Clickonce application deployment, hiding password in app.config - vb.net

I have an application that I deploy to a client. In the config file there is a username/password that connects to a database. This config file gets stored in their local directory on their computer. I don't want them to see the password. How can I exclude the config from being installed on their machine, or does it have to be there? And if so, how can I hide the password using encryption? Thanks

You can encrypt, for example, the connection strings in your app.config file.
An example of an encrypted section from the MSDN documentation:
<connectionStrings configProtectionProvider="DataProtectionConfigurationProvider">
  <EncryptedData>
    <CipherData>
      <CipherValue>AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAAH2...</CipherValue>
    </CipherData>
  </EncryptedData>
</connectionStrings>

Related

Exe file not working in other PC when database details is encrypted VB2013

I created a desktop application using VB 2013 and one of the requirements is to encrypt the App.config file - the file where the database connection details (username, password) are saved.
Before encryption of the App.config, I could run the .exe file on another PC (literally copy-paste the .exe file), but after encryption it's not working. Am I missing something?
This is what's inside my App.config:
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
  <appSettings configProtectionProvider="DataProtectionConfigurationProvider">
    <EncryptedData>
      <CipherData>
        <CipherValue>encrypted_data_random_characters</CipherValue>
      </CipherData>
    </EncryptedData>
  </appSettings>
  <startup>
    <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" />
  </startup>
  <connectionStrings configProtectionProvider="DataProtectionConfigurationProvider">
    <EncryptedData>
      <CipherData>
        <CipherValue>encrypted_data_random_characters</CipherValue>
      </CipherData>
    </EncryptedData>
  </connectionStrings>
</configuration>
The DPAPI is machine specific. Part of the point is that something encrypted on one machine cannot be decrypted on another machine. If you want to be able to encrypt once and decrypt anywhere then you will need to use some other option. I had links to these pages:
How To: Encrypt Configuration Sections in ASP.NET 2.0 Using DPAPI
How To: Encrypt Configuration Sections in ASP.NET 2.0 Using RSA
in this thread:
Protected Configuration (Encrypting Config Files)
from some time ago. They may be outdated now but they show the difference between the two options even back then. You may need to look for a modern version/equivalent of the RSA option or else encrypt on the machine you want to decrypt on.

How to find SQL credentials from a .Net binary?

I have an .Net application named "abcd.EXE" with a "abcd.exe.config" file beside it.
Content of config file is:
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <appSettings>
    <add key="SqlPath" value="data source=192.168.1.1\companyname;connection timeout=120;integrated security=SSPI;persist security info=False;workstation id=SOMETHING;packet size=4096;initial catalog=" />
  </appSettings>
</configuration>
I can decompile EXE file with reflector.
How should I find the connection password?
Regards
integrated security=SSPI
Luckily the program authors used a proper authentication strategy and did not embed passwords in the program or config file. Integrated authentication means the program will connect using the credentials of the principal running the process.
The connection string uses integrated security=SSPI.
The value can be true/false/yes/no or SSPI (the Security Support Provider Interface).
When SSPI is used it is equal to true!
false: User ID and Password are specified in the connection.
true: the current Windows account credentials are used for authentication.
more info: SqlConnection.ConnectionString Property
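An added example, not part of any of the posts above: a small audit script (Python, written for this page) that sorts the settings in a .config file into the cases these three threads describe: a protected section, an integrated-security connection string, or a connection string with an embedded password. The sample config, its host names and the `audit_config`/`classify` helpers are constructed for illustration, and the provider mapping assumes the built-in provider names have not been redefined in the config.

```python
import xml.etree.ElementTree as ET

# Constructed sample (hosts, keys and the password are made up for this example).
SAMPLE_CONFIG = """<configuration>
  <appSettings>
    <add key="SqlPath" value="data source=db01;integrated security=SSPI;initial catalog=Sales" />
    <add key="Legacy" value="Server=db02;User Id=app;Password=example-only;" />
    <add key="Theme" value="dark" />
  </appSettings>
  <connectionStrings configProtectionProvider="DataProtectionConfigurationProvider">
    <EncryptedData><CipherData><CipherValue>AAAA</CipherValue></CipherData></EncryptedData>
  </connectionStrings>
</configuration>"""

# Built-in provider names; a config can redefine them, so treat this as a hint.
PROVIDERS = {"DataProtectionConfigurationProvider": "protected-dpapi",
             "RsaProtectedConfigurationProvider": "protected-rsa"}

def parse_connection_string(value):  # "k=v;k=v" -> dict with lower-cased keys
    pairs = (part.split("=", 1) for part in value.split(";") if "=" in part)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def classify(value):
    """Return a verdict for one setting, or None if it is not a connection string."""
    fields = parse_connection_string(value)
    if not ({"data source", "server"} & fields.keys()):
        return None
    mode = fields.get("integrated security") or fields.get("trusted_connection") or ""
    if mode.lower() in {"true", "yes", "sspi"}:
        return "integrated"  # the process identity is used, no secret in the file
    has_password = bool(fields.get("password") or fields.get("pwd"))
    return "embedded-password" if has_password else "no-credentials"

def audit_config(xml_text):
    """Return (section, entry name, verdict) tuples; secret values are never returned."""
    findings = []
    for section in ET.fromstring(xml_text):
        provider = section.get("configProtectionProvider")
        if provider:  # the whole section is encrypted; report which provider protects it
            findings.append((section.tag, "*", PROVIDERS.get(provider, "protected-custom")))
            continue
        for add in section.iter("add"):
            verdict = classify(add.get("connectionString") or add.get("value") or "")
            if verdict:
                findings.append((section.tag, add.get("key") or add.get("name"), verdict))
    return findings

if __name__ == "__main__":
    print(audit_config(SAMPLE_CONFIG))
```

A `protected-dpapi` finding on a file that is copied between machines is the situation from the second thread: the section will only decrypt where it was encrypted.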

.NET 4.0 Medium Trust Level and MYSQL connection

I have a problem, and I think a proper answer will help a lot of people who are having the same problem, because it is a common and not well answered problem.
The problem is about the "Medium trust level" configuration in IIS. A few months ago I coded my website with the "Full trust level" configuration on my local machine, and when I uploaded it to the host it was working fine.
But my hosting company has a new rule about trust level; now they only allow "Medium trust level".
My web page doesn't work now. I tried to adapt my website but I have no idea how to do that. And surely a lot of people don't know either.
So I will tell what I have done so far, can you help me?
First I tried to change my local configuration by going here,
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config
and opened my webconfig file, and changed
<trust level="Full" originUrl="" />
to
<trust level="Medium" originUrl="" />
After that, just for testing, I created a new website with the ASP Default template. It was working. Then I added Mysql.dll as a reference to connect to the MySQL database. But it threw a Security Exception with this stack:
[SecurityException: Request for the permission of type
'System.Security.Permissions.SecurityPermission, mscorlib,
Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089'
failed.] MySql.Data.MySqlClient.MySqlTrace..cctor() +0
So what now? Can't we connect to a MySQL database anymore? Or is there a solution? I never changed the webconfig file in my website project folder; do I need to change something here?
Please help me, guys.
Hi everyone, I finally found a solution to my problem, so I will try to help people having the same problem. Note that Partial trust and Medium Trust level are the same thing.
My first step in the question is absolutely necessary. Don't forget to change your trust level to "Medium". After that you need to get the right .Net Connector version from
The Official Website
Be careful to choose the version that your hosting provider is using. For example, my hosting company is using Mysql Connector Net 6.5.4
Secondly, you need to configure your project's webconfig file to use your .dll files and get the necessary permission under Medium Trust Level.
You need to add under your <configuration> something like this:
<mscorlib>
<security>
<policy>
<PolicyLevel version="1">
<SecurityClasses>
<SecurityClass Name="MySqlClientPermission" Description="MySql.Data.MySqlClient.MySqlClientPermission, MySql.Data, Version=6.6.4.0, Culture=neutral, PublicKeyToken=c5687fc88969c44d"/>
</SecurityClasses>
</PolicyLevel>
</policy>
</security>
</mscorlib>
And if your system doesn't add it automatically under your <system.web> you need to add;
<assemblies>
<add assembly="MySql.Data, Version=6.5.4.0, Culture=neutral, PublicKeyToken=C5687FC88969C44D"/>
<add assembly="MySql.Data.Entity, Version=6.5.4.0, Culture=neutral, PublicKeyToken=C5687FC88969C44D"/>
<add assembly="MySql.Web, Version=6.5.4.0, Culture=neutral, PublicKeyToken=C5687FC88969C44D"/>
</assemblies>
Sometimes these steps may not be enough and you need to edit your web_mediumtrust.config under
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config
You need to add these lines under
<SecurityClasses>
<SecurityClass Name="MySqlClientPermission" Description="MySql.Data.MySqlClient.MySqlClientPermission, MySql.Data, Version=6.5.4.0, Culture=neutral, PublicKeyToken=c5687fc88969c44d" />
and
<NamedPermissionSets>
<IPermission class="MySqlClientPermission" version="1">
  <add connectionString="Server =; Database =;" restrictions="User =; User Id =; Password =; Port =; Pooling =;" KeyRestrictionBehavior="(Prevent Usage | Allow Only)" />
</IPermission>
Be careful about the version you are using; don't forget to change the lines accordingly. If you still can't figure it out, there is a pretty useful link for you
Trust Level Under the Partial Trust
Here is how I solved a similar issue with trying to get MySql to work in a medium trust environment.
We tried everything to the ‘book’ and simply could not get it to work!
Turns out the MySql connector version is the key. Ask your web hosting company what version of the MySqlClient they have installed on their server in the GAC.
(GAC simply means the library is installed on the server so that it can be referenced directly and without you having to upload the MySql.Data.dll to your bin folder. The latest installable version is available here: http://dev.mysql.com/downloads/connector/net/).
Once the driver is installed on the server in the GAC you just need to reference it in your web.config like this, but replace Version=6.6.5.0 with your web hosting company's version:
<compilation debug="true" targetFramework="4.0">
<assemblies>
<add assembly="MySql.Data, Version=6.6.5.0, Culture=neutral, PublicKeyToken=C5687FC88969C44D"/>
</assemblies>
</compilation>

How to run svcutil.exe from behind authenticating proxy

I want to run the svcutil.exe tool to access a web service on the internet. Unfortunately, whenever I try, I get a bunch of errors that include the following message:
The request failed with HTTP status 407: Proxy Authentication Required ( The ISA Server requires authorization to fulfill the request. Access to the Web Proxy filter is denied.
As I have learned from this related post (with more details here), the problem is that I am sitting behind an authenticating proxy. That post explains that I need to edit the app.config file, but I can't figure out how to do that. I think I will use the /svcutilConfig:alternate_app.config switch, but I don't know how to construct a valid .config file to pass to that switch. What is the default app.config file that svcutil.exe uses?
Well, I think I have figured out the answer to my question:
It turns out that the default .config file used by svcutil.exe is called svcutil.exe.config, and (at least for me) it lives in this folder:
C:\Program Files (x86)\Microsoft SDKs\Windows\v7.0A\bin
I decided to just edit that file directly (rather than fumble around with the /svcutilConfig switch). I needed Admin privileges to do so.
The final contents of that file looked like this:
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<runtime>
<generatePublisherEvidence enabled="false" />
</runtime>
<system.net>
<defaultProxy useDefaultCredentials="true" />
</system.net>
</configuration>
(with the secret sauce buried in the <system.net> element.)
In order for this all to work, I had to start the Command Prompt as Administrator, navigate to the folder listed above, and run the svcutil.exe command from there.
Hope this helps some other poor soul who gets stuck in this mess! Thanks to #AndrewWebb for the clues that got me going!

App.config connection string Protection error

I am running into an issue I had before; can't find my reference on how to solve it.
Here is the issue. We encrypt the connection strings section in the app.config for our client application using code below:
Dim config As Configuration = ConfigurationManager.OpenExeConfiguration(ConfigurationUserLevel.None)
If config.ConnectionStrings.SectionInformation.IsProtected = False Then
    ' Nothing = use the default protection provider.
    config.ConnectionStrings.SectionInformation.ProtectSection(Nothing)
    ' We must save the changes to the configuration file.
    config.Save(ConfigurationSaveMode.Modified, True)
End If
The issue is we had a salesperson leave. The old laptop is going to a new salesperson and under the new user's login, when it tries to do this we get an error. The error is:
Unhandled Exception: System.Configuration.ConfigurationErrorsException:
An error occurred executing the configuration section handler for connectionStrings. ---> System.Configuration.ConfigurationErrorsException: Failed to encrypt the section 'connectionStrings' using provider 'RsaProtectedConfigurationProvider'.
Error message from the provider: Object already exists.
---> System.Security.Cryptography.CryptographicException: Object already exists
http://blogs.msdn.com/mosharaf/archive/2005/11/17/protectedConfiguration.aspx#1657603
copy and paste :D
Monday, February 12, 2007 12:15 AM by Naica
re: Encrypting configuration files using protected configuration
Here is a list of all steps I've done to encrypt two sections on my PC and then deploy it to the WebServer. Maybe it will help someone...:
To create a machine-level RSA key container
aspnet_regiis -pc "DataProtectionConfigurationProviderKeys" -exp
Add this to web.config before connectionStrings section:
<add name="DataProtectionConfigurationProvider"
type="System.Configuration.RsaProtectedConfigurationProvider, System.Configuration, Version=2.0.0.0,
Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a,
processorArchitecture=MSIL"
keyContainerName="DataProtectionConfigurationProviderKeys"
useMachineContainer="true" />
Do not miss the <clear /> from above! Important when playing with encrypting/decrypting many times
Check to have this at the top of Web.Config file. If missing add it:
<configuration xmlns="http://schemas.microsoft.com/.NetConfiguration/v2.0">
Save and close Web.Config file in VS (very important!)
In Command Prompt (my local PC) window go to:
C:\WINNT\Microsoft.NET\Framework\v2.0.50727
Encrypt: (Be aware to change the physical path for your app, or use the -app option and give the name of the virtual directory for the app! Because I used VS on my PC I preferred the option below. The path is the path to the Web.config file)
aspnet_regiis -pef "connectionStrings" "c:\Bla\Bla\Bla" -prov "DataProtectionConfigurationProvider"
aspnet_regiis -pef "system.web/membership" "c:\Bla\Bla\Bla" -prov "DataProtectionConfigurationProvider"
To Decrypt (if needed only!):
aspnet_regiis -pdf "connectionStrings" "c:\Bla\Bla\Bla"
aspnet_regiis -pdf "system.web/membership" "c:\Bla\Bla\Bla"
Delete Keys Container (if needed only!)
aspnet_regiis -pz "DataProtectionConfigurationProviderKeys"
Save the above key to xml file in order to export it from your local PC to the WebServer (UAT or Production)
aspnet_regiis -px "DataProtectionConfigurationProviderKeys" \temp\mykeyfile.xml -pri
Import the key container on WebServer servers:
aspnet_regiis -pi "DataProtectionConfigurationProviderKeys" \temp\mykeyfile.xml
Grant access to the key on the web server
aspnet_regiis -pa "DataProtectionConfigurationProviderKeys" "DOMAIN\User"
See in IIS the ASP.NET user or use:
Response.Write(System.Security.Principal.WindowsIdentity.GetCurrent().Name)
Remove Grant access to the key on the web server (Only if required!)
aspnet_regiis -pr "DataProtectionConfigurationProviderKeys" "Domain\User"
Copy and Paste to WebServer the encrypted Web.config file.
I found a more elegant solution than in my original answer to myself. I found that if I just logged in as the user who originally installed the application and caused the config file connectionStrings to be encrypted, and go to the .NET Framework directory in a command prompt and run
aspnet_regiis -pa "NetFrameworkConfigurationKey" "{domain}\{user}"
it gave the other user permission to access the RSA encryption key container and it then works for the other user(s).
Just wanted to add it here as I thought I had blogged this issue on our dev blog but found it here, so in case I need to look it up again it will be here. Will add link to our dev blog point at this thread as well.
So I did get it working.
removed old user's account from laptop
reset app.config to have section not protected
removed key file from all users machine keys
ran app and allowed it to protect the section
But all this did was get it working for this user.
NOW I need to know what I have to do to change the code to protect the section so that multiple users on a PC can use the application. Virtual PC here I come (well after vacation to WDW tomorrow through next Wednesday)!
Any advice to help point me in the right direction? I am not very experienced in this RSA encryption type of stuff.
Sounds like a permissions issue. The (new) user in question has write permissions to the app.config file? Was the previous user a local admin or power user that could have masked this problem?