.

Beth
Posts: 8550
Joined: Wed Jun 21, 2006 8:24 pm
Location: SourceGear

Post by Beth » Thu Mar 22, 2007 10:20 am

You said it didn't work when you changed the account Vault runs under using the identity switcher tool. If you don't have proper permissions, not all the correct access will be set.

Also, it's not entirely clear what's being run where when you are running that app. If you have been using the IDE integration, then there are bindings involved when you have it open in Visual Studio and then those permissions come into play. When you just run something from disk, it's not going back to Vault for any information and thus doesn't need the permissions.

Here's something that will make this much clearer to me. Can you close your Visual Studio and your app. Just open the Vault Client from your desk top and make yourself a test folder. Add some files and try performing regular operations with them. Check out, edit, check in, view history, etc. If all that works, then that will point this in a different direction.

olivier.destrade
Posts: 9
Joined: Tue May 25, 2004 12:47 am

Post by olivier.destrade » Thu Mar 22, 2007 10:42 am

Done.
Check out, edit, check in, are working from the Vault Client. I have tried logging in on both user accounts: my own domain account, and the custom domain account used for the web application impersonation. It all works.

Beth
Posts: 8550
Joined: Wed Jun 21, 2006 8:24 pm
Location: SourceGear

Post by Beth » Thu Mar 22, 2007 3:56 pm

What you log into Vault as is not what will make a difference here. When you say "impersonate" I'm assuming you mean what the Vault software runs as.

On that note, what exact account is Vault running under (the domain user and the name you would have put into the identity switcher)?

Next, go to the C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys on the server and see if that exact account is there and that it has read/write. Then go into that folder and make sure the rights were inherited down.

This will all be stuff checked on the server side.

Also, when you say
"It works fine if I run the application on my PC using my own account"
are you saying that the Vault server impersonation was using your active directory login? Or are you saying you used your Vault Login to log into your application?

olivier.destrade
Posts: 9
Joined: Tue May 25, 2004 12:47 am

Post by olivier.destrade » Fri Mar 23, 2007 6:15 am

What you log into Vault as is not what will make a difference here. When you say "impersonate" I'm assuming you mean what the Vault software runs as.
-> What I mean is that I made the test twice, opening a Windows session with each Windows account.
-> Impersonation is set in the web.config file of my web application. It tells IIS to run the .net components as the given Windows user account. The web application runs the Vault API using this mechanism.

On that note, what exact account is Vault running under (the domain user and the name you would have put into the identity switcher)?
-> The application impersonation user = user I put into Identity switcher
-> Regarding the Vault Client, I made two tests with each account, as said above.

Next, go to the C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys on the server and see if that exact account is there and that it has read/write. Then go into that folder and make sure the rights were inherited down.
-> Gulps... On the Vault server I can't see this folder (see previous posts).

Also, when you say
"It works fine if I run the application on my PC using my own account"
are you saying that the Vault server impersonation was using your active directory login? Or are you saying you used your Vault Login to log into your application?
-> I mean my application web.config impersonation was using my active directory login.

Beth
Posts: 8550
Joined: Wed Jun 21, 2006 8:24 pm
Location: SourceGear

Post by Beth » Fri Mar 23, 2007 2:01 pm

I think I'm very confused here. If you do not have admin permissions on the server, then you cannot change what Vault runs under with the identity switcher tool. It may run, but it's not getting access to make the proper security changes. I'm thinking that is what is going wrong here.

When your web app runs under your active directory name, is that the same that you use to log into Vault? (Are you using Active Directory authentication with Vault?)

olivier.destrade
Posts: 9
Joined: Tue May 25, 2004 12:47 am

Post by olivier.destrade » Sat Mar 24, 2007 12:41 am

I have run the Identity switcher on my PC (hosting the IIS for my web application). Not on the Vault server.

We are using version 3.1.2 of Vault: no windows authentication.

Beth
Posts: 8550
Joined: Wed Jun 21, 2006 8:24 pm
Location: SourceGear

Post by Beth » Mon Mar 26, 2007 12:34 pm

After going over this several times, I still think what you are going to have to do here is get an administrator to provide the permissions needed to the folder C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys.
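
The folder check described in this thread (does the impersonation account have read/write on MachineKeys, and do the files inside carry it too) can be scripted. This is an added example, not code from the thread's participants or from SourceGear. The account name is a placeholder, and the script only matches access entries that name the account directly, so rights granted through group membership are not evaluated.

```powershell
# Added example: report whether one account has read/write on the MachineKeys
# folder and on the key files inside it. Run it as an administrator.
param(
    # Folder path as quoted in the thread (Windows XP / Server 2003 layout).
    [string]$KeyDir  = 'C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys',
    # Placeholder: replace with the account the web application impersonates.
    [string]$Account = 'EXAMPLE\webapp-svc'
)

function Test-AccountAccess {
    param([string]$Path, [string]$Identity, [string]$Rights = 'Read, Write')
    $want  = [int][System.Security.AccessControl.FileSystemRights]$Rights
    $allow = 0
    $deny  = 0
    $acl = Get-Acl -Path $Path -ErrorAction SilentlyContinue
    if ($null -eq $acl) { return $false }   # ACL unreadable: treat as no access
    foreach ($rule in $acl.Access) {
        # Only entries naming the account itself; group entries are ignored.
        if ($rule.IdentityReference.Value -ne $Identity) { continue }
        if ($rule.AccessControlType -eq 'Allow') {
            $allow = $allow -bor [int]$rule.FileSystemRights
        } else {
            $deny = $deny -bor [int]$rule.FileSystemRights
        }
    }
    # Every wanted bit must be allowed, and none of them denied.
    return ((($allow -band $want) -eq $want) -and (($deny -band $want) -eq 0))
}

if (-not (Test-Path -Path $KeyDir)) {
    # Matches the symptom in the thread: a non-admin session cannot see the folder.
    Write-Output "Not visible to this session: $KeyDir"
    return
}

$folderOk = Test-AccountAccess -Path $KeyDir -Identity $Account
Write-Output "Folder read/write for ${Account}: $folderOk"

# -Force includes hidden and system files, which is how key files are stored.
$missing = @(Get-ChildItem -Path $KeyDir -Force |
    Where-Object { -not (Test-AccountAccess -Path $_.FullName -Identity $Account) })
Write-Output "Files without a direct read/write entry for ${Account}: $($missing.Count)"
$missing | ForEach-Object { Write-Output "  $($_.Name)" }
```

Any fix based on the report should add an entry for that one account only; the folder holds machine-wide private keys, so broad grants on it expose them to every local user.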
