key not valid for use in specified state
We are using CNG for encrypting some of our sensitive data. As a standard, we implement the SQL Integrated Security instead of using a SQL user with DB permissions. To implement this, we define the application Pool Identity as the same Active Directory identity which is given appropriate DB permission.
Now, the problem is when my AppPool runs under Local System I can create & retrieve keys from CNG Key Store; however, the moment I change that identity to an Active Directory user, I start getting "Key not valid for use in specified state" when I am trying to retrieve the keys from CNG Store. Here are some of our observations:
- To implement CNG at User level, we need to be able to create User Level CNG keys instead of Machine keys. We have done that and the User level keys are getting created successfully; we can see them in UserProfile - C:\Users\ADusername\AppData\Roaming\Microsoft\Crypto\Keys
- We have set the "LoadUserProfile=True" in Pool Settings.
- We have given read/modify permission for AD user to %windows%\Microsoft.Net\Framework\Asp.Net Temp files as well.
We still continue to get this error. Any help would be highly appreciated.
I know this is an older question but I figured I would post a suggestion. I was trying to run an existing application on local IIS with the app pool running under AD creds and I was getting this same exception when calling the .ToXmlString(true) on the RSACryptoServiceProvider object.
The way I fixed this issue was just to re-import the key on my local machine and check the "Mark this key as exportable" checkbox.
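A diagnostic sketch for the two points raised in this thread (user-scoped CNG keys and the exportable flag), added here as an example and not taken from either post. It assumes the Microsoft Software Key Storage Provider and uses a hypothetical key name, ExampleAppDataKey; it reports which identity and scope the key resolves to and checks the export policy before attempting a private-key export.

```csharp
using System;
using System.Security.Cryptography;

static class CngKeyCheck
{
    // Hypothetical key name, used for illustration only.
    const string KeyName = "ExampleAppDataKey";

    static void Main()
    {
        // Assumption: the key lives in the Microsoft Software KSP.
        CngProvider provider = CngProvider.MicrosoftSoftwareKeyStorageProvider;

        // UserKey scope: the key is looked up in the profile of the identity
        // running this process, so run it as the app pool's account.
        if (!CngKey.Exists(KeyName, provider, CngKeyOpenOptions.UserKey))
        {
            var creation = new CngKeyCreationParameters
            {
                Provider = provider,
                KeyCreationOptions = CngKeyCreationOptions.None, // user scope, not MachineKey
                // The export policy is chosen when the key is created.
                ExportPolicy = CngExportPolicies.AllowPlaintextExport
            };
            using (CngKey.Create(CngAlgorithm.Rsa, KeyName, creation)) { }
        }

        using (CngKey key = CngKey.Open(KeyName, provider, CngKeyOpenOptions.UserKey))
        {
            Console.WriteLine("Running as   : " + Environment.UserName);
            Console.WriteLine("Machine key  : " + key.IsMachineKey);
            Console.WriteLine("Key file     : " + key.UniqueName);
            Console.WriteLine("Export policy: " + key.ExportPolicy);

            // Check the policy first instead of letting the export call throw.
            bool exportable =
                (key.ExportPolicy & CngExportPolicies.AllowPlaintextExport) != 0;
            if (!exportable)
            {
                Console.WriteLine("Private key is not marked exportable; skipping export.");
                return;
            }

            byte[] blob = key.Export(CngKeyBlobFormat.Pkcs8PrivateBlob);
            Console.WriteLine("Exported PKCS#8 blob: " + blob.Length + " bytes");
            Array.Clear(blob, 0, blob.Length); // do not leave key material in memory
        }
    }
}
```

Run it under the same Active Directory account the app pool uses, so that the user-scope lookup resolves to that account's profile.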