Getting to a User Profile without the User

TroubleshootingTips

LANGUAGES: All .NET Languages

ASP.NET VERSIONS: 1.0 | 1.1

Gettingto a User Profile without the User

Jumpingthrough DPAPI Hoops

By Don Kiely

Over thelast few iterations of this troubleshooting column, I've explored a solution toone of the most difficult, yet most critical, elements of Web applicationdevelopment: encrypting data while storing keys securely. It's far too easy towrite an app that is full of security holes, but the Windows Data ProtectionAPI (DPAPI) provides the infrastructure to securely store keys. The officialMicrosoft line is that DPAPI is available to any application in Windows 2000and later, but for ASP.NET applications you must jump through a few hoops toobtain the highest level of security.

Theproblem is that DPAPI creates its keys based on the user's password (or on someother credential from an alternative authentication method, such as a smartcard or a biometric technique). This means you must have a current user profilein order to utilize a user data store. And the user's profile is available onlyonce the user has logged onto the computer. This is far from an optimalsituation for server applications! Moreover, this problem isn't specific toASP.NET applications; any server application will have the same problem.

Oneoption is to use a machine store with DPAPI. This provides strong encryption,but means one of two things: either every application on that server can accessthe data, or you must use salt (an arbitrary value) to customize the encryptionkey. But then you have the same problem as with keys: You must protect the saltused in each application.

So forthe best security, you must figure out a way to make a user profile availablefor your ASP.NET application, without requiring a user to be logged onto theserver. Let me tell you, this ain't easy! When I first tackled this problem,every solution I came up with fell short in some way. I finally found thesolution in the Microsoft Patterns & Practices book BuildingSecure ASP.NET Applications (which you can download as a PDF file fromMSDN). The book has a how-to section called "Use DPAPI (User Store) fromASP.NET with Enterprise Services." The solution described there is what afriend of mine would call a goat rope; others might refer to Rube Goldberg. Butif you need secure encryption from an ASP.NET application, this is the way togo.

Thesolution involves adding a couple of tiers to your application. It boils downto creating a Windows service that loads a COM+ component that your ASP.NETapplication can use to provide the encryption. By setting everything upcorrectly, the COM+ component is loaded with a user profile - without requiringa user to be logged onto the server. It's pretty ugly, but it works nicely. Thecode accompanying this article includes a simple implementation of the ideasdiscussed in the book. You'll need to carefully read the how-to section, aswell as the readme included with the code, to get it all set up and working.

DPAPI isa great addition to Windows. Despite some of the minor difficulties in workingwith it, it can help keep your data safe and secure.

Thefiles accompanying this article are available for download.

Don Kiely is senior technology consultantfor Information Insights, a business and technology consultancy in Fairbanks,AK. E-mail him at mailto:[email protected].