When using SQL Server login accounts, it is of the utmost importance that the server configuration file (appsettings.json) be encrypted, because it stores the database connection strings. These include the host name of the database server (Data Source), the name of the database (Initial Catalog), and the credentials (User ID and Password).
However, since encrypting the appsettings.json file requires the RsaProtectedConfigurationProvider from .NET Framework, additional permissions are necessary to access the NetFrameworkConfigurationKey container used by the RSA provider.
If these permissions are not granted, the DevolutionsSchedulerService fails to start and returns an error message when connection string encryption is enabled, that is, when the Disable connection string encryption option is disabled in the Devolutions Server Console (right-click an instance, then Edit – IIS – Disable connection string encryption).
Granting access to the NetFrameworkConfigurationKey container can be a security concern, so it is recommended not to grant this permission to Network Service or Local Service.
We recommend using a dedicated account for the DevolutionsSchedulerService service, and setting the service to run under it.
Then run the following command from an elevated command prompt:
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis" -pa "NetFrameworkConfigurationKey" "SchedSvcLocalAccount"
This should return:
Microsoft (R) ASP.NET RegIIS version 4.0.30319.0
Administration utility to install and uninstall ASP.NET on the local machine.
Copyright (C) Microsoft Corporation. All rights reserved.
Adding ACL for access to the RSA Key container...
Succeeded!
As with SQL Server login accounts, failing to grant permissions on the NetFrameworkConfigurationKey container used by the RSA provider prevents the DevolutionsSchedulerService from starting, likely returning an error in the Windows Services console.
The account set on the DevolutionsSchedulerService (referred to as the VaultDBScheduler account in the Pre-Deployment Account Survey) requires permission to read the NetFrameworkConfigurationKey container.
To grant it, run the following command from an elevated command prompt:
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis" -pa "NetFrameworkConfigurationKey" "<YourDomain>\<VaultDBSchedulerAccount>"
This should return:
Microsoft (R) ASP.NET RegIIS version 4.0.30319.0
Administration utility to install and uninstall ASP.NET on the local machine.
Copyright (C) Microsoft Corporation. All rights reserved.
Adding ACL for access to the RSA Key container...
Succeeded!
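The two procedures above can be combined with a guard that enforces the recommendation against Network Service and Local Service. The following PowerShell script is an added example, not part of the Devolutions documentation; it assumes the Windows service name is DevolutionsSchedulerService exactly as written on this page, and must be run from an elevated session.

```powershell
# Added example: grant the scheduler service account access to the
# NetFrameworkConfigurationKey container, refusing shared built-in accounts.
$ServiceName  = 'DevolutionsSchedulerService'   # assumption: service name as written on this page
$Container    = 'NetFrameworkConfigurationKey'
$AspnetRegiis = 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe'

# Accounts the page recommends against granting the container to.
$Refused = @('NT AUTHORITY\NetworkService', 'NT AUTHORITY\LocalService')

# Read the account the service is currently configured to run under.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) {
    throw "Service '$ServiceName' was not found on this machine."
}

$account = $svc.StartName
if ($Refused -contains $account) {   # -contains is case-insensitive
    throw "Service runs as '$account'. Assign a dedicated account before granting access to $Container."
}

# Win32_Service reports local accounts as '.\name'; expand to MACHINE\name
# so the ACL entry is unambiguous.
if ($account.StartsWith('.\')) {
    $account = '{0}\{1}' -f $env:COMPUTERNAME, $account.Substring(2)
}

# Same command as shown on this page, with the account taken from the service.
$output = & $AspnetRegiis -pa $Container $account 2>&1
$output | ForEach-Object { Write-Host $_ }

# The page shows 'Succeeded!' as the expected final line of output.
if (-not ($output | Select-String -SimpleMatch 'Succeeded!')) {
    throw "aspnet_regiis did not report success for '$account'; the service will not start while encryption is enabled."
}
Write-Host "Granted '$account' access to the $Container container."
```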