web.config with impersonate
In my web.config file, I have the standard impersonate line:
<identity impersonate="true" userName="domain\username" password="password"/>
Which works great, and after I publish the site I run an encryption on this section, so security is not really an issue. However, I am trying to update my sites so that the password is read from a table (where it is stored in an encrypted format) via a function that also runs a decryption. I'm not sure if I can do this in a web.config or not, but barring that, are there any other suggestions for how to accomplish this? The end result is that I would like to be able to change the password in my table and have that change automatically go down to all my sites that use this account.
Ideally, I would like the impersonate line to read:
<identity impersonate="true" userName="domain\username" password="myDecryptFunction.Decrypt(username)"/>
Re: web.config with impersonate
There are a few ways.
1. From MSDN:
Quote:
To encrypt the user name and password and store them in the registry, set the userName and password as follows.
userName="registry:HKLM\Software\AspNetProcess,Name"
password="registry:HKLM\Software\AspNetProcess,Pwd"
The portion of the string after the keyword registry and before the comma indicates the name of the registry key that ASP.NET opens. The portion after the comma contains a single string value name from which ASP.NET will read the credentials. The comma is required, and the credentials must be stored in the HKLM hive. If the configuration format is incorrect, ASP.NET will not launch the worker process and the current account creation failure code path will be followed.
The credentials must be in REG_BINARY format, containing the output of a call to the Windows API function CryptProtectData. You can create the encrypted credentials and store them in the registry with the ASP.NET Set Registry console application (Aspnet_setreg.exe), which uses CryptProtectData to accomplish the encryption. To download Aspnet_setreg.exe, along with the Visual C++ source code and documentation, visit the Web site www.asp.net and search for "aspnet_setreg".
You should configure access to the key storing the encrypted credentials so that access is provided only to Administrators and SYSTEM. Because the key will be read by the ASP.NET process running as SYSTEM, you should set the following permissions:
Administrators:F
SYSTEM:F
CREATOR OWNER:F
ProcessAccount:R
This provides two lines of defense to help protect the data:
* The ACL permissions require the identity accessing the data to be an Administrator.
* An attacker must run code on the server (CryptUnprotectData) to recover the credentials for the account.
2. Impersonate in code-behind. Example here on MSDN.
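The second option, worked out for the original poster's goal (password fetched from a table and decrypted at request time, then used to impersonate). This is an added example, not code from the thread or from the MSDN page the reply links to. `PasswordStore.Decrypt` is a placeholder for the poster's own table-lookup-plus-decryption function; `LogonUser`, `CloseHandle`, `WindowsIdentity` and `WindowsImpersonationContext` are the documented Win32 and .NET APIs. When impersonation is done this way, the `<identity impersonate="true" ... />` element with credentials must be removed from web.config, otherwise ASP.NET impersonates that account first and the code-behind impersonates on top of it.

```csharp
// Added example (not from the original post or MSDN): impersonate a domain
// account from code-behind with a password obtained at runtime, instead of
// hard-coding it in <identity impersonate="true" password="..."/>.
// PasswordStore.Decrypt is a placeholder for the poster's own decrypt function.
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security.Principal;

public static class ImpersonationHelper
{
    // Logon type / provider constants from winbase.h
    private const int LOGON32_LOGON_INTERACTIVE = 2;
    private const int LOGON32_LOGON_NETWORK_CLEARTEXT = 8;
    private const int LOGON32_PROVIDER_DEFAULT = 0;

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    private static extern bool LogonUser(string lpszUsername, string lpszDomain,
        string lpszPassword, int dwLogonType, int dwLogonProvider, out IntPtr phToken);

    [DllImport("kernel32.dll", SetLastError = true)]
    private static extern bool CloseHandle(IntPtr hObject);

    // Runs 'work' on the current thread as domain\user. The logon token is always
    // closed and the original (app-pool) identity always restored, even if 'work' throws.
    public static void RunAs(string domain, string user, string password, Action work)
    {
        IntPtr token = IntPtr.Zero;

        // NETWORK_CLEARTEXT does not need the "Allow log on locally" right that
        // INTERACTIVE requires, and it keeps the credentials available so code
        // running under the token can reach other servers (SQL, file shares).
        if (!LogonUser(user, domain, password, LOGON32_LOGON_NETWORK_CLEARTEXT,
                       LOGON32_PROVIDER_DEFAULT, out token))
        {
            // Surface the real Win32 reason (bad password, account locked out, ...)
            // rather than a silent fall-through to the app-pool identity.
            throw new Win32Exception(Marshal.GetLastWin32Error());
        }

        try
        {
            // Dispose() on the context calls Undo(), so the thread is back to the
            // app-pool identity on every exit path.
            using (WindowsImpersonationContext ctx = new WindowsIdentity(token).Impersonate())
            {
                work();
            }
        }
        finally
        {
            CloseHandle(token);
        }
    }
}

// Code-behind usage (e.g. Page_Load). The account and the decrypt function
// are the poster's; shown here as placeholders.
public partial class Default : System.Web.UI.Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // Placeholder: the poster's table lookup + decryption. The decrypted
        // password is a plain managed string; do not log it or write it to the page.
        string password = PasswordStore.Decrypt("domain\\username");

        ImpersonationHelper.RunAs("domain", "username", password, delegate
        {
            // Everything in here runs with the service account's permissions.
            Response.Write(WindowsIdentity.GetCurrent().Name);
        });
        // Back to the app-pool identity here.
    }
}
```

Two points worth keeping in mind with this approach. Impersonation is per thread: work handed to a thread-pool thread or an async callback runs as the app-pool identity, not the impersonated account, so do the privileged work inside the delegate. And the secret boundary moves from the registry ACL in option 1 to the table and the decryption key: anyone who can execute code in the application can call the decrypt function, so the same "two lines of defense" reasoning applies, which means restricting who can read the table row and who can reach the key the decrypt function uses.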