how to encrypt database password in web.config file

You can try the dpapi.

http://msdn.microsoft.com/library/de...l/secmod22.asp

"Henry" wrote:

Hi, my asp.net application is accessing a mssql on another server.
This works fine when I use this in my web.config file:

<add key="dbkey" value="server=192.12.12.1;database=mydb;user=dbuse r;password=mypassword"
/>

However I don't like to store my password in plain text.

I played around with aspnet_setreg.exe and I followed those
instructions:

http://support.microsoft.com/default...;en-us;Q329290

However my application says ' Could not create Windows user token from
the credentials specified in the config file'

when I use it in the recommended way:

<identity impersonate="true"
userName="registry:HKLM\SOFTWARE\MYDB\identity\ASP NET_SETREG,userName"
password="registry:HKLM\SOFTWARE\MYDB\identity\ASP NET_SETREG,password"
/>

I don't really need the asp.net worker process to run impersonate. All
I need is to store and transmit the password encrypted.

Does anyone have a suggestion?

Thanks

What you are doing when you use setreg the way you did was to impersonate the aspnet process, meaning that all the resources that your web app accesses will run under that user. For this to happen, the user that you specified, must be a user with a valid account. Hence your error!

If you want this to work with SQL Server, you must use windows authentication to connect to your SQL Server, but your connection string shows that you are using SQL authentication.

So you have two choices.

1 - Use windows authentication to connect to SQL Server. You can create an account on your web server, set this user account with setreg, and put it in the identity element as you did. Then create the same user and password on the SQL Server and give that user access to your database.

2 - With setreg there is also an option to store your entire connectionstring in a similar fashion as the username. You can continue using SQL Server authentication, and whenever you need to connect to the database you would retrieve the value of the connectionstring from the web.config file as usual.

Of the two, I would recommended the first one because the password is stored and transmited with windows NTLM and is thus more secure.

Hope this helps,
John

"Henry" wrote:

Hi, my asp.net application is accessing a mssql on another server.
This works fine when I use this in my web.config file:

<add key="dbkey" value="server=192.12.12.1;database=mydb;user=dbuse r;password=mypassword"
/>

However I don't like to store my password in plain text.

I played around with aspnet_setreg.exe and I followed those
instructions:

http://support.microsoft.com/default...;en-us;Q329290

However my application says ' Could not create Windows user token from
the credentials specified in the config file'

when I use it in the recommended way:

<identity impersonate="true"
userName="registry:HKLM\SOFTWARE\MYDB\identity\ASP NET_SETREG,userName"
password="registry:HKLM\SOFTWARE\MYDB\identity\ASP NET_SETREG,password"
/>

I don't really need the asp.net worker process to run impersonate. All
I need is to store and transmit the password encrypted.

Does anyone have a suggestion?

Thanks

thanks for your answers.
both servers (web,db) have an identical user account (dbuser). Those
are local accounts.
I tried to get it to work without the encryption first:

in my web.config I have:

<authentication mode="Windows" />
<identity impersonate="true"
userName="dbuser"
password="secret"
/>

<add key="dbkey" value="Integrated Security=SSPI;Persist Security
Info=False;Initial Catalog=mydb;Data Source=192.12.12.1;Connect
Timeout=30" />

After I added the proper permissions to the used 'dbuser' I get this
error:

Login failed for user '(null)'. Reason: Not associated with a trusted
SQL Server connection.

It seems that the impersonated user does not get transmitted during
database connection. I also played with the IIS authentication methods
but to no avail.

Thanks, Henry


John Sivilla <Jo*********@discussions.microsoft.com> wrote in message news:<43**********************************@microso ft.com>...

What you are doing when you use setreg the way you did was to impersonate the aspnet process, meaning that all the resources that your web app accesses will run under that user. For this to happen, the user that you specified, must be a user with a valid account. Hence your error!

If you want this to work with SQL Server, you must use windows authentication to connect to your SQL Server, but your connection string shows that you are using SQL authentication.

So you have two choices.

1 - Use windows authentication to connect to SQL Server. You can create an account on your web server, set this user account with setreg, and put it in the identity element as you did. Then create the same user and password on the SQL Server and give that user access to your database.

2 - With setreg there is also an option to store your entire connectionstring in a similar fashion as the username. You can continue using SQL Server authentication, and whenever you need to connect to the database you would retrieve the value of the connectionstring from the web.config file as usual.

Of the two, I would recommended the first one because the password is stored and transmited with windows NTLM and is thus more secure.

Hope this helps,
John

"Henry" wrote:

Hi, my asp.net application is accessing a mssql on another server.
This works fine when I use this in my web.config file:

<add key="dbkey" value="server=192.12.12.1;database=mydb;user=dbuse r;password=mypassword"
/>

However I don't like to store my password in plain text.

I played around with aspnet_setreg.exe and I followed those
instructions:

http://support.microsoft.com/default...;en-us;Q329290

However my application says ' Could not create Windows user token from
the credentials specified in the config file'

when I use it in the recommended way:

<identity impersonate="true"
userName="registry:HKLM\SOFTWARE\MYDB\identity\ASP NET_SETREG,userName"
password="registry:HKLM\SOFTWARE\MYDB\identity\ASP NET_SETREG,password"
/>

I don't really need the asp.net worker process to run impersonate. All
I need is to store and transmit the password encrypted.

Does anyone have a suggestion?

Thanks