I am sure some of you have tried encrypting your connection strings in ASP.NET 2.0. When you tested it locally it all worked fine, but when you did this on the server your application wouldn’t be able to read the connection string(s). You must perform an extra step, since your application is probably running in an Application Pool using Network Service as the account.
This is the command that you would have run to encrypt your connection string(s) in the web.config. aspnet_regiis.exe is located in the folder "C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\".
aspnet_regiis.exe -pef connectionStrings "D:\PathToWebSiteDirectory"
If you have to decrypt your connection string(s) you would run this command:
aspnet_regiis.exe -pdf connectionStrings "D:\PathToWebSiteDirectory"
If you then deployed your web site to a Windows Server 2003 machine running IIS 6.0 you would have to encrypt the section on that machine and then grant access to Network Service so it can decrypt the section. Here are the steps:
1. Copy the web site to the IIS virtual directory (connection strings not encrypted yet).
2. Encrypt the connection strings using the aspnet_regiis command as above. NOTE: This must be run on the physical machine that is hosting your web site or it won’t work.
3. Grant access to the specified container to the account "Network Service" by running the following command on the physical machine:
aspnet_regiis.exe -pa "NetFrameworkConfigurationKey" "Network Service"
There you go: your web site should now be able to read the encrypted connection strings with no other code changes required. Of course, if you are using integrated security to connect to your database, this would not be required.
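The server-side steps above as one PowerShell script, with a check that the section really ended up encrypted in web.config. This is an added example, not part of the original post: it reuses the post's framework folder and placeholder site path, the helper Test-SectionEncrypted is hypothetical, and treating a non-zero exit code from aspnet_regiis as failure is an assumption.

```powershell
# Added example: run on the machine that hosts the web site, as an administrator.
$regiis  = 'C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis.exe'
$siteDir = 'D:\PathToWebSiteDirectory'      # placeholder path used in the post
$account = 'Network Service'                # application pool identity
$config  = Join-Path $siteDir 'web.config'

# Hypothetical helper: returns $true when connectionStrings holds ciphertext only.
function Test-SectionEncrypted([string]$Path) {
    $xml = New-Object System.Xml.XmlDocument
    $xml.Load($Path)
    # local-name() keeps the lookup working if <configuration> declares an xmlns.
    $section = $xml.SelectSingleNode(
        "/*[local-name()='configuration']/*[local-name()='connectionStrings']")
    if ($null -eq $section) { throw "No connectionStrings section in $Path" }

    # An encrypted section names its provider and contains <EncryptedData>
    # instead of <add connectionString="..."> entries.
    $hasProvider = [bool]$section.GetAttribute('configProtectionProvider')
    $hasCipher   = $null -ne $section.SelectSingleNode("*[local-name()='EncryptedData']")
    $hasPlain    = $null -ne $section.SelectSingleNode("*[local-name()='add']")
    return ($hasProvider -and $hasCipher -and -not $hasPlain)
}

# Step 2: encrypt on this machine, unless a previous run already did.
if (-not (Test-SectionEncrypted $config)) {
    & $regiis -pef connectionStrings $siteDir
    if ($LASTEXITCODE -ne 0) { throw 'aspnet_regiis -pef failed' }  # assumption, see lead-in
}

# Step 3: let the application pool account read the key container.
& $regiis -pa 'NetFrameworkConfigurationKey' $account
if ($LASTEXITCODE -ne 0) { throw 'aspnet_regiis -pa failed' }

# Verify the file itself rather than trusting the tool output.
if (Test-SectionEncrypted $config) {
    "connectionStrings in $config is encrypted; '$account' can read the key container."
} else {
    throw "connectionStrings in $config still contains plaintext entries."
}
```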