Adding encrypted security to the accounts in web.config
Introduction
System Architect XT can access encyclopedias using either Windows authentication mode or SQL authentication mode, and the web.config file determines which one is used. For SQL authentication, the connectionStrings section of the web.config file contains DBUser and DBPassword items. If the connectionString value of the DBUser item is not empty, the system attempts to connect to the selected server using the values provided in these connectionString fields. If the connectionString value of the DBUser item is empty, the system continues to use Windows authentication mode with the identity account. The fixed identity account should be a low-privilege account that has been granted only the necessary permissions in the database.
The example below will cause the system to attempt connection to the database server using SQL authentication mode, using the user ID saxtuser and password saxtpwd.
<connectionStrings>
   <add name="DBUser" connectionString="saxtuser" />
   <add name="DBPassword" connectionString="saxtpwd" />
</connectionStrings>
The fixed identity account that is used for Windows authentication is stored in the <identity> element of the <system.web> section of the web.config file.
<identity impersonate="true" userName="Domain\saxtuser" password="saxtpwd" />
The information in the connectionStrings section and the identity element can be encrypted with standard Microsoft utilities. The use of Machine-Level Key encryption is summarized in the Machine-Level Key section below; the complete text can be found at the Microsoft page below:
https://docs.microsoft.com/en-us/previous-versions/msp-n-p/ff650304(v=pandp.10)
Where is the web.config file located?
The web.config file is located in the SAXT installation folder – usually Program Files (x86)\UNICOM Systems\System Architect Suite\SAXT.
Encrypting the information in the web.config file
Before proceeding, refer to Where is the web.config file located?.
Encrypting the connectionStrings section
1 Using the Command Prompt as Administrator, switch to the folder that contains the Microsoft aspnet_regiis.exe utility, using the command below:
CD "C:\Windows\Microsoft.NET\Framework\v4.0.30319"
2 Execute the aspnet_regiis command below:
C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319>aspnet_regiis -pef "connectionStrings" "C:\Program Files (x86)\UNICOM Systems\System Architect Suite\SAXT"
You should receive the message below if the utility was successful.
Encrypting configuration section...
Succeeded!
Encrypting the identity element in the system.web section
1 Use the same Microsoft aspnet_regiis.exe utility – switch to its folder using the command below:
CD "C:\Windows\Microsoft.NET\Framework\v4.0.30319"
2 Execute the aspnet_regiis command below:
C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319>aspnet_regiis -pef "system.web/identity" "C:\Program Files (x86)\UNICOM Systems\System Architect Suite\SAXT"
You should receive the message below if the utility was successful.
Encrypting configuration section...
Succeeded!
Note: IIS might fail to validate the <identity> element when it is encrypted. For that reason, you must disable the configuration validation in the web.config file. To do this, edit the web.config file using any text editor and add the entry below under the <system.webServer> line:
<validation validateIntegratedModeConfiguration="false" />
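To confirm that both sections were actually encrypted and that no password is still readable in the file, the check below can be run after the steps above. It is an added example, not part of the UNICOM documentation or utilities; the function name Test-SaxtConfigEncryption is hypothetical and the default path assumes the usual installation folder given on this page.

```powershell
# Added example (not UNICOM's code): report the protection state of the two
# web.config sections this page encrypts. Reads the file only; changes nothing.
function Test-SaxtConfigEncryption {
    param(
        # Assumption: default SAXT installation folder named on this page.
        [string]$ConfigPath = 'C:\Program Files (x86)\UNICOM Systems\System Architect Suite\SAXT\web.config'
    )

    $config = New-Object System.Xml.XmlDocument
    $config.Load($ConfigPath)

    # local-name() keeps the lookups working whether or not the file declares an XML namespace.
    $root = "/*[local-name()='configuration']"
    $sections = [ordered]@{
        'connectionStrings'   = "$root/*[local-name()='connectionStrings']"
        'system.web/identity' = "$root/*[local-name()='system.web']/*[local-name()='identity']"
    }

    foreach ($name in $sections.Keys) {
        $node = $config.SelectSingleNode($sections[$name])
        if ($null -eq $node) {
            [pscustomobject]@{ Section = $name; Present = $false; Encrypted = $false
                               Provider = ''; PlaintextSecret = $false }
            continue
        }

        # After aspnet_regiis -pef the section carries a configProtectionProvider
        # attribute and its content is replaced by an <EncryptedData> element.
        $provider  = $node.GetAttribute('configProtectionProvider')
        $encrypted = $null -ne $node.SelectSingleNode("*[local-name()='EncryptedData']")

        $plaintext = $false
        if (-not $encrypted) {
            # Secrets this page describes: the DBPassword entry and identity's password attribute.
            $dbPwd     = $node.SelectSingleNode("*[local-name()='add'][@name='DBPassword']/@connectionString")
            $plaintext = [bool]($dbPwd -and $dbPwd.Value) -or [bool]$node.GetAttribute('password')
        }

        [pscustomobject]@{ Section = $name; Present = $true; Encrypted = $encrypted
                           Provider = $provider; PlaintextSecret = $plaintext }
    }
}

Test-SaxtConfigEncryption | Format-Table -AutoSize
```

A row showing Encrypted as False together with PlaintextSecret as True means the credentials for that section are still readable in the file.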
Machine-Level Key
When using Machine-Level Key encryption, the RSA machine key containers are stored in the folder below:
%ALLUSERSPROFILE%\Application Data\Microsoft\Crypto\RSA\MachineKeys
The same SAXT identity impersonation user referred to above will need read access to the file created in this folder.
Granting the required access rights
Before proceeding, refer to Where is the web.config file located?.
1 Using the Command Prompt as Administrator, switch to the folder that contains the Microsoft aspnet_regiis.exe utility, using the command below:
CD "C:\Windows\Microsoft.NET\Framework\v4.0.30319"
2 Execute the aspnet_regiis command below, where Domain\saxtuser is the identity impersonation user specified in the SAXT web.config file:
C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319>aspnet_regiis -pa "NetFrameworkConfigurationKey" "Domain\saxtuser"
You should receive the message below if the utility was successful.
Adding ACL for access to the RSA Key container...
Succeeded!
3 IIS must be reset after updating the ACL, so from a DOS prompt run the command below:
C:\> IISReset
You should receive the messages below if the utility was successful.
Attempting stop...
Internet services successfully stopped
Attempting start...
Internet services successfully restarted
Decrypting the information in the web.config file
Before proceeding, refer to Where is the web.config file located?.
Decrypting the connectionStrings section
1 Using the Command Prompt as Administrator, switch to the folder that contains the Microsoft aspnet_regiis.exe utility, using the command below:
CD "C:\Windows\Microsoft.NET\Framework\v4.0.30319"
2 Execute the aspnet_regiis command below:
C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319>aspnet_regiis -pdf "connectionStrings" "C:\Program Files (x86)\UNICOM Systems\System Architect Suite\SAXT"
You should receive the message below if the utility was successful.
Decrypting configuration section...
Succeeded!
Decrypting the identity element in the system.web section
1 Use the same Microsoft aspnet_regiis.exe utility – switch to its folder using the command below:
CD "C:\Windows\Microsoft.NET\Framework\v4.0.30319"
2 Execute the aspnet_regiis command below:
C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319>aspnet_regiis -pdf "system.web/identity" "C:\Program Files (x86)\UNICOM Systems\System Architect Suite\SAXT"
You should receive the message below if the utility was successful.
Decrypting configuration section...
Succeeded!
Removing the access rights given to the SAXT identity impersonation user
1 Use the same Microsoft aspnet_regiis.exe utility – switch to its folder using the command below:
CD "C:\Windows\Microsoft.NET\Framework\v4.0.30319"
2 Execute the aspnet_regiis command below, where Domain\saxtuser is the impersonation user specified in the SAXT web.config file:
C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319>aspnet_regiis -pr "NetFrameworkConfigurationKey" "Domain\saxtuser"
You should receive the message below if the utility was successful.
Removing ACL for access to the RSA Key container...
Succeeded!
See also
Installing System Architect XT