程序开发 > C# > 正文

RSA加密给 Application Data 和 MachineKeys 文件夹分配权限且安装了补丁仍拒绝访问的解决办法

亮术网 2021-04-07 本网原创

RSA加密出现拒绝访问 CreateProvHandle 的错误,通常给用户 IIS_WPG 分配对 Application Data(C:\Documents and Settings\All Users\Application Data)和 MachineKeys(C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys)文件夹读写的权限,问题就可以解决,具体请看《解决rsa拒绝访问 CreateProvHandle》一文。但有时这样做了仍然无济于事,即使安装了补丁 KB938397 也还不能解决问题。

进行以上操作后又提示 CryptographicException: 拒绝访问,详细错误信息如下:

CryptographicException: 拒绝访问

Source: mscorlib

Stack:
at System.Security.Cryptography.CryptographicException.ThrowCryptographicException(Int32 hr) 
at System.Security.Cryptography.Utils._GenerateKey(SafeProvHandle hProv, Int32 algid, CspProviderFlags flags, Int32 keySize, SafeKeyHandle& hKey)
at System.Security.Cryptography.Utils.GetKeyPairHelper(CspAlgorithmType keyType, CspParameters parameters, Boolean randomKeyContainer, Int32 dwKeySize, SafeProvHandle& safeProvHandle, SafeKeyHandle& safeKeyHandle)
at System.Security.Cryptography.RSACryptoServiceProvider.GetKeyPair()
at System.Security.Cryptography.RSACryptoServiceProvider..ctor(Int32 dwKeySize, CspParameters parameters, Boolean useDefaultKeySize)
at System.Security.Cryptography.RSACryptoServiceProvider..ctor(Int32 dwKeySize, CspParameters parameters)
at LTS.Security.RSACrypto.GetKey(String containerName) 
at lt.mk.Login.Page_Load(Object sender, EventArgs e)
at System.Web.Util.CalliHelper.EventArgFunctionCaller(IntPtr fp, Object o, Object t, EventArgs e)
at System.Web.Util.CalliEventHandlerDelegateProxy.Callback(Object sender, EventArgs e)
at System.Web.UI.Control.OnLoad(EventArgs e)
at System.Web.UI.Control.LoadRecursive()
at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)

TargetSite: Void ThrowCryptographicException(Int32)

 

 

把应用程序池的“预定义帐户”改为“本地系统”又提示:

Error:句柄无效。

Source: mscorlib

Stack:
at System.Security.Cryptography.Utils.CreateProvHandle(CspParameters parameters, Boolean randomKeyContainer)
at System.Security.Cryptography.Utils.GetKeyPairHelper(CspAlgorithmType keyType, CspParameters parameters, Boolean randomKeyContainer, Int32 dwKeySize, SafeProvHandle& safeProvHandle, SafeKeyHandle& safeKeyHandle)
at System.Security.Cryptography.RSACryptoServiceProvider.GetKeyPair()
at System.Security.Cryptography.RSACryptoServiceProvider..ctor(Int32 dwKeySize, CspParameters parameters, Boolean useDefaultKeySize)
at System.Security.Cryptography.RSACryptoServiceProvider..ctor(Int32 dwKeySize, CspParameters parameters)
at LTS.Security.RSACrypto.GetKey(String containerName)
at lt.mk.Login.Page_Load(Object sender, EventArgs e) at System.Web.Util.CalliHelper.EventArgFunctionCaller(IntPtr fp, Object o, Object t, EventArgs e)
at System.Web.Util.CalliEventHandlerDelegateProxy.Callback(Object sender, EventArgs e)
at System.Web.UI.Control.OnLoad(EventArgs e)
at System.Web.UI.Control.LoadRecursive()
at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)

TargetSite: System.Security.Cryptography.SafeProvHandle CreateProvHandle(System.Security.Cryptography.CspParameters, Boolean)

这个问题比较特别,四个网站三个都可以,就最先部署的这个后台管理登录不行,它的前台登录却可以,该分配的权限全分配且安装了所有补丁,仍然不行;但可以确定是无权限访问密钥的问题,只是不知道是哪个。后来发现有个密钥文件只有 1 KB 且是执行后台管理登录时生成的,给它分配“写”权限,问题解决。

 

 

解决办法:

打开 C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys,根据生成密钥的时间判定是哪个文件(如 1ec97b70dfe69t3346f89a52d938180_d205c760-w627-6817-y9232f9482h8j1ef),这个文件通常只有 1 KB,然后给它的用户 IIS_WPG(iis 6)、IIS_IUSRS(iis 7 以上)分配“写”的权限。

这个文件默认情况下,Administrator 也没有权限查看和修改,需要更改它的所有者,方法为:右键它 → 属性 → “安全”选项卡 → 高级 → 所有者 → 选择 Administrator → 确定,具体方法可参考《Windows2008修改文件夹所有者》一文。

本文浓缩标签:RSA权限
恒星彩票网址