问题描述

我正在开发一个asp.net核心应用程序以在Web上进行远程调整，并且我正在使用"AddDataProtection"来保护静态密钥加密(如文档所建议的那样)，但是当我部署应用程序并直接运行时从带有AppPool标识的IIS中，永远不会创建密钥，并且在DpapiNG Windows日志中会出现错误.

I've developing an asp.net core application to tun on a web far, and I'm using "AddDataProtection" to protect for key encryption at rest like, the documentation recommends, but when I deploy my application and run directly from IIS with AppPool identity, the key is never created and I get errors on the DpapiNG windows logs.

我的代码如下:

services.AddDataProtection(opt => opt.ApplicationDiscriminator = ApplicationConfig.dataProtectionApplicationDiscriminator)
            .PersistKeysToFileSystem(new DirectoryInfo(encKeyPath))
            .ProtectKeysWithDpapiNG(string.Format("CERTIFICATE=HashId:{0}", ApplicationConfig.dataProtectionCertThumbprint),
                flags: DpapiNGProtectionDescriptorFlags.None);

通过Visual Studio调试，一切运行正常，但是我在管理员权限下运行VS，因此这里的权限不是问题.

Debugging from visual studio, everything runs fine, but I'm running VS under administrator rights, so permission is not an issue here.

我尝试将权限直接从MMC自身添加到自己的私钥的AppPool App用户的权限，但没有成功，甚至授予了应按以下说明创建密钥的位置的完整路径的权限 https://docs.microsoft.com/zh-cn/aspnet/core/security/data-protection/configuration/overview (检查第一条评论)，但也没有用.

I've tried adding permissions to the AppPool App user to the private key it self directly from MMC, but it did not worked, and even gave permission on the full path to the location were the keys should be created like stated here https://docs.microsoft.com/en-us/aspnet/core/security/data-protection/configuration/overview (check first comment) but also it did not worked.

我只能通过将AppPool设置为以管理员身份运行才能使其正常工作，但是显然这是不行的，我只是想确保这是某个地方的权限问题.

I was only able to make it work by setting the AppPool to run with the identity of an Administrator, but clearly this is a no go, I just wanted to make sure this was a permission issue somewhere.

有人遇到同样可以帮助您的问题吗?

Is anybody facing the same issue that is able to help?

关于，安德烈(André)

Regards,André

推荐答案

您的问题很可能是您试图将密钥存储在一起折叠的文件夹路径中的某个位置(或什至使用AddDataProtection提供的默认路径) )使用诸如％LOCALAPPDATA％之类的环境路径.示例:％LOCALAPPDATA％\ ASP.NET \ DataProtection-Keys".通常，默认情况下，IIS不会使用环境路径变量(例如％LOCALAPPDATA％)来设置您的应用程序池帐户.该值最终为空，然后您的应用程序尝试将密钥写入错误的文件夹(例如\ ASP.NET \ DataProtection-Keys而不是％LOCALAPPDATA％\ ASP.NET \ DataProtection-Keys).

Most likely your issue is you are trying to store your keys somewhere in a folder path that you are cobbling together (or even by using the default path that AddDataProtection provides) that uses an environment path such as %LOCALAPPDATA%. Example: "%LOCALAPPDATA%\ASP.NET\DataProtection-Keys".Usually, by default IIS DOES NOT set up your app pool accounts with environment path variables such as %LOCALAPPDATA%. The value ends up being blank and your app then tries to write keys to the wrong folder (such as \ASP.NET\DataProtection-Keys instead of %LOCALAPPDATA%\ASP.NET\DataProtection-Keys).

修复:在％WINDIR％\ System32 \ inetsrv \ config \ applicationHost.config中，设置setProfileEnvironment = true.我认为您也必须重新启动IIS.

Fix: Within %WINDIR%\System32\inetsrv\config\applicationHost.config set setProfileEnvironment=true. I think you have to restart IIS as well.

这篇关于IIS-AddDataProtection PersistKeysToFileSystem未创建的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持！