What is the default registry location that is used for the registry key ring for ASP.NET Core Data Protection system

Question

TL;DR;

In which registry hive does the ASP.NET Core Data protection system store it's keys when you are running your app in IIS with a worker process account without user profile

It looks like it's reusing the hive used by ASP.NET DPAPI, is it ?

We are setting up a bunch of asp.net core applications that need to work together and the antiforgery validation is currently messing things up for POST requests. It looks like ASP.NET core Data protection needs to be configured so that all applications are using the same keys.

All our applications currently run with a pool user for which neither the user profile nor the HKLM registry key ring seems to be available.

We are not allowed to activate the user profile for these pool users so we are looking to use the registry.

In the "Data protection" section of the "Host ASP.NET Core on Windows with IIS" document here we found that to configure data protection under IIS to persist the key ring, one of the approaches is to create Data Protection Registry Keys with a powershell script from github here :

This script is just called like this :

Provision-AutoGenKeys "4.0" "32" $poolSid

Reading this powershell script it seems that all it does is setting ACLs for the pool user on the following keys :

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ASP.NET\2.0.50727.0\AutoGenKeys
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ASP.NET\4.0.30319.0\AutoGenKeys
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\ASP.NET\2.0.50727.0\AutoGenKeys
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\ASP.NET\4.0.30319.0\AutoGenKeys

Here is where I'm getting totally confused.... these look like hives for the "old" autogenerated keys for encryption by ASP.NET, not ASP.NET Core....

So, I'm wondering... is Microsoft reusing those hives for ASP.NET Core Data Protection ?

Or should I look elsewhere ?

Answer 1

ASP.NET Core can store Keys pretty much anywhere:

• File System
• Windows Registry
• IIS User Profile ( can in which keys are persisted to the HKLM registry in a special registry key that is ACLed only to the worker process account. Keys are encrypted at rest using DPAPI)
• Azure KeyVault, Azure Storage Account
• Azure app keys (at %HOME%\ASP.NET\DataProtection-Keys)
• SQL store
• Redis cache
• User profile (If the user profile is available, keys are at %LOCALAPPDATA%\ASP.NET\DataProtection-Keys folder and encrypted at rest using DPAPI for Windows)

So you should look at the location corresponding to your case/configuration.

Answer 2

The proof of the pudding is in the eating....

I've done a simple test and YES the .NET CORE Data Protection system is reusing the old ASP.NET AutoGenKeys hives for Microsoft.AspNetCore.DataProtection.KeyManagement.

In a test the following hive was used to add the data
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ASP.NET\4.0.30319.0\AutoGenKeys\S-1-5-21-1112422158-284577691-398547282-74630\DataProtection

---

To elaborate a bit more on my test :

• I have two simple .net core applications that post to each other.
• Each application configured with it's own application pool.
• Each application pool configured with the same user.
• This pool user has no user profile and limited permissions...

As soon as I added AntiforgeryValidation (which uses .net core data protection under the hood) the calls started to fail.

The application log showed entries like :

• "Using an in-memory repository. Keys will not be persisted to storage."
• "Neither user profile nor HKLM registry available. Using an ephemeral key repository. Protected data will be unavailable when application exists."

As soon as I ran the Provision-AutoGenKeys.ps1 powershell script (from https://github.com/aspnet/AspNetCore/blob/master/src/DataProtection/Provision-AutoGenKeys.ps1) to ACL the old ASP.NET AutoGenKeys everything started to work ... No warnings anymore that HKLM registry was not available.

So, to answer my own question : YES.. .NET CORE Data Protection is reusing the old ASP.NET AutoGenKeys hive for Microsoft.AspNetCore.DataProtection.KeyManagement.