Windows Server 2022 IIS 10 Shared Config

Question

Windows Server 2022 IIS 10 Shared Config

Bogdan Cirlan 5

I am trying to setup a farm of IIS 10 on 2(or more in the future) Windows 2022 servers. Enabling the Shared Config is not an issue, and it is located on D:\SharedConfig folder on each server. I am configuring the websites, application pools and all the other IIS settings on server 1, then copy over the files from D:\SharedConfig folder to server 2. But, because I am using a local user(member of local Administrators group) and it's password for the default Application Pools user, the websites on the server 2 do not work. The application pool for the websites stops while trying to brose the website locally on server 2. This is because the password used for the default application pool user is encrypted, and server 1 has different encryption keys than server 2. For IIS 7(Server 2012 R2) the problem was solved by exporting and importing the RSA keys using the aspnet_regiis command(aspnet_regiis -px "iisConfigurationKey" "D:\config_keys\iisConfigurationKey.xml" -pri and aspnet_regiis -pi "iisConfigurationKey" "D:\config_keys\iisConfigurationKey.xml"). But, IIS 10 uses a different encryption mechanism(CNG), and that export does not apply anymore. What would be the way to solve this, how can I have the same encryption keys on all servers so all them can read the passwords from applicationHost.config file ?

Brad Thiessen 0 Reputation points

2025-10-02T17:04:06.8566667+00:00

Did you ever find a resolution to this?
Bogdan Cirlan 5 Reputation points

2025-10-07T14:41:20.09+00:00

the only solution that I could find was to use a shared location to store the shared configuration, accessible from all servers, but that meant that we have a single point of failure so we did not adopt it. We just use a workaround , with a PS script that copies the applicationhost.config file between servers replacing the CNG keys on the fly for each server(as we know them in advance, when we configure the Shared Config on each server)
Brad Thiessen 0 Reputation points

2025-10-07T15:18:38.0933333+00:00
Thanks.

I ended up finding a solution:

In applicationHost.config I removed the rows in the configProtectedData section.

Removed all files in %ALLUSERSPROFILE%\Microsoft\Crypto\RSA\MachineKeys

Ran iissetup.exe /install SharedLibraries.

After that, I was able to update passwords in the application pools again.

1 answer

Your answer

Brad Thiessen 0 Reputation points

2025-10-02T17:04:06.8566667+00:00

Did you ever find a resolution to this?
Bogdan Cirlan 5 Reputation points

2025-10-07T14:41:20.09+00:00

the only solution that I could find was to use a shared location to store the shared configuration, accessible from all servers, but that meant that we have a single point of failure so we did not adopt it. We just use a workaround , with a PS script that copies the applicationhost.config file between servers replacing the CNG keys on the fly for each server(as we know them in advance, when we configure the Shared Config on each server)
Brad Thiessen 0 Reputation points

2025-10-07T15:18:38.0933333+00:00

Thanks.

I ended up finding a solution:

In applicationHost.config I removed the rows in the configProtectedData section.

Removed all files in %ALLUSERSPROFILE%\Microsoft\Crypto\RSA\MachineKeys

Ran iissetup.exe /install SharedLibraries.

After that, I was able to update passwords in the application pools again.

Answer 1

Harry Phan 20,055 Independent Advisor

To ensure all servers in your IIS farm can decrypt sensitive data (like application pool passwords) from the shared applicationHost.config, you’ll need to export and import the CNG encryption keys manually using the iisconfig tool. Here's how:

On Server 1, run: iisconfig.exe /export /configkey /keypath:"D:\config_keys"
On Server 2, run: iisconfig.exe /import /configkey /keypath:"D:\config_keys" This imports the same key, allowing Server 2 to decrypt the configuration. Make sure the key path is accessible and permissions are properly set. Also, ensure the same user identity is used across servers for application pools, ideally a domain account to avoid local SID mismatches

Bogdan Cirlan 5 Reputation points

2025-10-07T14:38:16.12+00:00

hi, thanks for feedback, This does not work, there are no config key in CNG type of encryption, The encryption is done using some certificate, not sure how, I opened a ticket with Microsoft and they could not tell me exactly how it is done on Azure servers. Shared \Configuration can be done only if you use a shared location accessible from all servers, but that becomes a single point of failure, so we did not adopt it. We found a workaround , with copying the applicaitonhost.config using a script and replacing the keys on the fly

Share via

Windows Server 2022 IIS 10 Shared Config

1 answer

Your answer