RSACryptoServiceProvider code and identity issues

Taiwo

Aug 29, 2002, 1:48:55 PM

Running code that uses the "RSACryptoServiceProvider" class gives "CryptoAPI
cryptographic service provider (CSP) for this implementation could not be
acquired" if the current identity is a "Limited User" but works fine if the
identity is an "Administrator" account.

For impersonation in IIS, this forces me to impersonate a privileged account
to run code using RSACryptoServiceProvider, which I think is too dangerous.

Does anyone have any recommendation to avoid using a privileged account to
run Crypto code? It doesn't matter whether I am using the user key store or
the machine key store.

Here is more info on the error:

?ex.message
"CryptoAPI cryptographic service provider (CSP) for this implementation could not be acquired."
?ex.stacktrace
" at System.Security.Cryptography.RSACryptoServiceProvider..ctor(Int32 dwKeySize, CspParameters parameters, Boolean useDefaultKeySize)
at System.Security.Cryptography.RSACryptoServiceProvider..ctor(CspParameters parameters)
..."


---
Thanks,

Taiwo

Jonathan Schafer

Aug 29, 2002, 9:03:46 PM
Search the archives for the answer to this. The short of it is that
the ASPNET system account does not have a profile, so it doesn't have
access to the RSA key stuff. If you search in
Microsoft.Public.Dotnet.* ng's for Jonathan Schafer, you'll find my
previous answer to this.

Jonathan Schafer

Joseph

Sep 16, 2002, 5:09:08 AM
Jonathan,

I couldn't find your answer to this post. Can you repost it again? Thanks.

Joseph

Jonathan Schafer

Sep 16, 2002, 5:30:51 AM
If you are using the default constructor for
RSACryptoServiceProvider (the one with no parameters), the
constructor will attempt to use the key container for the
currently logged in user. Since the ASPNET user is never
logged in, the operation will fail.

The easier way to fix the problem and not compromise
security is to tell the constructor to use the machine
keystore. This can be done with the following code:

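// Requires: using System.Security.Cryptography;
// Provider type 1 is PROV_RSA_FULL.
CspParameters cspParams = new CspParameters(1);
cspParams.KeyContainerName = "MyContainer";
// Use the machine key store rather than the current user's profile.
cspParams.Flags = CspProviderFlags.UseMachineKeyStore;
RSACryptoServiceProvider rsaCSP = new RSACryptoServiceProvider(cspParams);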

Note that it is important to specify the container.
Otherwise, a new container will be created each time,
consuming disk resources.
In addition to the above code, the ASPNET user will need
to be given the appropriate access privileges to the
following folder:

C:\Documents and Settings\All Users\Application
Data\Microsoft\Crypto\RSA\MachineKeys

This is required since the ASPNET user will be creating,
reading, and modifying files in this folder. You can
either set full control for the ASPNET user or be a bit
more restrictive.

Jonathan Schafer
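
Added example, not part of the original thread and not the poster's code: one way to be "a bit more restrictive" than full control on the MachineKeys folder is to put an ACL on the named container itself. It assumes .NET Framework 2.0 or later (CspParameters.CryptoKeySecurity and CspProviderFlags.UseExistingKey are newer than this thread), a local account named ASPNET as in the thread, and the hypothetical helper names Provision and Open.

```csharp
using System.Security.AccessControl;
using System.Security.Cryptography;
using System.Security.Principal;

static class MachineKeyContainer
{
    const string ContainerName = "MyContainer"; // container name from the thread
    const string WorkerAccount = "ASPNET";      // limited account from the thread

    // Setup step, run once as an administrator: create the named container
    // in the machine store with an explicit ACL on that one key.
    public static void Provision()
    {
        var acl = new CryptoKeySecurity();
        acl.AddAccessRule(new CryptoKeyAccessRule(
            new SecurityIdentifier(WellKnownSidType.BuiltinAdministratorsSid, null),
            CryptoKeyRights.FullControl, AccessControlType.Allow));
        // The worker account may use the key but not change or delete it.
        acl.AddAccessRule(new CryptoKeyAccessRule(
            new NTAccount(WorkerAccount),
            CryptoKeyRights.GenericRead, AccessControlType.Allow));

        var csp = new CspParameters(1) // 1 = PROV_RSA_FULL
        {
            KeyContainerName = ContainerName,
            Flags = CspProviderFlags.UseMachineKeyStore,
            CryptoKeySecurity = acl
        };
        using (var rsa = new RSACryptoServiceProvider(2048, csp))
        {
            rsa.PersistKeyInCsp = true;
            rsa.ExportParameters(false); // touch the key so it is created now
        }
    }

    // Called by the web application under the limited identity.
    public static RSACryptoServiceProvider Open()
    {
        var csp = new CspParameters(1)
        {
            KeyContainerName = ContainerName,
            // UseExistingKey: throw if the container is missing instead of
            // silently generating a fresh key pair.
            Flags = CspProviderFlags.UseMachineKeyStore
                  | CspProviderFlags.UseExistingKey
        };
        return new RSACryptoServiceProvider(csp);
    }
}
```

Provision is meant for an administrative setup step; the web application only calls Open, so the limited account never needs rights to create or modify key files.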
