Scenario
We’d copied a CM instance (VirtualMachine) from the PRD environment and placed this into the UATĂ‚Â environment, all configurations done as we’d tested and expected.
To avoid getting the error stating that the [clientUATdomain]\MTSUser does not have access to the tridion.security configuration setting we executed the TridionRsaContainer command
aspnet_regiis -pa "TridionRsaKeyContainer" "[clientUATdomain]\MTSUser"
This failed with the MTSUser. On confirming we had the correct [domain]/username/password and further investigation we found that no-one knew the actual account that had been used to install SDL Tridion 2011 CM. We needed this account so we could log into the UAT CM machine in order to give the MTSUser access to the tridion.security configuration setting. This is because this config setting is protected using this windows functionality : http://msdn.microsoft.com/en-us/library/yxw286t2(v=vs.100).aspx
Solution
We could see that file in question is actually a file in c:\programdata\microsoft\crypto\rsa
This file is accessible only to a small number of users (the production domain mtsuser had access to it). So we tried this:
- log in on the PRD machine as the production domain mtsuser
- export the rsa key via this command
aspnet_regiis -px "TridionRsaKeyContainer" keys.xml -pri
We then placed this keys.xml file onto the UAT CM box and then executed the import command
aspnet_regiis -pi "TridionRsaKeyContainer" c:\temp\keys.xml
and finally, the following command
aspnet_regiis -pa "TridionRsaKeyContainer" "[clientUATdomain]\MTSUser"
So, on booting up the CM Browser… boom… We got an error in the GUI after a quick dig into the respective ‘Tridion Configuration’ error in the Event system … we then executed
aspnet_regiis -pa "TridionRsaKeyContainer" "nt authority\network service"
Quick restart of the services and all is well again.
The motto of the story – DO NOT ‘LET SLIP‘ WHICH USER INSTALLED THE CM – especially if you want to clone the machine during a setup!
If you’ve had a similar experience we’d be very interested to hear if there are other ways around this – other than simply re-installing the CM with a noted user
Special thanks to Harald Hoffelinck on this solution!