How to Encrypt Password in web.config files

3

Encrypting

This post is a small how to guide, on how to encrypt sensitive information in a web.config and in my specific case username and password for a service account used by the Azure Multi-Factor Authentication (MFA) services, such as MFA User Portal and MFA Mobile App web services. In my scenario, those services had been installed on dedicated servers and since it was decided to use service accounts for communicating with the backend MFA servers.

The MFA service account are configured in settings section of the web.config file and since the information in the web.config is clear text, it makes sense to encrypt this kind of information.

The guide for encrypting username and password in the web.config, can be used for other systems as well. But I focus on the information used by Microsoft Azure MFA Server and services.

Before Encrypting

Take a look at the existing web.config file, in my case located in:

  • C:\inetpub\wwwroot\MultiFactorAuthMobileAppWebService (Default folder for the MFA Mobile App servers)
  • C:\inetpub\wwwroot\MultiFactorAuth (Default folder for the MFA User Portal servers)

As you can see the information about username and password is not secure and in clear text in the web.config file:

image

How to Encrypt the information

Start an elevated command prompt or a PowerShell with Administrator privileges

At the command prompt enter:

cd C:\Windows\Microsoft.NET\Framework\v4.0.30319

In my case, I have the web.config files located in “C:\inetpub\wwwroot\MultiFactorAuthMobileAppWebService”, then I have to enter the following command to encrypt everything in “appSettings” (see the web.config above):

.\ASPNET_REGIIS –pef “appSettings” C:\inetpub\wwwroot\MultiFactorAuthMobileAppWebService

  • The -pef switch specifies the configuration section to encrypt and allows you to supply the physical directory path for your configuration file.

Result:

EncryptingWebConfig

After Encrypting

Review the Web.config file, and examine the changes. The following elements are created:

  • <EncryptedData>
  • <CipherData>
  • <CipherValue>

Your modified Web.config file, with the appSettings section encrypted, should be similar to the following example.

image

That’s it – you are all done and the information in your web.config file is now encrypted.

MSDN reference documentation: https://msdn.microsoft.com/en-us/library/zhhddkxy.aspx

+PeterSchmidt

About Author

Peter is an Exchange specialist with over 15+ years of experience with Exchange Server and certified Microsoft Certified Master (MCM) and Microsoft Certified Solutions Master (MCSM) on Exchange Server. He has been awarded the Microsoft MVP award, every year since 2007. He is active in the Microsoft community and User Group Leader for CoLabora (a danish UC & Cloud User Group). He works as an Cloud & Infrastructure Architect and Consulent, with primary focus on Exchange, Office 365, Azure and Skype for Business.

3 Comments

  1. Pingback: Weekly IT Newsletter – June 20-24, 2016 | Just a Lync Guy

  2. David Sampson on

    Thanks Peter, quick question but where does one find the credentials in the first place. I can see that a domain account PFUP_Servername got created on installing the web service SDK i believe but I never got asked for a password for it. Is it safe to reset this in AD?

Reply To Peter Schmidt Cancel Reply

Copyright 2005-2015 - Peter Schmidt.