Using DPAPI / ProtectedData in a web farm environment with the User Store

Posted by Lachman on Stack Overflow
Published on 2008-10-14T16:21:00Z; indexed on 2010/03/25 23:23 UTC
Hit count: 447


I was wondering if anyone had successfully used DPAPI with a user store in a web farm environment?

Because our application is an ASP.NET app recently converted from 1.1 to 2.0, we're using a custom wrapper which directly calls the CryptUnprotect methods. But this should be the same as the ProtectedData method available in the 2.0 framework.

Because we are operating in a web farm environment, we can't guarantee that the machine that did the encryption is going to be the one decrypting it. (Also because machine failures shouldn't destroy our encrypted data).

So what we have is a serviced component that runs in a service under a particular user account on each one of our web boxes. This user is set up to have a roaming profile, as per the recommendation.

The problem we have is that info encrypted on one machine cannot be decrypted on another; this fails with the win32 error 'Key not valid for use in specified state'.

I suspect that this is because I've made a mistake by having the encryption service running as the user on multiple machines, hence keeping the user logged in on more than one machine at the same time.

If this is the problem, how are others using DPAPI with the User Store in a web farm environment?
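The following is an added C# example, not code from the question or from the poster's wrapper. It shows the .NET 2.0 `ProtectedData` calls the question says are equivalent to the `CryptUnprotect` wrapper, using `DataProtectionScope.CurrentUser` (the "user store"), and wraps `Unprotect` in a check that reports the `CryptographicException` a node raises when it cannot unwrap a blob produced elsewhere in the farm. The class name, the entropy value and the marker-blob idea are assumptions of this example; the point is to detect the cross-node failure at service startup with a throwaway blob rather than discovering it on real data.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Hypothetical helper (not the question's code) around the .NET 2.0 ProtectedData API.
// DPAPI is Windows-only; CurrentUser scope ties the blob to the calling user's master key.
public static class UserStoreDpapi
{
    // Optional entropy binds blobs to this application. Every node must supply the same
    // value, otherwise Unprotect fails even when the user's key material is in sync.
    private static readonly byte[] AppEntropy = Encoding.UTF8.GetBytes("example-app-entropy"); // constructed value

    public static byte[] Protect(byte[] plaintext)
    {
        return ProtectedData.Protect(plaintext, AppEntropy, DataProtectionScope.CurrentUser);
    }

    public static byte[] Unprotect(byte[] blob)
    {
        return ProtectedData.Unprotect(blob, AppEntropy, DataProtectionScope.CurrentUser);
    }

    // Non-throwing variant: returns false and the Win32-derived message when this node
    // cannot unwrap the blob (e.g. "Key not valid for use in specified state").
    public static bool TryUnprotect(byte[] blob, out byte[] plaintext, out string failure)
    {
        plaintext = null;
        failure = null;
        try
        {
            plaintext = Unprotect(blob);
            return true;
        }
        catch (CryptographicException ex)
        {
            failure = ex.Message;
            return false;
        }
    }

    // Startup self-check for a farm node: the blob is a known marker that some node
    // protected earlier and stored in shared storage (database, file share, etc.).
    // If it does not decrypt to the expected marker here, this node's view of the
    // user's DPAPI keys differs from the node that produced it, and real data written
    // by that node will not be readable here either.
    public static bool VerifyFarmMarker(byte[] storedMarkerBlob, string expectedMarker, out string failure)
    {
        byte[] plain;
        if (!TryUnprotect(storedMarkerBlob, out plain, out failure))
            return false;

        bool ok = Encoding.UTF8.GetString(plain) == expectedMarker;
        if (!ok)
            failure = "marker decrypted but did not match the expected value";
        return ok;
    }
}

public static class Program
{
    public static void Main()
    {
        // Node A: protect a marker once and persist the base64 form in shared storage.
        const string marker = "dpapi-farm-marker-v1"; // constructed marker text
        string stored = Convert.ToBase64String(
            UserStoreDpapi.Protect(Encoding.UTF8.GetBytes(marker)));

        // Node B (here simulated on the same machine): load the blob and verify at startup.
        string why;
        bool usable = UserStoreDpapi.VerifyFarmMarker(Convert.FromBase64String(stored), marker, out why);
        Console.WriteLine("{0}: user-store DPAPI {1}{2}",
            Environment.MachineName,
            usable ? "OK" : "NOT usable for blobs from other nodes",
            usable ? "" : " (" + why + ")");
    }
}
```

Run on a single box the check trivially passes; the useful deployment is to let one node write the marker blob to the shared store and have every other node call `VerifyFarmMarker` when its service starts, logging the node name and the failure text so the mismatch described in the question is caught before user data is involved. Note that the check exercises exactly the dependency the question is asking about: whether the account's DPAPI master key, as loaded from the roaming profile on each node, is the same key that protected the blob.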

© Stack Overflow or respective owner
