following scenario:

I am using aspnet_regiis to encrypt parts of my web.config. this works fine
on the development machine. Now I move to the integration machine which is
based on a hardened server image. The user I am logged in with is in the
local administrators group. Creating the key container succeeds, but when I
try to encrypt the web.config section, I get the error:

Failed to encrypt the section 'appSettings' using provider
'RsaProtectedConfigurationProvider'. Error message from the provider: The RSA
key container could not be opened.
Failed!

With a second account that is in the same domain as the first and as well in
the local administrators group. When I execute the exact same steps (create
container and then encrypt) everything works as expected.

My suspision now is that in the hardened server image a specific right was
explicitly granted to the second administrative account and not to the first
one.

Can anyone elaborate on the specific permissions needed for an account when
encrypting with aspnet_regiis?

Any help is strongly appreciated.
Peter