Server Error in '/' Application. Access is denied

Question

We have multiple servers in our Adaxes cluster. One of the servers is throwing an error of "Access is denied." before a login page even comes up. I looked at the app pool and several folders and didn't see anything different. What could be causing this?

[CryptographicException: Access is denied. ] System.Security.Cryptography.CryptographicException.ThrowCryptographicException(Int32 hr) +43 System.Security.Cryptography.Utils._GenerateKey(SafeProvHandle hProv, Int32 algid, CspProviderFlags flags, Int32 keySize, SafeKeyHandle& hKey) +0 System.Security.Cryptography.Utils.GetKeyPairHelper(CspAlgorithmType keyType, CspParameters parameters, Boolean randomKeyContainer, Int32 dwKeySize, SafeProvHandle& safeProvHandle, SafeKeyHandle& safeKeyHandle) +575 System.Security.Cryptography.RSACryptoServiceProvider.GetKeyPair() +139 System.Security.Cryptography.RSACryptoServiceProvider..ctor(Int32 dwKeySize, CspParameters parameters, Boolean useDefaultKeySize) +208 Softerra.Adaxes.Web.Infrastructure.AccessControl.CryptoManager.CreateRsaAlgorithm() +130 Softerra.Adaxes.Web.Infrastructure.AccessControl.CryptoManager.GetPublicKey() +26 Softerra.Adaxes.Web.App.Core.Controllers.HomeController.Index(String configurationName, Boolean legacyRequest, String legacyPage) +1534 lambda_method(Closure , ControllerBase , Object[] ) +247 System.Web.Mvc.ControllerActionInvoker.InvokeActionMethod(ControllerContext controllerContext, ActionDescriptor actionDescriptor, IDictionary2 parameters) +35 System.Web.Mvc.Async.<>c.<BeginInvokeSynchronousActionMethod>b__9_0(IAsyncResult asyncResult, ActionInvocation innerInvokeState) +39 System.Web.Mvc.Async.WrappedAsyncResult2.CallEndDelegate(IAsyncResult asyncResult) +77 System.Web.Mvc.Async.AsyncControllerActionInvoker.EndInvokeActionMethod(IAsyncResult asyncResult) +42 System.Web.Mvc.Async.<>cDisplayClass11_0.<InvokeActionMethodFilterAsynchronouslyRecursive>b0() +80 System.Web.Mvc.Async.<>cDisplayClass11_2.<InvokeActionMethodFilterAsynchronouslyRecursive>b2() +396 System.Web.Mvc.Async.AsyncControllerActionInvoker.EndInvokeActionMethodWithFilters(IAsyncResult asyncResult) +42 System.Web.Mvc.Async.<>cDisplayClass3_6.<BeginInvokeAction>b4() +50 System.Web.Mvc.Async.<>cDisplayClass3_1.<BeginInvokeAction>b1(IAsyncResult asyncResult) +188 System.Web.Mvc.Async.AsyncControllerActionInvoker.EndInvokeAction(IAsyncResult asyncResult) +38 System.Web.Mvc.<>c.<BeginExecuteCore>b__152_1(IAsyncResult asyncResult, ExecuteCoreState innerState) +29 System.Web.Mvc.Async.WrappedAsyncVoid1.CallEndDelegate(IAsyncResult asyncResult) +73 System.Web.Mvc.Controller.EndExecuteCore(IAsyncResult asyncResult) +52 System.Web.Mvc.Async.WrappedAsyncVoid1.CallEndDelegate(IAsyncResult asyncResult) +39 System.Web.Mvc.Controller.EndExecute(IAsyncResult asyncResult) +38 System.Web.Mvc.<>c.<BeginProcessRequest>b__20_1(IAsyncResult asyncResult, ProcessRequestState innerState) +43 System.Web.Mvc.Async.WrappedAsyncVoid`1.CallEndDelegate(IAsyncResult asyncResult) +73 System.Web.Mvc.MvcHandler.EndProcessRequest(IAsyncResult asyncResult) +38 System.Web.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +431 System.Web.HttpApplication.ExecuteStepImpl(IExecutionStep step) +75 System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +158

Answer 1

Hello Mark,

According to the message, the issue occurs because the account of the application pool used for Adaxes Web Interface does not have access to encryption keys. To remedy the issue:

1. Launch elevated command prompt.
2. Navigate to folder C:\Windows\Microsoft.NET\Framework64\v4.0.30319\.
3. Execute the following command:

   aspnet_regiis.exe -pc Softerra.Adaxes.WebUI.CryptKeys

4. Execute the following command:

   aspnet_regiis.exe -pa Softerra.Adaxes.WebUI.CryptKeys "Authenticated Users"

5. Restart IIS and check whether the issue persists.

Comments

I think it is the same error. I rebooted the server just to make sure.

---

Hello Mark,

For further troubleshooting, please, do the following on the computer where the Web Interface for which the issue occurs is installed:

1. Launch Internet Information Services (IIS) Manager.
2. In the Connections pane, expand Sites.
3. Expand the web site that hosts Adaxes Web Interface.
4. Right-click the Adaxes virtual directory.
5. In the context menu, navigate to Manage Application and then click Advanced Settings.
6. Take a screenshot and post it here or send to us (support[at]adaxes.com). We need something like the following:
7. In the Connections pane, select Application Pools.
8. Take a screenshot where all application pools and their properties will be visible.
9. Post the screenshot here or send to us (support[at]adaxes.com). We need something like the following:

---

---

Hello Mark,

Thank you for the provided screenshots. Please, change the Identity of DefaultAppPool to ApplicationPoolidentity, restart IIS and check whether the issue persists.

