![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(236.8, 46%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ER4%3C/text%3E%3C/svg%3E)
1,745 questions
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(6.4, 70%, 10%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EYD%3C/text%3E%3C/svg%3E)
Hi @rr-4098,
By default, IIS includes two main providers for securing properties. These providers are located in the applicationHost.config file's <configProtectedData> configuration section and are defined in the <providers> element.
The AesProvider is specific to dealing with encryption and decryption for properties that are in the system.webServer section.
The IISWASOnlyRsaProvider is specific to dealing with encryption and decryption for properties that are in the system.applicationHost section.
These keys are in the iisConfigurationKey and iisWasKey key containers and are machine-specific. In a Web farm scenario, if encryption is required, then a key from one machine - usually the one that created the applicationHost.config file - is exported and brought into the other machines so that secure properties can be decrypted and used by the Web server.
If the original machine still exists, for example the new machine is been cloned to test an upgrade, you can run the export RSA container iisConfigurationKey or iisWasKey on the original server:
aspnet_regiis -px "iisConfigurationKey" c:\temp\iisConfigurationKey.xml -pri
aspnet_regiis -px "iisWasKey" c:\temp\iis\iisWasKey.xml -pri
Then run on the cloned server to import the RSA Container iisConfigurationKey or iisWasKey:
aspnet_regiis -pi "iisConfigurationKey" c:\temp\iisConfigurationKey.xml
aspnet_regiis -pi "iisWasKey" c:\temp\iis\iisWasKey.xml
If importing the RSA Key Container is successful, restart IIS by running: iisreset.
Reference documentation:
Importing and Exporting Protected Configuration RSA Key Containers
Dealing With Machine-specific Encrypted Properties
Creating and Exporting an RSA Key Container
If the answer is the right solution, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the email notification for this thread.
Best regards,
Yurong Dai