.NET Forum / ASP.NET / Security / October 2004

pan machine dpapi user mode problems (roaming profiles & keys)

Martin - 14 Oct 2004 13:33 GMT
Hi,

I have a web app that uses dpapi in user mode.  It's important that the keys
are usable across more than one machine - in case of disaster recovery, and
scaling path.

On a small test lan running windows 2000 and xp, I have this working - dpapi
service account with a roaming profile can encrypt on one machine and
decrypt on another.

In the live environment running windows 2003 and xp, across a site to site
vpn I have a number of problems:
1) using roaming profile across vpn is unreliable - had a situation with
existing local profile and no profile on remote machine (where the profile
path points) - logged in and out of local machine as the relevant account -
it didn't upload the profile in the location referenced by profile path for
that user.

2) therefore I did a manual backup and restore of the local profile
(documents and settings\username\*) from one machine to another (side
stepping roaming profile).  Whilst each computer could encrypt and decrypt
on its own, I couldn't decrypt on one what had been encrypted on the
other.

Is there any way to view the user profile keys used by dpapi?

Should doing a manual backup and restore of the profile to another machine
have preserved the original keys so that I can encrypt on one, and decrypt
on the other machine?

Thanks
Martin
Martin - 14 Oct 2004 14:01 GMT
I read in "How to troubleshoot the Data Protection API (DPAPI)"
section "DPAPI and Roaming Profiles"
(http://support.microsoft.com/default.aspx?scid=kb;en-us;309408#6) that "For
DPAPI to work correctly when it uses roaming profiles, the domain user must
only be logged on to a single computer in the domain. If the user wants to
log on to a different computer that is in the domain, the user must log off
the first computer before the user logs on to the second computer. If the
user is logged on to multiple computers at the same time, it is likely that
DPAPI will not be able to decrypt existing encrypted data correctly."

In an ASP.Net with enterprise services for DPAPI environment (as outlined in
the ASP.Net dpapi user mode how-to), where the dpapiservice is running as
the account with the roaming profile, what happens if the service is running
on multiple machines simultaneously?  Is this equivalent to the same user
being logged in multiple times?  Is there any role for mandatory profiles to
stabilise the situation?

Is there any way for dpapi to be used in a web farm scenario?

Thanks
Martin

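A diagnostic for the two questions above (how to see which keys a profile carries, and why a copied profile may fail to decrypt the other machine's data), added here and not code from the thread. It assumes the .NET 2.0 ProtectedData API instead of the Enterprise Services wrapper from the how-to, and it must be run as the DPAPI service account on each machine: once on the first machine to write the blob, then again on the second with the same file copied across.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Security.Principal;
using System.Text;
// Diagnostic for the questions above (not code from the thread): write a
// user-store DPAPI blob on one machine, try to read it on another, and list
// the master key files each profile copy holds so the two can be compared.
class DpapiProfileCheck
{
    static void Main(string[] args)
    {
        string blobPath = args.Length > 0 ? args[0] : "dpapi-test.blob";
        if (File.Exists(blobPath))
        {
            // Second machine: decrypt what the first machine wrote.
            try
            {
                byte[] plain = ProtectedData.Unprotect(File.ReadAllBytes(blobPath), null, DataProtectionScope.CurrentUser);
                Console.WriteLine("Decrypted OK: " + Encoding.UTF8.GetString(plain));
            }
            catch (CryptographicException ex)
            {
                // The failure seen in the thread: the blob names a master key
                // GUID that this copy of the profile does not contain.
                Console.WriteLine("Decrypt failed: " + ex.Message);
            }
        }
        else
        {
            // First machine: encrypt a constructed secret under the current user's master key.
            byte[] blob = ProtectedData.Protect(Encoding.UTF8.GetBytes("constructed test secret"), null, DataProtectionScope.CurrentUser);
            File.WriteAllBytes(blobPath, blob);
            Console.WriteLine("Wrote " + blob.Length + "-byte blob to " + blobPath);
        }
        ListMasterKeys();
    }
    // Master keys sit in the roaming part of the profile in a per-SID folder.
    // Both machines must show the same GUID file name for decryption to work.
    static void ListMasterKeys()
    {
        string sid = WindowsIdentity.GetCurrent().User.Value;
        string dir = Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData), @"Microsoft\Protect\" + sid);
        Console.WriteLine("Master key store: " + dir);
        if (!Directory.Exists(dir)) { Console.WriteLine("  (not found)"); return; }
        foreach (string f in Directory.GetFiles(dir))
            Console.WriteLine("  " + Path.GetFileName(f) + " (" + new FileInfo(f).Length + " bytes)");
    }
}
```

If the listing on the second machine lacks the GUID file present on the first, the profile copy did not carry the master key and no amount of re-copying the blob will help; comparing the two listings is the check to run before trusting roaming or manual profile transfer for a farm.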
