RE: ConfigurationErrorException when reading protected config sect

Tech-Archive recommends: Repair Windows Errors & Optimize Windows Performance

Hi Steven,

Thanks for the reply. I'm finding this is occuring regardless of which
encryption method I chose (dpapi or rsa). It's really too bad that I have to
load in a new config. To me that seems like a workaround. The
ConfigurationManager should know what to do after I call RefreshSection, and
I shouldn't have to explicitly read from the disk. This becomes even more
important when we start thinking of caching.

For example - in our situation, I have a low-level library that access
connection string information using ConfigurationManager.GetSection. My
application that utilizes the low-level library, however, encrypts the
connection strings section at runtime. This means that, in order for the low
level library to always function correctly, it must always read from disk
rather than the once-only cached version returned by
ConfigurationManager.GetSection - regardless if the section was refreshed.

Is this not a bug in ConfigurationManager?

"Steven Cheng[MSFT]" wrote:

Hello Ryan,

As for the .net 2.0 configuration encryption and section refresh problem
you mentioned, I've just performed some tests according to your description
in my local environment. Here is my test results and some suggestion on
this:

1. When perform the configuration section protection, we can choose which
provider to use, there're two built-in providers(DPAPI provider and RSA
provider). Based on my test, the problem (ConfigurationErrorException will
occur when we use DPAPI provider , but not when using RSA provider).

2. After we have modified the configuration(any sections in it) and save it
to file and refresh the certain sections, we can use the original
configuration object to query the section data again or construcut a new
configuration object(through ConfigurationManager.OpenExeConfiguration ).
And I found that the exception will occur when we use the original
configuration object , but not occur if we reconstruct/reload a new
configuration object(from exe config file).

Therefore, I think the cause of the problem is that when using DPAPI
provider, after refresh the certain Section, the old configuration object
lose the related encryption information(since the informations first
constructed after we protect that section) and result the sequential
loading from the file failes....(it dosn't know that the section is
protected...).

If you're using the DPAPI provider("DataProtectionConfigurationProvider"),
you can consider reload a new configuration object instead of using the
original one. Here is a workable sample console application(not sure
whether you prefer VB.NET or C#, please let me know if you prefer VBNET
one):

=======================================
namespace EncryptSectionConsole
{
class Program
{
static void Main(string[] args)
{
Run();
}


static void Run()
{

Console.WriteLine("press any key to dump the
connectionstrings...");
Console.ReadLine();

DumpConnectionStrings();

Console.WriteLine("press any key to encrypt the
connectionstrings...");
Console.ReadLine();

EncryptConnectionStrings();

Console.WriteLine("press any key to dump the
connectionstrings...");
Console.ReadLine();



NewDumpConnectionStrings();

//will result exception
//DumpConnectionStrings();


}

static void DumpConnectionStrings()
{
foreach(ConnectionStringSettings connstr in
ConfigurationManager.ConnectionStrings)
{
Console.WriteLine("name: {0}, connstring: {1}",
connstr.Name, connstr.ConnectionString);
}
}

static void NewDumpConnectionStrings()
{
Configuration config =
ConfigurationManager.OpenExeConfiguration(ConfigurationUserLevel.None);

foreach (ConnectionStringSettings connstr in
config.ConnectionStrings.ConnectionStrings)
{
Console.WriteLine("name: {0}, connstring: {1}",
connstr.Name, connstr.ConnectionString);
}
}

static void EncryptConnectionStrings()
{
Configuration config =
ConfigurationManager.OpenExeConfiguration(ConfigurationUserLevel.None);

config.ConnectionStrings.SectionInformation.ForceSave= true;

config.ConnectionStrings.SectionInformation.ProtectSection("DataProtectionCo
nfigurationProvider");

config.Save(ConfigurationSaveMode.Modified);


Console.WriteLine("press any key to refresh the section....");
Console.ReadLine();

config.ConnectionStrings.SectionInformation.ForceSave = true;
config.ConnectionStrings.ConnectionStrings.Add(new
ConnectionStringSettings("new connstr", "new value"));


config.Save(ConfigurationSaveMode.Modified);




ConfigurationManager.RefreshSection("connectionStrings");


}


}
}
================================

Hope this helps.

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead



==================================================

Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notif
ications.



Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at
http://msdn.microsoft.com/subscriptions/support/default.aspx.

==================================================



This posting is provided "AS IS" with no warranties, and confers no rights.







.

Relevant Pages

  • Re: Any changes to Remote Desktop Connection with upgrade to 2004?
    ... Thank you for posting. ... it appears that you are talking the "Encryption ... Level" configuration in the Terminal service. ... Microsoft Online Partner Support ...
    (microsoft.public.isa)
  • RE: Secure Remote access - windows 2003
    ... Encryption for user-crentials/data access can be easily ... Not really sure if you want users to RDP into your windows servers.. ... clients because they all require specific configuration knowledge. ... TS App Mode is required for more than 2 concurrent users. ...
    (Focus-Microsoft)
  • Re: rdp fips problem
    ... settings in TS configuration. ... Configuring authentication and encryption ... MCSE,CCEA, Microsoft MVP - Terminal Server ... > i traced this back to the terminal services configuration ...
    (microsoft.public.windows.terminal_services)
  • RE: ConfigurationErrorException when reading protected config section
    ... As for the .net 2.0 configuration encryption and section refresh problem ... Microsoft MSDN Online Support Lead ...
    (microsoft.public.dotnet.general)
  • Re: Help Encrypting Connection String
    ... configuration file. ... encrypt and decrypt arbitrary strings, so that will certainly work for what ... connection strings defined in the configuration if you want. ... >> The biggest decision for you here is how you want to store the encryption ...
    (microsoft.public.dotnet.framework.aspnet.security)