Tridion.AudienceManagement.API throws exception during initialization

Question

I have created a console application that performs simple actions on the Tridion.AudienceManagement.API API. When I start the application, the first thing it does is reference UserContext.Current, at which point I get the following exception.

The type initializer for 'Tridion.AudienceManagement.DomainModel.Utilities.Configuration' threw an exception.
at Tridion.AudienceManagement.DomainModel.Utilities.Configuration.get_LogFolder()
at Tridion.AudienceManagement.DomainModel.Utilities.Logger.AssertValidLogFolder()
at Tridion.AudienceManagement.DomainModel.Utilities.Logger.WriteLine(LogLevel logLevel, String message, Object[] objects)
at Tridion.AudienceManagement.DomainModel.ServiceClient.ContentManagerClient.LogBindingInfo(Exception ex)
at Tridion.AudienceManagement.DomainModel.ServiceClient.ContentManagerClient.GetConfiguredCoreService()
at Tridion.AudienceManagement.DomainModel.ServiceClient.ContentManagerClient.GetClient(UserContext userContext, UserData& userData)
at Tridion.AudienceManagement.DomainModel.ServiceClient.ContentManagerClient.LoadCurrentUser(UserContext userContext, String userDataXml)
at Tridion.AudienceManagement.DomainModel.UserContext..ctor(String trusteeName)
at Tridion.AudienceManagement.API.UserContext..ctor()
at Tridion.AudienceManagement.API.UserContext.get_Current()   

I have confirmed that Audience Manager is installed and working on the server.

By running the programme from a shell logged in as the MTS User, we can avoid this problem. At first we thought the issue was with file system permissions on the log folder, however, even granting full control does not help.

When comparing procmon output from running the code as the two users, we could see that the user for whom it failed was getting ACCESS DENIED for creating a file within C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys - the filename is a long string of random-looking characters. This ACCESS DENIED is not seen for MtsUser.

Answer 1

It appears that the user running the console application is not allowed to read the encryption key which was used to encrypt the configuration.

You have a few options to solve it:

1. Remove the encryption (not recommended)
2. Run your tool as a user who does have permissions to use the key (i.e. MTSUser)
3. Grant permissions to the user you want to run the tool. Example command-line: aspnet_regiis -pa "TridionRsaProtectedConfigurationProvider" "domain\username"

(Which obviously needs to run as someone who can read the key -- MTSUser)

See the following URLs for more information:

• Encrypting sensitive strings for Audience Manager (SDL LiveContent)
• Walkthrough: Encrypting Configuration Information Using Protected Configuration (MSDN)