Lab 11: Using aspnet_regiis

This article has been moved to its new home here:

General information

  • The description of the aspnet_regiis tool can be found here

Lab 11-1 Setup

  • 2 IIS servers are needed for this lab, install IIS as per these instructions Lab 1, but the CSharpGuitarBUgs web site is not required
  • Place a copy of each of the c:\windows\system32\inetsrv\config\applicationHost.config files in a temporary location, mark them so you know which server they came from
  • Copy c:\windows\system32\inetsrv\config\applicationHost.config from (IIS Server 1) and to the same location (IIS Server 2)
  • ASP.NET should initially be installed on both (IIS Server 1) and (IIS Server 2) server, ASP.NET 4.5 was used in this lab


Lab 11-1 – Error when changing application pool identity

Issue when an applicationHost.config is copied to another IIS server

  • It is usually better to use ShareConfiguration than to copy the configuration file
  • It is also possible to use WebDeploy to synchronize web sites in a web-farm

1. Click on Application Pools in the IIS Management Console

2. Click on DefaultAppPool and select the Advanced Settings… link from the Actions pane

3. Change the Identity to a custom account and press the OK button, the above window is rendered. NOTE: in production, never use an administrator account as the identity of a worker process, for simplicity only is this done here.


When attempting to change the identity of an application pool to a custom identity the following error is rendered: “Value does not fall within the expected range.”


4. Q: In which context does the application run in? I.e. which bit mode and .NET version does it run in. You need to know this to find which version of the aspnet_regiis to execute… A: by default on an IIS 8.5 server the worker is running in 64 bit mode and .NET Framework 4 is present.


5. From the location where the applicationHost.config file came from (IIS server 1) and execute the following commands to export the sessionKeys:  NOTE:  ASP.NET must be installed on this server.

a. aspnet_regiis -px "iisConfigurationKey" "c:\temp\iisConfigurationKey.xml" -pri

b. aspnet_regiis -px "iisWasKey" "c:\temp\iisWasKey.xml" –pri

image image

6. Copy the applicationHost.config and the 2 XML files created in step 5a and 5b from (IIS server 1) to (IIS Server 2)

7. Place the (IIS server 1) applicationHost.config (same as you did in the setup of this Lab) into the c:\windows\system32\inetsrv\config directory and reproduce the error

8. Import the sessionKeys to server 2 by executing the following commands:

a. aspnet_regiis -pi "iisConfigurationKey" "D:\iisConfigurationKey.xml"

b. aspnet_regiis -pi "iisWasKey" "D:\iisWasKey.xml"


9. The issue no longer happens and you can enter a custom identity for the application pool

Lab 11-2 Setup

  • Replace the current c:\windows\system32\inetsrv\config\applicationHost.config with the original on (IIS Server 2)
  • Place a deafult.aspx file into the c:\intetpub\wwwroot directory

Lab 11-2

1. Open IIS manager and navigate to the default.aspx file using a browser


2. Open the Handler Mappings feature and find the handler for the requested file type, it is missing


3. Q: What is the requested file type? A: ASPX

4. Find out which context the application pool is running in, I.e. bit mode and .NET version, then navigate to that directory via a command prompt, for example, c:\windows\Microsoft.NET\Framework64\v4.0.30319

5. Prior to IIS 8 you could use aspnet_regiis –i to reinstall/reset ASP.NET as you can see from the above image that the handlers are not present.  Use WPI as discussed in Lab 2, but it is always more important to take a backup of your configuration as discussed in Lab 9 and here, which is a lot easier and les risky than a complete reinstall.


6.  Once installed, reopen the Handler mapping feature and you will find the ASPX handler.  Refresh the default.aspx page and it renders as expected

Lab 11-3 Setup

  • Create a web.config file that includes a <connectionString> like below and place it into the c:\inetpub\wwwroot directory

<?xml version="1.0"?>



    <add name="TopSecretConnectionString"

         connectionString="Initial Catalog=aspnetdb;data source=localhost;Integrated Security=SSPI"

         providerName="System.Data.SqlClient" />



Lab 11-3

1. View the contents of the web.config file, pay special attention to the ConnectionStrings section.


2. Confirm the .NET version and bit-ness in which the application pool is running under and navigate to the correct version of the aspnt_regiis.


3. Execute the following command: aspnet_regiis –pef “connectionStrings” C:\inetpub\wwwroot –prov “DataProtectionConfigurationProvider”


4. Open the c:\inetpub\wwwroot\web.config file and you will see that the content is encrypted.


5. No code changes required to encrypt the connection string