# Wednesday, May 27, 2009

## Encrypting your Web.Config on an FBA Site

I was being a good boy *SHOCK* and encrypting my web.config sections on my MOSS server like I was supposed to. Except...
 
Except...
 
It worked like a charm on the Windows authentication side, but the FBA side was all wacky. Throwing:

> Failed to decrypt using provider 'MossCustomKey'. Error message from the provider: The RSA key container could not be opened.

So what to do? After a bunch of hunting I kept coming across the same answer: it is a permissions problem. The account the site runs under needs access to the RSA key container that the provider uses.
 
This is easily accomplished with `aspnet_regiis -pa "MyCustomKey" "AccountToGiveAccess"` on the command line, where the first argument is the key container name and the second is the account to grant read access to. But which account?
 
I tried "NT Service". I tried "ASPNET". I tried the Application Pool account. But here is the clincher: because this site allows Anonymous access, the account is whatever you have the Anonymous account set to in IIS, EVEN AFTER YOU HAVE LOGGED ON USING FBA!!!!
 
This comes from the `<identity impersonate="true" />` line in the web.config and how SharePoint uses it: with impersonation on, the request runs as the IIS anonymous account rather than the application pool identity, so that is the account that opens the key container. Note that you COULD set a specific user to impersonate there, but I am not sure you really want to (although I may experiment more in my quest to enable SharePoint to assign anonymous permissions at a page, not subsite, level).
 
So what was the account? Simply the `%machinename%\IUSR_%machinename%` account...
 
Remember to do this on ALL your servers in the farm (as well as exporting the key container to XML and importing it on each server, so every web front end decrypts with the same key!)
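The whole procedure from the post (create and export the key container, encrypt the sections, then grant the anonymous account access on each server) as one PowerShell script. This is an added example, not code from the original post; it assumes the provider declared in `<configProtectedData>` is named `MossCustomKey` (taken from the error message above) and uses a key container of the same name, a placeholder site path `C:\inetpub\wwwroot\fba`, a placeholder export path under `C:\Temp`, the 32-bit .NET 2.0 `aspnet_regiis.exe` that MOSS uses (use `Framework64` on a 64-bit farm), and the `IUSR_<machine>` anonymous account described in the post. Run it elevated on each web front end; only the first server creates and exports the key, the rest import it.

```powershell
# Added example, not the original post's code. Placeholders are marked inline.
$regiis    = Join-Path $env:WINDIR 'Microsoft.NET\Framework\v2.0.50727\aspnet_regiis.exe'
$siteRoot  = 'C:\inetpub\wwwroot\fba'      # placeholder: physical path of the FBA web application
$container = 'MossCustomKey'               # keyContainerName of the RsaProtectedConfigurationProvider
$provider  = 'MossCustomKey'               # provider name from <configProtectedData> (matches the error text)
$keyXml    = 'C:\Temp\MossCustomKey.xml'   # placeholder: exported key, copy to the other servers
$anonUser  = "$env:COMPUTERNAME\IUSR_$env:COMPUTERNAME"   # IIS anonymous account, per machine
$isFirstServer = -not (Test-Path $keyXml)  # first WFE creates the key; others import the copied XML

if ($isFirstServer) {
    # Create an exportable machine-level key container, then export it WITH the private key.
    & $regiis -pc $container -exp
    & $regiis -px $container $keyXml -pri
} else {
    # Other servers in the farm import the same key so they can decrypt the same web.config.
    & $regiis -pi $container $keyXml
}

# Encrypt the sensitive sections in place using the named provider.
foreach ($section in 'connectionStrings', 'system.web/membership') {
    & $regiis -pef $section $siteRoot -prov $provider
}

# Grant the anonymous account READ access to the key container (no -full: read is all it needs
# to decrypt). Run on every server, because key container ACLs are local to each machine.
& $regiis -pa $container $anonUser

# Check: the machine key files live under the common application data folder; list any whose
# ACL now mentions the anonymous account so you can see the grant took effect.
$machineKeys = Join-Path ([Environment]::GetFolderPath('CommonApplicationData')) 'Microsoft\Crypto\RSA\MachineKeys'
Get-ChildItem $machineKeys | Where-Object { (Get-Acl $_.FullName).AccessToString -match 'IUSR_' } |
    Select-Object Name, LastWriteTime

# After verifying, delete the exported XML from disk: it contains the private key.
```

Two points worth keeping in mind when you use this: the exported XML carries the private key, so treat it like a password file and remove it once every server has imported it, and granting the anonymous account read access means anything running under that identity on the box can decrypt the section, which is exactly why it should be the minimal read grant and not `-full`.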
 
***** FURTHER INFO *****
 
I appear to be running into a problem with my intranet access and encryption. Occasionally it throws the error above, almost as if it has lost its ability to authorize people. I have to iisreset, and sometimes reboot, to resolve it. Perhaps trouble with enumerating Domain Users group membership?