Information on Windows Azure Web Role Exception: "The 'validation' attribute is invalid. Enum must be one of MD5, SHA1, 3DES, AES"

I was working on a recent issue in which a Windows Azure based Web Role kept recycling through the initializing, busy, aborted, etc. states. The application event log shows the following error:

 

 Microsoft.WindowsAzure.ServiceRuntime Critical: 1 : Unhandled Exception:
System.ServiceModel.FaultException`1[System.ServiceModel.ExceptionDetail]: Filename: \\?\E:\sitesroot\0\web.config
Line number: 158
Error: The 'validation' attribute is invalid.  Enum must be one of MD5, SHA1, 3DES, AES

 

 

Here are a few key points about the scenario in which this problem occurred:

- Windows Azure Web Role with .NET 4.

- In .NET 4 the default validation algorithm for the machine key is HMACSHA256, so for a .NET 4 based web role the following is set automatically in web.config:

 <machineKey validation="HMACSHA256" />

- IIS itself does support HMACSHA256 based machine key validation; the problem is related to IISConfigurator.exe, which runs after the web role (WaIISHost.exe) process starts in order to configure the IIS site before the w3wp process is started.

- If you look at the IISConfigurator logs, you will see that the exception itself is coming from IISConfigurator.exe:

 
 IISConfigurator Information: 0 : [03/28/11 06:01:44.76] Exception:System.Runtime.InteropServices.COMException (0x8007000D): Filename: \\?\E:\sitesroot\0\web.config
Line number: 52
Error: The 'validation' attribute is invalid.  Enum must be one of MD5, SHA1, 3DES, AES
   at Microsoft.Web.Administration.Interop.AppHostWritableAdminManager.GetAdminSection(String bstrSectionName, String bstrSectionPath)
   at Microsoft.Web.Administration.Configuration.GetSectionInternal(ConfigurationSection section, String sectionPath, String locationPath)
   at Microsoft.WindowsAzure.ServiceRuntime.IISConfigurator.WasManager.SetupMachineKeys(String siteName, ServerManager serverManager, String roleGuid)
   at Microsoft.WindowsAzure.ServiceRuntime.IISConfigurator.WasManager.DeploySite(String roleId, WASite roleSite, String appPoolName, String sitePath, String iisLogsRootFolder, String failedRequestLogsRootFolder, List`1 bindings, List`1 protocols, FileManager fileManager, WAAppPool defaultAppPoolSettings, String roleGuid, String& appPoolSid, List`1 appPoolsAdded)
   at Microsoft.WindowsAzure.ServiceRuntime.IISConfigurator.IISConfigurator.Deploy(String roleId, WebAppModel appModel, String roleRootDirectory, String sitesDestinationDirectory, String diagnosticsRootFolder, String roleGuid, Dictionary`2 globalEnvironment)

- So the problem is actually related to the IISConfigurator.exe process, which throws the error because it does not support HMACSHA256 and causes the web role to get stuck in an infinite recycling loop.

 

Note: According to the document here, the validation algorithm can be HMACSHA256 and some other values, but the error message says it must be one of MD5, SHA1, 3DES, AES.

 

As you may know, to solve this problem you just need to change the machine key validation setting to SHA1, as below:

 

 <machineKey validation="SHA1" />
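A pre-deployment check for the condition described above, as an added example (not from the original post and not part of any Azure tooling): it scans a web.config for `machineKey` elements whose `validation` value is outside the set named in the error message and reports the line number, as the IISConfigurator error does. The function name `check_web_config`, the sample configuration and the exact-match comparison are assumptions made for this example.

```python
import xml.sax

# Values the IISConfigurator error message quoted on this page lists as accepted.
ACCEPTED = {"MD5", "SHA1", "3DES", "AES"}


class _MachineKeyHandler(xml.sax.ContentHandler):
    """Collects (line, value) for every machineKey with an unaccepted validation."""

    def __init__(self):
        super().__init__()  # base class stores the locator in self._locator
        self.findings = []

    def startElement(self, name, attrs):
        # Only an explicit validation attribute is checked; a machineKey
        # without one is left alone.
        if name != "machineKey" or "validation" not in attrs:
            return
        value = attrs["validation"]
        # Assumption: values are compared exactly as written in the message.
        if value not in ACCEPTED:
            self.findings.append((self._locator.getLineNumber(), value))


def check_web_config(xml_text):
    """Return a list of (line_number, validation_value) that would be rejected."""
    handler = _MachineKeyHandler()
    xml.sax.parseString(xml_text.encode("utf-8"), handler)
    return handler.findings


# Constructed sample: one machineKey at site level, one under a <location>.
SAMPLE = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validation="HMACSHA256" />
  </system.web>
  <location path="admin">
    <system.web>
      <machineKey validation="SHA1" />
    </system.web>
  </location>
</configuration>
"""

if __name__ == "__main__":
    for line, value in check_web_config(SAMPLE):
        print(f"web.config line {line}: validation=\"{value}\" is not one of "
              f"{', '.join(sorted(ACCEPTED))}")
```

Run it against the packaged web.config before publishing the role; an empty result means no `machineKey` element carries a value outside the listed set.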