Vault 3.0.2 Installation Removes ACEs From MachineKey ACL

[Derek Simon]

After running the installation for Vault 3.0.2, I went to compile an ASP.NET application only to receive an error:

error CS1548: Cryptographic failure while signing assembly '' -- 'Access is denied. '

Now, I've gotten this error before, since I run under a non-administrator account. I corrected it by adding my user account to the ACL on the following directory:

%SYSTEMROOT%:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys

Suffice it to say, the install shouldn't be deleting the other ACEs. I assume it's a problem with the installer, since the NTFS APIs can and will remove inherited ACEs if not used correctly.

[jclausius]

Suffice it to say, the install shouldn't be deleting the other ACEs.

Derek:

The installation tries to grant permission on %ALLUSERSPROFILE%\Application Data\Microsoft\Crypto\RSA\MachineKeys for the account specified during the installation. If your installing with an account which cannot modifiy permissions on that directory, that would explain a failure. But in no means does the installer add or remove any other accounts to the ACL on the RSA directory.

Note, when Vault Server runs into this permissions based problem, the edb3f753ca89beb7d17f32a80a447d75_* file is created with incorrect permissions and content. The fix is to delete the file, and grant read/write/create permissions on the directory for Vault's ASP.Net process account.