
Encryption in K2HostServer.exe.config broken after moving K2 server VM

  • September 2, 2024

Topic

After moving the K2 server VM to another hypervisor, the K2 service cannot be started. The following error is logged in the HostServer logs.
 

Error 2001 Error Starting Host Server: System.Configuration.ConfigurationErrorsException: Failed to decrypt using provider 'K2ConfigurationKey'. Error message from the provider: The RSA key container could not be opened. (C:\Program Files\K2\Host Server\Bin\K2HostServer.exe.Config line 586) ---> System.Configuration.ConfigurationErrorsException: The RSA key container could not be opened.
   at System.Configuration.RsaProtectedConfigurationProvider.ThrowBetterException(Boolean keyMustExist)
   at System.Configuration.RsaProtectedConfigurationProvider.GetCryptoServiceProvider(Boolean exportable, Boolean keyMustExist)
   at System.Configuration.RsaProtectedConfigurationProvider.Decrypt(XmlNode encryptedNode)
   at System.Configuration.ProtectedConfigurationSection.DecryptSection(String encryptedXml, ProtectedConfigurationProvider provider)
   at System.Configuration.BaseConfigurationRecord.DecryptConfigSection(ConfigXmlReader reader, ProtectedConfigurationProvider protectionProvider)
   --- End of inner exception stack trace ---
   at System.Configuration.BaseConfigurationRecord.EvaluateOne(String[] keys, SectionInput input, Boolean isTrusted, FactoryRecord factoryRecord, SectionRecord sectionRecord, Object parentResult)
   at System.Configuration.BaseConfigurationRecord.Evaluate(FactoryRecord factoryRecord, SectionRecord sectionRecord, Object parentResult, Boolean getLkg, Boolean getRuntimeObject, Object& result, Object& resultRuntimeObject)
   at System.Configuration.BaseConfigurationRecord.GetSectionRecursive(String configKey, Boolean getLkg, Boolean checkPermission, Boolean getRuntimeObject, Boolean requestIsHere, Object& result, Object& resultRuntimeObject)
   at System.Configuration.Configuration.get_ConnectionStrings()
   at Sourc;Error Invoking 'StartHostServer' : eCode.Hosting.Server.Runtime.HostServerEngine.StartHostServer()SourceCode.HostServerLib : Failed to decrypt using provider 'K2ConfigurationKey'. Error message from the provider: The RSA key container could not be opened. (C:\Program Files\K2\Host Server\Bin\K2HostServer.exe.Config line 586)"

This error indicates K2 is unable to decrypt the encrypted connection strings stored in K2HostServer.exe.config.


Instructions 

The RSA key used by K2 to encrypt the connection strings in K2HostServer.exe.config likely changed when the server VM was moved to a different hypervisor.

On the K2 server, in the C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys folder, the RSA key files are present in the format [KeyID]_[MachineGuid].

Compare the [MachineGuid] part of these file names with the value in the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid. In this scenario the values are different: the MachineGuid for the VM changed during the migration process.
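The comparison described above can be scripted. The following PowerShell is an added example, not Nintex or K2 code; it is read-only and assumes an elevated session on the K2 server. It reports which key files carry the current MachineGuid but does not identify which file belongs to the K2ConfigurationKey container.

```powershell
# Added diagnostic example (not part of the original article). Read-only.
# Run in an elevated PowerShell session on the K2 server.
$regPath     = 'HKLM:\SOFTWARE\Microsoft\Cryptography'
$machineKeys = Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys'

# MachineGuid currently stored in the registry
$currentGuid = (Get-ItemProperty -Path $regPath -Name MachineGuid).MachineGuid

# Key files are named [KeyID]_[MachineGuid]; split each name on its last underscore
$report = Get-ChildItem -Path $machineKeys -File -Force | ForEach-Object {
    $i = $_.Name.LastIndexOf('_')
    if ($i -lt 0) { return }    # name is not in the expected format, skip it
    $suffix = $_.Name.Substring($i + 1)
    [pscustomobject]@{
        KeyId         = $_.Name.Substring(0, $i)
        FileGuid      = $suffix
        MatchesGuid   = ($suffix -ieq $currentGuid)
        LastWriteTime = $_.LastWriteTime
    }
}

Write-Output "Registry MachineGuid: $currentGuid"
$report | Sort-Object MatchesGuid, LastWriteTime | Format-Table -AutoSize

# Files whose suffix differs from the registry value were created under a
# previous MachineGuid, which is the condition this article describes.
$stale = @($report | Where-Object { -not $_.MatchesGuid })
if ($stale.Count -gt 0) {
    $oldGuids = ($stale.FileGuid | Sort-Object -Unique) -join ', '
    Write-Warning "$($stale.Count) key file(s) carry a different MachineGuid: $oldGuids"
} else {
    Write-Output 'All key files carry the current MachineGuid.'
}
```

Running this before and after a test migration shows whether the chosen migration method preserves the MachineGuid.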

To ensure K2 can decrypt the connection strings in K2HostServer.exe.config, find a way to migrate the K2 server VM without altering the MachineGuid in the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid, then redo the VM migration.

If you have no way of retaining the MachineGuid during the migration, the only option is to remove the encrypted connection strings from K2HostServer.exe.config and populate the unencrypted connection strings in K2HostServer.exe.config manually. Upon starting the K2 service, K2 will encrypt the connection strings again using the new RSA key. Please log a support case with Nintex Support to have a Nintex Support Engineer assist you with this operation.