Sunday, December 15, 2013

Unexpected System.Configuration.ConfigurationErrorsException: The RSA key container could not be opened.

Scenario:

You have a SharePoint 2013 application with a web part that queries an external database (not a SharePoint database), and you add the following inside the <configuration> element:

<connectionStrings>
  <add name="MyAnyWebPart" connectionString="Data Source=DataBaseServer;Initial Catalog=DatabaseName;User ID=UserName;Password=XXXXXXX"
       providerName="System.Data.SqlClient" />
</connectionStrings>

After adding the connectionString, it should be encrypted so that the credentials are not exposed when an error occurs (for example, in an error page or a log entry that echoes the configuration). RSA encryption is used, with a key container that the aspnet_regiis.exe tool generates automatically.

To perform this action, follow the steps below:

1 – Open a command prompt with administrative privileges
2 – Go to C:\Windows\Microsoft.NET\Framework64\v4.0.30319
3 – Run the following command to encrypt the connectionStrings section:

Encrypt:

aspnet_regiis.exe -pef "connectionStrings" "C:\inetpub\wwwroot\wss\VirtualDirectories\80"

Decrypt:

aspnet_regiis.exe -pdf "connectionStrings" "C:\inetpub\wwwroot\wss\VirtualDirectories\80"

Note: Use the path of your own SharePoint web application.

After the encryption step, the section in web.config will look similar to this:

<connectionStrings configProtectionProvider="RsaProtectedConfigurationProvider">
  <EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element" xmlns="http://www.w3.org/2001/04/xmlenc#">
    <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc" />
    <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
      <EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#">
        <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
        <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
          <KeyName>Rsa Key</KeyName>
        </KeyInfo>
        <CipherData>
          <CipherValue>WGkITVNdcbxdL8nfmPQ1xqRfUEWvFPp8mTi2KgRCUhcGG3emR0jcsy3iye8aVOLi2DWll0CaLpHJvsnghwAFrkSW8tWezZ8Fzo2kHdWNhkO2a7vbhv/F2hF2luZCfNRCdzv3azhhukUr3buvo1TORLjeFB7+sQ+NOU851b+yI+ejn9m/kzahzn87sfvTUzNoLeS7aq8ZIRFDMFa8lYh5b/mF3xDxwS1WSHUoG5oQ5EA6FNgnKo58+uOKEhpvPNv/16h8BVPHIXUAQYnoYk8EuwNBpOkVQZxlE30lTFXunfEZ/QGlIqZbkk+HaTSg0RWuIxoFnKxkb5YRfwQNRTsQDA==</CipherValue>
        </CipherData>
      </EncryptedKey>
    </KeyInfo>
    <CipherData>
      <CipherValue>VatoPp7VnYHTeRodDAv8Kaj6sU9APKgSb8aov2cjaGIVLhsBzm2Nue5RFAAo1frX+ZJ2UVbFwNwa9BimsLzbBf5p1er1lMsQsuNEjc/LHQcJC0cuKqRiV6DJDUA21507qjnuWIThHiVk5cs4EtwR4ci+lbFV/j45TIoYvGonNJr2m1YtwUXRBT+nAqDRhlQnvcSCRnpbz8s6n9Nii3frz0LmuO0NHTLf3xmYB8WTLEXIawtCXJ3/hxBMS624o/LfSJorzw5HS/wya5RRArbQLJQM3TkFU5VwVZxkt5N5jw8=</CipherValue>
    </CipherData>
  </EncryptedData>
</connectionStrings>

When you then try to access the application, the browser shows a 403 error.

Looking at the error message in the ULS logs:


Error Message:

Unexpected System.Configuration.ConfigurationErrorsException: The RSA key container could not be opened.
   at System.Configuration.RsaProtectedConfigurationProvider.ThrowBetterException(Boolean keyMustExist)
   at System.Configuration.RsaProtectedConfigurationProvider.GetCryptoServiceProvider(Boolean exportable, Boolean keyMustExist)
   at System.Configuration.RsaProtectedConfigurationProvider.Decrypt(XmlNode encryptedNode)
   at System.Configuration.ProtectedConfigurationSection.DecryptSection(String encryptedXml, ProtectedConfigurationProvider provider)
   at System.Configuration.RuntimeConfigurationRecord.CallHostDecryptSection(String encryptedXml, ProtectedConfigurationProvider protectionProvider, ProtectedConfigurationSection protectedConfig)
   at System.Configuration.BaseConfigurationRec… 315e609c-3258-1009-4f87-732a407e2da0

The resolution:

To solve this problem you must adjust some permissions. The key container for the anonymous IIS machine accounts ("IUSR" group and "Server\IIS_IUSR" user), usually saved under C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA, does not have the correct permissions by default. The worker process identity for the anonymous user must be able to read these files in order to decrypt the section; otherwise you get the error message above.

To correct it, add the "IUSR" group and the "Server\IIS_IUSR" user with "write" permission on the "MachineKeys" folder, as shown in the screenshots below:

[Screenshots: Security tab of the MachineKeys folder showing the added permissions]

That's it. Now try to access your application again and it will work.
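As an added check that is not part of the original post: the PowerShell script below locates the one file under MachineKeys that RsaProtectedConfigurationProvider actually opens, lists who can read it, and then grants the worker process identity access to that single container with aspnet_regiis -pa, which is narrower than giving "write" on the whole MachineKeys folder (decryption only needs read access to the container). The application pool identity and the aspnet_regiis.exe path are placeholders you must replace; the container name NetFrameworkConfigurationKey is the provider's default.

```powershell
# Added example (not from the original post). Assumes: .NET 4 x64 path as in the post,
# the provider's default container name, and a placeholder app pool identity.
$regiis    = 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe'
$container = 'NetFrameworkConfigurationKey'          # default container of RsaProtectedConfigurationProvider
$identity  = 'IIS APPPOOL\SharePoint - 80'           # PLACEHOLDER: your web application's pool identity

# Open the existing machine-level container; UseExistingKey makes this fail instead of
# silently creating a new key if the container is missing.
$csp = New-Object System.Security.Cryptography.CspParameters
$csp.KeyContainerName = $container
$csp.Flags = [System.Security.Cryptography.CspProviderFlags]::UseMachineKeyStore -bor
             [System.Security.Cryptography.CspProviderFlags]::UseExistingKey
try {
    $rsa = New-Object System.Security.Cryptography.RSACryptoServiceProvider($csp)
} catch {
    throw "Key container '$container' does not exist on this machine (create it with: aspnet_regiis -pc $container)."
}

# The unique container name is the file name inside MachineKeys.
# C:\ProgramData is the current location of the "All Users\Application Data" path named in the post.
$keyFile = Join-Path 'C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys' `
                     $rsa.CspKeyContainerInfo.UniqueKeyContainerName
Write-Host "Key container file: $keyFile"

# Who can open it today? The error in the post means the worker process identity is missing here.
(Get-Acl $keyFile).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType |
    Format-Table -AutoSize

# Grant the worker process identity access to this container only.
# Without -full, aspnet_regiis -pa grants read access, which is all decryption needs.
& $regiis -pa $container $identity
if ($LASTEXITCODE -ne 0) { throw "aspnet_regiis -pa failed with exit code $LASTEXITCODE" }

# Re-check: the identity should now appear with Read rights on the container file.
(Get-Acl $keyFile).Access |
    Where-Object { $_.IdentityReference.Value -eq $identity } |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
```

Run it from an elevated PowerShell on the SharePoint server; if the ACL listing already shows the pool identity with Read rights and the error persists, the web.config was encrypted with a different container than the one the site's provider is configured to use.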
