CryptoGraphicException: Access is denied

DaveSpicer
Posts: 3
Joined: Tue Aug 10, 2004 8:37 am

Post by DaveSpicer » Tue Aug 10, 2004 8:56 am

I get this error message every time I create a new user in the Admin module:

System.Security.Cryptography.CryptographicException: Access is denied
at System.Security.Cryptography.RSACryptoServiceProvider._GenerateKey

The user ends up in the SQL db however.

I am attempting to run a demo version of Vault on Web Edition Windows Server 2003. The SQL DB is on another Standard Windows Server 2003 on the network. I am logging in on the web server itself.
The admin user works fine. The other users (once "created") cannot login as they get an "Encryption failure(Fail encryption)" message.

Another post suggested granting full rights to "everyone" in \Documents and settings\All users\Application data\Microsoft\Crypto\RSA\Machinekeys, but this hasn't helped.

Any help would be appreciated - we are interested in purchasing Vault, but only if it works in our environment....

Thanks

jclausius
Posts: 3706
Joined: Tue Dec 16, 2003 1:17 pm
Location: SourceGear

Post by jclausius » Tue Aug 10, 2004 10:02 am

Dave:

A couple of suggestions here:

1) What information is available in the server's sgvault.log? By default, this can be found in %windir%\temp\sgvault\sgvault.log. Can you post the error message? Does this KB article apply: CryptoAPI error on Windows Server 2003 IIS5.0 isolation mode

2) RSA Security Key Files may have been created with incorrect security permissions.

Delete the following files, if present in %ALLUSERSPROFILE%\Application Data\Microsoft\Crypto\RSA\MachineKeys:
- e84773cfb2b455e1caa06b53c81fcab1_*
- edb3f753ca89beb7d17f32a80a447d75_*

Also, double check your permissions on the directory. Your ASP.NET Process Account should have read, write, and modify on the folder %ALLUSERSPROFILE%\Application Data\Microsoft\Crypto\RSA\MachineKeys.

Note, on later versions of IIS and Windows (starting with Windows 7), Microsoft switched to an Application Pool Identity for running IIS Applications. To identify the Application Pool Identity, use the IIS Admin Tool (inetmgr.exe), and look at the "Basic Settings" for the VaultService app under the installed Web Site (highlight the VaultService app and click "Basic Settings..."). By default, this will be the VaultAppPool. Next traverse to Application Pools within the IIS Manager, find the Vault Service application pool (again, VaultAppPool by default), and look at the "Identity". Make note of that value.

Then from within Folder Permissions, you will assign that account read, write and modify on the folder %ALLUSERSPROFILE%\Application Data\Microsoft\Crypto\RSA\MachineKeys for that ASP.NET account. Note, if the VaultAppPool is using "ApplicationPoolIdentity", you would use the format of "IIS AppPool\<pool_name>" for the user account. For example, on a default installation "IIS AppPool\VaultAppPool" would be the user account to grant permissions to.

Also note, if the "CryptoGraphicException: Access is denied" error appears in the other Vault related log files, then changes to permissions might be required to ALL of the processes for the various Vault related Application Pools seen within the IIS Manager (SgDavAppPool, VaultAppPool, VaultIndexAppPool, VaultNotifyAppPool, and VaultShadowFolderAppPool).

See https://docs.microsoft.com/en-us/iis/ma ... -resources for a more detailed explanation regarding how IIS Application Pools can be referenced to secure resources. Note, the Vault Application Pool will not be named DefaultAppPool, but the link is a reference explaining how IIS creates the names. The Application Pool assigned to the VaultService application should be used instead of DefaultAppPool.

3) I am not that familiar with the "Web edition" version of Windows 2003. Does the Web edition also configure the machine to act as a Primary Domain Controller?

If so, you may need to run the Vault Server under a Custom .Net impersonated account. See Running Vault Server under an Impersonated Windows Account to configure a Custom .Net account, and then try re-installing the Vault server using the Custom account configuration.
Jeff Clausius
SourceGear

DaveSpicer
Posts: 3
Joined: Tue Aug 10, 2004 8:37 am

Post by DaveSpicer » Tue Aug 10, 2004 10:45 am

Jeff,

1) IIS 6.0 is not running in IIS 5.0 isolation mode.
No error messages seem to appear in the log - all I get is this:
----2004/08/10 06:31:49 PM admin--magnet(192.168.10.2)--SSL Disabled
Login
----2004/08/10 06:32:15 PM admin--magnet(192.168.10.2)--SSL Disabled
Logout

2) neither of the files you mentioned exist in the RSA\MachineKeys folder...
I granted R/W/M rights for ASPNET to the folder, but still no joy.

3) Web edition is a "limited functionality" version of Server 2003, intended to support web server functionality only. It does not support SQL server and is not configured to act as a PDC, so there is no need to impersonate a windows account...

BTW
I have attempted to attach the error dialog as a JPG, but get this message:
Upload Error: Could not upload Attachment to ./files/vault_error.jpg.

jclausius
Posts: 3706
Joined: Tue Dec 16, 2003 1:17 pm
Location: SourceGear

Post by jclausius » Tue Aug 10, 2004 12:51 pm

DaveSpicer wrote: I granted R/W/M rights for ASPNET to the folder, but still no joy.

By default IIS 6.0 runs under the NETWORK SERVICE account. Was this changed in your configuration to LOCALMACHINE\ASPNET? You can verify the process account in the Identity of Vault Server's Application Pool's Properties -> Identity Tab.

Also, check your w3wp.exe's owner in task manager, it should provide the ASP.Net's process account.

If the account is NETWORK SERVICE, verify NETWORK SERVICE has the correct permissions to that directory.

As for the image, try a name like "davespicer_rsaerror.jpg"
Jeff Clausius
SourceGear

DaveSpicer
Posts: 3
Joined: Tue Aug 10, 2004 8:37 am

Post by DaveSpicer » Wed Aug 11, 2004 1:20 am

Jeff,

IIS 6.0 is running under the NETWORK SERVICE account.

w3wp.exe's owner was Administrator; I changed it to ASP.NET, but no joy.

NETWORK SERVICE did not have permissions to the directory. I granted them, but still not working.

I tried to attach the error dialog for you, but am getting:
"Upload Error: Could not upload Attachment to ./files/davespicer_rsaerror.jpg."


Dave

jclausius
Posts: 3706
Joined: Tue Dec 16, 2003 1:17 pm
Location: SourceGear

Post by jclausius » Wed Aug 11, 2004 6:53 am

DaveSpicer wrote: IIS 6.0 is running under the NETWORK SERVICE account.

w3wp.exe's owner was Administrator; I changed it to ASP.NET, but no joy.

NETWORK SERVICE did not have permissions to the directory. I granted them, but still not working.

I'm a bit confused.

If IIS 6.0 has NETWORK SERVICE as the identity account in Vault's application pool, then w3wp.exe should also be running as NETWORK SERVICE. If it is running as ASP.NET, how did you make the change?

Here's the description of the problem:

1) On NTFS drives, Vault needs read/write/modify security permissions to %ALLUSERSPROFILE%\Application Data\Microsoft\Crypto\RSA\MachineKeys.
2) IIS will run the Vault server under a Windows based account, which must get access to the directory in 1. By default, IIS 6's process is named w3wp.exe.

From the description you've provided, it seems there is a mismatch between the two.

When you installed the Vault server, which option did you choose for the ASP.Net process model? If a setting does not match ASP.Net's process configuration, Vault will not operate correctly.

If you can verify the Default App Pool is running under NETWORK SERVICE, and w3wp.exe is also running under NETWORK SERVICE, perhaps the easiest thing to do is to uninstall / reinstall the Vault server. Only this time around, keep the existing Vault database (you'll be prompted to drop the database on un-installation / installation). Also make sure you specify Machine (MACHINE\NETWORK SERVICE) as the ASP.Net process model.

If you need some more information about this, send me an email (click the email button below), and we can solve this problem off line.
Jeff Clausius
SourceGear
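The two jclausius replies above (the MachineKeys permission procedure in the first reply, and the "mismatch between the pool identity and the w3wp.exe owner" diagnosis in the last one) can be turned into a repeatable check. The following PowerShell is an added example, not SourceGear's code or anything posted in this thread. It assumes IIS 7 or later with the WebAdministration module (the "later versions of IIS" case the first reply describes; on IIS 6 / Windows 2003 you read the identity from the pool's Properties -> Identity tab as the reply says, and only the ACL part below applies), a pool named VaultAppPool, and an elevated prompt. The function names and the hyphen-separated warning text are mine. It deliberately grants Modify to the single worker account rather than "Everyone" Full Control as tried in the first post, because MachineKeys holds every machine-scope CAPI private-key container on the host, not just Vault's.

```powershell
# Added example (not SourceGear's code). Assumes IIS 7+ with the WebAdministration
# module and a pool named VaultAppPool; run from an elevated PowerShell prompt.
Import-Module WebAdministration

$PoolName = 'VaultAppPool'

# MachineKeys lives under %ALLUSERSPROFILE%. The 'Application Data' form is the
# Windows 2003 layout quoted in the thread; Vista and later drop that segment.
$MachineKeys = @(
    (Join-Path $env:ALLUSERSPROFILE 'Microsoft\Crypto\RSA\MachineKeys'),
    (Join-Path $env:ALLUSERSPROFILE 'Application Data\Microsoft\Crypto\RSA\MachineKeys')
) | Where-Object { Test-Path $_ } | Select-Object -First 1
if (-not $MachineKeys) { throw 'MachineKeys folder not found' }

# Map the pool's configured identityType to the account name an ACL will show.
function Get-AppPoolAccount {
    param([string]$Pool)
    $pm = Get-ItemProperty "IIS:\AppPools\$Pool" -Name processModel
    switch ($pm.identityType) {
        'ApplicationPoolIdentity' { "IIS AppPool\$Pool" }
        'NetworkService'          { 'NT AUTHORITY\NETWORK SERVICE' }
        'LocalService'            { 'NT AUTHORITY\LOCAL SERVICE' }
        'LocalSystem'             { 'NT AUTHORITY\SYSTEM' }
        'SpecificUser'            { $pm.userName }
        default { throw "Unexpected identityType '$($pm.identityType)' on pool $Pool" }
    }
}

# Who is each w3wp.exe actually running as? The -ap argument names its pool.
function Get-W3wpOwners {
    Get-CimInstance Win32_Process -Filter "Name = 'w3wp.exe'" | ForEach-Object {
        $o = Invoke-CimMethod -InputObject $_ -MethodName GetOwner
        [pscustomobject]@{
            ProcessId = $_.ProcessId
            Pool      = if ($_.CommandLine -match '-ap\s+"([^"]+)"') { $Matches[1] } else { '?' }
            Owner     = "$($o.Domain)\$($o.User)"
        }
    }
}

# True if an Allow ACE for $Account already carries Modify (which includes Read and Write).
function Test-ModifyAccess {
    param([string]$Path, [string]$Account)
    $need = [System.Security.AccessControl.FileSystemRights]::Modify
    foreach ($ace in (Get-Acl $Path).Access) {
        if ($ace.AccessControlType -eq 'Allow' -and
            $ace.IdentityReference.Value -eq $Account -and
            (($ace.FileSystemRights -band $need) -eq $need)) { return $true }
    }
    return $false
}

# Grant Modify (read/write/modify) to one account only, inheriting to new key files.
function Grant-ModifyAccess {
    param([string]$Path, [string]$Account)
    $acl  = Get-Acl $Path
    $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $Account, 'Modify', 'ContainerInherit, ObjectInherit', 'None', 'Allow'
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

# The two key-container prefixes the first reply says may carry a bad owner/ACL.
# This only lists them with their owners; deleting is left to the operator.
function Get-VaultKeyFiles {
    param([string]$Path)
    foreach ($p in 'e84773cfb2b455e1caa06b53c81fcab1_*', 'edb3f753ca89beb7d17f32a80a447d75_*') {
        Get-ChildItem -Path $Path -Filter $p -Force -ErrorAction SilentlyContinue |
            ForEach-Object { [pscustomobject]@{ File = $_.Name; Owner = (Get-Acl $_.FullName).Owner } }
    }
}

$account = Get-AppPoolAccount -Pool $PoolName
Write-Host "$PoolName is configured to run as $account"

# Last reply's point: the configured identity and the live worker owner must agree.
foreach ($w in Get-W3wpOwners | Where-Object Pool -eq $PoolName) {
    if ($w.Owner -ne $account) {
        Write-Warning "w3wp.exe PID $($w.ProcessId) runs as $($w.Owner), not $account - fix the pool identity, then recycle"
    }
}

# First reply's point: read/write/modify on MachineKeys for that one account.
if (Test-ModifyAccess -Path $MachineKeys -Account $account) {
    Write-Host "$account already has Modify on $MachineKeys"
} else {
    Grant-ModifyAccess -Path $MachineKeys -Account $account
    Write-Host "Granted Modify on $MachineKeys to $account"
}

Get-VaultKeyFiles -Path $MachineKeys | Format-Table -AutoSize
```

Two points on the design. The identity comparison uses PowerShell's case-insensitive string equality, so the "IIS APPPOOL\VaultAppPool" form that Win32_Process and Get-Acl report matches the "IIS AppPool\VaultAppPool" form the first reply tells you to type into the permissions dialog. And the folder ACL is only half of the story: key container files already sitting in MachineKeys may carry their own DACLs that do not inherit from the folder, which is why the first reply has you delete the stale Vault key files (step 2) instead of just re-ACLing the directory; the listing at the end shows whose those files are before you decide to remove them.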
