Aspnetcore: UnauthorizedAccessException: Access to the path 'C:\Windows\system32\config\systemprofile\AppData\Local\ASP.NET\DataProtection-Keys' is denied.

Created on 31 Mar 2017 · 9 Comments · Source: dotnet/aspnetcore

Hello There!
I have been facing this issue from the very first day. My domain is cms.stagingdesk.com/admin. The login system works fine on my development machine, but when I publish it to my hosting environment it gives me this error:
UnauthorizedAccessException: Access to the path 'C:\Windows\system32\config\systemprofile\AppData\Local\ASP.NET\DataProtection-Keys' is denied.

Please help me; all my major projects are stuck because of it. I talked to the hosting provider and they said they gave me full rights everywhere.

Thank you in advance.


All 9 comments

@pakrym

@emcyborg what user is your IIS Application Pool running as?

The standard users of IIS and Plesk

@emcyborg I had the same issue on Plesk. What I found was this: I just asked my hosting provider to change the Application Pool identity on the IIS server from "ApplicationPoolIdentity" to "LocalSystem", and then my problem was fixed.

When DataProtection initialization happens, it tries to detect a place to save keys to. Usually, when running in IIS with .NET Framework installed on the machine, keys get persisted in a secure registry store. If the registry store does not exist for some reason, the LOCALAPPDATA, USERPROFILE and HOME environment variables are checked (https://github.com/aspnet/DataProtection/blob/91406009d3322f1b0c58f442883cecf52efcfcf8/src/Microsoft.AspNetCore.DataProtection/Repositories/FileSystemXmlRepository.cs#L104). When a directory is selected, access rights for it are checked so we don't try to save keys to a place we don't have access to (https://github.com/aspnet/DataProtection/blob/91406009d3322f1b0c58f442883cecf52efcfcf8/src/Microsoft.AspNetCore.DataProtection/Repositories/FileSystemXmlRepository.cs#L127). The strange thing in your case is that the first check succeeds but the next usage fails.

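A couple of things:

  1. What hosting provider do you use?
  2. You can use the PersistKeysToFileSystem method to set the storage directory explicitly:

```csharp
// Requires: using System.IO; using Microsoft.AspNetCore.DataProtection;
public void ConfigureServices(IServiceCollection services)
{
    // Store the key ring in an explicitly chosen directory instead of the default location.
    services.AddDataProtection()
        .PersistKeysToFileSystem(new DirectoryInfo(@"\\server\share\directory\"));
}
```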

After a few hours of looking into this, I found out that the root cause is at this line:
https://github.com/aspnet/DataProtection/blob/b706a75e03f93d2f9175a7fc3339baa87ad653f0/src/Microsoft.AspNetCore.DataProtection/Repositories/FileSystemXmlRepository.cs#L130

The problem is the Create method will do nothing if the folder is already there.
https://msdn.microsoft.com/en-us/library/d869eykc(v=vs.110).aspx

I tried with NETWORK SERVICE user and Load User Profile = false:
https://i.gyazo.com/112738db70c794ef571b18cf2968aa9c.png

Therefore, the method GetDefaultKeyStorageDirectory returns C:\Windows\system32\config\systemprofile\AppData\Local\ASP.NET\DataProtection-Keys
but it doesn't check whether the current user has access to that folder or not.
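
An added example, not part of the original thread or the DataProtection code base: because `DirectoryInfo.Create` does nothing when the folder already exists, one way to catch this failure at startup is to probe the key directory with a real write before passing it to `PersistKeysToFileSystem`. The helper name `AddVerifiedKeyRing` and the directory in the usage comment are assumptions made for illustration.

```csharp
using System;
using System.IO;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.Extensions.DependencyInjection;

public static class KeyRingSetup
{
    // Hypothetical helper. Usage inside ConfigureServices (path is a placeholder):
    //   services.AddVerifiedKeyRing(@"D:\keys\myapp");
    public static IDataProtectionBuilder AddVerifiedKeyRing(
        this IServiceCollection services, string keyDirectory)
    {
        var dir = new DirectoryInfo(keyDirectory);
        try
        {
            // Returns silently when the folder already exists, so on its own
            // it proves nothing about the current identity's rights.
            dir.Create();

            // Real probe: create and auto-delete a file, which needs the same
            // write permission as persisting a key XML file.
            var probe = Path.Combine(dir.FullName, Path.GetRandomFileName());
            using (new FileStream(probe, FileMode.CreateNew, FileAccess.Write,
                                  FileShare.None, 1, FileOptions.DeleteOnClose))
            {
            }
        }
        catch (Exception ex) when (ex is UnauthorizedAccessException || ex is IOException)
        {
            // Fail at startup with the identity and path named, instead of
            // on the first request that needs a key.
            throw new InvalidOperationException(
                $"Identity '{Environment.UserName}' cannot write to key directory '{dir.FullName}'.", ex);
        }

        // With an explicit directory, keys are no longer encrypted at rest
        // automatically; the caller can chain ProtectKeysWithDpapi() or
        // ProtectKeysWithCertificate(...) on the returned builder.
        return services.AddDataProtection().PersistKeysToFileSystem(dir);
    }
}
```

Granting the application pool identity write access to one dedicated key directory keeps the pool on a low-privilege account.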

@quinvit Great work!

This issue is being closed because it has not been updated in 3 months.

We apologize if this causes any inconvenience. We ask that if you are still encountering this issue, please log a new issue with updated information and we will investigate.

I had this issue too. I was using IIS and set "Enable 32 bit applications" to false.