---

Same error. Also my other server is set to NetworkService as well.

---

Hello Mark,

Did you face any errors when executing the commands we provided in the first post here (e.g. aspnet_regiis.exe -pc Softerra.Adaxes.WebUI.CryptKeys)?

For further troubleshooting, please, do the following:

1. On the computer where the Web Interface is installed, navigate to folder C:\ProgramData\Microsoft\Crypto\RSA.
2. Right-click folder MachineKeys and then click Properties in the context menu.
3. In the dialog box that opens, activate the Security tab.
4. Click Advanced.
5. Take a screenshot and post it here or send to us (support[at]adaxes.com). We need something like the following:
6. For each entry in the Permission entries section, do the following:
   • Double-click the entry.
   • Take a screenshot and post it here or send to us (support[at]adaxes.com). We need something like the following for each entry:

---

Yes. I got an error on the first command. The second was successful.

---

C:\Windows\Microsoft.NET\Framework64\v4.0.30319>aspnet_regiis.exe -pc Softerra.Adaxes.WebUI.CryptKeys Microsoft (R) ASP.NET RegIIS version 4.0.30319.0 Administration utility to install and uninstall ASP.NET on the local machine. Copyright (C) Microsoft Corporation. All rights reserved. Creating RSA Key container... The RSA key container already exists. Failed!

---

---

Hello Mark,

Thank you for the provided screenshots. The permission settings look just fine. For further troubleshooting, please, post here or send us (support[at]adaxes.com) a screenshot of the authentication settings for Adaxes directory in IIS. To take the screenshot:

1. Launch Internet Information Services (IIS) Manager.
2. In the Connections pane, expand Sites.
3. Expand the web site that hosts Adaxes Web Interface.
4. Select the Adaxes virtual directory.
5. In the Home pane on the right, double-click Authentication.
6. Take a screenshot. We need something like the following:

---

Here you go:

---

Hello Mark,

Thank you for the provided details. The authentication settings look correct. To remedy the issue, please, do the following:

1. On the file system, navigate to folder C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys.
2. Find a file whose name starts with cb1d635e0f5a790c285b468d934b0aab.
3. Launch elevated command prompt.
4. In the command prompt, navigate to folder C:\Windows\Microsoft.NET\Framework64\v4.0.30319.
5. Execute the following command:

   aspnet_regiis.exe -pc Softerra.Adaxes.WebUI.CryptKeys

6. On the file system, check whether the file whose name starts with cb1d635e0f5a790c285b468d934b0aab still exists.
7. If it does, remove the file manually or just move it to a different location.
8. Refresh the Web Interface page.

---

New error. I removed that file and it recreated it.

---

Hello Mark,

It looks like the error occurs because the account under which the application pool used for Adaxes Web Interface runs does not have the permissions to see the file and thus tries to create it which results into the error. To remedy the issue, please, do the following:

1. Launch elevated command prompt.
2. Navigate to folder C:\Windows\Microsoft.NET\Framework64\v4.0.30319\.
3. Execute the following command:

   aspnet_regiis.exe -pa Softerra.Adaxes.WebUI.CryptKeys "Authenticated Users"

4. Clear browser cache and check whether the issue persists.

---

Error:

---

Hello Mark,

It looks like the file was not properly created and thus the permissions cannot be granted. To remedy the issue, please, do the following:

1. On the file system, navigate to folder C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys.
2. Find a file whose name starts with cb1d635e0f5a790c285b468d934b0aab.
3. Launch elevated command prompt.
4. In the command prompt, navigate to folder C:\Windows\Microsoft.NET\Framework64\v4.0.30319.
5. Execute the following command:

   aspnet_regiis.exe -pz Softerra.Adaxes.WebUI.CryptKeys

6. On the file system, check whether the file whose name starts with cb1d635e0f5a790c285b468d934b0aab still exists.
7. If it does, remove the file manually or just move it to a different location.
8. Refresh the Web Interface page.

---

Ran the command under an elevated prompt and got this message: The file was still there. In order to remove the file, I had to take ownership of the file to remove it. I refreshed the page and got this message: I attempted to run the command again and got the same error.

---

Hello Mark,

It looks like the issue occurs because the default permissions granted to the account under which the application pool runs over the file are not enough. To remedy the issue, please, do the following:

1. Make sure that the application pool used for Adaxes Web Interface runs under the Network Service identity.
2. Launch elevated command prompt.
3. Execute the following command:

   aspnet_regiis.exe -pa Softerra.Adaxes.WebUI.CryptKeys "NetworkService" –full

4. Check whether the issue persists.

---

IIS:

Command:

Web Interface Error:

Should I just re-install the web configuration part? The console seems to be fine.

---

Hello Mark,

Unfortunately, there is no possibility to re-install only the Web Interface component, it can only be done for all the components installed on a computer. If it is convenient, please, give the re-install a try.