RSA assign permissions to Application Data and MachineKeys folders and Access is denied

Lionsure 2021-04-07 Original by the website

When RSA fails with an access-denied error in CreateProvHandle, the usual fix is to grant the user IIS_WPG Read and Write permissions on the Application Data folder (C:\Documents and Settings\All Users\Application Data) and on the MachineKeys folder (C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys). For details, see the article "The RSA key container could not be opened (System.Security.Cryptography.Utils.CreateProvHandle)". Sometimes, however, this does not help, and the problem persists even after patch KB938397 is installed.

Even after the permissions above have been granted, the page throws CryptographicException: Access is denied. The full error is as follows:

CryptographicException: Access is denied

Source: mscorlib

Stack:
at System.Security.Cryptography.CryptographicException.ThrowCryptographicException(Int32 hr) 
at System.Security.Cryptography.Utils._GenerateKey(SafeProvHandle hProv, Int32 algid, CspProviderFlags flags, Int32 keySize, SafeKeyHandle& hKey)
at System.Security.Cryptography.Utils.GetKeyPairHelper(CspAlgorithmType keyType, CspParameters parameters, Boolean randomKeyContainer, Int32 dwKeySize, SafeProvHandle& safeProvHandle, SafeKeyHandle& safeKeyHandle)
at System.Security.Cryptography.RSACryptoServiceProvider.GetKeyPair()
at System.Security.Cryptography.RSACryptoServiceProvider..ctor(Int32 dwKeySize, CspParameters parameters, Boolean useDefaultKeySize)
at System.Security.Cryptography.RSACryptoServiceProvider..ctor(Int32 dwKeySize, CspParameters parameters)
at LTS.Security.RSACrypto.GetKey(String containerName) 
at lt.mk.Login.Page_Load(Object sender, EventArgs e)
at System.Web.Util.CalliHelper.EventArgFunctionCaller(IntPtr fp, Object o, Object t, EventArgs e)
at System.Web.Util.CalliEventHandlerDelegateProxy.Callback(Object sender, EventArgs e)
at System.Web.UI.Control.OnLoad(EventArgs e)
at System.Web.UI.Control.LoadRecursive()
at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)

TargetSite: Void ThrowCryptographicException(Int32)

Changing the application pool's predefined account to Local System produces a different error instead:

Error: The handle is invalid.

Source: mscorlib

Stack:
at System.Security.Cryptography.Utils.CreateProvHandle(CspParameters parameters, Boolean randomKeyContainer)
at System.Security.Cryptography.Utils.GetKeyPairHelper(CspAlgorithmType keyType, CspParameters parameters, Boolean randomKeyContainer, Int32 dwKeySize, SafeProvHandle& safeProvHandle, SafeKeyHandle& safeKeyHandle)
at System.Security.Cryptography.RSACryptoServiceProvider.GetKeyPair()
at System.Security.Cryptography.RSACryptoServiceProvider..ctor(Int32 dwKeySize, CspParameters parameters, Boolean useDefaultKeySize)
at System.Security.Cryptography.RSACryptoServiceProvider..ctor(Int32 dwKeySize, CspParameters parameters)
at LTS.Security.RSACrypto.GetKey(String containerName)
at lt.mk.Login.Page_Load(Object sender, EventArgs e)
at System.Web.Util.CalliHelper.EventArgFunctionCaller(IntPtr fp, Object o, Object t, EventArgs e)
at System.Web.Util.CalliEventHandlerDelegateProxy.Callback(Object sender, EventArgs e)
at System.Web.UI.Control.OnLoad(EventArgs e)
at System.Web.UI.Control.LoadRecursive()
at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)

TargetSite: System.Security.Cryptography.SafeProvHandle CreateProvHandle(System.Security.Cryptography.CspParameters, Boolean)

This case is unusual. Three of the four websites work; only the management login, which was deployed first, fails, while the user login works. All permissions have been assigned and all patches installed, yet it still fails. It is clearly an access problem on a key file in MachineKeys, but it is not obvious which file. Eventually I found a file in MachineKeys of only 1 KB that had been generated when the management login was first run. Granting Write permission on that file solved the problem.

Solution:

Open C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys and identify the key container file by the time it was generated (for example, 1ec97b70dfe69t3346f89a52d938180_d205c760-w627-6817-y9232f9482h8j1ef); it is usually only 1 KB. Then grant Write permission on that file to the worker process user: IIS_WPG on IIS 6, or IIS_IUSRS on IIS 7 and later.

By default, Administrator does not have Read or Write permission on this file, so you must first take ownership: right-click the file → Properties → Security tab → Advanced → Owner → select Administrator → OK. For the detailed steps, see the article "Regedit unable to save permission changes on Run or RunOnce in Windows, how to solve".
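The two steps above (find the key container file, then take ownership and grant the worker identity Write on just that file) as an added PowerShell example; this is not code from the original article. It assumes the application opens its key through CspParameters with the machine key store, so the container name the application uses can be resolved to the file name in MachineKeys via CspKeyContainerInfo.UniqueKeyContainerName; where that fails, it falls back to the article's method of listing the newest files. The function names, the container name 'LoginRsaKey' and the MachineKeys path are assumptions for this example.

```powershell
# Added example (not from the original article). Run from an elevated PowerShell.
# Assumptions: the application opens its key with CspParameters + UseMachineKeyStore,
# the MachineKeys path matches this machine, and the container name and IIS
# identity are supplied by the caller.

$MachineKeys = 'C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys'

function Get-KeyContainerFile {
    param(
        [string]$ContainerName,                 # name the application passes to GetKey (assumed)
        [string]$MachineKeysPath = $MachineKeys,
        [int]$NewestCount = 5
    )
    # Preferred route: ask CAPI for the container's unique name, which is the
    # file name inside MachineKeys. UseExistingKey prevents creating a new key
    # as a side effect if the name is wrong.
    if ($ContainerName) {
        try {
            $csp = New-Object System.Security.Cryptography.CspParameters
            $csp.KeyContainerName = $ContainerName
            $csp.Flags = [System.Security.Cryptography.CspProviderFlags]::UseMachineKeyStore -bor
                         [System.Security.Cryptography.CspProviderFlags]::UseExistingKey
            $rsa = New-Object System.Security.Cryptography.RSACryptoServiceProvider($csp)
            # Keep the key: with PersistKeyInCsp = $false, Clear() would delete the container.
            $rsa.PersistKeyInCsp = $true
            $unique = $rsa.CspKeyContainerInfo.UniqueKeyContainerName
            $rsa.Clear()
            return Get-Item -Path (Join-Path $MachineKeysPath $unique)
        } catch {
            Write-Warning "Could not open container '$ContainerName' ($($_.Exception.Message)); falling back to creation time."
        }
    }
    # Fallback used by the article: the culprit is the small (~1 KB) file created
    # when the failing page first ran, so list the newest files for inspection.
    Get-ChildItem -Path $MachineKeysPath |
        Where-Object { -not $_.PSIsContainer } |
        Sort-Object CreationTime -Descending |
        Select-Object Name, Length, CreationTime -First $NewestCount
}

function Grant-KeyContainerAccess {
    param(
        [Parameter(Mandatory=$true)][string]$Path,
        [string]$Identity = 'BUILTIN\IIS_IUSRS'   # IIS 7 and later; use 'IIS_WPG' on IIS 6
    )
    # The worker process created this file, so Administrators may not even be
    # able to read its ACL. Take ownership first (/A = Administrators group),
    # which is the PowerShell equivalent of the Owner tab in the article.
    & takeown.exe /F $Path /A | Out-Null

    # Grant only Read and Write on this single file, not Full Control and not
    # the whole MachineKeys folder: that is all the worker process needs.
    $acl  = Get-Acl -Path $Path
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity, 'Read, Write', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl

    # Return the resulting entries for the identity so the change can be verified.
    (Get-Acl -Path $Path).Access |
        Where-Object { $_.IdentityReference -like "*$($Identity.Split('\')[-1])" }
}

# Usage (assumed container name; omit -ContainerName to just list the newest files):
#   Get-KeyContainerFile -ContainerName 'LoginRsaKey'
#   Grant-KeyContainerAccess -Path (Join-Path $MachineKeys '<file name from the step above>')
```

Resolving the file through UniqueKeyContainerName avoids guessing by timestamp on a busy server, and the UseExistingKey flag matters: without it, opening a mistyped container name silently creates a brand-new key in MachineKeys, which is exactly the kind of stray 1 KB file the article had to hunt for. The grant is deliberately limited to Read and Write on the one file so the worker identity gains nothing over the other containers in the folder.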