Server Error in '/' Application. Access is denied

Question

We have multiple servers in our Adaxes cluster. One of the servers is throwing an error of "Access is denied." before a login page even comes up. I looked at the app pool and several folders and didn't see anything different. What could be causing this?

[CryptographicException: Access is denied. ] System.Security.Cryptography.CryptographicException.ThrowCryptographicException(Int32 hr) +43 System.Security.Cryptography.Utils._GenerateKey(SafeProvHandle hProv, Int32 algid, CspProviderFlags flags, Int32 keySize, SafeKeyHandle& hKey) +0 System.Security.Cryptography.Utils.GetKeyPairHelper(CspAlgorithmType keyType, CspParameters parameters, Boolean randomKeyContainer, Int32 dwKeySize, SafeProvHandle& safeProvHandle, SafeKeyHandle& safeKeyHandle) +575 System.Security.Cryptography.RSACryptoServiceProvider.GetKeyPair() +139 System.Security.Cryptography.RSACryptoServiceProvider..ctor(Int32 dwKeySize, CspParameters parameters, Boolean useDefaultKeySize) +208 Softerra.Adaxes.Web.Infrastructure.AccessControl.CryptoManager.CreateRsaAlgorithm() +130 Softerra.Adaxes.Web.Infrastructure.AccessControl.CryptoManager.GetPublicKey() +26 Softerra.Adaxes.Web.App.Core.Controllers.HomeController.Index(String configurationName, Boolean legacyRequest, String legacyPage) +1534 lambda_method(Closure , ControllerBase , Object[] ) +247 System.Web.Mvc.ControllerActionInvoker.InvokeActionMethod(ControllerContext controllerContext, ActionDescriptor actionDescriptor, IDictionary2 parameters) +35 System.Web.Mvc.Async.<>c.<BeginInvokeSynchronousActionMethod>b__9_0(IAsyncResult asyncResult, ActionInvocation innerInvokeState) +39 System.Web.Mvc.Async.WrappedAsyncResult2.CallEndDelegate(IAsyncResult asyncResult) +77 System.Web.Mvc.Async.AsyncControllerActionInvoker.EndInvokeActionMethod(IAsyncResult asyncResult) +42 System.Web.Mvc.Async.<>cDisplayClass11_0.<InvokeActionMethodFilterAsynchronouslyRecursive>b0() +80 System.Web.Mvc.Async.<>cDisplayClass11_2.<InvokeActionMethodFilterAsynchronouslyRecursive>b2() +396 System.Web.Mvc.Async.AsyncControllerActionInvoker.EndInvokeActionMethodWithFilters(IAsyncResult asyncResult) +42 System.Web.Mvc.Async.<>cDisplayClass3_6.<BeginInvokeAction>b4() +50 System.Web.Mvc.Async.<>cDisplayClass3_1.<BeginInvokeAction>b1(IAsyncResult asyncResult) +188 System.Web.Mvc.Async.AsyncControllerActionInvoker.EndInvokeAction(IAsyncResult asyncResult) +38 System.Web.Mvc.<>c.<BeginExecuteCore>b__152_1(IAsyncResult asyncResult, ExecuteCoreState innerState) +29 System.Web.Mvc.Async.WrappedAsyncVoid1.CallEndDelegate(IAsyncResult asyncResult) +73 System.Web.Mvc.Controller.EndExecuteCore(IAsyncResult asyncResult) +52 System.Web.Mvc.Async.WrappedAsyncVoid1.CallEndDelegate(IAsyncResult asyncResult) +39 System.Web.Mvc.Controller.EndExecute(IAsyncResult asyncResult) +38 System.Web.Mvc.<>c.<BeginProcessRequest>b__20_1(IAsyncResult asyncResult, ProcessRequestState innerState) +43 System.Web.Mvc.Async.WrappedAsyncVoid`1.CallEndDelegate(IAsyncResult asyncResult) +73 System.Web.Mvc.MvcHandler.EndProcessRequest(IAsyncResult asyncResult) +38 System.Web.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +431 System.Web.HttpApplication.ExecuteStepImpl(IExecutionStep step) +75 System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +158

Answer 1

Hello Mark,

According to the message, the issue occurs because the account of the application pool used for Adaxes Web Interface does not have access to encryption keys. To remedy the issue:

1. Launch elevated command prompt.
2. Navigate to folder C:\Windows\Microsoft.NET\Framework64\v4.0.30319\.
3. Execute the following command:

   aspnet_regiis.exe -pc Softerra.Adaxes.WebUI.CryptKeys

4. Execute the following command:

   aspnet_regiis.exe -pa Softerra.Adaxes.WebUI.CryptKeys "Authenticated Users"

5. Restart IIS and check whether the issue persists.

Comments

Hello Mark,

It looks like the file was not properly created and thus the permissions cannot be granted. To remedy the issue, please, do the following:

1. On the file system, navigate to folder C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys.
2. Find a file whose name starts with cb1d635e0f5a790c285b468d934b0aab.
3. Launch elevated command prompt.
4. In the command prompt, navigate to folder C:\Windows\Microsoft.NET\Framework64\v4.0.30319.
5. Execute the following command:

   aspnet_regiis.exe -pz Softerra.Adaxes.WebUI.CryptKeys

6. On the file system, check whether the file whose name starts with cb1d635e0f5a790c285b468d934b0aab still exists.
7. If it does, remove the file manually or just move it to a different location.
8. Refresh the Web Interface page.

---

Ran the command under an elevated prompt and got this message: The file was still there. In order to remove the file, I had to take ownership of the file to remove it. I refreshed the page and got this message: I attempted to run the command again and got the same error.

---

Hello Mark,

It looks like the issue occurs because the default permissions granted to the account under which the application pool runs over the file are not enough. To remedy the issue, please, do the following:

1. Make sure that the application pool used for Adaxes Web Interface runs under the Network Service identity.
2. Launch elevated command prompt.
3. Execute the following command:

   aspnet_regiis.exe -pa Softerra.Adaxes.WebUI.CryptKeys "NetworkService" –full

4. Check whether the issue persists.

---

IIS:

Command:

Web Interface Error:

Should I just re-install the web configuration part? The console seems to be fine.

---

Hello Mark,

Unfortunately, there is no possibility to re-install only the Web Interface component, it can only be done for all the components installed on a computer. If it is convenient, please, give the re-install a try.