This post is a small how-to guide on encrypting sensitive information in a web.config file; in my specific case, the username and password of a service account used by the Azure Multi-Factor Authentication (MFA) services, such as the MFA User Portal and the MFA Mobile App web service. In my scenario, those services had been installed on dedicated servers, and it had been decided to use service accounts for communicating with the backend MFA servers.
The MFA service account is configured in the appSettings section of the web.config file, and since the information in the web.config is stored in clear text, it makes sense to encrypt it.
The guide for encrypting a username and password in the web.config can be used for other systems as well, but I focus on the information used by the Microsoft Azure MFA Server and its services.
Before Encrypting
Take a look at the existing web.config file, in my case located in:
- C:\inetpub\wwwroot\MultiFactorAuthMobileAppWebService (Default folder for the MFA Mobile App servers)
- C:\inetpub\wwwroot\MultiFactorAuth (Default folder for the MFA User Portal servers)
As you can see, the username and password are not protected; they sit in clear text in the web.config file:
How to Encrypt the information
Start an elevated command prompt or a PowerShell console with Administrator privileges.
At the command prompt enter:
cd C:\Windows\Microsoft.NET\Framework\v4.0.30319
In my case, the web.config file is located in "C:\inetpub\wwwroot\MultiFactorAuthMobileAppWebService", so I have to enter the following command to encrypt everything in "appSettings" (see the web.config above):
.\aspnet_regiis.exe -pef "appSettings" C:\inetpub\wwwroot\MultiFactorAuthMobileAppWebService
- The -pef switch specifies the configuration section to encrypt and takes the physical directory path of the folder that contains your web.config file.
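The steps above, collected into one PowerShell script that also verifies the outcome. This is an added example, not code from the original post: it backs up the web.config, runs aspnet_regiis -pef, grants the IIS worker process read access to the RSA key container that aspnet_regiis uses by default (the -pa switch and the container name NetFrameworkConfigurationKey are from the aspnet_regiis documentation, not from this post), and then parses the web.config to confirm that appSettings now carries EncryptedData and no clear-text <add> entries. The app pool name and the 32-bit Framework path are assumptions; adjust them to your deployment.

```powershell
# Added example (not part of the original post): encrypt the appSettings section
# of an MFA web.config with aspnet_regiis and verify the result.
# Run from an elevated PowerShell prompt on the IIS server.

$Framework = 'C:\Windows\Microsoft.NET\Framework\v4.0.30319'   # use ...\Framework64\v4.0.30319 for a 64-bit app pool
$SiteDir   = 'C:\inetpub\wwwroot\MultiFactorAuthMobileAppWebService'
$Section   = 'appSettings'
$AppPool   = 'MultiFactorAuthMobileAppWebService'              # assumption: name of the site's application pool

$regiis = Join-Path $Framework 'aspnet_regiis.exe'
$config = Join-Path $SiteDir 'web.config'

# Keep a copy of the clear-text file so the change can be rolled back if needed.
Copy-Item -Path $config -Destination "$config.bak" -Force

# Encrypt the section in place. Without -prov, aspnet_regiis uses
# RsaProtectedConfigurationProvider and the machine-level key container
# NetFrameworkConfigurationKey, so the file only decrypts on this server.
& $regiis -pef $Section $SiteDir
if ($LASTEXITCODE -ne 0) { throw "aspnet_regiis -pef failed with exit code $LASTEXITCODE" }

# ASP.NET decrypts the section at runtime under the worker process identity,
# so that identity needs read access to the key container (documented -pa switch).
& $regiis -pa 'NetFrameworkConfigurationKey' "IIS APPPOOL\$AppPool"
if ($LASTEXITCODE -ne 0) { throw "aspnet_regiis -pa failed with exit code $LASTEXITCODE" }

# Verify: the section must now contain EncryptedData/CipherData/CipherValue
# and no remaining clear-text <add key="..." value="..."/> entries.
[xml]$xml = Get-Content -Path $config
$node = $xml.configuration.$Section
$hasCipher = ($null -ne $node.EncryptedData) -and ($null -ne $node.EncryptedData.CipherData.CipherValue)
$clearText = @($node.SelectNodes('add')).Count

if ($hasCipher -and $clearText -eq 0) {
    Write-Output "$Section is encrypted (configProtectionProvider=$($node.configProtectionProvider))"
} else {
    Write-Warning "$Section is NOT fully protected: $clearText clear-text <add> entries remain"
}

# To edit the credentials later, decrypt first, change the values, then re-run -pef:
#   & $regiis -pdf $Section $SiteDir
```

The verification step matters because aspnet_regiis returns success when the section does not exist; checking for the EncryptedData element and the absence of <add> children confirms that the credentials actually left the file. Delete the .bak copy once the encrypted file is confirmed working, since it still holds the clear-text password.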
Result:
After Encrypting
Review the web.config file and examine the changes. The following elements are created:
- <EncryptedData>
- <CipherData>
- <CipherValue>
Your modified Web.config file, with the appSettings section encrypted, should be similar to the following example.
That’s it – you are all done and the information in your web.config file is now encrypted.
MSDN reference documentation: https://msdn.microsoft.com/en-us/library/zhhddkxy.aspx
Thanks Peter, quick question, but where does one find the credentials in the first place? I can see that a domain account PFUP_Servername got created on installing the web service SDK, I believe, but I never got asked for a password for it. Is it safe to reset this in AD?
This could be a local account on the web server; have you checked the Users on the local server?