aspnet/DataProtection

Data Protection on IIS hosted web sites needs configuration

blowdart opened this issue · 14 comments

When hosting a website behind IIS, the Data Protection stack does not find a suitable place to store the key ring, and uses in-memory keys. This means that when your application restarts, all forms authentication tokens will be invalid and users will have to log in again. In addition, any data you protected will no longer be able to be unprotected.

This does not apply to IIS Express.

To configure Data Protection under IIS you must either

  • Run a PowerShell script to create suitable registry entries (usage: .\Provision-AutoGenKeys.ps1 DefaultAppPool). This will store keys in the registry, protected using DPAPI with a machine-wide key.
  • Configure the IIS Application Pool to load the user profile. This setting is in the Process Model section under the Advanced Settings for the application pool. Set Load User Profile to True. This will store keys under the user profile directory and protect them using DPAPI with a key specific to the user account used for the app pool.
  • Adjust your application code to use the file system as a key ring store. If you do this you should use an X509 certificate to protect the key ring and ensure it is a trusted certificate, i.e. if it is a self-signed certificate you must place it in the Trusted Root store.

What is the best practice for securing the keys when using IIS in web farm?

That would be to use a file share all machines can access, and then deploy an X509 certificate to each machine. You would have to configure that in code.
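The file share plus certificate setup that the opening post's third option and the web farm answer above describe, as an added example; this is not code from the issue or from the aspnet/DataProtection project. It assumes ASP.NET Core 2.0 or later (UnprotectKeysWithAnyCertificate does not exist in 1.x) and the following hypothetical values: a UNC share \\fileserver\dpkeys that every node can reach, the application name "MyApp", and a configuration key DataProtection:CertThumbprint holding the thumbprint of a certificate that is installed, with its private key, in LocalMachine\My on every node.

```csharp
// Added example (not from the issue or the aspnet/DataProtection repo).
// Startup wiring for a web farm: key ring on a shared UNC path, keys at rest
// wrapped with an X509 certificate instead of machine- or user-bound DPAPI.
// Hypothetical values: \\fileserver\dpkeys, "MyApp", DataProtection:CertThumbprint.
using System;
using System.IO;
using System.Security.Cryptography.X509Certificates;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    private readonly IConfiguration _config;

    public Startup(IConfiguration config) => _config = config;

    public void ConfigureServices(IServiceCollection services)
    {
        var thumbprint = _config["DataProtection:CertThumbprint"]
            ?? throw new InvalidOperationException("DataProtection:CertThumbprint is not configured.");

        // Resolve the certificate from the machine store on this node rather than
        // shipping a PFX with the application.
        var cert = FindCertificate(thumbprint);

        services.AddDataProtection()
            // Every node must use the same application name, otherwise keys are
            // isolated per app and a cookie issued on node A fails on node B.
            .SetApplicationName("MyApp")
            // Shared key ring location: the app pool identity on each node needs
            // read and write access to this directory.
            .PersistKeysToFileSystem(new DirectoryInfo(@"\\fileserver\dpkeys"))
            // Keys on the share are encrypted to the certificate, so they are not
            // tied to any one machine or user profile.
            .ProtectKeysWithCertificate(cert)
            // Register the same certificate explicitly for decryption so that
            // unprotecting does not depend on a store lookup under the app pool
            // identity's own user profile.
            .UnprotectKeysWithAnyCertificate(cert);
    }

    private static X509Certificate2 FindCertificate(string thumbprint)
    {
        using (var store = new X509Store(StoreName.My, StoreLocation.LocalMachine))
        {
            store.Open(OpenFlags.ReadOnly);
            // validOnly: false so a self-signed certificate is accepted without
            // having to be placed in the Trusted Root store.
            var matches = store.Certificates.Find(
                X509FindType.FindByThumbprint, thumbprint, validOnly: false);
            if (matches.Count == 0)
                throw new InvalidOperationException(
                    $"Certificate {thumbprint} was not found in LocalMachine\\My.");

            var cert = matches[0];
            // Without the private key this node could encrypt new keys but never
            // decrypt the key ring, so fail fast at startup instead of at first request.
            if (!cert.HasPrivateKey)
                throw new InvalidOperationException(
                    $"Certificate {thumbprint} has no private key on this machine.");
            return cert;
        }
    }
}
```

Passing the certificate object (rather than its thumbprint string) to ProtectKeysWithCertificate matters here: the thumbprint overload resolves the certificate with a validity check, which is why the opening post says a self-signed certificate has to be placed in Trusted Root. With the object overload the chain is not validated, but the same certificate and private key still have to be present on every node, and the app pool identity must be granted access to that private key.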

@Tasteful There's a lot more on that subject here: #92

[EDIT: Only pertains to Azure-based scenarios.]

@guardrex to be fair adding an azure requirement for local web farms is something even I wouldn't do :D

@blowdart Oooops! I should have re-read that issue first. Geez! Someone says "IIS" my brain goes, "Azure VM IIS ... great idea!" Someone says "webfarm," and my brain goes, "Azure VM's in a Cloud Service ... great idea!" I'll seek some professional help for the addiction.

@blowdart What about the existing web.config machineKey? Why not make it easy to deploy in a web farm?

Thanks for the answer @blowdart and @guardrex.
I think the link (https://docs.asp.net/en/latest/security/data-protection/implementation/key-encryption-at-rest.html#certificate-based-encryption-with-windows-dpapi-ng) in the linked issue (from @guardrex's reply with the Azure info) was interesting. It describes different approaches to encrypting the configuration using DPAPI-NG.

Is DPAPI-NG a good approach instead of installing and maintaining the certificate on each machine? All the servers will be joined to the same AD, with domain credentials set on the application pool; HTTPS termination for visitors is done by ARR or a third-party load balancer.

@abcplex The machine key is gone. The reason it's gone is that it never changed; once it was set it stayed like that forever, unless you went through a number of hoops. That's dangerous. The new key mechanism rotates keys automatically and provides the ability to revoke keys if the keychain is compromised.

@Tasteful I believe DPAPI-NG should sync the DPAPI keys if you run the websites as an AD user and you load the profile in the app pool configuration. But if I'm honest I don't think we've tested that scenario recently. @Eilon can you lend me someone to set this up and test it?
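For the DPAPI-NG question above (domain-joined farm, domain account as the app pool identity, no certificate to maintain), here is an added example of what that configuration looks like in code; it is not code from the issue or from the aspnet/DataProtection project. It assumes ASP.NET Core 2.0 or later on Windows and a hypothetical share \\fileserver\dpkeys. A "SID=" protection descriptor is resolved through the domain's Key Distribution Service rather than through the account's roaming DPAPI master key, so loading the user profile is not what makes the keys usable across nodes; the account's SID is.

```csharp
// Added example (not from the issue or the aspnet/DataProtection repo).
// Key ring on a shared path, keys at rest protected with DPAPI-NG to the SID of the
// domain account the worker process runs as. Hypothetical share: \\fileserver\dpkeys.
using System;
using System.IO;
using System.Runtime.InteropServices;
using System.Security.Principal;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.AspNetCore.DataProtection.XmlEncryption;
using Microsoft.Extensions.DependencyInjection;

public static class DpapiNgDataProtectionSetup
{
    // Call from Startup.ConfigureServices:
    //   services.AddFarmDataProtectionWithDpapiNg("MyApp", @"\\fileserver\dpkeys");
    public static IDataProtectionBuilder AddFarmDataProtectionWithDpapiNg(
        this IServiceCollection services, string applicationName, string keyShare)
    {
        if (!RuntimeInformation.IsOSPlatform(OSPlatform.Windows))
            throw new PlatformNotSupportedException("DPAPI-NG is only available on Windows.");

        // Use the SID of the account the process actually runs as, so the descriptor
        // cannot silently diverge from the app pool identity configured on a node.
        var sid = WindowsIdentity.GetCurrent().User?.Value
            ?? throw new InvalidOperationException("Cannot determine the process SID.");

        // Machine-local identities have a different SID on every server (or are
        // meaningless off-box), so a key ring protected to them on one node could not
        // be unprotected on the others. Fail at startup rather than at first request.
        if (sid.StartsWith("S-1-5-82-", StringComparison.Ordinal)   // IIS APPPOOL\* virtual accounts
            || sid.StartsWith("S-1-5-80-", StringComparison.Ordinal) // NT SERVICE\* virtual accounts
            || sid == "S-1-5-20"                                     // NETWORK SERVICE
            || sid == "S-1-5-19"                                     // LOCAL SERVICE
            || sid == "S-1-5-18")                                    // SYSTEM
        {
            throw new InvalidOperationException(
                $"App pool identity {sid} is machine-local; a domain account is required " +
                "for DPAPI-NG protection on a web farm.");
        }

        return services.AddDataProtection()
            // Same application name on every node, or keys are isolated per app.
            .SetApplicationName(applicationName)
            // Shared key ring; the domain account needs read and write access here.
            .PersistKeysToFileSystem(new DirectoryInfo(keyShare))
            // Only this domain account, on any domain-joined node, can unprotect the keys.
            .ProtectKeysWithDpapiNG($"SID={sid}", DpapiNGProtectionDescriptorFlags.None);
    }
}
```

The descriptor could equally name the account explicitly ("SID=S-1-5-21-..."); deriving it from the running identity just removes one value that would otherwise have to be kept in sync across the farm's configuration. Either way, the account has to be the same domain account on every node, and the domain has to have a KDS root key provisioned for SID-based DPAPI-NG descriptors to resolve.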

Eilon commented

@muratg maybe @pakrym can try this out?

Agreed, @pakrym could you take a look at this?

We are closing this issue because no further action is planned for this issue. If you still have any issues or questions, please log a new issue with any additional details that you have.

Configure the IIS Application Pool to load the user profile

Hi, any reason this option from @blowdart is missing from the ASP.NET Core docs? Could not find it in https://docs.microsoft.com/en-us/aspnet/core/publishing/iis#create-a-data-protection-registry-hive , and it sounds like the easiest/fastest fix (to me) to solve the in-mem default issue.

@FruitAndAShape Works well in the single-server hosting scenario. There's no drawback that the engineers have made us aware of for the docs.