I'm currently hosting a web application written in VB.NET 4. the app uses impersonation which stores a username and password in the web.config. My problem is when the impersonate account is locked (which takes down the site), the site displays an error page with a stack trace revealing the username and password in clear text.
Custom error messages are set to off so I'm not sure wh开发者_运维技巧y this is happening. I don't have the option of encrypting this portion of the web.config because we have a staging server that replicates to the production server, and the encryption keys are different on each server.
Entry in the web.config that is being displayed:
<identity impersonate="true" userName="test\myservice.account" password="123"/>
<machineKey validationKey="11111111" decryptionKey="222222222" validation="SHA1"/>
You stated that custom errors mode is off, which means you'll see web.config output. Set custom errors to true, specify the error page, and then you shouldn't see web.config output.
You should probably encrypt that portion of your configuration.
Encrypting Configuration Information Using Protected Configuration
or alternatively create a separate application pool for your site to run in and set the identity of the application pool.
![Interactive visualization of a graph in python [closed]](https://www.devze.com/res/2023/04-10/09/92d32fe8c0d22fb96bd6f6e8b7d1f457.gif)
加载中,请稍侯......
精彩评论