Fixing CryptographicException “Object Already Exists”

I’ve got a couple of ASP.NET web sites running on the same machine that need to share access to a Key Container used for encrypting and decrypting authentication tickets.

Sample code for the encryption:

// Requires using System, System.Collections.Generic and System.Security.Cryptography.
/// <summary>
/// Encrypt using RSA
/// </summary>
/// <param name="dataToEncrypt"></param>
/// <param name="keyContainerName"></param>
/// <returns></returns>
/// <exception cref="T:System.Security.Cryptography.CryptographicException"/>
internal static byte[] RSAEncrypt(byte[] dataToEncrypt, string keyContainerName)
{
    if (dataToEncrypt == null || dataToEncrypt.Length == 0)
        return null;

    try
    {
        CspParameters cspParams = new CspParameters();
        cspParams.Flags = CspProviderFlags.UseMachineKeyStore;
        cspParams.KeyContainerName = keyContainerName;
        RSACryptoServiceProvider rsa = new RSACryptoServiceProvider(cspParams);
        List<byte> allData = new List<byte>();
        // RsaBlockSize and DoOAEPPadding are class-level constants defined elsewhere; the last block may be shorter.
        for (int i = 0; i < dataToEncrypt.Length; i += RsaBlockSize)
        {
            int length = Math.Min(RsaBlockSize, dataToEncrypt.Length - i);
            byte[] block = new byte[length];
            Array.Copy(dataToEncrypt, i, block, 0, length);
            allData.AddRange(rsa.Encrypt(block, DoOAEPPadding));
        }
        return allData.ToArray();
    }
    catch (CryptographicException)
    {
        // TODO: Log the encryption error
        throw;
    }
}

This was encrypting and decrypting fine in the first web site, but the second web site was throwing a CryptographicException “Object Already Exists” when attempting to decrypt the information.  After some research it seems this is a security exception to do with access to the key container (basically the ASP.NET user account could tell there was a key container but did not have access to use it for decryption, so was throwing an “Object Already Exists” exception).

This can be fixed with the following command line:

aspnet_regiis -pa "SampleKeys" "NT AUTHORITY\NETWORK SERVICE"

Where “SampleKeys” is the Key Container name. Here is some documentation on the subject from the MSDN website.
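The same kind of grant can be made in code against the container's ACL. The following is an added example, not code from the original post: it assumes .NET Framework on Windows, and the class name KeyContainerAcl and method name GrantRead are hypothetical. It opens the existing machine-level container with UseExistingKey, so a denied or missing container fails instead of a new key pair being generated, and adds a read-only rule for one named account.

```csharp
using System;
using System.Security.AccessControl;
using System.Security.Cryptography;
using System.Security.Principal;

// Added example (hypothetical helper, not from the original post).
internal static class KeyContainerAcl
{
    // Grants one account read access to an existing machine-level RSA key container.
    // Run this as an account that can already open the container and change its
    // permissions (typically the account that created it, or an administrator).
    internal static void GrantRead(string keyContainerName, string account)
    {
        CspParameters cspParams = new CspParameters();
        cspParams.KeyContainerName = keyContainerName;
        // UseExistingKey: throw if the container cannot be opened, never create a new key.
        cspParams.Flags = CspProviderFlags.UseMachineKeyStore | CspProviderFlags.UseExistingKey;

        // Read the container's current ACL.
        CryptoKeySecurity acl;
        using (RSACryptoServiceProvider rsa = new RSACryptoServiceProvider(cspParams))
        {
            acl = rsa.CspKeyContainerInfo.CryptoKeySecurity;
        }

        // Add a single allow rule for the named account: read only, not full control.
        acl.AddAccessRule(new CryptoKeyAccessRule(
            new NTAccount(account),
            CryptoKeyRights.GenericRead,
            AccessControlType.Allow));

        // Re-opening the container with CryptoKeySecurity set writes the ACL back.
        cspParams.CryptoKeySecurity = acl;
        using (RSACryptoServiceProvider rsa = new RSACryptoServiceProvider(cspParams))
        {
            // Nothing to do here; the constructor applied the updated ACL.
        }
    }
}

// Usage, with the names from the post:
// KeyContainerAcl.GrantRead("SampleKeys", @"NT AUTHORITY\NETWORK SERVICE");
```

Scoping the rule to the one account that needs the key keeps the ACL on the container itself narrow, rather than widening permissions on the whole machine key store.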

  1. #1 by Jon on January 11, 2009 - 3:33 am

    I’ve encountered this error when installing SP on Win Server 2008. What value should I give for "SampleKeys"?

  2. #2 by Andrew on January 19, 2009 - 11:50 pm

    In my example "SampleKeys" is the key container name used in my code (what would have been passed into the RSAEncrypt function as the keyContainerName variable). If you don’t know the key container name, this post probably isn’t going to help you (it’s only for fixing your own code’s issues with encryption).

  3. #3 by Corné on February 23, 2010 - 7:24 am

    Changing the permission of the folder C:\users\All Users\Microsoft\Crypto\RSA\MachineKeys to everyone / administrator full control solved the issue, e.g. when installing sharepoint. I don’t know if this creates a security issue, but it solved the problem.
