I'm running a production server (Windows Server 2012) with an AspNet Mvc Core RC1 website.

I'm seeing the following in the logs:

Neither user profile nor HKLM registry available. Using an ephemeral key repository. Protected data will be unavailable when application exits.

After inspecting the source code for DataProtection, I tracked the problem to the following method call:


This is probably returning null on the server for some reason. I don't have any special custom configuration in place and I've read the docs so I thought the default would work.

I think the problem is with the IIS website not running in a certain user's context but I have no idea how to confirm or fix this. My website is configured with its own pool.

As an aside: the result of running an in memory repository for storing keys causes them to recycle whenever the application exits which is very annoying and not even intended for use in production environments.

  • Is your application identity set to load its user Profile?
    – TGlatzer
    Commented May 11, 2016 at 7:14
  • @TGlatzer I think that's the problem (in addition to something about containers). I'll try messing with it when I have access to the server.
    – mrahhal
    Commented May 11, 2016 at 8:19

4 Answers


User profile should be loaded in IIS configuration.

Open IIS, right click on Application Pools then Advanced Settings. And set "Load user profile" to true. Restart your app and it should work perfectly.

  • 6
    On my IIS it was already set to true which doesn't fix this error for me... Commented May 5, 2017 at 14:04
  • 3
    But... whyy??? It only started to happen now? Did something change? I don't understand.
    – Piotr Kula
    Commented Dec 29, 2017 at 10:58
  • I also had to change the application pool 'Identity' from 'ApplicationPoolIdentity' to a user with more rights to get rid of these warnings.
    – Ola Eldøy
    Commented Apr 22 at 10:09

Data Protection keys used by ASP.NET applications are stored in registry hives external to the applications. When running your application as an AppPool Identity you have to create a registry hive for every AppPool used with an ASP.NET Core application.

For standalone IIS installations, you may use the Data Protection PowerShell script for each application pool used with an ASP.NET Core application. The keys will be persisted in the registry.

As clearly stated in the logs, since the registry hive that Data Protection looks for does not exist, keys will not be persisted to disk. Instead, they will be ephemeral and live in-memory only.

In web farm scenarios, an application can be configured to use a UNC path to store its data protection key ring. By default, the data protection keys are not encrypted. You can deploy an x509 certificate to each machine to encrypt the key ring.

See the official ASP.NET Core doc about data-protection for more information

  • This is the correct answer, basically you need to tell IIS where to store the key so it can re-access between sessions. Just answered a similar question stackoverflow.com/questions/46225867/… Commented Oct 10, 2017 at 1:20
  • Is this even a problem if you're just running on a dev machine?
    – niico
    Commented Sep 23, 2018 at 13:31

Those who are on the hosted environment where the access rights are very limited can use PersistKeysToFileSystem instead. Adding the following listing into the Startup.cs will resolve your issue:

public void ConfigureServices(IServiceCollection services)
{
    services.AddDataProtection().PersistKeysToFileSystem(new DirectoryInfo(@"\\server\share\directory\"));
}

You can change the path string according to your needs. Please also check ProtectKeysWith if you want to configure the system to protect keys at rest by calling any of the ProtectKeysWith* configuration APIs.
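
An added example (not part of the answers on this page, and not the project's own code) that combines the file-system persistence from this answer with the at-rest certificate protection mentioned in the web-farm answer above. It assumes the ASP.NET Core 2.x or later API in Microsoft.AspNetCore.DataProtection; the application name, the thumbprint placeholder and the helper methods are hypothetical.

```csharp
using System;
using System.IO;
using System.Security.Cryptography.X509Certificates;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    // Hypothetical values: substitute your own share, app name and thumbprint.
    private const string KeyRingPath = @"\\server\share\directory\";
    private const string CertThumbprint = "<THUMBPRINT-PLACEHOLDER>";

    public void ConfigureServices(IServiceCollection services)
    {
        var keyDir = new DirectoryInfo(KeyRingPath);
        EnsureWritable(keyDir); // fail at startup rather than on the first Protect call

        services.AddDataProtection()
            // Same name on every node so they share one key ring, isolated from other apps.
            .SetApplicationName("my-app")
            .PersistKeysToFileSystem(keyDir)
            // Without this call the key XML files on the share are stored unencrypted.
            .ProtectKeysWithCertificate(LoadCertificate(CertThumbprint));
    }

    // Hypothetical helper: proves the app pool identity can write to the key directory.
    private static void EnsureWritable(DirectoryInfo dir)
    {
        dir.Create(); // no-op if the directory already exists
        var probe = Path.Combine(dir.FullName, Guid.NewGuid().ToString("N") + ".probe");
        File.WriteAllText(probe, string.Empty);
        File.Delete(probe);
    }

    // Hypothetical helper: loads the key-protection certificate from LocalMachine\My.
    private static X509Certificate2 LoadCertificate(string thumbprint)
    {
        using (var store = new X509Store(StoreName.My, StoreLocation.LocalMachine))
        {
            store.Open(OpenFlags.ReadOnly);
            var found = store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, validOnly: false);
            if (found.Count == 0 || !found[0].HasPrivateKey)
                throw new InvalidOperationException("Key-protection certificate with private key not found.");
            return found[0];
        }
    }
}
```

The application pool identity needs read access to the certificate's private key and write access to the key directory only; other accounts should have no access to that directory.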


Take a look at this from the DataProtection Git repository

In short, there is a bug in IIS that may never be corrected that prevents the correct registry setup for DataProtection keys. There is a PowerShell script to manually set up the registry correctly so that it works for AspNet Core. After you run the script for each application pool you use for AspNet Core applications, those applications will then work as intended.

  • What else can I do if I am on the hosted environment where the access rights are very limited? I can neither run the PowerShell script nor change the app pool settings?
    – kliszaq
    Commented Feb 9, 2018 at 21:51
  • You are in a difficult situation... I think you should check if it is possible to find someone that has access to do this. Normally, you should be able to find someone/procedure to alter server configurations when justified with some paper work. Good luck!
    – Yepeekai
    Commented Feb 9, 2018 at 22:33
