I have had numerous requests about encrypting the web.config file for the SmartConnect web service. By default, a web.config file contains plain text passwords for the connection strings and the impersonation account. Normally this isn’t a problem, since the web.config file is hosted on an IIS server with limited users having access to it. However, I have had multiple people ask how to encrypt the information. I did some research and discovered how to encrypt the two sections of the web.config file that have plain text passwords in them.

By default, your web.config is going to be in one of two directories, depending on whether you are running a 32 bit or 64 bit operating system.

For 32 bit: C:\Program Files\eOne Solutions\wcf

For 64 bit: C:\Program Files (x86)\eOne Solutions\wcf

Encrypting the password information is done using an executable on the server named aspnet_regiis.exe. You can only encrypt this file from a command prompt.

The aspnet_regiis.exe file is going to be located in the C:\Windows\Microsoft.NET\Framework\v4.0.30319 directory. You may have it in additional folders, but we want to use the one located in this folder.

To encrypt it, open a command prompt as an administrator on the machine. Navigate to the C:\Windows\Microsoft.NET\Framework\v4.0.30319 folder by typing “cd C:\Windows\Microsoft.NET\Framework\v4.0.30319” and hitting the enter key.

At this prompt, you will type the following command:

NOTE: you may have to change the pathname to "C:\Program Files\eOne Solutions\wcf" if you are on a 32 bit machine.

aspnet_regiis -PEF appSettings "C:\Program Files (x86)\eOne Solutions\wcf"

Then hit the enter key. This command will encrypt everything in the appSettings section of the web.config.

Then type in this command:

aspnet_regiis -PEF system.web/identity "C:\Program Files (x86)\eOne Solutions\wcf"

Then hit the enter key. This command will encrypt the identity element (the impersonation account) in the system.web section of the web.config.
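
The two commands above can also be run and then checked from an elevated PowerShell prompt. The script below is an added example, not part of the original post or of SmartConnect; it assumes the default install folders listed earlier and a web.config whose root configuration element has no XML namespace.

```powershell
# Added example (not from the original post). Run elevated on the IIS server.
$regiis   = 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe'
$sections = 'appSettings', 'system.web/identity'

# Use whichever default install folder actually holds the web.config.
$site = 'C:\Program Files (x86)\eOne Solutions\wcf',
        'C:\Program Files\eOne Solutions\wcf' |
    Where-Object { Test-Path (Join-Path $_ 'web.config') } |
    Select-Object -First 1
if (-not $site) { throw 'web.config not found in either default folder.' }

# Same two commands as above: -PEF takes the section name and the physical folder.
foreach ($section in $sections) {
    & $regiis -PEF $section $site
}

# Re-read the file and confirm each section now holds only an EncryptedData element.
[xml]$xml = Get-Content -Raw -Path (Join-Path $site 'web.config')
$report = foreach ($section in $sections) {
    $node     = $xml.SelectSingleNode("/configuration/$section")
    $provider = $null
    $cipher   = $false
    $plain    = $false
    if ($null -ne $node) {
        $provider = $node.GetAttribute('configProtectionProvider')
        # EncryptedData lives in the XML Encryption namespace, so match on local name.
        $cipher = $null -ne $node.SelectSingleNode("*[local-name()='EncryptedData']")
        # Leftover <add> keys or a password attribute mean the section is still readable.
        $plain = ($node.SelectNodes('add').Count -gt 0) -or $node.HasAttribute('password')
    }
    [pscustomobject]@{
        Section   = $section
        Provider  = $provider
        Encrypted = ($cipher -and -not $plain)
    }
}
$report | Format-Table -AutoSize

$bad = $report | Where-Object { -not $_.Encrypted }
if ($bad) { throw "Still in plain text: $($bad.Section -join ', ')" }
```

The default provider's key is stored on the server itself, so an encrypted web.config copied to another machine will not decrypt there. Running aspnet_regiis with -PDF and the same section and folder arguments restores the plain text when a value needs to be edited.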

This is what the appSettings section of the web.config looks like before encrypting

This is the appSettings section of the web.config after encrypting

Here are the system.web settings before encryption

Here are the system.web settings after encryption

As I said, normally web.config files do not need to be secured because, by their very nature, they are stored on the IIS server in a folder only administrators should have access to. However, if you want to encrypt them to keep casual users out, this will do the job for you.

Nothing needs to be changed in the SmartConnect setup. IIS will automatically decrypt the passwords when needed, so from a SmartConnect standpoint, nothing else needs to be changed.

If you have any questions feel free to comment below or reach out to us at sales@eonesolutions.com!