Getting CryptographicException exception "Padding is invalid and cannot be removed" after Migrating to ASP.NET 2.0

  • Article

Problem Description

=============

One of my colleague migrated his asp.net 1.1 application to asp.net 2.0. It worked fine for some time and soon after it is deployed it started giving intermittent security exception below:

Event code: 3005

 Event

 An unhandled exception has occurred.

 Event time: 6/22/2006 10:58:04 AM

 Event time (UTC): 6/22/2006 2:58:04 PM

 Event ID: 8f96fc240df941e98447cb4f46b8bc61

 Event sequence: 26440

 Event occurrence: 1321

 Event detail code: 0

 Application information:

 Application domain: /LM/W3SVC/<remoevd>/Root-1-127954582343593239

 Trust level: Full

 Application Virtual Path: /

 Application Path: <removed>

 Machine name: <removed>

 Process information:

 Process ID: 9364

 Process name: w3wp.exe

 Account name: <removed>

 Exception information:

 Exception type: CryptographicException

 Exception Msg: Padding is invalid and cannot be removed.

 Request information:

 Request URL: https://.../WebResource.axd?d=UphM0djXQAbNBS80WyI_2Q2&t=632863388699082620

 Request path: /WebResource.axd

 User host address: <removed>

 User:

 Is authenticated: False

 Authentication Type:

 Thread account name: <removed>

 Thread information:

 Thread ID: 12

 Thread account name: <removed>

 Is impersonating: False

 Stack trace: at System.Security.Cryptography.RijndaelManagedTransform.DecryptData(Byte[] inputBuffer, Int32 inputOffset, Int32 inputCount, Byte[]& outputBuffer, Int32 outputOffset, PaddingMode paddingMode, Boolean fLast)

 at System.Security.Cryptography.RijndaelManagedTransform.TransformFinalBlock(Byte[] inputBuffer, Int32 inputOffset, Int32 inputCount)

 at System.Security.Cryptography.CryptoStream.FlushFinalBlock()

 at System.Web.Configuration.MachineKeySection.EncryptOrDecryptData(Boolean fEncrypt, Byte[] buf, Byte[] modifier, Int32 start, Int32 length, Boolean useValidationSymAlgo)

 at System.Web.UI.Page.DecryptString(String s)

 at System.Web.Handlers.AssemblyResourceLoader.System.Web.IHttpHandler.ProcessRequest(HttpContext context)

 at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()

 at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)

Resolution

=======

Application is deployed on a web farm. Viewstate is disabled completely. The same application is working fine under a web farm in 1.1 version. Issue happens only when it is run under 2.0.

The reason it is not working because <machineKey> for this application on all the servers connected to a web farm is not the same. My colleague turned it off because he was not using viewstate at all and that worked fine in 1.1. Then why it is failing on 2.0 and that too when Webresource.axd file is requested. The reason being is data to be sent to server along with query string parameter which looks like some sought of hash value uses <machineKey> for encryption & decryption. As a result, it requires <machineKey> to be same for that application on all the servers.

To be sure, we isolated the issue by running testing the app. on a single server. By doing that, we did not get the issue.

More information on Webresource.axd can be found at: https://support.microsoft.com/kb/910442/en-us

HTH,

Parag