WindowsSSO realm - Failed to decrypt using provider 'RsaProtectedConfigurationProvider'

    Applies to:
  • Legacy SecureAuth IdP
Deployment model:
  • On Premises
  • Version Affected:  All


    One of the following errors when you browse to any Windows SSO realms

    • An error in the authentication has occurred. Please Try Again. If the error persists, please contact your Administrator.
    • Failed to decrypt using provider 'RsaProtectedConfigurationProvider'. Error message from the provider: The RSA key container could not be opened.

    Screenshot of the error with custom error turned on:

    Screenshot of the error with custom error turned off and viewing from the IdP server:


    WindowsSSO realms impersonate the User and those users do not have access to the .Net Machine Key



    1. Open an Admin Command Prompt

    2. Run the following command to grant Authenticated Users access 

    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Aspnet_regiis -pa "NetFrameworkConfigurationKey" "Authenticated Users"


    Special Considerations:  

    You can adjust the command for other accounts. Such as 

    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Aspnet_regiis -pa "NetFrameworkConfigurationKey" "Network Service"
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Aspnet_regiis -pa "NetFrameworkConfigurationKey" "IIS AppPool\SecureAuth0pool"



    SecureAuth Knowledge Base Articles provide information based on specific use cases and may not apply to all appliances or configurations. Be advised that these instructions could cause harm to the environment if not followed correctly or if they do not apply to the current use case.

    Customers are responsible for their own due diligence prior to utilizing this information and agree that SecureAuth is not liable for any issues caused by misconfiguration directly or indirectly related to SecureAuth products.

    0 out of 0 found this helpful



    Please sign in to leave a comment.