Shared configuration with IIS 10 (Windows 2016) and IISCngProvider + IISWASOnlyCngProvider

7 replies

Last post Aug 20, 2020 04:18 PM by bab5470

  • Shared configuration with IIS 10 (Windows 2016) and IISCngProvider + IISWASOnlyCngProvider

    Dec 15, 2016 08:56 PM|Vladimir Kolyada|LINK

    Hello, my dear friends ^__^

    In my shared configuration:

    <add name="IISCngProvider" type="Microsoft.ApplicationHost.CngProtectedConfigurationProvider" description="Uses Win32 Crypto CNG to encrypt and decrypt" keyContainerName="iisCngConfigurationKey" useMachineContainer="true" />

    <add name="IISWASOnlyCngProvider" type="Microsoft.ApplicationHost.CngProtectedConfigurationProvider" description="(WAS Only) Uses Win32 Crypto CNG to encrypt and decrypt" keyContainerName="iisCngWasKey" useMachineContainer="true" />

    So, after setting the domain user and password, I can see this for the pool:

    <processModel identityType="SpecificUser" userName="domain\mydomainame" password="[enc:IISWASOnlyCngProvider:XXXXXXXXX]"....

    Oh, my password is encrypted with CNG, and the keys iisCngWasKey or iisCngConfigurationKey can't be exported/imported.

    And I can start one pool, where I set the user and password, but the other pools can't start because they can't decrypt the password.
    Why? What should I do?

  • Re: Shared configuration with IIS 10 (Windows 2016) and IISCngProvider + IISWASOnlyCngProvider

    Dec 16, 2016 05:59 AM|lextm|LINK

    Lex Li
    Affordable IIS Consulting Services at https://support.lextudio.com/services/consulting.html
    ---------------------------
    This posting is provided "AS IS" with no warranties, and confers no rights.
  • Re: Shared configuration with IIS 10 (Windows 2016) and IISCngProvider + IISWASOnlyCngProvider

    Dec 16, 2016 09:17 AM|Vladimir Kolyada|LINK

    Okay, this is good news: the keys for decryption are in the shared folder, I can see them in my folder. But how do I set the encryption keys password on the second and other IIS servers? Those IIS servers are on Windows Core, with only PowerShell, cmd ... :), but the first IIS is on Windows with a GUI.

  • Re: Shared configuration with IIS 10 (Windows 2016) and IISCngProvider + IISWASOnlyCngProvider

    Dec 16, 2016 09:20 AM|Vladimir Kolyada|LINK

    Activation on the second and other IIS servers by script:

    ' Open the redirection configuration (redirection.config) for writing
    Set adminManager = WScript.CreateObject("Microsoft.ApplicationHost.WritableAdminManager")
    adminManager.CommitPath = "MACHINE/REDIRECTION"
    Set configurationRedirection = adminManager.GetAdminSection("configurationRedirection", "MACHINE/REDIRECTION")
    ' Point this server at the shared configuration folder
    configurationRedirection.Properties.Item("enabled").Value = True
    configurationRedirection.Properties.Item("path").Value = "\\server\iis-config"
    ' Account used to read the share
    configurationRedirection.Properties.Item("userName").Value = "ourdomain\userA"
    configurationRedirection.Properties.Item("password").Value = "password"
    adminManager.CommitChanges

    And this script has no encryption keys password :(

  • Re: Shared configuration with IIS 10 (Windows 2016) and IISCngProvider + IISWASOnlyCngProvider

    Dec 19, 2016 06:18 PM|Vladimir Kolyada|LINK

    Other?:)

  • Re: Shared configuration with IIS 10 (Windows 2016) and IISCngProvider + IISWASOnlyCngProvider

    Dec 29, 2016 06:38 AM|Yuk Ding|LINK

    Yuk Ding

    MSDN Community Support
    Please remember to "Mark as Answer" the responses that resolved your issue.
  • Re: Shared configuration with IIS 10 (Windows 2016) and IISCngProvider + IISWASOnlyCngProvider

    Feb 01, 2017 08:50 AM|kriks|LINK

    Hi,

    Configuration redirection works, but when I set up an application pool, for instance, with a domain user, only one server can decrypt the password, and it's encrypted with IISCngProvider.

    Is there a way to sync the IISCngProvider keys also? Just copying machinekeys does not work.

    Or is there no way in Server 2016/IIS 10 to use shared configuration on Server Core?

  • Re: Shared configuration with IIS 10 (Windows 2016) and IISCngProvider + IISWASOnlyCngProvider

    Aug 20, 2020 04:18 PM|bab5470|LINK

    I know this post is fairly old but I ran into this today myself so I am posting it for the benefit of others (or myself if I should end up in the same situation in the future).

    IIS Shared Configuration can now be managed using PowerShell cmdlets, and the new PowerShell cmdlets take care of the CNG provider for you. Here's an example:

    # Export (run on the server that already holds the configuration)
    $KeyEncryptionPassword = ConvertTo-SecureString -AsPlainText -String "your-password" -Force
    # -KeyEncryptionPassword takes a SecureString, so pass the variable, not the plain string
    Export-IISConfiguration -PhysicalPath "\\some\shared\location" -KeyEncryptionPassword $KeyEncryptionPassword


    # Enable Shared Config (run on each server that should use the shared configuration)
    $KeyEncryptionPassword = ConvertTo-SecureString -AsPlainText -String "your-password" -Force
    # Password of the account used to read the share
    $Password = ConvertTo-SecureString "your-password" -AsPlainText -Force
    Enable-IISSharedConfig -PhysicalPath "\\some\shared\location" -KeyEncryptionPassword $KeyEncryptionPassword -UserName "your-username" -Password $Password

    Hopefully this helps someone else in the future!
    Brad
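
A variant of the enable step above for a Server Core node, added here as an example and not written by any poster in this thread: it prompts for both secrets instead of embedding them in the script, then lists the state of the pools that run as a specific user, since those are the ones that fail when the password cannot be decrypted. The function name `Join-IISSharedConfig` is hypothetical and the share path is the placeholder from the post above.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell session
# on each additional node. Requires the IISAdministration module.
Import-Module IISAdministration

function Join-IISSharedConfig {    # hypothetical helper name
    param(
        [Parameter(Mandatory)] [string]       $PhysicalPath,
        [Parameter(Mandatory)] [pscredential] $ShareCredential,
        [Parameter(Mandatory)] [securestring] $KeyEncryptionPassword
    )

    # Point this node at the shared configuration and import the exported keys.
    Enable-IISSharedConfig -PhysicalPath $PhysicalPath `
        -KeyEncryptionPassword $KeyEncryptionPassword `
        -UserName $ShareCredential.UserName `
        -Password $ShareCredential.Password

    # Drop the cached ServerManager so the next reads use the shared config.
    Reset-IISServerManager -Confirm:$false

    # Report the redirection status.
    Get-IISSharedConfig

    # Pools with a stored identity password are the ones affected by a
    # decryption failure, so list their state.
    Get-IISAppPool |
        Where-Object { $_.ProcessModel.IdentityType -eq 'SpecificUser' } |
        Select-Object Name, State
}

# Prompt for the secrets so they never appear in the script or command history.
$cred  = Get-Credential -Message 'Account that can read the shared configuration folder'
$keyPw = Read-Host -AsSecureString -Prompt 'Key encryption password chosen at export'

Join-IISSharedConfig -PhysicalPath '\\some\shared\location' `
    -ShareCredential $cred -KeyEncryptionPassword $keyPw
```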
