
IIS 8.5 - Encrypt 'password' attribute in applicationHost.config, PowerShell


As a solution to storing credentials in an application web.config, I am trying to store credentials in /configuration/location[@path = "mywebsite"]/system.web/identity but can only store plaintext passwords.

Using "Set-WebConfigurationProperty -Filter system.web/identity -PSPath MACHINE/WEBROOT/APPHOST -Location mywebsite.mydomain.com -Name password -Value "myplaintextpassword"" stores the value in plaintext, unlike "Set-ItemProperty IIS:\Sites\mywebsite -Name password -Value "MyPassword"", which stores an AES-encrypted value at the site level username/password attribute set.

I'm using DSC to deploy sites to a number of servers, and use DSC to manage various aspects of those servers, so encrypting sections of the config, or cloning the config across the servers is not feasible.

In addition, due to the way the applications have been developed, using Set-WebConfigurationProperty is not a viable solution.

Using DSC to make changes at the location node, I import the applicationHost.config into a PowerShell XML object and use XPath navigation to get to the right section to either create/delete elements or set/unset attributes.

In this case I want to encrypt the password attribute on the <identity> element within the <location path="mywebsite"> node using the in-built IIS AES password encryption provider so that the password is stored as "[enc:AesProvider:51m!l4rt07h!1SeNcrt3dH4shV4lu3:enc]", so that the password is secure, and the IIS worker process can decrypt it - this saves me from storing the value in the application's Web.Config which is distributed across all servers within the web farm, and thus makes the configuration that much more secure.

Ideally I'd like to do this within PowerShell, for example, by using the Web.Administration module, e.g.:

$PlainPassword="MyPassword"

$WebSecurity = New-Object Microsoft.Web.Administration.Security

$EncPassword = $WebSecurity.Encrypt($PlainPassword,"AesProvider")

$IISConfig.SelectSingleNode('/configuration/location[@path = "mywebsite.mydomain.com"]/system.web/impersonation').setAttribute("password",$EncPassword)

(NOTE: Microsoft.Web.Administration.Security is an arbitrary namespace and doesn't really exist)

So far I haven't found any way of exposing the encryption mechanism (I don't really care about decryption: the IIS WP handles that).

Any help would be useful.
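
A check for the situation described in the post, as an added example that is not part of the original post: it lists password attributes in an applicationHost.config-style document that are not stored in the [enc:...:enc] form. The function name Find-PlaintextConfigPassword, the account name svc-web and the sample XML are constructed for illustration.

```powershell
# Added example: report password attributes that are not stored in the
# [enc:<provider>:<ciphertext>:enc] form quoted in the post.
function Find-PlaintextConfigPassword {
    param(
        [Parameter(Mandatory)] [xml] $Config
    )
    $encPattern = '^\[enc:[^:]+:.+:enc\]$'

    # Every element carrying a password attribute, anywhere in the file.
    foreach ($el in $Config.SelectNodes('//*[@password]')) {
        $value = $el.GetAttribute('password')
        if ([string]::IsNullOrEmpty($value)) { continue }   # nothing stored
        if ($value -match $encPattern)      { continue }   # already encrypted

        # Enclosing <location path="..."> element, if the setting is scoped to one.
        $loc = $el.SelectSingleNode('ancestor::location')
        [pscustomobject]@{
            Location = if ($null -ne $loc) { $loc.GetAttribute('path') } else { '(global)' }
            Element  = $el.get_LocalName()
            UserName = $el.GetAttribute('userName')
        }
    }
}

# Constructed sample. To audit a server, load the real file instead:
# [xml](Get-Content "$env:windir\System32\inetsrv\config\applicationHost.config" -Raw)
[xml]$sample = @'
<configuration>
  <location path="mywebsite.mydomain.com">
    <system.web>
      <identity impersonate="true" userName="svc-web" password="myplaintextpassword" />
    </system.web>
  </location>
  <system.applicationHost>
    <sites>
      <site name="mywebsite">
        <application path="/">
          <virtualDirectory path="/" userName="svc-web"
                            password="[enc:AesProvider:CONSTRUCTED-CIPHERTEXT:enc]" />
        </application>
      </site>
    </sites>
  </system.applicationHost>
</configuration>
'@

Find-PlaintextConfigPassword -Config $sample | Format-Table -AutoSize
```

The output deliberately omits the password value itself, so the report can be logged or collected from each server in the farm.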

