TDSE impersonation & snap in security

I've just finished upgrading a customer to SDL Tridion 2011, where part of the task involved migrating a custom application from the Tridion 2009 server to the new 2011 GUI server. The application uses the .NET Interop library to create a TDSE object. When the code ran to impersonate a user on that object, the following exception was thrown with this message:

<?xml version="1.0" standalone="yes"?>
<tcm:Error ErrorCode="80040302" Category="16" Source="Kernel" Severity="2" xmlns:tcm="">
<tcm:Line ErrorCode="80040302" Cause="false" MessageID="4394">
<![CDATA[Unable to Initialize TDSE object.]]>
<tcm:Line ErrorCode="80040302" Cause="true">
<![CDATA[Impersonation by this user requires the DOMAIN\john account to be configured as impersonation user.]]><tcm:Token>DOMAIN\john</tcm:Token>
Not expecting this, I headed over to the snap-in to investigate, but, wow, I didn't have access to the Impersonation Users folder:

This isn't something I've seen before, and I was a bit surprised, as I had full admin access to the machine. The cure was found in the online SDL Tridion documentation (thanks to Tridion Customer Support!). To explain the security issue, I've reproduced their documentation below:

The Content Manager uses a .NET encryption key to ensure the encryption of sensitive configuration data such as passwords. The following user accounts automatically have access to this encryption key:

  • Any Content Manager system account (including the Content Manager user account and impersonation user accounts created during installation)
  • The user account of the user who originally ran the installer

The use of the configuration encryption functionality is completely transparent, so long as the following is true:

  • The user account that runs the SDL Tridion MMC Snap-in configuration tool is the same user account that originally ran the installer.
  • The user executing the various SDL Tridion Windows services is not changed from its default value.

If you want to run the Snap-in and/or Windows services as a user other than the one specified, you must grant that new user access to the encryption key. To grant this access, log on as the user account of the user who originally ran the installer, or as another, similarly authorized user with access to the encryption key, and do the following:

  1. Open a Windows command prompt.
  2. Go to a directory on your machine on which a version of the .NET Framework is installed (a subdirectory of C:\Windows\Microsoft.NET\Framework\ or C:\Windows\Microsoft.NET\Framework64\).
  3. Enter the following command:
    aspnet_regiis -pa "TridionRsaKeyContainer" "<domain>\<account>"
    where <domain> is the domain of this user and <account> is the username of the user.
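The three steps above, scripted as an added example (this is not code from the original post or from SDL's documentation). It locates aspnet_regiis.exe in the Framework directories the documentation points at, runs the documented -pa grant, and then checks that the granted account can actually open the private key in the container, which is what the Content Manager needs in order to decrypt its configuration. The container name TridionRsaKeyContainer and the DOMAIN\john account come from the post as placeholders; the two function names are this example's own.

```powershell
# Added example: grant a Windows account access to the .NET RSA key
# container that protects SDL Tridion configuration data, then verify it.
# Function names and the sample account are assumptions for illustration.

function Grant-RsaKeyContainerAccess {
    param(
        [Parameter(Mandatory)] [string] $Account,          # e.g. 'DOMAIN\john'
        [string] $Container = 'TridionRsaKeyContainer'
    )

    # aspnet_regiis.exe ships in the .NET Framework directories named in the
    # SDL text; prefer the 64-bit v4 copy and fall back to the others.
    $candidates = @(
        "$env:windir\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe",
        "$env:windir\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe",
        "$env:windir\Microsoft.NET\Framework64\v2.0.50727\aspnet_regiis.exe",
        "$env:windir\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis.exe"
    )
    $regiis = $candidates | Where-Object { Test-Path $_ } | Select-Object -First 1
    if (-not $regiis) { throw 'aspnet_regiis.exe not found' }

    # -pa grants the account read access to the container's key file. Without
    # -pku the tool searches the machine-level key store, where an
    # installer-created container lives; "The RSA Key Container does not
    # exist" is what it reports when the name is not found in that store.
    & $regiis -pa $Container $Account
    if ($LASTEXITCODE -ne 0) {
        throw "aspnet_regiis -pa failed (exit code $LASTEXITCODE)"
    }
}

function Test-RsaKeyContainerAccess {
    param([string] $Container = 'TridionRsaKeyContainer')

    # Open the existing machine-level container as the current user without
    # creating one (UseExistingKey), the way the RSA protected-configuration
    # provider opens it when decrypting config sections.
    $csp = New-Object System.Security.Cryptography.CspParameters
    $csp.KeyContainerName = $Container
    $csp.Flags = [System.Security.Cryptography.CspProviderFlags]'UseMachineKeyStore, UseExistingKey'
    $rsa = $null
    try {
        $rsa = New-Object System.Security.Cryptography.RSACryptoServiceProvider($csp)
        # Round-trip a constructed value: Encrypt needs only the public key,
        # Decrypt needs the private key, which is what config decryption uses.
        $plain  = [System.Text.Encoding]::UTF8.GetBytes('constructed test value')
        $cipher = $rsa.Encrypt($plain, $false)
        $back   = $rsa.Decrypt($cipher, $false)
        return ([System.Text.Encoding]::UTF8.GetString($back) -eq 'constructed test value')
    } catch {
        # Typical failures: "Keyset does not exist" or "Access is denied".
        Write-Warning $_.Exception.Message
        return $false
    } finally {
        if ($rsa) { $rsa.Clear() }
    }
}

# Usage: run the grant from an elevated prompt as the account that ran the
# installer, then run the test as the account that was granted access
# (for example in a runas /user:DOMAIN\john session).
Grant-RsaKeyContainerAccess -Account 'DOMAIN\john'
Test-RsaKeyContainerAccess
```

The verification deliberately uses UseExistingKey: opening the container without that flag would silently create a fresh key pair under that name if the lookup failed, which would mask an access problem and leave a stray container behind.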

So after running the aspnet_regiis tool, I can now go in and add my user account to the impersonation user list:

and after restarting COM+ and IIS, the TDSE object is created and the application runs perfectly on the 2011 machine.

5 thoughts on "TDSE impersonation & snap in security"

  1. Very interesting, thanks.
    You might want to contact Customer Support because I have no problem accessing the impersonation users folder in the snap-in on my image…

  2. Hi!
    I am having this same problem and I am administrator on the server. However, when trying to do the above change with aspnet_regiis I get "The RSA Key Container does not exist".
    Will send it to Tridion support as well, but any suggestions?

    Kind regards


  3. Hi Ulrica, I'm afraid I'm not sure what the issue could be. When you get an answer back from support, it would be great if you could add a comment here in case anyone else runs into the problem in the future. Thanks, John

  4. I actually wanted to update the “Hide organizational items if no access to content” under General Settings for SDL Tridion Content Manager (via mmc snap-in). I got both the and the “The RSA Key Container does not exist” error. But I was able to still set the value.

    I just didn’t know what to restart–thanks for the tip, John!
