CryptographicException when login with web impersonation
Moderator: SourceGear
- Posts: 9
- Joined: Tue May 25, 2004 12:47 am
Hi,
I have an error running a web application which uses the Vault API. The application is a C# ASPX .NET 2.0 application and uses impersonation with an Active Directory user. It works fine if I run the application on my PC using my own account (run in debug mode from Visual Studio). But if I change the impersonated user to another Active Directory user, I have the following error thrown when using the Login() method:
[CryptographicException: Le fichier spécifié est introuvable.
]
System.Security.Cryptography.CryptographicException.ThrowCryptogaphicException(Int32 hr) +33
System.Security.Cryptography.Utils._CreateCSP(CspParameters param, Boolean randomKeyContainer, SafeProvHandle& hProv) +0
System.Security.Cryptography.Utils.CreateProvHandle(CspParameters parameters, Boolean randomKeyContainer) +201
System.Security.Cryptography.RSACryptoServiceProvider.get_PersistKeyInCsp() +67
System.Security.Cryptography.RSACryptoServiceProvider.set_PersistKeyInCsp(Boolean value) +37
VaultLib.VaultUserCrypt.EncryptPassword(String strUnencryptedPassword, Byte[] publicKey, Byte[] exponent, String& strEncryptedPassword, String& strRMKey) +224
VaultClientNetLib.VaultConnection.Login(String strURLBase, String strUsername, String strPassword) +1616
VaultClientOperationsLib.ClientInstance.Login(String urlbase, String username, String password) +59
Vault.Connect(AccessLevelType LevelAccess) in c:\_Developpement\Projects\ManageVersion\WebSites\ManageVersion\App_Code\Vault.cs:160
GlobalParameters.get_VaultClient() in c:\_Developpement\Projects\ManageVersion\WebSites\ManageVersion\App_Code\Parameters.cs:645
StatusAndPatch.RefreshCheckOutNumber() in c:\_Developpement\Projects\ManageVersion\WebSites\ManageVersion\StatusAndPatch.aspx.cs:839
StatusAndPatch.RefreshCheckOut() in c:\_Developpement\Projects\ManageVersion\WebSites\ManageVersion\StatusAndPatch.aspx.cs:297
StatusAndPatch.ButtonRefresh_Click(Object sender, EventArgs e) in c:\_Developpement\Projects\ManageVersion\WebSites\ManageVersion\StatusAndPatch.aspx.cs:401
StatusAndPatch.Page_Load(Object sender, EventArgs e) in c:\_Developpement\Projects\ManageVersion\WebSites\ManageVersion\StatusAndPatch.aspx.cs:92
System.Web.Util.CalliHelper.EventArgFunctionCaller(IntPtr fp, Object o, Object t, EventArgs e) +31
System.Web.Util.CalliEventHandlerDelegateProxy.Callback(Object sender, EventArgs e) +68
System.Web.UI.Control.OnLoad(EventArgs e) +88
System.Web.UI.Control.LoadRecursive() +74
System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +3035
The problem is ONLY when running in debug mode from within Visual Studio 2005. When I publish the web site it runs ok.
I have tried the following:
- Make the new user a member of the Administrators group on my PC
- Run the Identityswitcher_174 tool to change permissions
I still have the problem.
Any idea?
It looks like maybe the folder options are set to not show hidden folders on your server. Change that and then you should be able to go through the entire path and provide permissions to the account Vault is using for impersonation on the MachineKeys folder.
Do you have Admin permissions on the server?
Folder options are not set to hide system folders.
I have no Admin permissions on Vault Server.
I can't see how the problem can be on the server side, as it does work if I publish my site on my PC. It is only when running from within Visual Studio that it does not work. In both cases the same impersonation user is used.
You said it didn't work when you changed the account Vault runs under using the identity switcher tool. If you don't have proper permissions, not all the correct access will be set.
Also, it's not entirely clear what's being run where when you are running that app. If you have been using the IDE integration, then there are bindings involved when you have it open in Visual Studio and then those permissions come into play. When you just run something from disk, it's not going back to Vault for any information and thus doesn't need the permissions.
Here's something that will make this much clearer to me. Can you close Visual Studio and your app? Just open the Vault Client from your desktop and make yourself a test folder. Add some files and try performing regular operations with them: check out, edit, check in, view history, etc. If all that works, then that will point this in a different direction.
What you log into Vault as is not what will make a difference here. When you say "impersonate" I'm assuming you mean what the Vault software runs as.
On that note, what exact account is Vault running under (the domain user and the name you would have put into the identity switcher)?
Next, go to the C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys on the server and see if that exact account is there and that it has read/write. Then go into that folder and make sure the rights were inherited down.
This will all be stuff checked on the server side.
Also, when you say
Quote:
It works fine if I run the application on my PC using my own account
are you saying that the Vault server impersonation was using your active directory login? Or are you saying you used your Vault Login to log into your application?
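As an added diagnostic example (my own code, not from this thread and not SourceGear's), the following C# program repeats the steps the stack trace shows inside VaultUserCrypt.EncryptPassword (set PersistKeyInCsp on an RSACryptoServiceProvider, import a public key, encrypt) under whatever Windows identity runs it, first against the per-user key store and then against the machine key store under the MachineKeys folder named above. Running it as the web.config impersonation account, once from the Visual Studio debug host and once from the published IIS site, shows which identity and which key store is the one failing; the key pair it generates is a constructed throw-away, used only to have a public key to import.

```csharp
// Added diagnostic for the CryptographicException in this thread (not Vault code).
using System;
using System.Security.Cryptography;
using System.Security.Principal;

public static class CspProbe
{
    // Same sequence the stack trace shows in VaultUserCrypt.EncryptPassword:
    // setting PersistKeyInCsp makes the runtime open (or create) a key container
    // for the identity running this code, even though only a public key is used.
    public static string Probe(RSAParameters publicKey, bool machineStore)
    {
        string who = WindowsIdentity.GetCurrent().Name;
        string store = machineStore ? "machine key store" : "user key store";
        try
        {
            CspParameters csp = new CspParameters();
            if (machineStore)
            {
                // The machine store lives under MachineKeys and does not depend on
                // the impersonated account's user profile being loaded (general
                // .NET CSP behaviour, not something this thread establishes).
                csp.Flags = CspProviderFlags.UseMachineKeyStore;
            }
            using (RSACryptoServiceProvider rsa = new RSACryptoServiceProvider(csp))
            {
                rsa.PersistKeyInCsp = false;          // the call that fails in the trace
                rsa.ImportParameters(publicKey);
                rsa.Encrypt(new byte[16], false);     // public-key operation only
            }
            return who + ": " + store + " OK";
        }
        catch (CryptographicException ex)
        {
            return who + ": " + store + " FAILED: " + ex.Message;
        }
    }

    public static void Main()
    {
        // Constructed throw-away key pair, only to obtain a public key to import;
        // generated in the machine store so a broken user store cannot stop the
        // probe before it starts.
        CspParameters gen = new CspParameters();
        gen.Flags = CspProviderFlags.UseMachineKeyStore;
        RSAParameters pub;
        using (RSACryptoServiceProvider keyGen = new RSACryptoServiceProvider(1024, gen))
        {
            pub = keyGen.ExportParameters(false);
            keyGen.PersistKeyInCsp = false;           // discard the container afterwards
        }
        Console.WriteLine(Probe(pub, false));
        Console.WriteLine(Probe(pub, true));
    }
}
```

If the user-store probe fails only under the debugger while the machine-store probe succeeds, the account named in the first line of output is the one whose profile or MachineKeys ACL needs checking.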
What you log into Vault as is not what will make a difference here. When you say "impersonate" I'm assuming you mean what the Vault software runs as.
-> What I mean is that I made the test twice, opening a Windows session with each Windows account.
-> Impersonation is set in the web.config file of my web application. It tells IIS to run the .NET components as the given Windows user account. The web application runs the Vault API using this mechanism.
On that note, what exact account is Vault running under (the domain user and the name you would have put into the identity switcher)?
-> The application impersonation user = user I put into Identity switcher
-> Regarding the Vault Client, I made two tests with each account, as said above.
Next, go to the C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys on the server and see if that exact account is there and that it has read/write. Then go into that folder and make sure the rights were inherited down.
-> Gulps... On the Vault server I can't see this folder (see previous posts).
Also, when you say Quote:
It works fine if I run the application on my PC using my own account
are you saying that the Vault server impersonation was using your active directory login? Or are you saying you used your Vault Login to log into your application?
-> I mean my application web.config impersonation was using my active directory login.
I think I'm very confused here. If you do not have admin permissions on the server, then you cannot change what Vault runs under with the identity switcher tool. It may run, but it's not getting access to make the proper security changes. I'm thinking that is what is going wrong here.
When your web app runs under your active directory name, is that the same that you use to log into Vault? (Are you using Active Directory authentication with Vault?)